RSA says attacks on its web security system that put US defense contractors at greater risk were ordered by a nation state. It’s not naming names, and thus passing on any guesses at this stage would simply be Chinese whispers.
RSA offers a security tool named SecurID that is commonly used for regulating remote access to a corporate network. It goes a step beyond simply requiring a user name and password, for example by requiring users to have a physical “key” in the form of a USB stick.
In March the company was attacked and information about SecurID stolen, an event which it kept under wraps until April. In June it admitted the stolen details had been used in an unsuccessful attack on defense firm Lockheed Martin.
Speaking at a conference this week, company chairman Art Coviello discussed the original attack on RSA itself. Naked Security quotes him as saying it was the work of two groups from the same country, working together:
“We’ve not attributed it to a particular nation state although we’re very confident that with the skill, sophistication and resources involved it could only have been a nation state.”
RSA has also revealed that the hackers had inside information: they knew the system used for naming the various machines on its network. That made it much easier for them to make their way around the system without detection.
The company still isn’t revealing exactly what was stolen. The best bet seems to be that it was the database that generates the codes used on the USB sticks. There’s speculation the hackers have the ability to generate bogus codes, but not to customize them successfully for a particular target.
Why RSA isn’t naming the country isn’t clear, though it may be a case of “knowing” but not having any incontrovertible proof. It does certainly appear its strategy now is to give as much weight as possible to the idea this was a nation state going after US defense interests, with RSA simply getting caught in the crossfire.