
Hackers execute sophisticated strike on government cybersecurity contractor Bit9


Unprotected computers at a cybersecurity contractor that services the Defense Information Systems Agency and many other federal agencies were compromised in a way that let attackers sign malware with the company's own code-signing certificate, so that the company's product would treat that malware as trusted software on customer networks.

The incident echoes a 2011 attack on security vendor RSA, where outsiders stole information about the company's proprietary SecurID login technology and used it to get into the networks of RSA-protected defense companies. This time, the target was Bit9, a firm specializing in so-called application whitelisting, a defense intended to allow only software programs explicitly listed as safe to run. Reporter Brian Krebs of the blog Krebs on Security broke the news of the breach Friday afternoon.

DISA, the departments of Justice and Commerce, Immigration and Customs Enforcement (an arm of the Homeland Security Department), the National Transportation Safety Board, Centers for Disease Control and Prevention, and General Services Administration recently acquired Bit9 tools, according to contract records, agency reports, and government spending databases reviewed by Nextgov.

Five of the top 10 aerospace and defense companies, along with more than 20 federal, civilian, Pentagon and intelligence agencies are Bit9 customers, the company's website states.

Application whitelisting works on the premise that allowing only trusted applications to run, typically identified by a cryptographic hash of the file or by the code-signing certificate of an approved publisher, is safer than trying to block infections with anti-virus software, which cannot stop a piece of malware until researchers have identified it and written a signature for it.

To undermine Bit9's technology, the intruders took one of the company's code-signing certificates, together with the private key needed to sign with it, and used it to sign malware, so that customers' Bit9-protected systems executed the malware as what they took to be a trusted application.
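To make the trust failure concrete, here is an added example (not Bit9's code and not from the article) that models a whitelisting agent in Go. It uses a plain Ed25519 key pair in place of an X.509 code-signing certificate, the SHA-256 of the public key in place of a certificate fingerprint, and constructed byte strings in place of real binaries; the names Policy, Evaluate and RunScenario are hypothetical. It walks through the stages of the incident: the vendor's real software passes; malware that carries the vendor's certificate but is signed with some other key fails; malware signed with the stolen private key passes, which is the failure described above; revoking the certificate, as Bit9 says it did, blocks that malware but also blocks the vendor's legitimately signed files, which then have to be re-approved by exact hash until they are re-signed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

func hashHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignedBinary is an executable plus its detached signature and the public
// key of the certificate the signer claims to have used. The key's hash
// stands in for a certificate fingerprint, which is what a policy pins or
// revokes.
type SignedBinary struct {
	Code   []byte
	Sig    []byte
	Signer ed25519.PublicKey
}

func Sign(code []byte, priv ed25519.PrivateKey, cert ed25519.PublicKey) SignedBinary {
	return SignedBinary{Code: code, Sig: ed25519.Sign(priv, code), Signer: cert}
}

// Policy models a whitelisting agent with three decision sources: exact
// file hashes, trusted publisher certificates, and a revocation list.
type Policy struct {
	ApprovedHashes    map[string]bool // sha256(code) -> approved
	TrustedPublishers map[string]bool // cert fingerprint -> trusted
	Revoked           map[string]bool // cert fingerprint -> revoked
}

type Verdict struct {
	Allowed bool
	Reason  string
}

// Evaluate: an exact-hash approval wins outright; a publisher rule applies
// only if the certificate is trusted, not revoked, and the signature verifies
// under that certificate's key.
func (p Policy) Evaluate(b SignedBinary) Verdict {
	if p.ApprovedHashes[hashHex(b.Code)] {
		return Verdict{true, "file hash explicitly approved"}
	}
	fp := hashHex(b.Signer)
	if p.Revoked[fp] {
		return Verdict{false, "signing certificate revoked"}
	}
	if !p.TrustedPublishers[fp] {
		return Verdict{false, "publisher not trusted"}
	}
	if !ed25519.Verify(b.Signer, b.Code, b.Sig) {
		return Verdict{false, "signature does not verify"}
	}
	return Verdict{true, "valid signature from trusted publisher"}
}

// Scenario records the verdict at each stage of the incident.
type Scenario struct {
	BenignBefore, ForgedWithoutKey, MalwareStolenKey        Verdict
	MalwareAfterRevoke, BenignAfterRevoke, BenignReapproved Verdict
}

func RunScenario() Scenario {
	vendorCert, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	policy := Policy{
		ApprovedHashes:    map[string]bool{},
		TrustedPublishers: map[string]bool{hashHex(vendorCert): true},
		Revoked:           map[string]bool{},
	}
	// Constructed sample inputs; no real binaries are involved.
	benignCode := []byte("constructed benign updater v1")
	malwareCode := []byte("constructed malicious payload")
	benign := Sign(benignCode, vendorPriv, vendorCert)
	forged := Sign(malwareCode, attackerPriv, vendorCert) // cert, but not its key
	stolen := Sign(malwareCode, vendorPriv, vendorCert)   // cert and stolen key

	var s Scenario
	s.BenignBefore = policy.Evaluate(benign)
	s.ForgedWithoutKey = policy.Evaluate(forged)
	s.MalwareStolenKey = policy.Evaluate(stolen) // the Bit9 failure mode
	// Remediation 1: revoke the compromised certificate.
	policy.Revoked[hashHex(vendorCert)] = true
	s.MalwareAfterRevoke = policy.Evaluate(stolen)
	s.BenignAfterRevoke = policy.Evaluate(benign) // legitimate files blocked too
	// Remediation 2: re-approve known-good files by exact hash until re-signed.
	policy.ApprovedHashes[hashHex(benignCode)] = true
	s.BenignReapproved = policy.Evaluate(benign)
	return s
}

func main() { fmt.Printf("%+v\n", RunScenario()) }
```

Running it prints the six verdicts. The point for a defender is the contrast between ForgedWithoutKey and MalwareStolenKey: the signature check behaves correctly in both cases, so once the private key is gone, nothing in a publisher-trust rule can tell the attacker from the vendor, and only revocation plus exact-hash rules put the operator back in control, at the cost of also blocking the vendor's legitimate software until it is re-signed.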

After Krebs contacted Bit9, the company posted an admission of the problem. Bit9 Chief Executive Officer Patrick Morley wrote, “Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network. As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware."

At least three customers "were affected" by the falsely certified malware, Morley added, without describing the nature of the clients' business.

During the RSA assault, the attackers likewise made off with that company's secret sauce, in that instance the data behind its login technology, and used it to penetrate an RSA customer. They exfiltrated information about RSA's SecurID authentication technology and then leveraged it to get into Lockheed Martin Corp.'s network. The defense contractor later announced that it had contained the breach.

The two-step attack laid bare the risk of adversaries compromising Pentagon suppliers’ computers as part of a larger plot to reach other, higher-value government information.

Eugene Spafford, a computer science professor at Purdue University, told Krebs, “Those defense contractors were the real targets, but they were using a very strong security tool – RSA’s tokens. So, if you’re an attacker and faced with a strong defense, you can try to break straight through, or find ways around that defense. This is more than likely [the product of] very targeted, careful thinking by someone who understands a higher level of security strategy.”

The article quoted Spafford as saying the Bit9 and RSA attacks can be thought of as “supply chain” hacks.

Officials for Bit9, based in Waltham, Mass., said indications are that the breach was not the result of a problem with their product and that the product itself was not compromised. To shield the three customers hit and other clients, Bit9 revoked the certificate and has "ensured Bit9 is installed on all of our physical and virtual machines," Morley said.
