RSA Attack Traces to China

Monday, October 31, 2011 @ 04:10 PM gHale


Of the more than 300 command-and-control networks used in the March hack of RSA Security, 299 are in or around Beijing, according to security blogger Brian Krebs, citing information presented to congressional staffers.

In addition, there were 760 companies, government agencies and other organizations suffering hits from the same operation, according to the blog.

He also provides the list of organizations compromised by parts of the same control infrastructure used to attack RSA. He notes, however, that there are no details on how many networks in each organization suffered hits, how successful any of those attacks were, or whether some of the organizations, such as ISPs, ended up linked only incidentally.

The list includes the General Services Administration, IRS, Homeland Security Department, several universities and major IT companies, such as Cisco, Facebook, Google, IBM, Intel, Northrop Grumman, Research in Motion and Verisign.

The hack against RSA netted information about the company’s SecurID two-factor authentication tokens; that information was later used in a failed attempt to break into defense contractor Lockheed Martin.

At the company’s conference in London earlier this month, RSA’s Executive Chairman Art Coviello said the attacks “could only have been perpetrated by a nation-state,” because of the level of skill and resources required, but said RSA had not been able to identify the country.

The initial attack was an Advanced Persistent Threat targeting information about SecurID, the company has said. Attackers used phishing techniques on RSA employees to get them to click on a link that delivered a zero-day exploit.

Coviello said there were two groups of hackers working in tandem.

Until now, there hadn’t been mention of so many other organizations hit by the same group, although speculation about China’s involvement isn’t new.

However, the location of command-and-control servers doesn’t necessarily indicate the source of the attacks.
