Employees at defence contractor Raytheon UK were taken in by a cloud-based attempt to steal information, according to the company's head of cybersecurity.
The attack, which was ultimately unsuccessful, was the first time Raytheon UK had seen hackers use a cloud service to try to steal data, Raytheon head of cyber Vincent Blake told an event at the RSA Conference on Wednesday.
The spear-phishing attack last week was aimed at 20 people with access to Raytheon systems, Blake told ZDNet UK.
"The attack vector was through emails targeted to individuals," Blake said. "We had 20 people targeted. It was looped back through a cloud service saying 'please use this particular service for this particular application'. Two of the individuals did click."
The two people were targeted with tailored emails that fooled them into clicking on a link leading to an unnamed cloud-based service, which the hackers used to try to steal data.
The attack was unusual in that hackers normally exfiltrate data to servers that are completely under their control: either to a proxy server some security professionals call a 'drop zone', or to the command-and-control server of a botnet.
Raytheon caught the attack in progress and managed to stop information being stolen, according to Blake. The compromised individuals' machines started 'beaconing' to the cloud, which was picked up by Raytheon monitoring before any information was stolen, Blake said.
"If everything else has failed, there's your answer," said Blake.
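The detection Blake describes relies on spotting compromised machines 'beaconing' to an outside service at regular intervals. The following is an added illustration of that idea, not Raytheon's monitoring code: it parses a handful of constructed egress log lines (hostnames, timestamps and the log format are all made up for the example) and flags source/destination pairs whose connection gaps are nearly constant, which is how a timer-driven beacon looks next to ordinary human browsing, regardless of whether the destination is a known-bad server or a legitimate cloud service.

```python
"""Periodicity-based beacon detection over constructed egress log lines.

Added example only; it is not Raytheon's monitoring and assumes a simple
log format of "<ISO timestamp> <source host> <destination host>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: ws-017 contacts one external service every
# five minutes (beacon-like), while ws-042 contacts the same service at
# irregular, human-looking intervals. All names and times are made up.
SAMPLE_LOG = """\
2011-10-12T08:00:00 ws-017 files.example-cloud.test
2011-10-12T08:00:02 ws-017 intranet.corp.test
2011-10-12T08:05:01 ws-017 files.example-cloud.test
2011-10-12T08:07:30 ws-017 mail.corp.test
2011-10-12T08:10:00 ws-017 files.example-cloud.test
2011-10-12T08:14:59 ws-017 files.example-cloud.test
2011-10-12T08:20:01 ws-017 files.example-cloud.test
2011-10-12T08:25:00 ws-017 files.example-cloud.test
2011-10-12T08:01:10 ws-042 files.example-cloud.test
2011-10-12T08:03:45 ws-042 files.example-cloud.test
2011-10-12T08:31:12 ws-042 files.example-cloud.test
2011-10-12T09:02:08 ws-042 files.example-cloud.test
2011-10-12T09:04:50 ws-042 files.example-cloud.test
2011-10-12T09:40:19 ws-042 files.example-cloud.test
"""


def parse_log(text):
    """Return {(src, dst): [sorted timestamps]} from the assumed log format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    for times in flows.values():
        times.sort()
    return flows


def find_beacons(flows, min_hits=5, max_jitter=0.05):
    """Flag (src, dst) pairs whose connection intervals are nearly constant.

    min_hits:   minimum number of connections before periodicity is judged,
                so a one-off visit is never flagged.
    max_jitter: maximum coefficient of variation (stdev / mean) of the gaps
                between consecutive connections. A person browsing produces
                large variation; a timer-driven beacon produces almost none.
    """
    beacons = {}
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons[key] = {
                "hits": len(times),
                "period_s": round(avg),
                "jitter": round(jitter, 3),
            }
    return beacons


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: every ~{info['period_s']}s, "
              f"{info['hits']} hits, jitter {info['jitter']}")
```

On the sample data only ws-017's five-minute cadence to the external service is reported; ws-042's irregular visits to the same host fall well outside the jitter threshold. In practice the thresholds would be tuned against a baseline of the organisation's own traffic, and a hit would be enriched with the user, process and destination reputation before anyone acts on it.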
Blake said Raytheon was aware of the hacker group that was responsible for the attack, but declined to say who was responsible.
However, Blake did say that five years ago Raytheon had an epiphany about security when it decided to sell missiles to Taiwan.
"We truly had a 'come to Jesus' moment five years ago because we decided to sell missiles to Taiwan," he said. "For some reason, a country next door to Taiwan didn't really like that, so they got very interested in our IPR [intellectual property rights]. We've had to very, very rapidly catch up with our own internal networks." His remark to the audience came in a discussion about state-sponsored hacking attacks by China on western companies.
At present, Raytheon, a company of 72,000 people, has 1.2 billion security events per day. Raytheon blocks 35,000 advanced persistent threats per day. Last year, 138 zero-day exploits targeted 5,000 Raytheon employees, said Blake.
Advanced persistent threats (APTs) are stealthy attacks designed to get as much information out of a company as possible, without that company being aware of the attack. In March this year authentication and encryption company RSA suffered an APT attack in which information on SecurID authentication tokens was stolen.
The information that was taken was used to target defence company Lockheed Martin, and led to Raytheon taking defensive precautions, Blake told reporters on Wednesday.
"There was a company-wide response," said Blake. "We had to significantly change our attitude to be less reliant on SecurID."
Raytheon changed all of its passwords, and added extra layers of security. The company still uses SecurID authentication tokens, Blake added.