RSA: Nation state double-teamed on SecurID attack

Two groups of hackers working in tandem for a nation state were behind the sophisticated cyberattack on RSA that stole information on its SecurID tokens, the encryption company has revealed.

RSA has said that two groups of hackers working in tandem for a nation state were behind the sophisticated cyberattack that stole information on its SecurID tokens. Photo credit: Alexander Klink/Wikipedia

"We know there were two groups because of the methodology in the attack," RSA executive chairman Art Coviello said on Tuesday. "We have not attributed the attack to a particular nation state, although we are very confident, with the skill and the degree and the resource behind the attack, that it could only have been perpetrated by a nation state."

RSA disclosed the cyberattack in March. As part of the attack, hackers stealthily removed information related to SecurID, which is used by thousands of large organisations to authenticate staff. In June, the company said it would replace SecurID tokens for virtually all its customers, after stolen data was found to have been used in a failed attack on Lockheed Martin.

Coviello told press at the RSA Conference in London that the attack on RSA aimed to grab information that could be used for cyber-espionage, by stealing data largely from defence contractors.

The hackers left enough traces for an investigation, but RSA does not have the forensic evidence to track the exfiltrated information back to a particular nation state, he added.

Hacker collaboration

The two hacker groups — one visible and one less visible — collaborated to steal the RSA intellectual property, the company's president Tom Heiser said in a speech at the conference.

"The adversaries were seen to switch connective techniques, malware and origin during the connection," Heiser said. "There were two groups involved. Both groups were known to authorities, but they had never been known to work together before."

"It took them a lot of co-operation to put this together," he added.

 There were two groups involved. Both groups were known to authorities, but they had never been known to work together before.

– Tom Heiser, RSA

The hackers got into RSA's systems by a series of phishing attacks on RSA employees, using email from trusted sources such as a company or person they knew, according to Heiser. The malware payload delivered a zero-day exploit.

With these Advanced Persistent Threat (APT) methods, the intruders used their initial foothold in RSA's systems to gain independent network access. The hackers traversed the system, and used layers of resistance in their software to prevent their discovery, according to RSA. Attackers worked in multiple groups, with "one visible, and one shielding the other", Heiser said.

The attackers used sophisticated methods to avoid detection once they had infiltrated RSA's networks, the company said. For example, they modified their host computers to match RSA's internal Microsoft Active Directory — a Microsoft database that keeps track of usernames and passwords within an organisation and enforces security policies. In addition, they used the same naming conventions used on RSA's corporate network.

Intrusion detected

RSA discovered the intrusion via networking monitoring before any attempt was made to hack a customer, the company's chief security officer Eddie Schwartz said. The stolen data has only been used in one unsuccessful attack, and no other customers have been affected, the company insisted, despite reports in June that it had reached L-3 Communications and Northrop Grumann, as well as Lockheed Martin.

Heiser said RSA reported the incident to international law enforcement when it discovered the intrusion. The agencies actively investigating the incident include the FBI, the Department of Homeland Security, and other agencies within the US defence establishment, Coviello told ZDNet UK.

Law enforcement and intelligence agencies in the UK are also looking into the cyberattack, Heiser said.

Although millions of people use RSA's SecurID authentication tokens, the company's supply matched demand for replacements in August, Heiser told the conference. It replaced its top 500 customers' tokens relatively quickly, he added, but it faced a challenge with its hundreds of thousands of other customers, not all of whom are direct clients.