Targeting only certain users in EMC's HR department with malware-encrusted email pretending to be genuine business correspondence – a technique called spear phishing for its selectivity compared to the email-blast approach of sending poison email to everyone with a mailbox on a certain domain – is consistent with attacks that have cracked servers at the Pentagon, FBI and other government agencies and contractors.
Once the spear-phishing messages did their job and hackers had access to EMC's network, they knew enough about the Active Directory structure to give themselves genuine-sounding usernames to avoid raising any red flags as they moved through EMC's system.
Attackers used "sophisticated" techniques to hack different servers, often using malware bombs customized and compiled just hours before the attack to burst through particular barriers, Heiser said.
After getting the data they were looking for, the attackers compressed and encrypted it, making identifying exactly what was stolen far more difficult, according to Eddie Schwartz, RSA's chief security officer.
The motive was clearly to give attackers a better weapon for further attacks on U.S. defense contractors or agencies, but so far only one attack has genuinely involved code stolen from RSA, Heiser said, declining to name the victim except to say the attack was ultimately unsuccessful.
Lockheed Martin, in announcing the breach, also said hackers had failed to reach their objective.
So who did it, already?
The attackers were "stealthy, but they did leave some information behind," according to Heiser, who said the company's delay in informing customers about details of the breach was to avoid tipping off the attackers to what RSA knew.
Neither Heiser nor EMC Executive Chairman Art Coviello would put a name to the two groups RSA is blaming for the attacks, or what information specifically incriminates them.
The level of sophistication behind the attack was such that "we can only conclude it was a nation-state sponsored attack," Coviello said.
In cybersecurity circles, "nation-state sponsored attack" is almost always a euphemism for "China," which has been implicated in more than a decade's worth of brazen and successful attacks on U.S. government agencies, defense contractors and the Pentagon.
The cyberattacks in a five-year series code-named Night Dragon by security vendor McAfee were so similar in technique and objective that it became almost certain they came from the same source, according to a McAfee report published in August. McAfee also declined to name the source except to call it a nation-state.