RSA Hack Leads to China

Friday, August 5, 2011 @ 01:08 PM gHale

Control of the malware used in the attack against RSA Security earlier this year came from China, a botnet researcher said.

Joe Stewart, director of malware research for Dell SecureWorks, traced the command-and-control (C&C) servers used to oversee the RSA attack to networks in Beijing and Shanghai.

RELATED STORIES
SCADA Hacking via Search Engines
Help Wanted: Government Hackers
Feds Fear New Stuxnet Threats
Paranoia Means Better Security

“This gives us the where, but not the who,” said Stewart when asked whether his work had come up with clues about the attack’s architects.

In mid-March, RSA confirmed it was the target of an attack by hackers who breached its network defenses and stole proprietary information. Although RSA has never detailed the stolen data, it has admitted that information related to the company’s SecurID two-factor authentication products was part of the haul.

The attack was expensive for RSA, which said it had spent $66 million so far to replace customers’ SecurID tokens.

The attackers gained access to RSA’s network by convincing a small number of the company’s employees to open malware-infected Excel spreadsheets. The spreadsheets included an exploit for a then-unpatched vulnerability in Adobe’s Flash Player.

Later attacks on the defense contractor Lockheed reportedly utilized information obtained in the RSA hack.

Stewart uncovered the location of the malware’s command servers by using error messages displayed by a popular tool called “HTran,” which Chinese hackers often bundle with their code. HTran bounces traffic between multiple IP addresses to mask the real identity of the order-giving servers, making it appear, for instance, that the C&C servers are in the U.S. when they are not.

Those error messages came from debugging code left in HTran, a mistake by the malware’s eventual users, who Stewart believes were not the attack code’s writers. “They weren’t completely familiar with the tool, and they didn’t know that it would reveal the locations [of the C&C servers],” said Stewart.

“Occasionally you get this kind of opportunity,” said Stewart of the glitch that led him to the Chinese ISPs. “They make mistakes, too.”



Leave a Reply

You must be logged in to post a comment.