Report: RSA Hack Part Of Larger Operation

A sophisticated attack against RSA, the security division of EMC, shares characteristics with similar attacks against Western firms, according to the security blog Krebsonsecurity.

Despite RSA’s claims that it was the victim of a unique and targeted attack, research into the incident by reporter Brian Krebs found that Websites used in the attack are well known to cyber investigators and have been fingered in previous attacks against different firms.

The sites, Good[DOT]mincesur[DOT]com, up82673[DOT]hopto[DOT]org and www[DOT]cz88[DOT]net, weren’t one-time, throw-away attack sites. They have instead been used a number of times, and have in fact earned something of a reputation as launching sites for these sorts of attacks in the year leading up to the RSA breach, according to Gunter Ollman, Vice President of Research at security firm Damballa. That company has been monitoring the three domains for the last year. Other major companies have also linked attacks on their networks and employees back to the same three domains, Ollman told Krebs. He declined to name those firms, citing the need for confidentiality because of ongoing criminal investigations.

The report raises important questions. Among them is why RSA failed to block three Web addresses that had been linked to prior targeted attacks. Ollman claims that the domains and associated malware were definitely known about for some time and that the organizations in question, quite simply and inexcusably, failed to block them.
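The blocking failure Ollman describes comes down to matching outbound requests against known indicators. The following Python is added here as an illustration; it is not part of the original report or of any vendor's tooling. It refangs the three defanged domains quoted above into a blocklist and checks a constructed proxy log (the log format, timestamps and client addresses are made up for the example) against it, matching subdomains of a listed domain while not matching hosts that merely contain a listed name as a prefix.

```python
import re
from typing import Dict, List, Set
from urllib.parse import urlsplit

# The three domains named in the report, exactly as they are defanged there.
DEFANGED_INDICATORS = [
    "Good[DOT]mincesur[DOT]com",
    "up82673[DOT]hopto[DOT]org",
    "www[DOT]cz88[DOT]net",
]

# Constructed sample proxy log: "<timestamp> <client> <method> <url> <status>".
# The last line is a deliberate near-miss: it contains "cz88.net" but is a
# different domain and must not be flagged.
SAMPLE_PROXY_LOG = """\
2011-03-17T10:22:01Z 10.1.2.3 GET http://www.example.com/ 200
2011-03-17T10:22:05Z 10.1.2.3 GET http://Good.mincesur.com/index.asp 200
2011-03-17T10:23:40Z 10.1.2.9 GET http://cdn.up82673.hopto.org/update.bin 200
2011-03-17T10:24:12Z 10.1.2.9 GET http://www.cz88.net/ 302
2011-03-17T10:25:00Z 10.1.2.4 GET http://cz88.net.example.org/ 200
"""


def refang(indicator: str) -> str:
    """Turn a defanged hostname ("a[DOT]b[.]c", "a(dot)b") into a normalized lowercase domain."""
    host = re.sub(r"\[\s*(dot|\.)\s*\]", ".", indicator, flags=re.IGNORECASE)
    host = re.sub(r"\(\s*dot\s*\)", ".", host, flags=re.IGNORECASE)
    return host.strip().strip(".").lower()


def build_blocklist(indicators: List[str]) -> Set[str]:
    """Normalize every indicator so that lookups are exact string matches."""
    return {refang(i) for i in indicators}


def is_blocked(hostname: str, blocklist: Set[str]) -> bool:
    """Match the host itself or any parent domain on the list.

    "cdn.up82673.hopto.org" matches the entry "up82673.hopto.org", but
    "cz88.net.example.org" does not match "www.cz88.net": matching walks
    label boundaries from the left, never raw substrings.
    """
    labels = hostname.strip().strip(".").lower().split(".")
    # Never test the bare TLD on its own; every candidate keeps at least two labels.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def scan_proxy_log(log_text: str, blocklist: Set[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose destination host is on the blocklist."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than failing the whole scan
        timestamp, client, _method, url = parts[:4]
        host = urlsplit(url).hostname or ""  # .hostname is already lowercased
        if is_blocked(host, blocklist):
            hits.append({"time": timestamp, "client": client, "host": host})
    return hits


if __name__ == "__main__":
    blocklist = build_blocklist(DEFANGED_INDICATORS)
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG, blocklist):
        print(f"{hit['time']} {hit['client']} -> {hit['host']} BLOCKLISTED")
```

Parent-domain matching is what catches a throw-away subdomain such as the dynamic-DNS host in the list; the label-boundary walk is what keeps an unrelated domain that happens to end in the same characters from producing a false positive. The same function can be run against DNS query logs by feeding it the queried name instead of a URL host.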

Security experts and EMC/RSA executives pointed the finger of blame for the attacks at China. An expert who spoke to Krebs on condition of anonymity was less accusatory. He said that there is a “concerted and organized national level strategy being orchestrated against our country and others,” and that if the security industry, our government, and others don’t work together on a collective defense to address this issue, then we run the “risk of being completely overwhelmed and outmatched.”

Discussion

  • Anonymous on

    "Despite RSA's claims that it was the victim of a unique and targeted attack, research into the incident by reporter Brian Krebs found that Websites used in the attack are well known to cyber investigators and have been fingered in previous attacks against different firm..."

    Does anyone doubt that the security team for a multi-billion $$$ company like EMC would be so dumb and irresponsible not to update its block lists if it actually had knowledge of these websites, IP addresses and malicious domains that were supposedly so "well-known" to cyber investigators? Well-known to some does not mean well-known to the rest of the security industry unless you're part of the Fed's inner circle or if you pay out of nose to a firm like Damballa to get their privileged threat intel feed.

    At what point will the public and private sectors get real about information sharing so the rest of the world can at least have a fighting chance against attackers like those that got at RSA, Sony, Epsilon, Komodo and the laundry list of others this year?
