MALAGA, SPAIN–An RSA official on Friday offered more details of the attack the company suffered earlier this year in which thieves made off with key data related to the RSA SecurID two-factor authentication system. The attack, he said, targeted just four employees and was executed by a group he said was highly skilled and experienced.
The attack on RSA in March has been the subject of much speculation and concern in the industry for a number of reasons, not the least of which is the huge number of large companies, federal agencies and defense contractors that used the SecurID system. Recent attacks against Lockheed Martin and other defense heavyweights have been linked to the SecurID compromise, which RSA officials said involved information that could reduce the security of the tokens.
Speculation has centered on the theory that the attackers may have stolen the cryptographic seeds for some of the tens of millions of deployed SecurID tokens. RSA officials have not said exactly what was taken. But, speaking during a panel discussion on targeted attacks at the Kaspersky Lab International Press Tour here Friday, Uri Rivner, head of new technologies in the identity protection division at RSA, said the company had concluded that the attack was the work of very, very good attackers.
“The team that attacked us was very organized and very experienced. They had a lot of practice,” he said. Rivner likened the attackers to SEAL Team Six in that they were well-prepared, trained and organized.
Rivner said that the attack, which came in the form of well-crafted spear phishing emails containing an Excel spreadsheet with an exploit loaded in it, targeted just four employees at RSA, and only one of them actually opened the email and the attachment. Once that was done, the exploit code inside used a then-unknown Adobe Flash vulnerability to gain control of the user’s machine, and the attackers were off and running.
During the panel, the speakers said that even though the RSA attack and other recent attacks have involved the use of zero-day vulnerabilities, that isn’t necessarily typical.
“I would say that the vast majority of attacks out there are against older bugs, not zero days,” said David Lenoe, head of the Product Security Incident Response Team at Adobe, which also was the victim of a targeted attack last year.