RSA Blames Breach on Two Hacker Clans Working for Unnamed Government

Two separate hacker groups whose activities are already known to authorities were behind the serious breach of RSA Security earlier this year and were likely working at the behest of a government, according to new statements from the company’s president.

RSA President Tom Heiser, speaking at the RSA conference in London this week, said that the two unidentified hacker groups had not previously been known to work together and that they possessed inside information about the company’s computer naming conventions that helped their activity blend in with legitimate users on the network, according to IDG News Service.

Heiser said that due to the sophistication of the breach, “we can only conclude it was a nation-state-sponsored attack.”

RSA announced last March that intruders had breached its network and succeeded in stealing information related to the company’s widely used SecurID two-factor authentication products. SecurID adds an extra layer of protection to a login process by requiring users to enter a secret code number displayed on a keyfob, or in software, in addition to their password. The number is cryptographically generated and changes every 30 seconds.

The company was forced to replace SecurID customer tokens after the breach.

The attackers gained access to the network after sending two different targeted phishing e-mails to four workers at RSA’s parent company, EMC. The e-mails contained a malicious attachment that was identified in the subject line as “2011 Recruitment plan.xls.”

None of the recipients were people who would normally be considered high-profile or high-value targets, such as an executive or an IT administrator with special network privileges. Nonetheless, when one of the recipients clicked on the attachment, the attachment used a zero-day exploit targeting a vulnerability in Adobe Flash to drop another malicious file — a backdoor — onto the recipient’s desktop computer. This gave the attackers a crack they used to burrow farther into the network and gain the access they needed.

“The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached Excel file,” RSA wrote on its blog in April.

Heiser revealed this week that the hackers had knowledge of the internal naming conventions that his company used for hosts on its network. They also had knowledge of Active Directory — a Microsoft product used for managing the authentication of users on a network. This knowledge helped them disguise their malicious activity inside the network so that it appeared to be legitimate.

“User names could match workstation names, which could make them a little more difficult to detect if you are not paying attention,” Eddie Schwartz, RSA’s chief security officer, told IDG.
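One check a defender can run for the blending-in trick Schwartz describes is to look for user accounts whose names follow the workstation naming convention. The following is an added example, not RSA's tooling: it assumes a constructed naming convention (`WS-<site>-<nnnn>`) and constructed logon events, and it deliberately excludes Active Directory computer accounts, which legitimately carry the host name with a trailing `$`.

```python
import re
from collections import namedtuple

# Assumed workstation naming convention for this example (constructed).
HOST_PATTERN = re.compile(r"^WS-[A-Z]{3}-\d{4}$")

Event = namedtuple("Event", "time account workstation logon_type")

# Constructed logon events in a simple key=value form (not real RSA/EMC data).
SAMPLE_LOG = """
time=2011-03-01T08:02:11Z account=alice workstation=WS-LON-0101 type=2
time=2011-03-01T08:05:43Z account=WS-LON-0101$ workstation=WS-LON-0101 type=3
time=2011-03-01T23:14:09Z account=WS-LON-0142 workstation=WS-LON-0277 type=10
time=2011-03-01T23:20:50Z account=bob workstation=WS-LON-0277 type=2
"""


def parse_events(text: str) -> list:
    """Parse key=value logon lines into Event tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        events.append(Event(fields["time"], fields["account"],
                            fields["workstation"], int(fields["type"])))
    return events


def find_host_like_accounts(events: list) -> list:
    """Flag logons by user accounts whose names look like workstation names.

    Computer accounts (trailing '$') are expected to match the host pattern and
    are ignored; a human-style account that matches it is the anomaly.
    """
    findings = []
    for e in events:
        if e.account.endswith("$"):
            continue
        if HOST_PATTERN.match(e.account):
            findings.append((e.time, e.account, e.workstation, e.logon_type,
                             "user account named like a workstation"))
    return findings


if __name__ == "__main__":
    for f in find_host_like_accounts(parse_events(SAMPLE_LOG)):
        print(f)
```

In the sample, only `WS-LON-0142` is reported: it matches the host convention, has no trailing `$`, and performs a remote interactive logon from a different workstation. The rule is only as good as the inventory behind the pattern, so keep the convention regex in step with how hosts are actually provisioned.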

Heiser said the attackers used various pieces of malware to penetrate RSA’s systems, some of which were compiled just hours before the attackers used them. The attackers also compressed and encrypted the data they stole before they exfiltrated it from the network, making it more difficult to identify as malicious traffic.
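The "compiled hours before use" detail is something an incident responder can check directly on a Windows binary: the COFF file header carries a build timestamp, and a file whose build time sits within hours of its first appearance on a host deserves a closer look. The following is an added example, not RSA's tooling; it parses the PE header by hand, triages the timestamp against a first-seen time, and builds a constructed minimal header (not a runnable program) so the example runs offline.

```python
import struct


def parse_pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine, NumberOfSections, TimeDateStamp, ...
    _machine, _nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return timestamp


def triage_compile_time(data: bytes, first_seen: int, fresh_window_hours: int = 24) -> str:
    """Classify a binary by how its build time relates to when it was first observed."""
    ts = parse_pe_timestamp(data)
    if ts == 0:
        return "zero-timestamp"      # stripped or forged; no information
    if ts > first_seen:
        return "future-timestamp"    # forged timestamp or clock problem
    age_hours = (first_seen - ts) / 3600
    if age_hours <= fresh_window_hours:
        return "fresh-compile"       # built shortly before it showed up on the host
    return "aged"


def build_demo_pe(timestamp: int) -> bytes:
    """Constructed minimal DOS stub + PE signature + COFF header for demonstration only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    first_seen = 1300000000                          # constructed: mid-March 2011
    samples = {
        "dropped_three_hours_after_build": build_demo_pe(first_seen - 3 * 3600),
        "year_old_utility": build_demo_pe(first_seen - 400 * 86400),
        "stripped_timestamp": build_demo_pe(0),
    }
    for name, blob in samples.items():
        print(name, "->", triage_compile_time(blob, first_seen))
```

Treat the result as a triage signal, not proof: the timestamp is a plain field that a builder can set to anything, so a plausible old date rules nothing out, while a very fresh one is cheap evidence that the file was built for this intrusion.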

The attackers appeared to be after information that would help them penetrate networks belonging to U.S. defense contractors who used SecurID to authenticate their workers.

Heiser said that so far there has been only one attack discovered that involved an attempt to use the SecurID information taken from RSA. Heiser wouldn’t identify the company, but news reports in May indicated that hackers had tried to breach defense contractor Lockheed Martin using information stolen from RSA.

Photo: RSA SecurID tokens (br2dotcom/Flickr)
