May 31, 2011 18:18 GMT  ·  By

Government contractor Lockheed Martin has admitted that its network came under attack recently, but claims it successfully repelled it without any loss of sensitive data.

The attack is said to have involved cloned SecurID tokens that were used to access the contractor's network and resulted in the VPN being suspended for at least a week while employees are being issued new devices and passwords.

The SecurID tokens are being produced by RSA Security, a division of EMC, which suffered a security breach earlier this year.

Attackers are believed to have stolen undisclosed information about the product as a result of the compromise.

"On Saturday, May 21, Lockheed Martin detected a significant and tenacious attack on its information systems network," the government contractor said in a public statement.

"The company’s information security team detected the attack almost immediately, and took aggressive actions to protect all systems and data.

"As a result of the swift and deliberate actions taken to protect the network and increase IT security, our systems remain secure; no customer, program or employee personal data has been compromised," it added.

However, Jeffrey Carr, a security expert who specializes in cyber conflicts, doubts that everything is as good as Lockheed claims.

For one, he takes issue with the wording in the public statement, noting that tenacious means "not easily dispelled" and "persisting in existence" and that such an attack cannot be "swiftly" dealt with.

He then points out that, according to public data, attackers had access to the contractor's network for up to 24 hours and that the incident was severe enough for President Obama to be personally briefed about it.

Furthermore, the expert notes that part of the fault lies with Lockheed senior executives who failed to take appropriate measures following the RSA SecurID breach. Other contractors replaced their tokens with ones from others vendors.

"Clearly, the extent of the RSA SecurID breach was worse than EMC reported to the public, to the Security and Exchange Commission, and to its customers; at least the ones that I've spoken to," Mr. Carr concludes.