RSA: Nation-state was behind SecurID hack

The theft of data about RSA Security tokens that was used in an attempted hack of a major U.S. defense contractor was carried out by two groups of hackers working for a nation-state, RSA executives say.

Speaking at the company’s European conference in London, RSA executive Chairman Art Coviello said the company has not been able to identify the nation behind it, but that, “we are very confident, with the skill and the degree and the resource behind the attack, that it could only have been perpetrated by a nation-state," reported ZDNet UK.

Coviello said the different methods used in the attacks indicated two groups, working in tandem, were involved, ZDNet UK reported.

Related coverage:

RSA confirms its tokens used in Lockheed hack

Significant attack shuts down Lockheed network

RSA in March reported the breach, which it said was a result of an “extremely sophisticated” attack to gain information from the company’s SecurID authentication tokens. In June, RSA confirmed that information from the breach was used in a failed attack in May on Lockheed Martin.

Cyberattacks against defense contractors L3 Communications and Northrop Grumman also were reported in May, but RSA has said only Lockheed Martin had been attacked as a result of the SecurID breach.

The attackers reportedly used phishing techniques on RSA employees to get them to click on a link that delivered a zero-day exploit, then quietly collected information on SecurID, which is used by many banks and other large organizations, such as defense contractors, to authenticate employees.

Researchers at F-Secure said in August the malware may have been contained in an Excel spreadsheet that arrived with a recruitment plan e-mail, PC World reported.

That information, believed to be about the seed numbers used by an algorithm to generate one-time passcodes on the token, was then used in the attack on Lockheed. Passcodes are used with a user’s log-in ID and personal identification code for network access.

“Whoever attacked Lockheed Martin was the same as attacked RSA or had access to information from the RSA breach,” Harry Sverdlove, chief technology officer of security company Bit9, told GCN in June.

Social-engineering tricks delivered by phishing e-mails have been used in a number of high-profile attacks, including the December 2009 hack of Google and an attack earlier this year of Google’s Gmail that snagged quite a few federal employees. Google blamed both of those attacks on China.

At the London conference, Coviello said the RSA attackers left traces of their espionage behind, but not enough to identify the country they came from.

After the attack, RSA reported it to international law enforcement agencies, and Coviello told ZDNet UK that the FBI, Homeland Security Department and Defense Department agencies are among those investigating.

Since the attack, the company has replaced SecurID tokens for many of its customers and offered others risk-based authentication strategies to protect Web-based financial transactions.

About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected