Lockheed's cyber cops sift through hacker evidence

WASHINGTON Sun May 29, 2011 6:48pm EDT

A U.S. Lockheed Martin F-16 flies during an air display at the Farnborough International Air Show, Hampshire, July 19, 2004. REUTERS/Toby Melville

A U.S. Lockheed Martin F-16 flies during an air display at the Farnborough International Air Show, Hampshire, July 19, 2004.

Credit: Reuters/Toby Melville

Related Topics

WASHINGTON (Reuters) - Last week's attack on Lockheed Martin Corp's computer networks has galvanized dozens of cyber "detectives" at the company's cavernous security intelligence center outside Washington.

The U.S. government and Lockheed, the world's biggest military contractor and the Pentagon's No. 1 supplier, have said the unknown hackers did not seize any sensitive information in the May 21 attack, but government and industry experts are still working feverishly to isolate the origins of the attack.

Lockheed, which is also the U.S. government's biggest information technology provider, opened the 25,000-square-foot, $17 million center in 2008. It opened a sister site in Denver last year to help deal with the growing workload and take over if the main center is knocked off line.

Dozens of highly trained analysts work at the center in Gaithersburg, Maryland, where green plants and a Feng Shui-styled decor beckon visitors to a public collaboration space that looks like a high-tech university campus.

The real work, though, goes on in a large, dimly lit internal security center only open to critical personnel. Flickering wall-sized flat screens continuously update activity on Lockheed's mammoth worldwide computer network while monitoring data transmissions by 126,000 employees and outsiders trying to get access to the system.

A Defense Department spokeswoman, Air Force Lieutenant Colonel April Cunningham, said on Saturday that the Pentagon was working with Lockheed to gauge the scope of the attack.

Some top defense officials were on site last week to assess the wider impact, a defense official, who requested anonymity, told Reuters on Thursday.

Just two weeks ago, Lockheed advertised for a "lead computer forensic examiner" for the center, saying it needed someone who could work in a fast paced environment, understood "attack signatures, tactics, techniques and procedures associated with advanced threats," and was able to "reverse engineer attacker encoding protocols."

Lockheed builds advanced satellites, fighter jets and warships for the U.S. military, but also provides information technology services to the Justice Department, Federal Aviation Administration, Social Security Administration, and other federal agencies. It even ran the latest U.S. national census, which is only conducted once a decade, for the government.

Seeking to recruit the best cyber analysts on the market, Lockheed last year released a YouTube video, which portrays the cyber security problem as a complex chess match, or a sophisticated war game, between U.S. government and industry on one side, and a host of smart attackers from nation states and criminal groups on the other.

"It is a cat-and mouse game between the two sides," Eric Hutchins, a Lockheed cyber intelligence analyst, told Reuters during a visit to the center in March 2010. "They're constantly trying to develop new ways of attacking us and we're constantly trying to develop new ways of defending us."

Hitchens said Lockheed analysts processed 1 million "incidents" a day, sorting through the "white noise" to identify possible attacks and likely targets.

Another analyst featured in the Lockheed video compared his work to that of "CSI-style" detectives in reference to crime scene investigators who focus on forensic evidence and have been popularized by the CSI group of TV shows. "We go right to the scene of the crime and we look for evidence of the attack," he said.

It says they use techniques far beyond anything available in the wider commercial world.

The video makes the center seem like it is out of a movie like "Minority Report", describing hackers as "adversaries," "the enemy" or "bad guys" whose onslaught needs to be repelled. It ends with a flourish as one forensic analyst declares: "This is the fight we fight."

Cyber experts are now scouring the network to find any "electronic DNA" left behind by the hackers -- time-intensive work that may eventually help pinpoint the source of the attack, said one former senior government official.

"Everything leaves electronic DNA if you can find it," said the official, who was not authorized to speak on the record. "It's like digging for old bones."

Lockheed officials say they responded almost immediately to the May 21 attack, which was first reported by Reuters on Thursday, averting the loss of any customer, program or employee personal data.

Loren Thompson, a defense analyst who does consulting work for Lockheed and other military contractors, said the attack was "fairly subtle" but it underscored the growing information security challenges facing the U.S. government and industry, and validated Lockheed's ability to detect intrusions.

The next test is how quickly experts will be able to identify the source of the attack, and in particular whether it can be traced to a foreign power.

(Reporting by Andrea Shalal-Esa)

(Additional reporting by Jim Wolf. Editing by Martin Howell)

We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see http://blogs.reuters.com/fulldisclosure/2010/09/27/toward-a-more-thoughtful-conversation-on-stories/
Comments (3)
ronryegadfly wrote:
The last sentence of the article is interesting. Are there really any questions about who that “foreign power” might be? I think not.

May 29, 2011 6:03pm EDT  --  Report as abuse
Chivelry wrote:
“unknown hackers did not seize any sensitive information”.. Would we be told if they did? What constitutes “sensitive”?,, only Lockheed knows.

May 29, 2011 6:46pm EDT  --  Report as abuse
quatra wrote:
All internet traffic should have a machine dependent and unique identifier hard wired on the processor chip. It will not identify the actual user but only the machine. Records of the ID should be kept at the recipients ISP (it’s being done right now but incomplete and not very specific). After all, If you don’t engage in illicit activity you don’t have anything to fear.

May 30, 2011 3:21pm EDT  --  Report as abuse
This discussion is now closed. We welcome comments on our articles for a limited period after their publication.