SecurID Attack Was the Work of ‘Very Experienced’ Attackers

MALAGA, SPAIN–An RSA official on Friday offered more details of the attack the company suffered earlier this year in which thieves made off with key data related to the RSA SecurID two-factor authentication system. The attack, he said, targeted just four employees and was carried out by a highly skilled and experienced group.

The attack on RSA in March has been the subject of much speculation and concern in the industry for a number of reasons, not the least of which is the huge number of large companies, federal agencies and defense contractors that used the SecurID system. Recent attacks against Lockheed Martin and other defense heavyweights have been linked to the SecurID compromise, which RSA officials said involved information that could reduce the security of the tokens.

Speculation has centered on the theory that the attackers may have stolen the cryptographic seeds for some of the tens of millions of deployed SecurID tokens. RSA officials have not said exactly what was taken. But, speaking during a panel discussion on targeted attacks at the Kaspersky Lab International Press Tour here Friday, Uri Rivner, head of new technologies in the identity protection division at RSA, said the company had concluded that the attack was the work of very, very good attackers.

“The team that attacked us was very organized and very experienced. They had a lot of practice,” he said. Rivner likened the attackers to SEAL Team Six in that they were well-prepared, trained and organized.

Rivner said that the attack came in the form of well-crafted spear phishing emails containing an Excel spreadsheet with an exploit loaded in it. The emails targeted just four employees at RSA, and only one of them actually opened the email and the attachment. Once that was done, the exploit code inside used a then-unknown Adobe Flash vulnerability to gain control of the user’s machine and the attackers were off and running.

During the panel, the speakers said that even though the RSA attack and others done recently have involved the use of zero day vulnerabilities, that isn’t necessarily typical.

“I would say that the vast majority of attacks out there are against older bugs, not zero days,” said David Lenoe, head of the Product Security Incident Response Team at Adobe, which also was the victim of a targeted attack last year.

Discussion

  • Anonymous on

    Nothing in the description or anything in the information they have released suggests "highly skilled and experienced". What it suggests is embarrassment on their part.

  • Anonymous on

    Is it not possible to block *.pdf attachments from being delivered?  I'm just an ordinary bloke, but I stay far away from any Adobe product on the machine I use for online banking, etc.  After all the Adobe exploits of the last few years, you'd think a security company would be a bit leery of them.

  • Anonymous on

    Looks like in RSA there's no sufficient user education.
  • Anonymous on

    It was most likely a few children with talent beating the old guys at chess. 

  • JK on

    Nothing suggests "highly skilled and experienced"?  I disagree.  It is one thing to look for published vulnerabilities that should have been patched; it is something else entirely to look at the design of something, see a vulnerability that masses of others have missed and to exploit it.  Sure it required an employee to bite on a 'hook,'  but usually IT workers are a bit more cautious about what they open.  Not only were they technically skilled, but they had the right mix of people skills to get one of four employees to open the hook.
