Nation state behind RSA's SecurID breach

March attack on security vendor's SecurID tokens was conducted by two groups acting on behalf of a single nation, but no culprit has been singled out, report notes.

Following internal investigations, RSA has stated definitively that the breach of its SecurID tokens was executed by two groups acting on behalf of a single nation. The security vendor, however, did not identify the country behind the attack, a report noted.

In a Reuters report Tuesday, RSA Chief Executive Art Coviello revealed that the company's forensic intelligence indicated the two groups were well coordinated in executing the breach in March, which signaled that one nation state was behind the attack.

"One group was more surreptitious in their approach than the other. Is it possible that one was deliberately a little bit more visible than the other to mask the other? It's possible. We don't know," he said.

The company also stated that it did not know for sure which nation was behind the attack.

As a result of the breach, EMC, which owns RSA, has taken a US$66 million charge for the cost of replacing the compromised tokens. Coviello said in the report that demand for these replacement tokens has "slowed to a trickle" and the company now has a large inventory.

SecurID tokens are widely used electronic keys to computer systems, designed to thwart hackers by requiring two passwords: a fixed PIN and a six-digit number that the token generates automatically, typically every 60 seconds.

The chief executive had written an open letter to customers on Jun. 6 stating that the company would offer new tokens to "customers with concentrated user bases typically focused on protecting intellectual property and corporate networks". In addition, it would implement risk-based authentication strategies such as monitoring and fraud detection services for consumer-facing organizations.

Prior to the announcement of the measures, Lockheed Martin suffered network intrusions that were attributed to the SecurID breach. ZDNet Asia's sister site CNET reported that hackers were said to have broken into the weapons maker's computer systems, potentially gaining access to information about future weapons programs as well as military technology currently in use.

Lockheed subsequently revealed that hackers had used data stolen in the RSA breach and other methods to figure out the coded password of a company contractor, but the weapons maker blocked the attack before any sensitive data could be exposed. China has also been fingered as a possible culprit, as the attack was similar to other cyberattacks attributed to the nation, a separate report noted.