In March, RSA suffered a cyberattack that compromised its SecurID platform and led to a token recall and increased paranoia among its defense contractor customers. Yesterday, at a press conference, an RSA spokesman said the company believes it was the work of two separate hacking outfits, both of which could be connected to a nation state.
RSA did not, however, say which nation state it believes was behind the attack.
ZDNet UK reported extensively on the press conference and on what is now understood to have happened before and after the attack.
“We know there were two groups because of the methodology in the attack,” RSA executive chairman Art Coviello said on Tuesday. “We have not attributed the attack to a particular nation state, although we are very confident, with the skill and the degree and the resource behind the attack, that it could only have been perpetrated by a nation state.”
After RSA announced the attack, reports from various defense contractors began to filter in as they noticed and stopped strange activity on their networks; the affected contractors included Lockheed Martin, Northrop Grumman, and L-3 Communications. RSA acknowledged that the cryptographic keys at the heart of the SecurID system (the token seed values from which one-time codes are generated) had been compromised and called for a recall of all current tokens; that recall, together with the transaction monitoring RSA added afterwards, cost the company $66 million.
According to Coviello, the first of the two groups opened with spear-phishing emails sent to RSA employees under the guise of trusted contacts. The phishing delivered malware that used a zero-day exploit to establish a beachhead; according to a PCWorld report, the exploit may have been an Excel spreadsheet carrying a malicious embedded Adobe Flash file.
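That detail suggests a simple check a mail gateway or incident responder can run on a suspicious attachment: does the spreadsheet embed a Flash (SWF) object at all? The following Python scanner is an added example, not code from the original article or from RSA. It handles both OOXML containers (.xlsx and friends, which are zip archives) and legacy binary .xls files (which it scans byte by byte), looking for the three SWF signatures FWS, CWS and ZWS. The two sample documents it builds are constructed for the example, and the plausibility heuristics (a Flash version byte between 1 and 50 and a declared length of at least 8 bytes) are assumptions chosen to cut false positives, not part of any file-format specification.

```python
import io
import struct
import zipfile

# SWF signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
# The 8-byte header is: 3-byte magic, 1-byte Flash version, 4-byte little-endian length.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

# Assumed plausibility limits (heuristic, not a specification): Flash player
# versions ran from 1 to the low 30s, and the declared length covers the header.
MAX_PLAUSIBLE_VERSION = 50
MIN_PLAUSIBLE_LENGTH = 8


def find_swf_headers(data: bytes):
    """Return (offset, magic, version, declared_length) for every plausible SWF header in data."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            off = data.find(magic, start)
            if off < 0:
                break
            start = off + 1
            if off + 8 > len(data):  # not enough room for a full header
                continue
            version = data[off + 3]
            declared_len = struct.unpack_from("<I", data, off + 4)[0]
            # The magic alone is three ASCII letters and shows up in ordinary text;
            # the version/length sanity check is what keeps this from firing on prose.
            if 1 <= version <= MAX_PLAUSIBLE_VERSION and declared_len >= MIN_PLAUSIBLE_LENGTH:
                hits.append((off, magic.decode(), version, declared_len))
    hits.sort()
    return hits


def scan_office_file(data: bytes):
    """Scan an Office document for embedded SWF objects.

    Returns a list of (zip member or '<raw>', offset, magic, version, declared_length).
    """
    findings = []
    if data[:2] == b"PK":  # OOXML (.xlsx/.docx/.pptx) is a zip archive: scan each member
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                for off, magic, ver, length in find_swf_headers(zf.read(name)):
                    findings.append((name, off, magic, ver, length))
    else:  # legacy OLE2 (.xls/.doc) or anything else: byte-scan the whole file
        for off, magic, ver, length in find_swf_headers(data):
            findings.append(("<raw>", off, magic, ver, length))
    return findings


def build_sample_xlsx_with_swf() -> bytes:
    """Constructed sample: a minimal zip shaped like an .xlsx with an ActiveX part holding a SWF."""
    fake_swf = b"CWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x00" * 32
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/activeX/activeX1.bin", b"\x00" * 16 + fake_swf)
    return buf.getvalue()


def build_sample_legacy_xls_with_swf() -> bytes:
    """Constructed sample: an OLE2 magic followed by padding and an uncompressed SWF header."""
    ole2_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    fake_swf = b"FWS" + bytes([9]) + struct.pack("<I", 500) + b"\x00" * 8
    return ole2_magic + b"\x00" * 96 + fake_swf


if __name__ == "__main__":
    for label, sample in (("xlsx", build_sample_xlsx_with_swf()),
                          ("xls", build_sample_legacy_xls_with_swf())):
        for finding in scan_office_file(sample):
            print(label, "embedded SWF:", finding)
```

A hit is not proof of exploitation, since legitimate spreadsheets can embed Flash, but a spreadsheet with a Flash object arriving by email is exactly the shape of the attachment described above and is worth quarantining for analysis. Two caveats: the legacy path is a raw byte scan, so it will miss a SWF stored inside a compressed OLE stream, and the signature check says nothing about what the Flash file does once it runs.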
Once the attackers had a foothold inside RSA's systems they set about fortifying their position and widening their network access. From there, the second team moved in, traversed the various systems, and began hunting for its intended target: the SecurID seed data for RSA's defense contractor customers. The attack appeared to be highly sophisticated and used knowledge of the software running on RSA's network to hide the hackers' movements and probing.
According to Chief Security Officer Eddie Schwartz, RSA uncovered the attack before any of its customers had been compromised through the stolen keys. No attacks on RSA customers succeeded; even the apparent attempts against Lockheed, Northrop, and L-3 Communications were detected and thwarted, and those came after RSA had reported the breach and informed its customers.
Law enforcement and intelligence agencies in the UK are still investigating the source of the attacks, and no doubt their US counterparts are too.
We’ll keep you apprised should any further information emerge from this high-profile hacking incident.