Two separate groups joined forces and were responsible for the RSA SecurID attack, said RSA president Tom Heiser.
Art Coviello, executive chairman of parent company EMC, declined to identify the groups, but said due to the sophistication of the intrusion “we can only conclude it was a nation-state sponsored attack.”
RSA is working with the U.S. Federal Bureau of Investigation, the U.S. Department of Homeland Security, U.K. law enforcement and other agencies. Speaking at the company’s security conference in London, Heiser said authorities know both groups, but did not know they worked together.
“What does this tell us?” Heiser asked. “Our adversary was determined, persistent and very well coordinated. They knew what to look for and where to go.”
RSA spotted the attack as it was underway using technology from NetWitness, a company it acquired in April, Heiser said. Experts believe hackers gained access to RSA’s systems by sending certain employees in EMC’s human resources department an Excel spreadsheet rigged to exploit an Adobe Flash vulnerability. RSA has not confirmed this.
Additionally, the hackers had knowledge about RSA’s internal naming conventions used for hosts on its network as well as Active Directory — a Microsoft product used for managing authentication of users on corporate networks — which made their movements inside the system appear to be more legitimate.
“User names could match workstation names, which could make them a little more difficult to detect if you are not paying attention,” said Eddie Schwartz, RSA’s chief security officer.
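The blend-in technique described above (accounts named to look like hosts, or matching the workstation they come from) can be checked for in logon telemetry. The following is an added illustration written for this page, not code from RSA or NetWitness; the naming conventions ("WS-" plus four digits for workstations, lowercase initial-plus-surname for users), the log records and the field layout are all constructed assumptions, so the patterns must be replaced with an organisation's real conventions before use.

```python
import re

# Assumed (hypothetical) internal naming conventions: workstations are named
# "WS-<4 digits>", user accounts are "<first initial><surname>" in lowercase.
WORKSTATION_RE = re.compile(r"^WS-\d{4}$", re.IGNORECASE)
USER_RE = re.compile(r"^[a-z]{3,}$")

# Constructed sample logon records (not real RSA data). Each tuple is
# (timestamp, account name, source workstation, logon type).
SAMPLE_LOGONS = [
    ("2011-03-01T08:02:11", "jsmith",  "WS-1042", "interactive"),
    ("2011-03-01T08:05:40", "mlee",    "WS-1077", "interactive"),
    ("2011-03-01T23:14:02", "WS-1042", "WS-1042", "network"),
    ("2011-03-02T02:31:55", "ws-2210", "WS-1077", "network"),
    ("2011-03-02T09:00:07", "jsmith",  "WS-1042", "interactive"),
]


def is_computer_account(account: str) -> bool:
    """Active Directory computer accounts carry a trailing '$'; those
    legitimately authenticate under the host name and must not be flagged."""
    return account.endswith("$")


def looks_like_workstation(name: str) -> bool:
    return bool(WORKSTATION_RE.match(name))


def baseline_user_accounts(records):
    """Accounts that have performed an interactive logon form a rough
    baseline of 'known humans' for the unfamiliar-account check."""
    return {acct for _, acct, _, ltype in records if ltype == "interactive"}


def find_suspicious_logons(records):
    """Return records whose account name follows the host convention instead
    of the user convention, equals the source workstation name, or has never
    been seen logging on interactively. Computer accounts are skipped."""
    known_users = baseline_user_accounts(records)
    flagged = []
    for ts, account, host, logon_type in records:
        if is_computer_account(account):
            continue
        reasons = []
        if looks_like_workstation(account):
            reasons.append("account named like a workstation")
        if account.lower() == host.lower():
            reasons.append("account name equals source host")
        if logon_type == "network" and account not in known_users:
            reasons.append("network logon by account with no interactive history")
        if reasons:
            flagged.append({"time": ts, "account": account,
                            "host": host, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_suspicious_logons(SAMPLE_LOGONS):
        print(hit["time"], hit["account"], "from", hit["host"], "->", "; ".join(hit["reasons"]))
```

The three checks are deliberately independent: the convention mismatch is what Schwartz describes, the account-equals-host test catches the exact case quoted, and the no-interactive-history rule is a cheap baseline that does not depend on knowing the convention at all. The `$` exclusion matters in practice, since every domain-joined machine authenticates under its own host name and would otherwise drown the output in false positives.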
Heiser said the sophistication level of the attacks was very high. They used advanced techniques to connect to RSA’s systems and used different malware, some of which the attackers compiled just hours before. The attackers were able to compress and encrypt the stolen information before extracting it, making it more difficult to identify.
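Compressing and encrypting data before moving it out defeats content inspection, but it leaves a measurable trace: the bytes look close to uniformly random. The following is an added example written for this page (not RSA's or NetWitness's detection logic) showing how a defender can score captured payloads by Shannon entropy and separate archive-like blobs, which still carry a recognisable header, from opaque high-entropy blobs that carry none. The thresholds, the archive signature table and the three sample payloads are constructed assumptions.

```python
import math
import random
import zlib
from collections import Counter

# Assumed thresholds (bits per byte). English text sits near 4-5 bits;
# compressed or encrypted data approaches the 8-bit maximum.
HIGH_ENTROPY = 6.5

# Leading bytes of common archive/stream formats. A high-entropy payload
# that starts with one of these is most likely a compressed archive;
# one that starts with none of them is opaque (possibly encrypted).
ARCHIVE_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"Rar!": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
ZLIB_SECOND_BYTES = {0x01, 0x5e, 0x9c, 0xda}  # common zlib header variants


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def archive_format(data: bytes):
    for magic, name in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return name
    if len(data) >= 2 and data[0] == 0x78 and data[1] in ZLIB_SECOND_BYTES:
        return "zlib"
    return None


def classify_payload(data: bytes) -> dict:
    """Label a payload as plaintext-like, a compressed archive, or an opaque
    high-entropy blob, returning the entropy so the caller can tune thresholds."""
    ent = shannon_entropy(data)
    fmt = archive_format(data)
    if ent < HIGH_ENTROPY:
        label = "plaintext-like"
    elif fmt is not None:
        label = "compressed archive"
    else:
        label = "opaque high-entropy"
    return {"entropy": round(ent, 3), "format": fmt, "label": label, "size": len(data)}


def sample_payloads():
    """Constructed test data: pseudo-text, its zlib compression, and a
    seeded pseudo-random blob standing in for ciphertext."""
    rng = random.Random(2011)
    words = ["token", "seed", "serial", "customer", "export", "report",
             "quarterly", "revenue", "engineering", "schedule", "meeting"]
    plain = " ".join(rng.choice(words) for _ in range(8000)).encode()
    compressed = zlib.compress(plain, 9)
    opaque = bytes(rng.getrandbits(8) for _ in range(len(compressed)))
    return plain, compressed, opaque


if __name__ == "__main__":
    for name, blob in zip(("plain", "compressed", "opaque"), sample_payloads()):
        print(name, classify_payload(blob))
```

Entropy alone is not a verdict: ordinary TLS sessions and legitimate archive uploads score just as high, so in practice the score is joined with destination reputation, transfer volume and the sending host's role before anything is raised. Its value is as a triage feature that does not depend on being able to read the content.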
RSA went into lock-down mode, giving employees free food round-the-clock for a month while they investigated. The two hacker groups stole specific information about SecurID, but RSA declined to say what they stole. Coviello said the “piece of information was important” but it was only one piece of information.
RSA’s follow-up with its customers was slow, causing concern over SecurID. RSA offered to replace SecurID tokens for customers, although Coviello said a small number of customers requested replacements.
The motive for the attack against RSA was clearly to gain access to U.S. defense-related technology, Heiser said. RSA reached out to about 500 of its top customers while also using its partner network to contact others. Nonetheless, many companies felt left out of the loop, wondering if their systems were vulnerable.
“We had our trial by fire,” Heiser said. “Many stakeholders felt we could have done more and we should have done more sooner, and to those customers we inconvenienced, we truly apologize.”
Heiser said media reports have not always been accurate. To date, there has been only one attack that tried to use the SecurID information taken from RSA. The company attacked — which Heiser did not identify — was in the defense industry, but the attack was ultimately unsuccessful. The RSA breach threatened companies including Lockheed Martin, L-3 and Northrop Grumman.
“They were stealthy but they did leave some information behind,” Heiser said.