The Rsa Hack: How They Did It

Google+ Pinterest LinkedIn Tumblr +

The hack last month at RSA Security has been shrouded in mystery.

How did a hacker manage to infiltrate one of the world’s top computer-security companies? And could the data that was stolen be used to impair its SecurID products, which are used by 40 million businesses that are trying to keep their own networks safe from intruders?

The division of the EMC Corporation is staying mum about what exactly was stolen from its computer systems, aside from that it was data related to SecurID.

But on Friday RSA shed some light on the nature of the attack. In a blog post titled “Anatomy of an Attack,” the company’s head of new technologies, Uri Rivner, described a three-stage operation that was similar to several other recent prominent attacks on technology companies, including a 2009 attack on Google that it said originated in China.

In the attack on RSA, the attacker sent “phishing” e-mails with the subject line “2011 Recruitment Plan” to two small groups of employees over the course of two days. Unfortunately, one was interested enough to retrieve one of these messages from his or her junk mail and open the attached Excel file. The spreadsheet contained malware that used a previously unknown, or “zero-day,” flaw in Adobe’s Flash software to install a backdoor. RSA said that Adobe had since released a patch to fix that hole.

After installing a stealthy tool that allowed the hacker to control the machine from afar, he stole several account passwords belonging to the employee and used them to gain entry into other systems, where he could gain access to other employees with access to sensitive data, Mr. Rivner said.

Then came stage three: spiriting RSA files out of the company to a hacked machine at a hosting provider, and then on to the hacker himself.

The attacker left few traces. But an unclassified document from the United States Computer Emergency Readiness Team (US-CERT) obtained by the blogger Brian Krebs revealed three Web addresses used in the intrusion, one of which includes the letters “PRC,” which could refer to the People’s Republic of China — or it could be a ruse.

According to Mr. Rivner, it’s difficult for companies with the world’s most sophisticated defenses to stop this newfangled “advanced persistent threats,” which are made potent by the combination of low-tech “social-engineering” cons and a high-tech zero-day attack that antivirus software won’t recognize.

That RSA detected the attack in progress was a victory, he argued. Many other companies hit by similar attacks “either detected the attacks after months, or didn’t detect them at all and learned about it from the government,” he said. “As an industry, we have to act fast and develop a new defense doctrine; the happy days of good old hacking are gone, and gone too are the old defense paradigms.”

But some security experts ridiculed the notion that the attack was sophisticated. Jeremiah Grossman, founder of WhiteHat Security, posted on Twitter: “I can’t tell if this RSA APT blog post is actually being serious or an April 1st gag. The content is absurd either way.”

Share.

About Author

Leave A Reply