October 12, 2011, 11:40 AM — After six months of investigation into the data breach that pulled the rug out from under the two-factor authentication system that guarantees 40 million people in 30,000 organizations worldwide are who they say they are, RSA announced yesterday it had identified the culprits behind the attack: Hackers and "a nation state."
RSA president Tom Heiser refused to be any more precise than that in identifying who, specifically, RSA believes broke into its SecureID database, reportedly by sending spear-phishing emails to HR staffers at EMC, RSA's parent company.
The emails reportedly carried Excel files containing malware that would use a security flaw in Adobe's Flash graphics program to give itself rights to the user's computer and allow it to metastasize to other servers through the network.
The attack netted attackers code and algorithms that enabled them to generate their own SecureID tokens to fake authentication on other systems.
The stolen code is blamed for the successful break-in at defense contractor Lockheed Martin in May, in which attackers got access to servers holding information secure government and corporate project-development plans; L3 Communications and defense contractor Northrup Grumman also blamed the stolen tokens for attempts to crack their security at about the same time.
The attack angered RSA customers not only for undermining their own security, but because RSA refused to give them enough information to judge the risk themselves.
The attack took place in March; it was June before RSA announced it would replace the secure tokens of many customers, partly in response to the Lockheed Martin attack.
Attack was persistent, sophisticated
You have to take with a grain of salt the statement from any company that the people who cracked it were "determined, persistent and very well coordinated," as Heiser said about RSA's data breach during a press conference yesterday.
Who wants to announce they'd been cracked by script kids?
The details Heiser announced seemed to back up the evaluation.