Military contractor Booz Allen hacked
Another US military contractor falls victim to cyber attack, as hackers steal passwords and deface code
Hacking group Anonymous announced on Monday that it had infiltrated the IT systems of Booz Allen Hamilton, a major US government and military contractor.
In a Twitter message announcing the attack, the hackers said they had stolen 90,000 email addresses with encrypted passwords and deleted code from the Booz Allen systems. A list of emails and encrypted passwords was made available online through multiple filesharing websites.
Booz Allen stored the passwords using an SHA hash, a weak form of encryption, according to Chester Wisniewski, a security analyst at Sophos. "The passwords are not salted (injected with random data), which will likely lead to the majority of the passwords being exposed," Wisniewski said in a blog post.
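Why the missing salt matters for whoever has to store passwords, as an added example that is not from the article or from Booz Allen's systems: with an unsalted hash, accounts that share a password share a stored value, while a per-user random salt and a slow key-derivation function make every record distinct. The article says only "an SHA hash", so SHA-1 is an assumption here, as are PBKDF2 as the replacement scheme, the iteration count and the constructed sample accounts.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 200_000  # assumed work factor for this example

def unsalted_sha1(password: str) -> str:
    """Storage as the article describes it: a bare hash, no salt (SHA-1 assumed)."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_record(password: str) -> tuple[bytes, bytes]:
    """Hardened storage: a fresh 16-byte salt per user plus a slow KDF."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key

def verify(password: str, record: tuple[bytes, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(key, expected)

def accounts_sharing_a_value(stored: dict[str, str]) -> list[str]:
    """Audit check: users whose stored value is identical to another user's."""
    counts = Counter(stored.values())
    return sorted(user for user, value in stored.items() if counts[value] > 1)

# Constructed sample accounts; two users picked the same password.
ACCOUNTS = {
    "alice@example.mil": "Summer2011!",
    "bob@example.mil": "Summer2011!",
    "carol@example.mil": "t7#Vq9!zLw2p",
}

def audit_unsalted() -> list[str]:
    table = {user: unsalted_sha1(pw) for user, pw in ACCOUNTS.items()}
    return accounts_sharing_a_value(table)

def audit_salted() -> list[str]:
    table = {user: salted_record(pw)[1].hex() for user, pw in ACCOUNTS.items()}
    return accounts_sharing_a_value(table)

if __name__ == "__main__":
    print("unsalted, shared values:", audit_unsalted())
    print("salted, shared values:  ", audit_salted())
```

In the unsalted table one recovered value exposes every account that reused the password, which is why a leak of this kind forces a reset for the whole user base.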
Booz Allen made no comment, referring all enquiries to a statement on Twitter. "As part of @BoozAllen security policy, we generally do not comment on specific threats or actions taken against our systems," the company said.
"While this should certainly be embarrassing to Booz Allen Hamilton, the real impact is on the US military," Wisniewski said. "These 90,000+ individuals will need to reset their passwords, and ensure any systems that they shared these passwords with are changed."
This is the second high-profile data breach at a US military contractor this year. In May, Lockheed Martin fell victim to a cyber attack, in which hackers used security certificates that had previously been stolen from RSA Security.
When he admitted that his company's security certificates had been involved in the cyber attack, RSA CEO Art Coviello implied that it had been politically or militarily motivated. "The fact that the only confirmed use to date of the extracted RSA product information involved a major U.S. defense contractor only reinforces our view on the motive of this attacker."