RSA: Nation-state was behind SecurID hack
- By Kevin McCaney
- Oct 12, 2011
The theft of data about RSA Security tokens that was used in an attempted hack of a major U.S. defense contractor was carried out by two groups of hackers working for a nation-state, RSA executives say.
Speaking at the company’s European conference in London, RSA Executive Chairman Art Coviello said the company has not been able to identify the nation behind it, but that, “we are very confident, with the skill and the degree and the resource behind the attack, that it could only have been perpetrated by a nation-state,” reported ZDNet UK.
Coviello said the different methods used in the attacks indicated two groups, working in tandem, were involved, ZDNet UK reported.
RSA in March reported the breach, which it said was a result of an “extremely sophisticated” attack to gain information from the company’s SecurID authentication tokens. In June, RSA confirmed that information from the breach was used in a failed attack in May on Lockheed Martin.
Cyberattacks against defense contractors L3 Communications and Northrop Grumman also were reported in May, but RSA has said only Lockheed Martin had been attacked as a result of the SecurID breach.
The attackers reportedly used phishing techniques on RSA employees to get them to click on a link that delivered a zero-day exploit, then quietly collected information on SecurID, which is used by many banks and other large organizations, such as defense contractors, to authenticate employees.
Researchers at F-Secure said in August the malware may have been contained in an Excel spreadsheet that arrived with a recruitment plan e-mail, PC World reported.
That information, believed to be about the seed numbers used by an algorithm to generate one-time passcodes on the token, was then used in the attack on Lockheed. Passcodes are used with a user’s log-in ID and personal identification code for network access.
“Whoever attacked Lockheed Martin was the same as attacked RSA or had access to information from the RSA breach,” Harry Sverdlove, chief technology officer of security company Bit9, told GCN in June.
Social-engineering tricks delivered by phishing e-mails have been used in a number of high-profile attacks, including the December 2009 hack of Google and an attack earlier this year on Google’s Gmail that snagged quite a few federal employees. Google blamed both of those attacks on China.
At the London conference, Coviello said the RSA attackers left traces of their espionage behind, but not enough to identify the country they came from.
After the attack, RSA reported it to international law enforcement agencies, and Coviello told ZDNet UK that the FBI, Homeland Security Department and Defense Department agencies are among those investigating.
Since the attack, the company has replaced SecurID tokens for many of its customers and offered others risk-based authentication strategies to protect Web-based financial transactions.
Kevin McCaney is a former editor of Defense Systems and GCN.