The Full Story of the Stunning RSA Hack Can Finally Be Told
In late May 2011, about two months after the breach announcement, RSA was still recovering, rebuilding, and apologizing to customers when it was hit with an aftershock: A post appeared on the influential tech blogger Robert X. Cringely’s website, titled “InsecureID: No More Secrets?”
The post was based on a tip from a source inside a major defense contractor, who’d told Cringely that the company was responding to an extensive intrusion by hackers who seemed to have used stolen RSA seed values to get in. Everyone at the defense contractor was having their RSA tokens replaced. Suddenly RSA’s breach seemed far more severe than the company’s original announcement had described it. “Well it didn’t take long for whoever cracked RSA to find a lock to fit that key,” Cringely wrote. “What if every RSA token has been compromised, everywhere?”
Two days later, Reuters revealed the name of the hacked military contractor: Lockheed Martin, a company that represented a cornucopia of ultra-secret plans for weapons and intelligence technologies. “The scab was healing,” Castignola says. “Then Lockheed hit. That was like a mushroom cloud. We were back at it again.”
In the days that followed, defense contractors Northrop Grumman and L-3 were also named in news reports. Hackers with SecurID’s seed values had targeted them too, the stories said, though it was never clear how deeply the intruders had penetrated the companies. Nor was it revealed what the hackers had accessed inside Lockheed Martin. The company claimed it had prevented the spies from stealing sensitive information like customer data or classified secrets.
In another open letter to customers in early June 2011, RSA’s Art Coviello admitted, “We were able to confirm that information taken from RSA in March had been used as an element of an attempted broader attack on Lockheed Martin, a major US government defense contractor.”
Today, with 10 years of hindsight, Coviello and other former RSA executives tell a story that starkly contradicts accounts from the time: Most of the former RSA staff who spoke to me claim that it was never proven that SecurID had any role in the Lockheed breach. Coviello, Curry, Castignola, and Duane all argued that it was never confirmed that the intruders inside RSA’s systems had successfully stolen the full list of seed values in an uncorrupted, unencrypted form, nor the customer list mapped to those seeds necessary to exploit them. “I don’t think that Lockheed’s attack was related to us at all,” Coviello states flatly.
By contrast, in the years since 2011, Lockheed Martin has detailed how hackers used information stolen in RSA’s SecurID breach as a stepping stone to penetrate its network—even as it insists that no information was successfully stolen in that event. A Lockheed source with knowledge of the company’s incident response reaffirmed to WIRED the company’s original claims. “We stand by our forensic investigation findings,” the source says. “Our analysis determined the breach of our two-factor authentication token provider was a direct contributing factor in the attack on our network, a fact that has been widely reported by the media and acknowledged publicly by our vendor, including Art.” In fact, the Lockheed source says the company saw the hackers entering SecurID codes in real time, confirmed that the targeted users hadn’t lost their tokens, and then, after replacing those users’ tokens, watched the hackers continue to unsuccessfully enter codes from the old tokens.
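The forensic inference the Lockheed source describes (codes that keep matching a replaced token's seed after the legitimate user has been re-issued a new one) can be turned into a detection rule. The following is an added illustration, not code from Wired, RSA or Lockheed Martin: it uses an HMAC-based code generator as an assumed stand-in for the proprietary SecurID algorithm, constructed seed values, and a hypothetical `TokenAuthenticator` that keeps revoked seeds so failed logins can be checked against them.

```python
import hashlib
import hmac
import struct

# Constructed seeds for the example; not real SecurID seed material.
ORIGINAL_SEED = b"\x01" * 16
REPLACEMENT_SEED = b"\x02" * 16


def otp_from_seed(seed: bytes, step: int, digits: int = 6) -> str:
    """Code for one time step. HMAC-SHA256 is an assumed stand-in for the
    real SecurID algorithm; the detection logic below does not depend on it."""
    mac = hmac.new(seed, struct.pack(">Q", step), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class TokenAuthenticator:
    """Hypothetical authenticator that remembers seeds of replaced tokens."""

    def __init__(self):
        self.active = {}   # user -> seed of the token currently issued
        self.revoked = {}  # user -> seeds of tokens that were replaced
        self.alerts = []   # (user, step, reason) records for the SOC

    def enroll(self, user, seed):
        self.active[user] = seed

    def replace_token(self, user, new_seed):
        # Keep the old seed so codes derived from it can still be recognised.
        self.revoked.setdefault(user, []).append(self.active[user])
        self.active[user] = new_seed

    def login(self, user, code, step):
        if hmac.compare_digest(code, otp_from_seed(self.active[user], step)):
            return True
        # A wrong code that is exactly right for a revoked seed means whoever
        # submitted it holds that seed, not the physical token.
        for old in self.revoked.get(user, []):
            if hmac.compare_digest(code, otp_from_seed(old, step)):
                self.alerts.append((user, step, "valid code for revoked seed"))
        return False


def simulate():
    """Replay the scenario: leaked-seed login, token replacement, then
    continued attempts computed from the old seed. Returns outcomes and alerts."""
    auth = TokenAuthenticator()
    auth.enroll("alice", ORIGINAL_SEED)
    outcomes = [auth.login("alice", otp_from_seed(ORIGINAL_SEED, 100), 100)]
    auth.replace_token("alice", REPLACEMENT_SEED)
    outcomes += [auth.login("alice", otp_from_seed(ORIGINAL_SEED, s), s) for s in (101, 102)]
    outcomes.append(auth.login("alice", "xxxxxx", 103))  # plain typo: no alert
    return outcomes, auth.alerts
```

A single failed login proves nothing; two or more failures whose codes match a user's revoked seed, after that user has confirmed the old token was never lost, are the signal the Lockheed source describes.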
The NSA, for its part, has never had much doubt about RSA’s role in subsequent break-ins. In a briefing to the Senate Armed Services Committee a year after the RSA breach, NSA’s director, General Keith Alexander, said that the RSA hack “led to at least one US defense contractor being victimized by actors wielding counterfeit credentials,” and that the Department of Defense had been forced to replace every RSA token it used.
via Wired https://ift.tt/2uc60ci
May 20, 2021 at 03:06AM