Expert Reveals the Story of RSA Hack

The theft of the original RSA SecurID token values compromised the cybersecurity of thousands of the company's customer networks.
In 2011, Chinese cybercriminal spies hacked into the networks of corporate cybersecurity giant RSA. The RSA hack was a massive attack on the supply chain. Government hackers working for the People's Liberation Army of China infiltrated digital security infrastructure around the world. Over the next decade, many of RSA's key executives remained silent about the incident as part of a 10-year nondisclosure agreement. According to Wired, the agreement has now expired.

Security expert Todd Leetham was involved in the investigation of the incident and was able to track the intruders to their final targets - secret keys, also known as seeds. Seeds are a collection of numbers that provide a fundamental level of cybersecurity to tens of millions of users in government, military, defense industries, banks and countless corporations around the world.

RSA stored the keys on a secure server. The keys were an essential component of one of RSA's flagship products, SecurID tokens. These devices, small key fobs, confirmed a user's identity by means of six-digit codes that constantly updated on the fob's screen. Stealing the seeds gave the hackers the ability to clone SecurID tokens, quietly defeat two-factor authentication, and bypass security anywhere in the world. Criminals could gain access to bank accounts, national security secrets, and more.
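To make the paragraph above concrete, here is an added illustration (not code from the article, RSA, or Wired) of why a seed is the whole secret in a one-time-password token. RSA's SecurID algorithm is proprietary, so the public RFC 6238 TOTP construction (HMAC-SHA1, dynamic truncation) stands in for it; the seeds, user name and timestamps are constructed for the example. A fob and a "clone" built from a copied seed record produce identical codes that the server cannot tell apart, and the only remedy that locks the clone out is re-seeding.

```python
"""Added illustration: a stolen OTP seed is equivalent to a cloned token.

RFC 6238 TOTP (HMAC-SHA1) stands in for RSA's proprietary SecurID algorithm.
Every seed below is constructed for this example, not real token data.
"""
import hashlib
import hmac
import secrets
import struct


def otp_from_seed(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Derive the one-time code for a time slot from the seed (RFC 6238).

    Everything here is public except the seed: whoever holds the seed can
    compute the same code at the same moment, with no physical token.
    """
    counter = unix_time // step                      # current time slot
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class Token:
    """A hardware fob: holds one seed and displays the code for a given moment."""

    def __init__(self, seed: bytes):
        self._seed = seed

    def display(self, unix_time: int) -> str:
        return otp_from_seed(self._seed, unix_time)


class AuthServer:
    """Server side: knows each user's seed, accepts codes within a small drift window."""

    def __init__(self):
        self._seeds = {}

    def provision(self, user: str, seed: bytes) -> None:
        """(Re-)issue a seed for a user; any older seed record becomes useless."""
        self._seeds[user] = seed

    def verify(self, user: str, code: str, unix_time: int,
               step: int = 30, window: int = 1) -> bool:
        seed = self._seeds.get(user)
        if seed is None:
            return False
        # Accept the current slot plus `window` slots either side for clock drift.
        for slot in range(-window, window + 1):
            expected = otp_from_seed(seed, unix_time + slot * step, step)
            if hmac.compare_digest(expected, code):
                return True
        return False


def seed_theft_scenario(now: int = 1_700_000_000) -> dict:
    """Legitimate fob, a clone built from a copied seed record, then re-seeding."""
    genuine_seed = b"constructed-example-seed-0001"   # constructed, not a real seed
    server = AuthServer()
    server.provision("alice", genuine_seed)           # "alice" is a constructed user

    fob = Token(genuine_seed)
    clone = Token(genuine_seed)                      # built from a copy of the seed record

    result = {
        # Same seed, same moment, same code: the server cannot distinguish them.
        "codes_match": fob.display(now) == clone.display(now),
        "clone_accepted_before_reseed": server.verify("alice", clone.display(now), now),
    }

    # Remediation: issue a fresh seed and a re-provisioned fob. The old seed
    # record, wherever it went, no longer yields valid codes.
    new_seed = secrets.token_bytes(20)
    server.provision("alice", new_seed)
    fob = Token(new_seed)
    result["clone_accepted_after_reseed"] = server.verify("alice", clone.display(now), now)
    result["fob_accepted_after_reseed"] = server.verify("alice", fob.display(now), now)
    return result


if __name__ == "__main__":
    for key, value in seed_theft_scenario().items():
        print(f"{key}: {value}")
```

`otp_from_seed` reproduces the published RFC 6238 test vectors (seed `12345678901234567890`, time 59 gives `287082` at six digits), which is a convenient sanity check that the stand-in algorithm is implemented correctly. The scenario shows the defender's takeaway: once a seed database has left the building, the only control left is to re-seed every affected token, because detection at the authentication server is impossible when the clone's codes are bit-for-bit correct.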

Over nine hours, the hackers transferred the seeds from RSA's storage to a compromised server at the cloud provider Rackspace. Leetham discovered logs containing the stolen credentials for that server. He connected to the remote Rackspace machine and entered the stolen credentials. The server still held the entire stolen seed collection as a compressed .rar file. Leetham typed the command to delete the file and hit Enter, but the command prompt returned a "File not found" response. The server's storage was empty. The hackers had pulled the database off the server seconds before he could delete it.

The theft of the original RSA token values meant that critical protection for thousands of its clients' networks had been disabled. The cyberspies now held the keys to generate the six-digit codes without a physical token, opening their way into any account.

Analysts ultimately traced the hack to a single malicious file that they believed had landed on an RSA employee's computer five days before the investigation began. An employee in Australia received an email with the subject "2011 Recruitment plan" and a Microsoft Excel spreadsheet attached. Inside the file was a script that exploited a zero-day vulnerability in Adobe Flash and installed the Poison Ivy malware on the victim's device.

This initial attack vector was not particularly sophisticated. The attacker could not have exploited the Flash vulnerability if the victim had been running a later version of Windows or Microsoft Office, or if the employee had lacked the rights to install programs on the computer. According to RSA representatives, two groups of hackers were involved in the intrusion: one highly skilled group made use of the access gained by the other.

On the Australian employee's computer, someone used a tool to steal credentials from the device's memory and then reused those credentials to authenticate to other systems. The hackers then went looking for administrator credentials and eventually reached a server holding the credentials of hundreds of users.