RSA Security executives disclosed that the company's investigation of the March breach involving its SecurID two-factor authentication technology found that the attack was carried out by two groups of attackers backed by a nation-state.
Two separate groups of attackers, most likely funded by a
nation-state, were behind the attack on RSA Security, the company's senior executives
said at a conference.
Two unidentified hacker groups that had not previously worked
together collaborated on the attack against RSA Security earlier this year, Tom
Heiser, president of the EMC subsidiary, and Art Coviello, the executive
chairman, told attendees at RSA Conference Europe in London in a joint keynote
speech on Oct. 11. The attackers had knowledge of the
company's host naming conventions and its Active Directory structure, which helped
them make the malicious activity look like legitimate network traffic, Heiser said.
RSA executives were "very confident" that the
groups had been supported by a nation-state because of the skill,
sophistication and resources needed to carry out the attack. However, they
declined to name the country they believed was responsible.
"We can only conclude it was a nation-state sponsored
attack," Heiser said.
Organizations should not fall into the trap of thinking that
nation-states would not be interested in attacking them, according to Coviello.
"Think a nation state is not interested in you? Think again! They might use you to go after someone else," he said.
Details about how RSA had been compromised have been trickling out
ever since the company first disclosed the breach in March. The attackers used
various pieces of malware, some developed specifically for this attack, to
penetrate the RSA network, Heiser said. They also compressed and encrypted the
data before transferring it out of the network, making it harder to identify the
outbound traffic as malicious by inspecting its content.
"Our adversary was determined, persistent and very well
coordinated. They knew what to look for and where to go," Heiser said.
In August, researchers at the Dell SecureWorks Counter Threat Unit traced
malware used in the attack to two APT malware families and linked it to a
network in Shanghai. Dell SecureWorks noted that despite uncovering the network
hosting the malware, there was not enough information to identify "who" the
perpetrators were.
Later that month, F-Secure researchers analyzed the malicious Excel
spreadsheet that had been emailed to a small number of RSA employees during the
attack. The "2011 " file contained an embedded Flash object that exploited a
then-unpatched (zero-day) vulnerability in Adobe Flash to download a remote-access
Trojan onto the victim's computer.
It seemed "very odd" for a company to say a
country had attacked it but not name the country, Graham Cluley, senior
technology consultant at Sophos, wrote on the Naked Security blog. While he
had not "seen or heard anything which has convinced me that a nation state
had to be involved," it was likely that another country would have a
motive for attacking a military contractor, according to Cluley.
While RSA initially said the breach had not compromised the SecurID
two-factor authentication technology, it later emerged that the attackers were
able to use the stolen information in an attack on at least one major United
States defense contractor.
"We will never keep up with individual attacks but we
can create systems with the resiliency to withstand any attack," Coviello
said, insisting that the SecurID technology remained secure.
"The RSA algorithm is still effective today because it
solved the problem of privacy generically, not in response to a specific
threat," he told RSA Europe attendees.
RSA has not disclosed everything it knows about the attacks
because the company doesn't want to give the attackers an idea of how much of
their activities have been uncovered, according to Heiser. "They were
stealthy but they did leave some information behind," Heiser said.