Computerworld Australia counts down the 10 biggest ICT stories of 2011

While the repeated hacking of Sony’s PlayStation Network service grabbed mainstream media attention this year, an even more surprising compromise was being played out with RSA’s SecurID tokens, earning it a place in the Top 10 Influential list for 2011.

The drama began on 18 March 2011 when security vendor RSA discovered it had been hit by an advanced persistent threat (APT) from an undisclosed nation state which took all the information stored on its SecurID tokens. These tokens are used on PCs, USB devices, phones and key fobs in many companies to provide an extra layer of security beyond a username and password for people logging into programs or networks.

Two weeks later, US government contractor Lockheed Martin was reportedly forced to pull access to its virtual private network after hackers compromised the SecurID technology.

However, it was not just US-based companies that were affected by the APT. Australian banks Westpac and ANZ announced in June that while there were no signs of compromise, a decision was made to replace all SecurID tokens in order to ease customers’ concerns. At the time Westpac would not say how many tokens were replaced but ANZ revealed it was re-issuing 50,000 new tokens to customers.

The story didn’t end there, as RSA came in for criticism from the international and Australian IT industry because details were slow in coming three months after the compromise took place. 2nd Phase founder, Campbell Bradford, questioned why RSA customers were waiting so long for replacement tokens. According to Bradford, Australian customers had invested in one of the most expensive systems on the market and had to “shell out” more expense recalling and redistributing tokens.

Rival security token vendors, SafeNet and CA, saw RSA’s APT as an opportunity to poach new business and began making special offers to affected RSA customers.

When RSA finally opened up to the media in August, ANZ general manager, Andy Solterbeck, said that the company “still had a few months” to go before all its tokens were replaced in the ANZ market. It had offered large customers, such as ANZ Banking Group, an early renewal of their contracts along with new devices, while smaller users were able to get free contract extensions.

Solterbeck said at the time there was “no question whatsoever” that the company suffered a nation-state-orientated APT attack. “The reason we say that was because of the level of the sophistication of the attack and specifically what they went after,” he said.

“We believe that we were one of the only commercial organisations that caught an APT in flight. Unfortunately we didn’t stop it in time but we did see it.”

The nightmare was not quite over yet for RSA with the discovery in October by US-based security blogger, Brian Krebs, that customers of Australian internet service providers (ISPs) including Telstra and iiNet may have been compromised. This was because hackers used the same command and control techniques that infiltrated RSA to target 760 companies around the world.

“It is not clear how many systems in each of these companies or networks were compromised, for how long those intrusions persisted, or whether the attackers successfully stole sensitive information from all of the victims,” Krebs wrote in his blog.

While RSA has learnt the hard way that even a security vendor is vulnerable to outside attacks, one positive aspect of the APT has been greater information sharing. RSA chief information security officer, Eddie Schwartz, told Computerworld Australia in October that the company now has “brothers in arms.”

“If you look around the defence industrial base, companies that support the defence community, they’ve all been hacked and had weapon systems and airplane designs stolen,” he said.

“That was a lesson learnt because you think you’re fighting a very difficult battle in isolation,” he said.

Finally in December, it was revealed that the APT managed to hack RSA’s security network because the company failed to update its Windows XP operating system. Qualys’ vulnerability and malware research labs director, Rodrigo Branco, found that while Windows XP includes data execution prevention (DEP) defensive technology it is not switched on by default – and RSA neglected to turn DEP on.