RSA Blames SecurID Breach on Two Attacker Groups, Unnamed Country

RSA Security executives disclosed that the company's investigation of the March breach of its SecurID multifactor authentication technology found that the attack was carried out by two groups of attackers backed by a nation-state.

Two separate groups of attackers, most likely funded by a nation-state, were behind the attack on RSA Security, the company's senior executives said at a conference.

Two unidentified hacker groups who had not previously worked together collaborated on the attack against RSA Security earlier this year, Tom Heiser, president of the EMC subsidiary, and Art Coviello, the executive chairman, told attendees at RSA Conference Europe in London in a joint keynote speech on Oct. 11. The attackers possessed inside information about the company's computer naming conventions and Active Directory, which helped disguise the malicious activity as legitimate network traffic, Heiser said.

RSA executives were "very confident" that the groups had been supported by a nation-state because of the skill, sophistication and resources necessary to launch the attack. However, they declined to name the country they believed was responsible.

"We can only conclude it was a nation-state sponsored attack," Heiser said.

Organizations should not fall into the trap of thinking that nation-states would not be interested in attacking them, according to Coviello. "Think a nation state is not interested in you? Think again! They might use you to go after someone else," he said.

Details about how RSA had been compromised have been trickling out ever since the company first admitted the breach in March. The attackers used various pieces of malware, some developed specifically for this attack, to penetrate the RSA network, Heiser said. They also compressed and encrypted the data before transferring it out of the network, making it harder to identify the traffic as malicious.
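Compressing and encrypting stolen data defeats content inspection, but it also leaves a statistical fingerprint: the bytes of a compressed or encrypted payload are close to uniformly distributed. The script below is an added illustration of that detection idea, not code from RSA, EMC or any of the researchers named in this article. The entropy threshold (7.5 bits per byte), the minimum payload size (64 bytes), the host names and addresses, and the three sample "flows" are all constructed for the example; they are not values from the breach.

```python
"""Flag outbound payloads whose byte distribution suggests compression or encryption.

Added example with constructed data; nothing here is captured traffic from the RSA incident.
"""
import math
import random
import zlib
from collections import Counter

HIGH_ENTROPY_BITS = 7.5   # assumption: at or above this a payload is treated as packed
MIN_PAYLOAD_BYTES = 64    # assumption: entropy estimates on tiny payloads are unreliable


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def looks_packed(payload: bytes) -> bool:
    """True when the payload is large enough to judge and its bytes are near-uniformly distributed."""
    return len(payload) >= MIN_PAYLOAD_BYTES and shannon_entropy(payload) >= HIGH_ENTROPY_BITS


def flag_outbound(flows):
    """flows: iterable of (src, dst, payload). Returns [(src, dst, entropy)] for packed payloads."""
    flagged = []
    for src, dst, payload in flows:
        if looks_packed(payload):
            flagged.append((src, dst, round(shannon_entropy(payload), 2)))
    return flagged


def _constructed_report(seed: int = 3, words: int = 3000) -> bytes:
    """Constructed plaintext stand-in for an internal document: random words from a small vocabulary."""
    vocab = ["token", "seed", "record", "serial", "customer", "audit", "quarter", "region",
             "status", "active", "pending", "issued", "revoked", "batch", "note", "review"]
    rng = random.Random(seed)
    return " ".join(rng.choice(vocab) for _ in range(words)).encode()


def constructed_flows():
    """Three constructed outbound flows: plaintext, the same plaintext zlib-compressed,
    and deterministic pseudo-random bytes standing in for an encrypted archive."""
    report = _constructed_report()
    rng = random.Random(7)
    random_blob = bytes(rng.getrandbits(8) for _ in range(4096))
    return [
        ("ws-012.corp.example", "203.0.113.10", report),                  # plain text, low entropy
        ("ws-012.corp.example", "203.0.113.10", zlib.compress(report, 9)),  # compressed, high entropy
        ("ws-044.corp.example", "198.51.100.20", random_blob),             # "encrypted", high entropy
    ]


if __name__ == "__main__":
    for src, dst, ent in flag_outbound(constructed_flows()):
        print(f"{src} -> {dst}: {ent} bits/byte, payload looks compressed or encrypted")
```

The check is a heuristic, not a verdict: legitimate TLS sessions, software downloads and backups are also high-entropy, so in practice the flag is useful as one signal to correlate with destination reputation, volume over time and the sending host's normal behaviour, rather than as a stand-alone alert.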

"Our adversary was determined, persistent and very well coordinated. They knew what to look for and where to go," Heiser said.

In August, researchers at Dell SecureWorks' Counter Threat Unit traced malware used in the attack back to two APT malware families and tied it to a network in Shanghai. Dell SecureWorks noted that despite uncovering the network hosting the malware, there was not enough information to identify "who" the perpetrators were.

Later that month, F-Secure researchers analyzed the malicious Excel spreadsheet that had been emailed to a small number of RSA employees during the attack. The "2011 Recruitment Plan.xls" file contained an embedded Flash file which exploited an Adobe zero-day vulnerability to download a remote access Trojan onto the computer.
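A spreadsheet has no legitimate reason to carry a Flash movie, so a mail gateway or triage script can cheaply look for one. The scanner below is an added example of that check; it is not F-Secure's analysis tooling and not the actual file from the attack. It relies on the documented SWF container header (a three-byte signature of FWS, CWS or ZWS, one version byte, then a little-endian 32-bit length) and uses a plausibility bound on the version byte (50, an assumption) to cut down false matches on the letters "CWS" appearing in ordinary data. The sample "document" is constructed here: an OLE2 magic number followed by filler and a fake SWF header.

```python
"""Find plausible embedded SWF (Flash) headers inside an arbitrary binary blob.

Added example with a constructed sample file; not the malicious spreadsheet from the article.
"""
import struct

SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib-compressed, LZMA-compressed SWF
MAX_SWF_VERSION = 50                        # assumption: plausibility bound on the version byte
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # header of legacy .xls/.doc compound files


def find_embedded_swf(blob: bytes):
    """Return sorted (offset, signature, version, declared_length) for every plausible SWF header."""
    hits = []
    for sig in SWF_SIGNATURES:
        start = 0
        while True:
            idx = blob.find(sig, start)
            if idx < 0 or idx + 8 > len(blob):
                break
            version = blob[idx + 3]
            declared_len = struct.unpack_from("<I", blob, idx + 4)[0]
            # The SWF length field counts the 8-byte header itself, so anything below 8 is bogus.
            if 1 <= version <= MAX_SWF_VERSION and declared_len >= 8:
                hits.append((idx, sig.decode(), version, declared_len))
            start = idx + 1
    return sorted(hits)


def is_ole2(blob: bytes) -> bool:
    """True for a legacy compound-file (.xls/.doc/.ppt) container."""
    return blob.startswith(OLE2_MAGIC)


def constructed_xls_like(with_flash: bool) -> bytes:
    """Build a constructed stand-in for a legacy .xls: OLE2 magic, filler, optionally a fake SWF."""
    body = OLE2_MAGIC + b"\x00" * 504                          # one 512-byte header sector
    body += b"Workbook stream placeholder".ljust(512, b"\x00")  # one 512-byte data sector
    if with_flash:
        swf_payload = b"\x00" * 100                             # stand-in for compressed SWF content
        body += b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(swf_payload)) + swf_payload
    return body + b"\x00" * 256


def triage(blob: bytes) -> str:
    """One-line verdict suitable for a gateway log entry."""
    hits = find_embedded_swf(blob)
    kind = "OLE2 document" if is_ole2(blob) else "non-OLE2 file"
    if not hits:
        return f"{kind}: no embedded Flash header found"
    off, sig, ver, ln = hits[0]
    return f"{kind}: embedded {sig} (SWF v{ver}, {ln} bytes) at offset {off}; hold for review"


if __name__ == "__main__":
    print(triage(constructed_xls_like(with_flash=True)))
    print(triage(constructed_xls_like(with_flash=False)))
```

A byte-signature scan like this only catches a Flash object stored in the clear; a production scanner would also walk the OLE2 streams and inflate compressed ones before searching, since the same signature can be hidden inside a packed stream. The point the example makes is that "Office document containing Flash" is an easy, high-value rule to enforce at the mail boundary regardless of which Flash vulnerability is being exploited.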

It seemed "very odd" for a company to say a country had attacked them but not name the country, Graham Cluley, senior technology consultant at Sophos, wrote on the Naked Security blog. While he hasn't "seen or heard anything which has convinced me that a nation state had to be involved," it was likely that another country would have a motive for attacking a military contractor, according to Cluley.

While RSA initially claimed the breach did not compromise the SecurID two-factor authentication technology, it turned out the thieves were able to use the stolen information to attack at least one major United States defense contractor in May.

"We will never keep up with individual attacks but we can create systems with the resiliency to withstand any attack," Coviello said, insisting that the SecurID technology remained secure.

"The RSA algorithm is still effective today because it solved the problem of privacy generically, not in response to a specific threat," he told RSA Europe attendees.

RSA has not disclosed everything it knows about the attacks because the company doesn't want to give the attackers an idea of how much of their activity has been uncovered, according to Heiser. "They were stealthy but they did leave some information behind," Heiser said.