Ex-CIA boss "in awe" of Chinese hackers as RSA boss defends SecurID attack

That phishing email really was sophisticated and could have fooled anyone, RSA boss Art Coviello testifies.
  • Liam Tung (CSO Online)
  • — 05 October, 2011 08:54

Despite claims the phishing email that netted RSA’s staff in its SecurID breach was a crude example of social engineering, RSA boss Art Coviello insists it was highly sophisticated and would have fooled even the most skilled PC operator.

The recruitment email that contained a rigged Excel file came from a “compromised organisation”, Coviello told the US Government’s Permanent Select Committee on Intelligence on Tuesday morning when asked to describe the attack.

It was previously believed that the email, containing the attachment 2011 Recruitment plan.XLS, was merely “spoofed” to appear as if it came from the recruiter Beyond.com.

“The way that email was sent, however, would have been very difficult even for a savvy employee to recognise because it came from a compromised organisation,” said Coviello.

“So the environment of another organisation was compromised, and the email was sent to our employees. It looked like an email that they would normally receive, from people that they would recognise. So it was very easy for them to click on a file where there was a zero day malware exploit.”

An analysis of the attack email, discovered in August by Finnish security outfit, F-Secure, noted that the previously unknown Flash exploit the attackers used had launched the backdoor “Poison Ivy” and connected to the domain mincesur.com.
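From a defender's standpoint, the attack chain described above (a rigged .xls carrying an embedded Flash object, then a backdoor beaconing to a named domain) can be triaged with a few checks. The following Python is an added illustration, not code from the article or from F-Secure's analysis; the .xls bytes and the DNS log lines are constructed samples, and only the C2 domain comes from the article.

```python
import re
from typing import Dict, List

# Header magics of Adobe Flash (SWF) files: uncompressed, zlib-compressed, LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# OLE2 compound-document magic used by legacy .xls files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Command-and-control domain named in the article's account of F-Secure's analysis.
C2_DOMAIN = "mincesur.com"


def embedded_swf_offsets(data: bytes) -> List[int]:
    """Return byte offsets of plausible SWF headers embedded anywhere in the blob."""
    offsets = []
    for magic in SWF_MAGICS:
        start = 0
        while (idx := data.find(magic, start)) >= 0:
            # SWF header = 3-byte magic, 1-byte version, 4-byte length; reject
            # accidental text matches by requiring a sane version byte.
            if idx + 8 <= len(data) and data[idx + 3] <= 40:
                offsets.append(idx)
            start = idx + 1
    return sorted(offsets)


def triage_xls(data: bytes) -> Dict[str, object]:
    """Flag an OLE2 (.xls) document that carries an embedded Flash object."""
    is_ole = data.startswith(OLE_MAGIC)
    swf = embedded_swf_offsets(data)
    return {"is_ole": is_ole, "swf_offsets": swf, "suspicious": is_ole and bool(swf)}


def c2_hits(dns_lines: List[str], domain: str = C2_DOMAIN) -> List[str]:
    """Return log lines that resolve the C2 domain or any of its subdomains."""
    pattern = re.compile(r"(?<![A-Za-z0-9-])" + re.escape(domain) + r"(?![A-Za-z0-9-])")
    return [line for line in dns_lines if pattern.search(line)]


# Constructed sample: OLE header, padding, then a zlib-compressed SWF header (version 10).
SAMPLE_XLS = OLE_MAGIC + b"\x00" * 64 + b"CWS\x0a\x10\x00\x00\x00" + b"\x00" * 32
CLEAN_XLS = OLE_MAGIC + b"\x00" * 128

# Constructed DNS resolver log lines (not real traffic).
SAMPLE_DNS = [
    "2011-03-01T10:00:01 client=10.0.0.5 query=www.beyond.com type=A",
    "2011-03-01T10:02:17 client=10.0.0.5 query=mincesur.com type=A",
    "2011-03-01T10:03:44 client=10.0.0.9 query=update.microsoft.com type=A",
]
```

Run `triage_xls` over mail-gateway attachments and `c2_hits` over resolver logs; a host that both opened a flagged .xls and later resolved the domain is the one to isolate first.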

The combination had been used in similar espionage attacks for some time, according to F-Secure chief security analyst Mikko Hypponen, who judged that neither the email nor the backdoor was advanced. The attacker’s target, namely RSA, was, and that is what made it an advanced attack.

The breach of RSA's SecurID two-factor authentication system was later linked to subsequent attacks on several US defence contractors, including Lockheed Martin and L-3 Communications.

But the attack was far from familiar, according to Coviello, who said law enforcement and government agencies it consulted after the breach told RSA the type of attack it suffered was unprecedented.

“From our discussions with law enforcement and other agencies, we were told it was a very, very sophisticated attack. It hadn’t been recognised before,” he said.

“There were some elements of what we call an Advanced Persistent Threat that hadn’t been seen before. This was one of the first times that there was actually a combined attack from two sources that came through the same opening, so it was a compound attack that made it even that much more difficult to discover.”

Hats off to China from former CIA director.

Although Coviello steered clear of mentioning China, he said the attack "could not have been perpetrated by anyone other than a nation state”.

However, China was high on the agenda for fellow speaker, General Michael Hayden, the former director of both the Central Intelligence Agency and National Security Agency.  

“As a professional intelligence officer, I step back in awe at the breadth, depth and sophistication of the Chinese espionage effort against the United States of America,” said Hayden, going on to urge the US to “unleash” some of its technical spying capabilities that were constrained by legislation protecting its citizens' privacy.

At the turn of the millennium, when he was director of the NSA, Hayden “couldn’t find a civil libertarian” that opposed it using enemy communications networks to spy on Russian missile activity.
“It was a dedicated link, dedicated system. Built for it,” he pointed out.

“But in the modern world -- and this is kind of pre-internet in terms of my description -- all communications are out there in a common network. And targeted signals co-exist with protected signals. We’re kind of in that domain now when it comes to cyberspace. And we want NSA to protect us, but we don’t want NSA being out there, being present when our own communications are flowing.”

On the other hand, he feared that if the US did not allow the NSA to conduct deeper inspection of public networks, a major cyber catastrophe on a par with the 9/11 attacks might cause the country to over-react.

“So, we’re going to have the worst of both worlds if we don’t strap this on now... We’ve got capabilities on the sidelines, wanting policy guidance, and if we can reach that guidance, and get them into the field, the safer we are.”

Kevin Mandia, CEO of corporate security consultancy Mandiant, ranked the threat from Asia Pacific attackers far above the quick-buck attacks coming out of Eastern Europe.

“It’s either Asia Pacific attacking us or the Eastern Europeans attacking us. With the Eastern Europeans, generally it feels criminally motivated, to make money the short way. The Asia Pacific intrusions seem to be more low and slow, very sophisticated, very persistent, hard to remediate."
