After six months of investigation into the data breach that pulled the rug out from under the two-factor authentication system that guarantees 40 million people in 30,000 organizations worldwide are who they say they are, RSA announced yesterday it had identified the culprits behind the attack: Hackers and "a nation state."
RSA president Tom Heiser refused to be any more precise than that in identifying who, specifically, RSA believes broke into its SecureID database, reportedly by sending spear-phishing emails to HR staffers at EMC, RSA's parent company.
The emails reportedly carried Excel files containing malware that would use a security flaw in Adobe's Flash graphics program to give itself rights to the user's computer and allow it to metastasize to other servers through the network.
The attack netted attackers code and algorithms that enabled them to generate their own SecureID tokens to fake authentication on other systems.
The stolen code is blamed for the successful break-in at defense contractor Lockheed Martin in May, in which attackers got access to servers holding information secure government and corporate project-development plans; L3 Communications and defense contractor Northrup Grumman also blamed the stolen tokens for attempts to crack their security at about the same time.
The attack angered RSA customers not only for undermining their own security, but because RSA refused to give them enough information to judge the risk themselves.
The attack took place in March; it was June before RSA announced it would replace the secure tokens of many customers, partly in response to the Lockheed Martin attack.
Attack was persistent, sophisticated
You have to take with a grain of salt the statement from any company that the people who cracked it were "determined, persistent and very well coordinated," as Heiser said about RSA's data breach during a press conference yesterday.
Who wants to announce they'd been cracked by script kids?
The details Heiser announced seemed to back up the evaluation.
Targeting only certain users in EMC's HR department with malware-encrusted email pretending to be genuine business correspondence – a technique called spear phishing for its selectivity compared to the email-blast approach of sending poison email to everyone with a mailbox on a certain domain – is consistent with attacks that have cracked servers at the Pentagon, FBI and other government agencies and contractors.
Once the spear-phishing messages did their job and hackers had access to EMC's network, they knew enough about the Active Directory structure to give themselves genuine-sounding usernames to avoid raising any red flags as they moved through EMC's system.
Attackers used "sophisticated" techniques to hack different servers, often using malware bombs customized and compiled just hours before the attack to burst through particular barriers, Heiser said.
After getting the data they were looking for, the attackers compressed and encrypted it, making identifying exactly what was stolen far more difficult, according to Eddie Schwartz, RSA's chief security officer.
The motive was clearly to give attackers a better weapon for further attacks on U.S. defense contractors or agencies, but so far only one attack has genuinely involved code stolen from RSA, Heiser said, declining to name the victim except to say the attack was ultimately unsuccessful.
Lockheed Martin, in announcing the breach, also said hackers had failed to reach their objective.
So who did it, already?
The attackers were "stealthy, but they did leave some information behind," according to Heiser, who said the company's delay in informing customers about details of the breach was to avoid tipping off the attackers to what RSA knew.
Neither Heiser nor EMC Executive Chairman Art Coviello would put a name to the two groups RSA is blaming for the attacks, or what information specifically incriminates them.
The level of sophistication behind the attack was such that "we can only conclude it was a nation-state sponsored attack," Coviello said.
In cybersecurity circles, "nation-state sponsored attack" is almost always a euphemism for "China," which has been implicated in more than a decades' worth of brazen and successful attacks on U.S. government agencies, defense contractors and the Pentagon.
A five-year series of cyberattacks code-named Night Dragon by security vendor McAfee, were so similar in technique and objective that it became almost certain they came from the same source, according to a McAfee report published in August. McAfee also declined to name the source except to call it a nation-state.
“All the signs point to China,” Vanity Fair quoted James A. Lewis, director and senior fellow of the Technology and Public Policy Program at the Center for Strategic and International Studies as saying.
Just during the past week a report from the CIA-affiliated Open Source Center found there were close ties between the Chinese telecommunications giant Huawei Technologies Co. and China's Ministry of State Security (MSS), which the Washington Times refers to as China's "KGB-like intelligence service."
The company's chairwoman, Sun Yafang worked for the MSS before joining Huawei, according to the report, was instrumental in getting MSS to help fund Huawei when it was founded in 1987, and recently paid Huawei $228.2 million for research and development work during the past three years.
The U.S.-China Economic and Security Review Commission – an 11-year-old investigatory and oversight group established by Congress to keep track of relations between the two countries – issued a similar report in January describing deep connections and cooperation between China's telecommunications industry and its intelligence services.
"Beijing is waging a massive trade war on us all, and we should band together to pressure them to stop," according to Mike Rogers, (R.-Mich.), chairman of the U.S. House of Representatives intelligence committee, said during a committee hearing on cybersecurity Oct. 4. "China's economic espionage has reached an intolerable level and I believe that the United States and our allies in Europe and Asia have an obligation to confront Beijing and demand that they put a stop to this piracy."
China is unquestionably the biggest threat to U.S. cybersecurity according to Greg Hoglund, CEO of U.S. security contractor HBGary, which became famous for being cracked ostentatiously by members of the LulzSec branch of the hactivist group Anonymous.
Why didn't RSA name China?
So, even if the evidence isn't boiler plated, why didn't RSA name China as the likely culprit?
Security companies don't want to lose business opportunities in the world's fastest-growing economy which is led by one of the world's most oversensitive governments.
China has been known to change its decisions on business deals, international trade talks and even treaty negotiations based on what government officials in other countries said or did about one of its pet obsessions – the Dalai Lama, Taiwan or the Falun Gong religious movement.
During the past month, China and South Africa have been at odds over whether South Africa would issue a visa allowing the Dalai Lama to attend a celebration of the 89th birthday for South African civil rights leader Archbishop Desmond Tutu.
The government of South Africa refused to grant the permit for more than two weeks, during which its deputy president traveled to Beijing to confirm a pledge from China that it would make more than $2.5 billion in investments in South African companies. China is South Africa's largest trading partner.
"Most security companies won't come out and say it," Hoglund said during an interview with technology information site Thinq_. "The [US] government won't seem to out them for what they're doing either."
That doesn't mean China or its typical attack method – malware inserted into networks via spear-phished emails, followed by persistent intrusion attempts using both direct cracking methods and other layers of malware, however.
"They're everywhere," Hoglund said of Chinese intrusion attempts. "Malware that looks like kids have written it is being used to steal weapons plans."
There is also some doubt about the evidence, according to some analysts.
Discrepancies in published reports about the attack and the risks existing at the time don't always match up, according to one analysis.
Given the bulk of circumstantial evidence, the prototypical method of the attack and China's track record in both intellectual property theft and cyberespionage, there is little doubt that it was behind the attack, Congressman Rogers told Reuters.
Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.