RSA explains how hackers stole critical SecurID data

Published 5 April 2011

Cyber security giant RSA detailed how hackers recently infiltrated its systems and stole critical data related to its SecurID two-factor authentication products, which are used by the Department of Defense, major banks, and other government agencies around the world; hackers used a “spear-phishing attack,” fake emails containing malicious code, to first gain access to its networks; once inside the network, hackers were able to target high-level RSA employees with access to sensitive information and copy their data; experts warn that these types of attacks primarily exploit people, so educating employees not to open these types of emails that may contain malicious code is critical

Last Friday, cyber security giant RSA detailed how hackers recently infiltrated its systems and stole critical data related to its SecurID two factor authentication products, which are used by the Department of Defense, major banks, and other government agencies around the world.

RSA’s investigation found that hackers had used a “spear-phishing attack,” fake emails containing malicious code, to first gain access to its networks.

The attackers sent two series of emails titled “2011 Recruitment Plan” with an Excel spreadsheet attached to RSA’s Human Resources department.


According to Uri Rivner, the head of new technologies at RSA’s consumer identity protection group, “The attacker in this case installed a customized remote administration tool known as Poison Ivy RAT variant.”

In a blog post, Rivner explained that with this setup, the infected PC pulls commands from an external server instead of receiving commands from a control server.

“This connectivity method makes them more difficult to detect, as the PC reaches out to the command and control rather than the other way around,” he said.

The Poison Ivy RAT variant has been successfully used in several other attacks including the cyber raids against Google in late 2009 where the email accounts of Chinese dissidents were stolen.
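The outbound “pull” pattern Rivner describes above is what defenders typically hunt for in proxy or firewall logs: an internal host contacting one external destination at near-constant intervals. The following is an added example, not code from the article or from RSA; the log lines, host names and thresholds are constructed values.

```python
# Added example (not from the article or RSA): flag hosts that reach out to
# one external destination at near-constant intervals, the outbound "pull"
# pattern described above. Log lines and thresholds are constructed values.

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-log sample: "timestamp src_ip dst_host"
SAMPLE_LOG = """\
2011-03-01T09:00:00 10.1.1.5 updates.example-cdn.invalid
2011-03-01T09:00:01 10.1.1.5 mail.internal.invalid
2011-03-01T09:05:00 10.1.1.5 updates.example-cdn.invalid
2011-03-01T09:07:13 10.1.1.5 mail.internal.invalid
2011-03-01T09:10:01 10.1.1.5 updates.example-cdn.invalid
2011-03-01T09:15:00 10.1.1.5 updates.example-cdn.invalid
2011-03-01T09:19:44 10.1.1.5 mail.internal.invalid
2011-03-01T09:20:00 10.1.1.5 updates.example-cdn.invalid
2011-03-01T09:31:22 10.1.1.5 mail.internal.invalid
"""

def parse_log(text):
    """Group connection timestamps by (source, destination) pair."""
    conns = defaultdict(list)
    for line in text.strip().splitlines():
        ts, src, dst = line.split()
        conns[(src, dst)].append(datetime.fromisoformat(ts))
    return conns

def find_beacons(text, min_count=5, max_cv=0.1):
    """Return (src, dst, mean_interval_s) for pairs whose inter-arrival
    times are nearly constant: coefficient of variation <= max_cv.
    min_count and max_cv are assumed tuning values, not from the article."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_count:
            continue  # too few connections to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((src, dst, round(avg)))
    return hits

if __name__ == "__main__":
    for src, dst, period in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{period}s")
```

The irregular mail traffic in the sample is excluded by its jitter, while the five-minute check-ins are reported; in practice the thresholds need tuning against legitimate periodic traffic such as update checks.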

Once inside the network, hackers were able to target high-level RSA employees with access to sensitive information and copy their data. After retrieving the information they wanted, hackers then exported it to an external website where they downloaded and erased it to hide their tracks.

Rivner called the attack on RSA networks an advanced persistent threat (APT).

“One cannot stress enough the point about APTs being, first and foremost, a new attack doctrine built to circumvent the existing perimeter and endpoint defenses,” he claimed.

Security analysts disagree with Rivner, arguing that APTs are not new, and believe that Rivner is trying to spin the situation.

Rick Wanner at the SANS Internet Storm Center wrote, “There is very little in this attack that is particularly sophisticated. The big question is, what are the defenses that would have prevented or reduced the impact of this attack?”

Wanner explains that hackers are primarily exploiting people, and so educating employees to not open these types of emails that may contain malicious code is critical.

“The more users who know how to analyze an email to test its legitimacy the less likely an attack like this will succeed,” he says.

Wanner believes that a new “defense paradigm” must be developed. “The traditional paradigm of a well protected perimeter with a soft inside should be dead. There are just too many ways to circumvent the perimeter, spear phishing being just one.”

RSA is one of the primary providers of two-factor authentication products, a highly secure way to identify an individual requesting permission to access information.

Some of the world’s largest organizations and government agencies rely on RSA’s SecurID including the Department of Defense, Lockheed Martin, First National Bank, and the French Ministry of Education.

RSA has been vague about what data was stolen, but the company has been working with Pentagon security officials to secure their networks in light of the attack.


Adobe has said that it has fixed the security flaw in its Flash, Reader, and Acrobat products that hackers exploited in the RSA attacks.