October 12, 2011

RSA finds nation state’s hand behind March SecurID breach

Forensic intelligence probing the security breach finds two well coordinated groups behind the breach, considered to be one of the biggest hacks in history

By CBR Staff Writer

The chief executive of security token provider RSA has revealed that a nation state was behind the breach of its SecurID tokens that took place in March this year.

In a Reuters report, RSA chief executive Art Coviello said the company's forensic intelligence had found that two well-coordinated groups executed the breach in March, which indicated that a single nation state was behind the attack.

However, Coviello has refused to identify the country.

"We do know that it was one nation state because these groups were well coordinated. That much the forensic intelligence told us," Coviello told Reuters.

"One group was more surreptitious in their approach than the other," he said. "Is it possible that one was deliberately a little bit more visible than the other to mask the other? It’s possible. We don’t know."

Data storage company EMC owns RSA, which supplies coded security tokens — used for remote access to desktops — to millions of computer users across the world, including banks and defence companies. It is estimated that around 40 million SecurID tokens are in use across the world.

In March this year, EMC disclosed that hackers had stolen data from RSA in a "very sophisticated attack". The company had also warned that stolen IDs could be used by the hackers to launch a bigger attack on a client’s SecurID system.


In an open letter to its customers, RSA wrote, "On March 17, 2011, RSA publicly disclosed that it had detected a very sophisticated cyber attack on its systems, and that certain information related to the RSA SecurID product had been extracted."

"We immediately published best practices and our prioritised remediation steps, and proactively reached out to thousands of customers to help them implement those steps. We remain convinced that customers who implement these steps can be confident in their continued security, and customers in all industries have given us positive feedback on our remediation steps."

RSA also wrote on its blog that the attack was launched with a targeted email to EMC employees, and that the email contained an attachment called ‘2011 Recruitment plan.xls’.

In May, the US-based fighter planes and spy satellites maker Lockheed Martin revealed that its database had been attacked by hackers. The defence contractor said that it identified the breach quickly and prevented critical data theft, but later traced the breach to the hack attack on RSA in March.

RSA accepted Lockheed’s claim. It said, "Certain characteristics of the attack on RSA indicated that the perpetrator’s most likely motive was to obtain an element of security information that could be used to target defence secrets and related [information]."

In August, computer security firm F-Secure claimed that hackers working for a "nation state" had used a targeted ‘job offer’ email sent to EMC employees to breach RSA’s security, with the aim of stealing military secrets from US arms supplier Lockheed-Martin.

The computer security firm said its researchers had found that a "nation-state" was behind the attack on EMC-owned RSA in March, considered to be one of the biggest hacks in history.

F-Secure said on its website, "As far as we know, a nation-state wanted to break in to Lockheed-Martin and Northrop-Grumman to steal military secrets. They couldn’t do it, since these companies were using RSA SecurID tokens for network authentication. So, the hackers broke into RSA with a targeted email attack."

Coviello also revealed that demand for replacement tokens had slowed down and the company now had a large inventory.

He told Reuters that "it wouldn’t have been much more than single digits" — had asked for replacements.
