Pages Navigation Menu

‘Lid comes off’ cyber espionage fight

On site with General Dynamics Fidelis Cyberscurity Solutions

China has allegedly been planting executable code into American businesses from a 12-story military building in Shanghai, where members of the People’s Liberation Army must be getting tired of chasing away photographers and reporters. America’s private-sector cyber forensic experts work in humbler settings. One is a ground-level suite inside a suburban Maryland office building about seven miles from the National Security Agency.

Inside is a small lab where 15 forensic experts dig into corrupted corporate hard drives and samples of malware code. The lab is part of General Dynamics Fidelis Cybersecurity Solutions, a subsidiary of General Dynamics formed last year when the defense giant bought Fidelis, a 70-person security software firm in Waltham, Mass.

No one’s chasing reporters away from this Marlyand office. In fact, the company recently invited reporters to come in, ask questions and watch a lab version of last year's Shamoon virus wipe data from a laptop computer. Quiet days are almost unheard of in the cybesecurity world, and sure enough members of the team were up late analyzing a sample of the code that struck thousands of computers at South Korean banks and broadcasters. They put out an advisory on their Threat Geek blog saying the wiped data was recoverable.

  • Anatomy of a hack

    An employee finds a thumb drive in a parking lot. He plugs the drive into a laptop computer and opens a Word file with the supposed owner's contact info.

    That's how GD Fidelis kicked off a lab demo of the Shamoon virus for reporters. No one knows for sure how Shamoon got into the Saudi Aramco oil company’s network last year, but thumb drives are always likely suspects.

    A large display showed the laptop’s screen. All looked normal, but inside Shamoon was busy executing code to infiltrate files and propagate to other computers.

    In a case like Shamoon, the experts create images of the malware in action so they can analyze and reverse engineer it. Malware code is criminal evidence, and so chain of custody is a big deal. A write blocker prevents accidental changes to the original code; hash marks serve as digital fingerprints to prove in court that the malware wasn’t changed in the lab.

    After a few minutes, the fictional employee couldn’t move the laptop’s window, and then the screen went black. The computer had been wiped.

GD Fidelis and its competitors are on the frontline in the corporate world’s battle against cyber espionage and sabotage by criminals and nation states. The battle has been a quiet one, but that’s changing and partly because of one of GD Fidelis’ competitors, the 300-person Mandiant company of Alexandria, Va.

Mandiant cleaned up the hacking mess at The New York Times in November and then outed the Shanghai building in a 76-page page report alleging Chinese cyber espionage going back years.

After the Shamoon demo, reporters sat down with GD Fidelis executives to talk about cybersecurity. If GD Fidelis is feeling scooped by Mandiant, the executives give no hint of that. In fact, they described the Mandiant report as a welcome turning point away from the corporate secrecy that has hampered the sharing of threat intelligence.

“All of the sudden, you know, it’s not the scarlet letter to be compromised,” said Peter George, who was CEO of Fidelis and is now president of GD Fidelis. "The Mandiant report, right, kind of took the lid off this particular issue," he added.

George has been working closely of late with veteran General Dynamics executive Jim Jaeger (say Yaeger), a retired Air Force brigadier general and former NSA operations deputy. Jaeger’s forensics team is now sharing threat intelligence with designers of Fidelis’s malware-blocking XPS security software, which GD Fidelis says is being tested by companies in the Persian Gulf in the wake of the Shamoon wiping attack against the Saudi Aramco oil company.

“Jim (Jaeger) and I have been to eight Fortune 100 companies in the last three weeks because this is a boardroom issue now,” George said. “Everybody’s talking about it, everybody wants to share information on how do we deal with this national security problem -- protecting intellectual property.”

If the cyber community is in the midst of a sea change, it’s one that arguably began on Jan. 30, when the New York Times described how and why 53 computers at various Times sites were broken into, allegedly by China. Times executives then did something corporate espionage victims aren't known to do: They freed their hired forensics gun – Mandiant -- to talk to the media, including Deep Dive.

The way George sees it, all the hubbub from the Times and other breaches could help in the battle against “advanced persistent threats,” malicious code that hides in computers and secretly exfiltrates data. With secrecy less of an issue, momentum is growing for better collaboration between the government and private businesses.

George said there was electricity in the air at the late February RSA security conference in San Francisco. “People were talking about APTs four years ago out there, but it was always a whispering in the back room. Customers didn’t really want to talk about it,” he said.

The shift could be good news for General Dynamics, which does a lot of work for the National Security Agency and also for commercial businesses.

“We have this unique opportunity to reach across General Dynamics into some of the organizations that have been dealing with this cyber threat, leave the classified information there, but bring this into our commercial customers,” he said.

Leave a Comment

Your email address will not be published. Required fields are marked *