Phoning Home to China
A couple of weeks ago, during the RSA Conference in London, Tom Heiser, president of RSA declared that two separate hacker groups already known to authorities were behind the serious breach affecting tbe Security Firm early this year in March, and were likely working at the behest of a government. Heiser also declared that the attackers possessed inside information about the company’s computer naming conventions that helped their activity blend in with legitimate users on the network, concluding that, due to the sophistication of the breach:
“we can only conclude it was a nation-state-sponsored attack.”
In a statement issued after the breach, the Security Firm declared that some information related to their two-factor authentication technology SecurID had been extracted during the attack, and that information could be used, as part of a broader attack, to decrease the effectiveness of the two-factor authentication.
Curiously RSA refused to name the involved nation, so not confirming the suspects directed to China. Regardless of the nation, among Security Professional it was immediately clear that the true target of the attack was not RSA but its customers: SecurID tokens are used by 40 million people in at least 30,000 organizations worldwide to allow secure access to IT systems. So it was not a surprise the fact that few weeks after the breach three Defense Contractor were attacked using compromised seeds, and although in two cases (L-3 Communications and Northrop Grumman) there was no direct evidence of a direct involvement of compromised tokens but only rumors, in one case (Lockheed Martin), RSA admitted the use of compromised tokens and offered to replace the tokens to affected customers.
Today another interesting piece of the puzzle: in his blog Brian Kerbs publishes a list of companies whose networks were shown to have been phoning home (i.e. connect to the C&C Server) to some of the same control infrastructure that was used in the attack on RSA. The first victims appear to have begun communicating with the attacker’s control networks as early as November 2010. According to the list 760 other organizations had networks compromised with some of the same resources used to hit RSA and almost 20 percent of the current Fortune 100 companies are on this list.
Scroll down the names on the list and you will find many interesting and surprising firms, even if the author correctly advises that:
- Many of the network owners listed are Internet service providers, and are likely included because some of their subscribers were hit;
- It is not clear how many systems in each of these companies or networks were compromised, for how long those intrusions persisted, or whether the attackers successfully stole sensitive information from all of the victims;
- Some of the affected organizations (there are also several antivirus firms mentioned) may be represented because they intentionally compromised internal systems in an effort to reverse engineer malware used in these attacks.
So at the end, what’s the matter with China? Simple, at the bottom of the article there is a chart reporting the location of more than 300 command and control networks that were used in these attacks. Guess where 299 of them were located…
(Thanks to @MasafumiNegishi for reporting the original blog post).