02 Apr 2011
RSA has been briefing analysts on the attack vectors used by the hackers seeking access to its SecurID technology, and on how the break-in was stopped.
The company said that the initial attack came in the form of emails entitled '2011 Recruitment Plan', sent to groups of low-ranking employees, which carried an Excel spreadsheet containing malware that used an Adobe Flash exploit.
The bulk of these were shifted into spam folders, but some were opened and access to RSA was gained by the attackers.
Once inside, the attackers used the compromised accounts to reach further employees until they found one with access to the target files. The information was harvested and sent to an external server, but RSA has not said exactly what was taken.
The company detected and blocked the attack thanks in large part to third-party network monitoring software from NetWitness. However, reaction times were too slow to prevent the theft of the data.
"RSA should have known better. The irony is that they don't eat their own dogfood," said Gartner analyst Avivah Litan.
"They relied on yesterday's best-of-breed tools to prevent and detect the attack. They obviously weren't able to stop the attack in real time, which means the signals and scores weren't high enough to cause a person to shut down the attack immediately."
Litan praised RSA for alerting customers to the problem, something she said many companies would not have done.
Meanwhile, an unclassified document on the attack from the US Computer Emergency Readiness Team (US-CERT) shows that at least one of the domains used in the attack was based in China.
Sam Norris, founder of ChangeIP.com, the provider for some of the domains on US-CERT's list, told security analyst Brian Krebs that he suspected Chinese involvement.
"Ninety-nine per cent of the time, when these guys logged in to one of their accounts to change the IP address for a domain, they were coming from a Chinese address," he said.
"This guy has been emailing me, asking me for the account back, saying things like 'Hey, I had important stuff on that domain, and I need to get it back.'
"The bad guys are definitely interested in getting it back, which means we probably cut off their communications or made it so that they couldn't clean up their trail afterward."