11 Oct 2011
Two groups operating on behalf of a single nation state were responsible for the attack on RSA Security that breached its IT systems earlier this year and allowed hackers to subsequently attack a defence contractor, according to the security vendor.
Speaking at a press Q&A during the RSA Conference Europe show, executives from the vendor revealed more about what happened during and after the breach in March, which ultimately forced the firm to offer new authentication tokens to all of its 20,000-plus customers.
"There were two individual groups from one nation state, one supporting the other. One was very visible and one less so," said RSA executive chairman Art Coviello.
"We've not attributed it to a particular nation state although we're very confident that with the skill, sophistication and resources involved it could only have been a nation state."
Although it used a simple malicious Excel attachment to breach RSA's defences, the attack was highly sophisticated in that the perpetrators made it impossible to trace them.
Coviello defended his firm's security systems, however, saying that the attackers "only got one piece of information from us", that no subsequent attacks had been successful and that remediation steps had been sufficient.
"One of the ironies of the breach for us is that it was a validation of the strategy we were already pursuing," he said.
"It's the reason we bought NetWitness. Having that allowed us to see the attack in progress and minimise the damage and forensically determine exactly what was taken at a very fast rate."
Defence contractors and RSA SecurID customers Lockheed Martin, Northrop Grumman and L-3 Communications were all thought to have been attacked in the wake of the breach, although it is believed these attacks were ultimately unsuccessful.
RSA maintains that only one firm was attacked using information gleaned from the original SecurID breach.
The admission by Coviello will once again focus eyes on China, which has been implicated in similar Advanced Persistent Threats (APTs) involved in the Operation Aurora attacks on Google and countless other firms discovered in early 2010 and Night Dragon attacks on energy firms in February this year.
RSA Security president Thomas Heiser stopped short of admitting to what many customers and commentators criticised at the time as a sluggish response to the attacks, but he did reveal that the sheer number of potentially compromised customers had presented a challenge.
"We got out to our top 500 customers relatively quickly," he said.
"The challenge was that we have tens of thousands of customers and a lot of them we deal with indirectly so we were reliant on our marketing press and partners. There wasn't the hand-holding here we could do with our other customers."