Ex-CIA boss "in awe" of Chinese hackers as RSA boss defends SecurID attack

That phishing email really was sophisticated and could have fooled anyone, RSA boss Art Coviello testifies.

Despite claims the phishing email that netted RSA’s staff in its SecurID breach was a crude example of social engineering, RSA boss Art Coviello insists it was highly sophisticated and would have fooled even the most skilled PC operator.

The recruitment email that contained a rigged Excel file came from a “compromised organisation”, Coviello told the US Government’s Permanent Select Committee on Intelligence on Tuesday morning when asked to describe the attack.

It was previously believed that the email, containing the attachment 2011 Recruitment plan.XLS, was merely “spoofed” to appear as if it came from the recruiter Beyond.com.

“The way that email was sent, however, would have been very difficult even for a savvy employee to recognise because it came from a compromised organisation,” said Coviello.

“So the environment of another organisation was compromised, and the email was sent to our employees. It looked like an email that they would normally receive, from people that they would recognise. So it was very easy for them to click on a file where there was a zero day malware exploit.”

An analysis of the attack email, which Finnish security outfit F-Secure discovered in August, noted that the previously unknown Flash exploit the attackers used had launched the backdoor “Poison Ivy” and connected to the domain mincesur.com.

The combination had been used in similar espionage attacks for some time, according to F-Secure chief security analyst Mikko Hypponen, who judged that neither the email nor the backdoor was advanced. The attackers’ target, RSA, was, and that is what made it an advanced attack.

The breach of RSA's SecurID two-factor authentication system was later linked to subsequent attacks on several US defence contractors, including Lockheed Martin and L-3 Communications.

But the attack was far from familiar, according to Coviello, who said law enforcement and government agencies it consulted after the breach told RSA the type of attack it suffered was unprecedented.
“From our discussions with law enforcement and other agencies, we were told it was a very, very sophisticated attack. It hadn’t been recognised before,” he said.

“There were some elements of what we call an Advanced Persistent Threat that hadn’t been seen before. This was one of the first times that there was actually a combined attack from two sources that came through the same opening, so it was a compound attack that made it even that much more difficult to discover.”

Hats off to China from former CIA director.

Although Coviello steered clear of mentioning China, he said the attack “could not have been perpetrated by anyone other than a nation state”.

However, China was high on the agenda for fellow speaker General Michael Hayden, the former director of both the Central Intelligence Agency and the National Security Agency.

“As a professional intelligence officer, I step back in awe at the breadth, depth and sophistication of the Chinese espionage effort against the United States of America,” said Hayden, going on to urge the US to “unleash” some of its technical spying capabilities that were constrained by legislation protecting its citizens’ privacy.

At the turn of the millennium, when he was director of the NSA, Hayden “couldn’t find a civil libertarian” who opposed it using enemy communications networks to spy on Russian missile activity.

“It was a dedicated link, dedicated system. Built for it,” he pointed out.

“But in the modern world -- and this is kind of pre-internet in terms of my description -- all communications are out there in a common network. And targeted signals co-exist with protected signals. We’re kind of in that domain now when it comes to cyberspace. And we want NSA to protect us, but we don’t want NSA being out there being present when our own communications are flowing.”

On the other hand, he feared that if the US did not allow the NSA to conduct deeper inspection of public networks, a major cyber catastrophe on a par with the 9/11 attacks might cause the country to over-react.

“So, we’re going to have the worst of both worlds if we don’t strap this on now... We’ve got capabilities on the sidelines, wanting policy guidance, and if we can reach that guidance, and get them into the field, the safer we are.”

Kevin Mandia, CEO of corporate security consultancy Mandiant, rated the threat from Asia Pacific attackers as much higher than the quick-buck attacks coming out of Eastern Europe.

“It’s either Asia Pacific attacking us or the Eastern Europeans attacking us. With the Eastern Europeans, generally it feels criminally motivated, to make money the short way. The Asia Pacific intrusions seem to be more low and slow, very sophisticated, very persistent, hard to remediate.”
