Two distinct groups were behind the March attack against RSA’s networks, said RSA president Tom Heiser, and they seem to have been directed in their efforts by a single nation-state.
Apparently, one group was very visible and one less so, but both have been known to the authorities for quite some time and this is the first time that they have been detected working together.
According to Computerworld, RSA’s executives declined to say which country was behind the attack, justifying their decision by saying that they didn’t want the attackers to know just how much the company knowns now about them.
But the hackers also knew a lot about the company – and knew exactly where and how to look and what they were after. RSA executive chairman Art Coviello still claims that the algorithm used in its SecurID tokens was not compromised, but said that the attackers did get their hands on “one piece of information that was important”.
They also knew things that made their movements inside the system unnoticeable for a while: the company’s use of Active Directory for authentication management inside the networks and its internal naming conventions for hosts.
They said that the attackers used advanced techniques and sophisticated malware, some of which was developed mere hours before being used. They cloaked the stolen information before exfiltrating it by using encryption and compression.
The executives still haven’t confirmed or denied whether the email discovered in August by an F-Secure researcher was the one with which the attackers initiated their attack, but they did say that the culprit was a booby-trapped Excel spreadsheet that opened a backdoor through which they gained access to the company systems.
In the end, they confirmed that which the public already suspected: that the attack on RSA was executed with the goal of stealing information that would be later used to penetrate the systems of – according to them – one U.S. military contractor. In the end, though, they were unsuccessful.