A sophisticated attack against RSA, the security division of EMC, shares characteristics with similar attacks against Western firms, according to the security blog Krebsonsecurity.
Despite RSA’s claims that it was the victim of a unique and targeted attack, research into the incident by reporter Brian Krebs found that Websites used in the attack are well known to cyber investigators and have been fingered in previous attacks against different firms.
The sites, Good[DOT]mincesur[DOT]com, up82673[DOT]hopto[DOT]org and www[DOT]cz88[DOT]net, weren’t one-time, throw-away attack sites. They have instead been used a number of times, and have in fact earned something of a reputation as launching sites for these sorts of attacks in the year leading up to the RSA breach, according to Gunter Ollman, Vice President of Research at security firm Damballa. That company has been monitoring the three domains for the last year. Other major companies have also linked attacks on their networks and employees back to the same three domains, Ollman told Krebs. He declined to name those firms, citing the need for confidentiality because of ongoing criminal investigations.
The report raises important questions. Among them, why RSA failed to block three Web addresses that had been linked to prior targeted attacks. Ollman claims that the domains and associated malware were definitely known about for some time and that the organizations in questions, quite simply and inexcusably, failed to block them.
Security experts and EMC/RSA executives pointed the finger of blame for the attacks on China. An expert who spoke to Krebs on conditions of anonymity was less accusatory. He said that there is a “concerted and organized national level strategy being orchestrated against our country and others,” and that if the security industry, our government, and others don’t work together on a collective defense to address this issue, then we run the “risk of being completely overwhelmed and outmatched.”