Hackers using Chinese IP addresses gained full access to the IT systems of NASA’s Jet Propulsion Laboratory in 2011, allowing them to steal information and manipulate high-profile user accounts, a senior NASA official told the US Congress last week.
Paul Martin, NASA’s inspector general, disclosed the scale of the space agency’s cybersecurity issues in a report presented to the US House of Representatives. The report revealed that 13 out of 47 ‘advanced persistent threat’ (APT) attacks against NASA were successful in 2011, despite the agency spending $58 million on IT security.
Martin’s report to Congress also examined the role of NASA’s CIO, Linda Cureton, finding that the position lacks "visibility and oversight authority" over NASA’s various IT assets.
It found that while Cureton has adequate oversight on NASA’s institutional IT systems – those used to support administrative functions such as budgeting and human resources – her control over "mission systems", which contain sensitive, operational information, is limited.
Besides the lack of CIO oversight, Martin identified the transition to cloud computing, limited use of encryption on NASA devices and the increasing sophistication of cyber attacks as the space agency’s most serious IT security challenges.
Martin concluded that improving NASA’s IT security would require better overarching management practices, specifically more CIO oversight of mission systems.
What is an advanced persistent threat?
The term APT is most commonly used to refer to attacks where a software agent is installed on an organisation’s network, often via email attachment, reports back to a control server, and is used to search for documents and data remotely.
The phrase is most often associated with attacks that originate in China. Ashar Aziz, CEO of APT detection software vendor FireEye, told Information Age last year that the term is essentially a euphemism for attacks by Chinese intelligence forces. He conceded, however, that there is only circumstantial evidence linking the two, such as Chinese IP addresses and the nature of the targets.
Last year, a US nuclear research laboratory was successfully breached by an APT.
In 2010, security vendor RSA said "what all APTs have in common is the more sophisticated ecosystem and R&D support. It’s not about what the malware looks like or how it behaves because that’s a consequence of the real threat: the threat is the people. It makes far more sense to talk about the people and ignore the distractions of the symptoms of this disease."
Later, RSA itself became a victim of an APT, in which hackers stole SecurID certificates.