Ex-CIA boss "in awe" of Chinese hackers as RSA boss defends SecurID attack

That phishing email really was sophisticated and could have fooled anyone, RSA boss Art Coviello testifies.

Despite claims the phishing email that netted RSA’s staff in its SecurID breach was a crude example of social engineering, RSA boss Art Coviello insists it was highly sophisticated and would have fooled even the most skilled PC operator.

The recruitment email that contained a rigged Excel file came from a “compromised organisation”, Coviello told the US House Permanent Select Committee on Intelligence on Tuesday morning when asked to describe the attack.

It was previously believed that the email, containing the attachment 2011 Recruitment plan.XLS, was merely “spoofed” to appear as if it came from the recruiter Beyond.com.

“The way that email was sent, however, would have been very difficult even for a savvy employee to recognise because it came from a compromised organisation,” said Coviello.

“So the environment of another organisation was compromised, and the email was sent to our employees. It looked like an email that they would normally receive, from people that they would recognise. So it was very easy for them to click on a file where there was a zero-day malware exploit.”

An analysis of the attack email, discovered in August by Finnish security outfit F-Secure, noted that the previously unknown Flash exploit embedded in the spreadsheet installed the “Poison Ivy” backdoor, which then connected to the domain mincesur.com.

The combination had been used in similar espionage attacks for some time, according to F-Secure chief security analyst Mikko Hypponen, who judged that neither the email nor the backdoor was advanced. The attacker’s target, RSA, on the other hand, was, and that is what made it an advanced attack.
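The attachment in this case was a legacy OLE2 .xls workbook with a Flash object inside it, and a spreadsheet has no business carrying one. A cheap triage check a mail gateway or incident responder can run over attachments is therefore to look for a Flash (SWF) file header inside an OLE container. The script below is an added example and is not code from the article, F-Secure or RSA; the sample bytes are constructed (a stub OLE header followed by a stub SWF header), not the real 2011 Recruitment plan.XLS, and the check assumes the embedded SWF keeps its header in the clear inside the container, which is how OLE stores embedded objects.

```python
import struct
import sys

# Magic bytes of an OLE2 compound file (the container used by legacy .xls/.doc)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Flash (SWF) header signatures: uncompressed, zlib-compressed, LZMA-compressed
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# Heuristic bounds used to reject chance occurrences of the 3-byte signatures
MAX_SWF_VERSION = 50
MAX_DECLARED_LEN = 1 << 28  # 256 MiB; real SWFs are far smaller


def find_embedded_swf(data):
    """Return plausible SWF headers found anywhere inside `data`.

    Each hit records the byte offset, the signature, the SWF version byte and
    the declared (uncompressed) length.  A SWF header is: 3-byte signature,
    1-byte version, 4-byte little-endian total length.  The version and length
    sanity checks filter out the signatures appearing by accident in text.
    """
    hits = []
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                declared_len = struct.unpack_from("<I", data, pos + 4)[0]
                plausible = (1 <= version <= MAX_SWF_VERSION
                             and 8 <= declared_len <= MAX_DECLARED_LEN)
                # An uncompressed SWF cannot claim more bytes than remain in the file
                if magic == b"FWS" and declared_len > len(data) - pos:
                    plausible = False
                if plausible:
                    hits.append({"offset": pos, "magic": magic.decode(),
                                 "version": version, "declared_len": declared_len})
            pos = data.find(magic, pos + 1)
    return hits


def scan_document(data):
    """Flag an OLE document that contains what looks like an embedded Flash file."""
    is_ole = data.startswith(OLE_MAGIC)
    hits = find_embedded_swf(data)
    return {"is_ole": is_ole, "swf_hits": hits, "suspicious": is_ole and bool(hits)}


def _fake_ole(payload):
    # Constructed stand-in for a workbook: OLE magic, zero-padded 512-byte header, payload.
    return OLE_MAGIC + b"\x00" * 504 + payload


# Constructed sample: an uncompressed SWF header (version 10) declaring 64 bytes.
SWF_STUB = b"FWS" + bytes([10]) + struct.pack("<I", 64) + b"\x00" * 56
# Constructed "rigged" workbook: filler, then the Flash object, then more filler.
MALICIOUS_SAMPLE = _fake_ole(b"BIFF-ish filler" + SWF_STUB + b"\x00" * 100)
# Constructed benign workbook whose cell text happens to contain the signatures.
BENIGN_SAMPLE = _fake_ole(b"Quarterly figures: CWS division, FWS region" + b"\x00" * 100)


if __name__ == "__main__":
    # Usage: python swf_in_ole.py <attachment.xls>; with no argument, scan the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(scan_document(fh.read()))
    else:
        for name, blob in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
            print(name, scan_document(blob))
```

The version and declared-length bounds matter: without them the benign sample's cell text "CWS division" would match, because any three-letter signature turns up in ordinary data. The check is a triage signal, not a verdict; a hit still warrants pulling the object out and examining it.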

Information stolen in the breach of RSA's SecurID two-factor authentication system was later linked to subsequent attacks on US defence contractors, including Lockheed Martin and L-3 Communications.

But the attack was far from familiar, according to Coviello, who said law enforcement and government agencies it consulted after the breach told RSA the type of attack it suffered was unprecedented.
“From our discussions with law enforcement and other agencies, we were told it was a very, very sophisticated attack. It hadn’t been recognised before,” he said.

“There were some elements of what we call an Advanced Persistent Threat that hadn’t been seen before. This was one of the first times that there was actually a combined attack from two sources that came through the same opening, so it was a compound attack that made it even that much more difficult to discover.”

Hats off to China from former CIA director.

Although Coviello steered clear of mentioning China, he said the attack "could not have been perpetrated by anyone other than a nation state”.

However, China was high on the agenda for fellow speaker General Michael Hayden, the former director of both the Central Intelligence Agency and the National Security Agency.

“As a professional intelligence officer, I step back in awe at the breadth, depth and sophistication of the Chinese espionage effort against the United States of America,” said Hayden, going on to urge the US to “unleash” some of its technical spying capabilities that were constrained by legislation protecting its citizens' privacy.

At the turn of the millennium, when he was director of the NSA, Hayden “couldn’t find a civil libertarian” that opposed it using enemy communications networks to spy on Russian missile activity.
“It was a dedicated link, dedicated system. Built for it,” he pointed out.

“But in the modern world, all communications -- and this is kind of pre-internet in terms of my description -- all communications are out there in a common network. And targeted signals co-exist with protected signals. We’re kind of in that domain now when it comes to cyberspace. And we want NSA to protect us, but we don’t want NSA being out there being present when our own communications are flowing.”

On the other hand, he feared that if the US did not allow the NSA to conduct deeper inspection of public networks, a major cyber catastrophe on a par with the 9/11 attacks might cause the country to over-react.

“So, we’re going to have the worst of both worlds if we don’t strap this on now... We’ve got capabilities on the sidelines, wanting policy guidance, and if we can reach that guidance, and get them into the field, the safer we are.”

Kevin Mandia, CEO of corporate security consultancy Mandiant, rated the threat from Asia Pacific attackers much higher than the quick-buck attacks coming out of Eastern Europe.

“It’s either Asia Pacific attacking us or the Eastern Europeans attacking us. With the Eastern Europeans, generally it feels criminally motivated, to make money the short way. The Asia Pacific intrusions seem to be more low and slow, very sophisticated, very persistent, hard to remediate."


More recent articles from Liam Tung:

IBM: Don’t bully the ‘idiots’ who fall for phishing

Anatomy of a cunning APT: the SK Communications breach
