“If a major cybersecurity company — one of the very companies we rely on to protect our own systems — can’t protect itself, what does that mean for us?” That’s the question defense contractors, government agencies and manufacturers around the world were asking themselves in early 2011 when the shockwaves from the alarming RSA SecurID attack were first starting to ripple across the cybersecurity landscape.
The RSA SecurID breach was a highly sophisticated cyberattack that occurred in March 2011, in which hackers accessed the computer systems of RSA, a company that provides two-factor authentication solutions to many organizations. The hack was a significant blow to the security of the defense industrial base, as RSA’s SecurID tokens were used to authenticate users to computer systems, including those used by defense contractors and the military.
Ultimately, the breach cost RSA parent company EMC $66.3 million to investigate, remediate and monitor the more than 30,000 customers of its SecurID tokens. It was also a canary in the coal mine, warning organizations of the dangers of future supply chain attacks.
The roots of the RSA breach
The RSA attack is still considered one of the most worrisome cyberattacks in history and a real eye-opener to the cybersecurity community about the importance of protecting critical assets. As such intrusions often do, the attack began with a phishing email sent to RSA employees that contained a malicious attachment. When an RSA employee opened the attachment, it launched a sophisticated malware program called “Poison Ivy” that gave the attackers a foothold on RSA’s internal network. The attackers then moved laterally through the network, searching for and stealing data related to RSA’s SecurID tokens.
In May 2021, after 10-year nondisclosure agreements had expired, Wired wrote a comprehensive examination of the RSA attack and how it played out in real time. Bill Duane, an engineer with RSA, described the incident as a cat-and-mouse game. As the attackers probed the network and attempted to break into a connected system, the information technology (IT) team would detect them and disable the system. But the attackers would just move on to the next system, leaving defenders chasing their collective tails.
One of the standard pieces of cybersecurity advice that experts and laypeople alike have internalized is to use two-factor authentication. Cyber-mature companies already use the technique, which adds an extra layer of security by demanding an additional login credential beyond the simple username and password. Even consumers are used to being asked for a second credential by banks and other institutions. The threat actors were really after the root of RSA’s two-factor authentication program: its special, proprietary sauce.
Their target was “the secret keys known as ‘seeds,’ a collection of numbers that represented a foundational layer of the security promises RSA made to its customers, including tens of millions of users in government and military agencies, defense contractors, banks and countless corporations around the world,” according to the Wired article. “RSA kept those seeds on a single, well-protected server, which the company called the ‘seed warehouse.’
“They served as a crucial ingredient in one of RSA’s core products: SecurID tokens — little fobs you carried in a pocket and pulled out to prove your identity by entering the six-digit codes that were constantly updated on the fob’s screen.”
The stolen data included information about how the SecurID tokens were programmed and used, which allowed the attackers to create their own tokens that could access the networks of defense contractors and other organizations. The hackers reportedly leveraged the stolen data to launch attacks on major companies, including security and aerospace giant Lockheed Martin, which was forced to shut down its network temporarily and replace SecurID tokens in response.
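As an added illustration (not from the article, and not RSA's code), here is a toy "seed warehouse" built on the RFC 6238 TOTP construction, which stands in for SecurID's proprietary algorithm. It shows why the seeds were the real prize: anyone holding a copy of a token's seed computes exactly the codes the server accepts, and only re-seeding (replacing the token, as Lockheed Martin did) makes the stolen copy worthless. The serial numbers, seed values, 60-second step and HMAC-SHA1 are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import struct


def totp(seed: bytes, now: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238-style code: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify(warehouse: dict, serial: str, code: str, now: int, step: int = 60) -> bool:
    """Server side: look up the token's seed by serial and compare in constant time."""
    seed = warehouse.get(serial)
    if seed is None:
        return False
    return hmac.compare_digest(totp(seed, now, step), code)


def reseed(warehouse: dict, serial: str) -> bytes:
    """Mitigation: issue a fresh seed for the serial; any copy of the old one is now useless."""
    warehouse[serial] = secrets.token_bytes(20)
    return warehouse[serial]


def seed_compromise_demo(now: int = 1_300_000_000) -> tuple:
    """Returns (accepted_before_reseed, accepted_after_reseed) for a code computed from a copied seed."""
    # Constructed 'seed warehouse': serial -> seed. Sample values, not real token data.
    warehouse = {
        "000123456789": b"constructed-seed-for-token-A",
        "000123456790": b"constructed-seed-for-token-B",
    }
    # A copy of the warehouse is all that is needed to reproduce a token's codes:
    # the seed is the whole secret, and the serial is what maps it to a user.
    copied_seeds = dict(warehouse)
    code_from_copy = totp(copied_seeds["000123456789"], now)
    before = verify(warehouse, "000123456789", code_from_copy, now)
    # Re-seeding the token (in practice, shipping a replacement fob) is the fix;
    # the same code derived from the old seed no longer verifies.
    reseed(warehouse, "000123456789")
    after = verify(warehouse, "000123456789", code_from_copy, now)
    return before, after
```

The RFC 6238 test vectors (seed `12345678901234567890`, 30-second step) can be used to check the `totp` helper independently of the demo.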
Other defense contractors and government agencies believed to have been affected by the breach include Northrop Grumman, L-3 Communications and the U.S. military. The full impact of the RSA SecurID breach on these organizations and their networks is still unknown, but it is believed to have had significant implications for national security.
The RSA SecurID attack response
After discovering the SecurID breach, RSA took a number of steps to investigate the attack, protect its customers and prevent similar incidents from happening in the future. One of the first things RSA did was notify its customers about the breach and the potential impact on their systems. Initially — and perhaps before it knew the full extent — the company downplayed the attack, publishing an open letter to its customers that read:
“Recently, our security systems identified an extremely sophisticated cyberattack in progress. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”
As the full extent of the attack became known, the company provided guidance on how to protect customer systems, including recommendations for strong passwords, network segmentation and other security measures.
In addition, RSA worked closely with law enforcement, including the FBI and NSA, and other security experts like Mandiant to investigate the breach and identify the attackers. While the company did not disclose the full breadth of the breach or the identity of the attackers, it did provide regular updates to its customers and the public about its findings and actions.
To prevent similar attacks from happening in the future, RSA implemented a number of security enhancements, including stronger authentication measures, network segmentation, and increased monitoring and threat detection capabilities. But all of this took time. RSA and its customers were still reeling from this breach years after the fact.
Repercussions of the RSA SecurID attack
The RSA SecurID breach was a wake-up call for the defense industry and other organizations about the vulnerability of two-factor authentication systems and the importance of securing the supply chain. While the SolarWinds attack from 2020 made headlines as a major supply chain strike — where a threat actor compromises an upstream, third-party software or hardware supplier to access hundreds of other companies — RSA is considered by many the first of the breed. This turned out to be a nation-state attack, perpetrated by people working for the Chinese People’s Liberation Army, a group the cybersecurity incident response firm Mandiant has named APT1.
“It opened my eyes to supply chain attacks,” said Mikko Hypponen, chief research officer at F-Secure, in the Wired article. “It changed my view of the world: the fact that, if you can’t break into your target, you find the technology that they use and break in there instead.”
More recent attacks like SolarWinds and Okta have proven that this problem is far from fixed. While the more recent strikes may have been shocking in their scope and scale, no one who witnessed the 2011 RSA attack should have been surprised by what happened, as the roadmap had been set a decade before.
In the Wired piece, Duane said the main thing the RSA attack taught him is that “every network is dirty.” This incursion highlighted the need for organizations to remain vigilant and implement strong security measures to protect sensitive information and systems, including regular employee training, network segmentation and, yes, multifactor authentication.