RSA: "We were hacked by a nation state"
The two top executives at RSA, Art Coviello (chairman) and Tom Heiser (president), have both used their opening keynotes at the RSA Conference in London to provide details concerning the attacks in March. Coviello said that his company is confident that a nation state was behind the attacks because of the skill, sophistication and resources that were involved. However, he added that the available evidence is insufficient to attribute the attacks to a particular state. The executive explained that the attacks were carried out by two individual groups, adding that both groups were already known to the investigating authorities, but that it wasn't previously known that they co-operated with each other.
According to Coviello, it has become clear that RSA wasn't the actual attack target. Instead, the attackers probably wanted to use the stolen information for further attacks on other companies. The executive continued to insist that the stolen RSA data has not led to any successful attacks. The attack on Lockheed Martin was thought to be a consequence of the RSA hack, but it was averted in time. The RSA executives said that the nature of the data that was stolen from RSA can't be revealed because investigations are still in progress. The only statement Coviello repeated was that only partial SecurID information left his company. Nevertheless, RSA replaced around 40 million customer tokens in June.
RSA itself was very probably hacked via a targeted phishing attack on a member of staff. It is believed that the email attachment was an Excel spreadsheet that exploited a zero-day hole in Adobe Flash, but RSA has not officially confirmed this. What is known is that the malware used in the attack was compiled only hours before the attack, and that previously unknown methods were used to compress and encrypt the stolen data.
Tom Heiser apologised to RSA customers for the unpleasant surprise of being informed about the break-in at the same time as the rest of the world. The RSA executive said that the breach was publicised a few hours after it had been discovered, and that the most important of RSA's more than 17,000 customers were only notified individually afterwards.
Apparently, the company wanted to prevent any information from leaking while individual customers were notified. This was probably the reason for the chosen approach, which was criticised by a large number of customers. Heiser related the story of a meeting with the CIO of a medical device manufacturer a few weeks after the hack: "The CIO was really angry. It wasn't a pleasant conversation, I can assure you that."
(Uli Ries / djwm)