RSA blames nation-state for SecurID cyberattack

Published 18 October 2011

Last week at a press conference in London, RSA executives revealed more details about the cyberattack that stole information regarding the company’s SecurID authentication tokens in March; Art Coviello, the executive chairman of RSA, said two well-known hacker groups as well as a nation-state collaborated to infiltrate the company’s networks

Last week at a press conference in London, RSA executives revealed more details about the cyberattack that stole information regarding the company’s SecurID authentication tokens in March.

“We know there were two groups because of the methodology in the attack,” said Art Coviello, the executive chairman of RSA. “We have not attributed the attack to a particular nation state, although we are very confident, with the skill and the degree and the resource behind the attack, that it could only have been perpetrated by a nation state.”

Investigators were able to find evidence of the hackers, but not enough to trace it back to a particular nation state.

Tom Heiser, RSA’s president, added that the two hacker groups collaborated to steal RSA’s data.

“The adversaries were seen to switch connective techniques, malware and origin during the connection,” Heiser said. “There were two groups involved. Both groups were known to authorities, but they had never been known to work together before.”

He went on to say, “It took them a lot of co-operation to put this together.”

Using a series of phishing attacks on RSA employees, the attackers sent emails that appeared to come from trusted sources, such as the company itself or a person the employee knew, to deliver malware that gave them a foothold inside RSA’s networks.

From there, the attackers gained further access to the company’s systems and slowly worked their way deeper into its networks. According to RSA, they used sophisticated methods to avoid detection, such as configuring the machines they controlled to blend in with RSA’s internal Microsoft Active Directory (Microsoft’s directory service, which holds an organization’s user and computer accounts, including their credentials, and enforces its security policies) and adopting the same host-naming conventions used on RSA’s corporate network.
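A practitioner’s counterpart to the evasion described above is a reconciliation check: a host that follows the corporate naming convention but has no matching Active Directory computer account is exactly the kind of imposter that blends in. The following is an added example written for this page, not code from RSA or from the article; the naming convention (CORP-WS-nnnn / CORP-SRV-nnnn), the AD inventory, and the log lines are all constructed for illustration.

```python
"""Reconcile observed hostnames against an AD computer inventory.

Added example, not from RSA or the article. Flags hosts that imitate the
corporate naming convention but have no Active Directory computer account
("lookalike"), and hosts that follow no convention at all ("foreign").
Every input below is constructed for illustration.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind host src_ip line")

# Hypothetical naming convention: CORP-<WS|SRV>-<4 digits>, e.g. CORP-WS-0421.
NAMING_RE = re.compile(r"^CORP-(?:WS|SRV)-\d{4}$", re.IGNORECASE)

# Hypothetical export of AD computer account names (e.g. from Get-ADComputer),
# normalised to upper case so comparisons are case-insensitive.
AD_COMPUTERS = {"CORP-WS-0421", "CORP-WS-0422", "CORP-SRV-0007"}

# Constructed key=value style logon log lines; not real RSA logs.
SAMPLE_LOG = """\
2011-03-03T09:12:01 src=10.20.4.17 host=CORP-WS-0421 user=jsmith event=logon
2011-03-03T09:15:44 src=10.20.4.91 host=CORP-WS-0423 user=jsmith event=logon
2011-03-03T09:16:02 src=10.20.4.91 host=corp-ws-0423 user=svc_backup event=logon
2011-03-03T09:20:10 src=10.20.9.5 host=CORP-SRV-0007 user=admin event=logon
2011-03-03T09:31:55 src=10.20.4.200 host=DESKTOP-7H3K2 user=jsmith event=logon
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)")


def parse_line(line):
    """Extract (src_ip, HOSTNAME, user) from one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("host").upper(), m.group("user")


def classify_host(host, inventory=AD_COMPUTERS):
    """Return 'known' (has an AD account), 'lookalike' (fits the convention
    but has no AD account) or 'foreign' (fits no convention)."""
    if host in inventory:
        return "known"
    if NAMING_RE.match(host):
        return "lookalike"
    return "foreign"


def find_suspect_hosts(log_text, inventory=AD_COMPUTERS):
    """Return one Finding per distinct (kind, host, src_ip) that is not a known host."""
    findings = []
    seen = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, host, _user = parsed
        kind = classify_host(host, inventory)
        if kind == "known":
            continue
        key = (kind, host, src)
        if key in seen:  # collapse repeated logons from the same imposter
            continue
        seen.add(key)
        findings.append(Finding(kind, host, src, line))
    return findings


if __name__ == "__main__":
    for f in find_suspect_hosts(SAMPLE_LOG):
        print(f"{f.kind:9} {f.host:14} {f.src_ip}")
```

The lookalike class is the interesting one: a name that passes a casual glance at the logs but is absent from the directory. In practice the inventory would be pulled from AD on a schedule and the check run over DHCP, Kerberos or VPN logs, and a lookalike hit would be treated as a higher-priority alert than a foreign host, because it implies the attacker already knows how the environment is named.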

In March RSA revealed that its networks had been hit and that hackers had stolen information regarding its SecurID products, a two-factor authentication system used by major government agencies and private businesses around the world, including the Department of Defense, Lockheed Martin, and Wells Fargo.