RSA has revealed that it believes two groups, working on behalf of a single nation state, hacked into its servers and stole information related to the company’s SecurID two-factor authentication products.
Speaking at the RSA Security Conference in London, RSA’s executive chairman Art Coviello described the high profile attack that made headlines around the world.
"There were two individual groups from one nation state, one supporting the other. One was very visible and one less so. We've not attributed it to a particular nation state although we're very confident that with the skill, sophistication and resources involved it could only have been a nation state."
Inevitably, people are likely to assume that China might have been involved in the attack – but there’s nothing in RSA’s statements to either implicate China or to back-up the claims that any country was involved.
It seems very odd to me for a company to say that they have determined that a country had attacked them, but to not then name the country.
You will probably remember that RSA didn’t do itself many favours when it first admitted the breach in April, playing its cards rather close to its chest then, and not saying much more about the ongoing security of its tokens than:
"we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers."
Unfortunately, the truth was that RSA’s server breach did subsequently lead to another attack against a leading US military contractor, and the security firm’s hand was forced into offering to replace some customers’ SecurID devices.
The malware attack
RSA was struck by a targeted malware attack, emailed to a small number of their employees.
Attached to the email was a file, “2011 Recruitment plan.xls”. The poorly worded email was designed to trick users into opening the attachment. And – unfortunately – at least one of them fell for the trap.
The Excel spreadsheet had been booby-trapped, and contained a malicious Flash payload inside it. Opening the file exploited an Adobe zero-day vulnerability that then downloaded a remote access Trojan horse called Poison Ivy onto the computer.
Once the Trojan horse was in place, the hackers could begin to steal information and inveigle their way into RSA’s network infrastructure.
(Incidentally, Sophos has been detecting the malicious XLS file since March 2011 as Troj/SWFExp-Y – although at the time, we did not know this was the malware used in the RSA security breach).
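The attack chain described above (an Excel file carrying an embedded Flash object that triggers an exploit) suggests a simple defensive check that a mail gateway or an analyst can run on attachments: look for SWF headers inside Office documents, where a Flash object has no business being. The script below is an added example and is not code from the original post or from Sophos. The SWF header layout it relies on is real (a three-byte signature of FWS, CWS or ZWS for uncompressed, zlib-compressed or LZMA-compressed files, then a version byte and a little-endian 32-bit length), but the sample attachments are constructed inside the script and are not the file used against RSA.

```python
import re
import struct

# SWF files start with one of three signatures; the fourth byte is the
# SWF version and the next four bytes are the file length (little-endian).
SWF_SIGNATURE = re.compile(rb"[FCZ]WS")
SWF_COMPRESSION = {b"FWS": "none", b"CWS": "zlib", b"ZWS": "lzma"}
MAX_PLAUSIBLE_SWF_VERSION = 50   # assumption: filters random text that happens to read "FWS"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc container header


def find_embedded_swf(data: bytes) -> list:
    """Return every plausible SWF header found anywhere inside `data`.

    Each hit is a dict with the offset, compression type, SWF version and the
    length the header claims. Signatures whose version byte is implausible or
    whose declared length is smaller than the header itself are discarded to
    keep false positives down.
    """
    hits = []
    for match in SWF_SIGNATURE.finditer(data):
        offset = match.start()
        if offset + 8 > len(data):
            continue                       # not enough bytes for a full header
        signature = data[offset:offset + 3]
        version = data[offset + 3]
        declared_length = struct.unpack_from("<I", data, offset + 4)[0]
        if not (1 <= version <= MAX_PLAUSIBLE_SWF_VERSION) or declared_length < 8:
            continue
        hits.append({
            "offset": offset,
            "compression": SWF_COMPRESSION[signature],
            "version": version,
            "declared_length": declared_length,
        })
    return hits


def scan_attachment(filename: str, data: bytes) -> dict:
    """Flag an attachment when it is an Office container with Flash inside it."""
    is_ole2 = data.startswith(OLE2_MAGIC)
    swf_hits = find_embedded_swf(data)
    verdict = "flag" if (is_ole2 and swf_hits) else "clean"
    return {"filename": filename, "ole2": is_ole2, "swf": swf_hits, "verdict": verdict}


# --- constructed samples (not real malware) ---------------------------------
# A harmless spreadsheet: OLE2 header followed by ordinary cell text.
CLEAN_XLS = OLE2_MAGIC + b"\x00" * 64 + b"Q3 headcount and NEWS of the budget" + b"\x00" * 32

# A spreadsheet with a zlib-compressed Flash object embedded 72 bytes in,
# claiming SWF version 10 and a length of 4321 bytes.
SUSPICIOUS_XLS = (
    OLE2_MAGIC + b"\x00" * 64
    + b"CWS" + bytes([10]) + struct.pack("<I", 4321)
    + b"\x78\x9c" + b"\x00" * 16
)

# Plain text that happens to contain "FWS": the version byte ('x' = 120) is
# implausible, so the filter drops it.
FALSE_POSITIVE = b"see FWSxyz for details " + b"\x00" * 8


if __name__ == "__main__":
    for name, blob in [("2011 Recruitment plan.xls", SUSPICIOUS_XLS),
                       ("budget.xls", CLEAN_XLS),
                       ("notes.txt", FALSE_POSITIVE)]:
        print(scan_attachment(name, blob))
```

The check is deliberately narrow: it does not parse the OLE2 stream directory, so a Flash object split across sectors or stored inside a compressed OOXML (.xlsx) package would be missed, and it says nothing about whether the Flash content is actually malicious. Its value is as a cheap triage signal, ideally paired with sandbox detonation and the antivirus signature the post mentions.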
APT or not?
At the time of the initial disclosure, RSA’s Coviello described the attack as an “extremely sophisticated” Advanced Persistent Threat (APT).
Some wags in the security industry have noted that corporate victims of malware attacks might like to use the “APT” buzzword to make a breach seem less embarrassing.
Whether that’s fair or not is open to debate. But it certainly puts a better spin on things if you claim that highly-skilled hackers with the resources of an unnamed country attacked your computer network rather than your common-or-garden cybercriminal.
I haven’t seen or heard anything which has convinced me that a nation state had to be involved in the attack against RSA. The only thing which begins to point a finger towards a foreign power being involved is the fact that information stolen by the RSA hackers was subsequently used in attacks against military contractors.
You have to ask yourself who would have the biggest motive for that – and the most likely answer would be another country.
Regardless of who was responsible for the attack, we must not forget that RSA and some of its customers were the victims of criminal acts. They didn’t deserve to be hacked, and we all have to be on our guard to prevent comparable attacks happening against our own companies.