When RSA executive chairman Art Coviello told attendees of the company’s conference in London two weeks ago that the March cyberattack on his company “could only have been perpetrated by a nation-state,” he refused to elaborate on which country that might be. Data shared with Congress by security experts, however, suggests strongly that the nation-state in question was China and that the infrastructure used in the attacks had been active long before RSA was breached.
Hackers used a zero-day Flash exploit, embedded in a spreadsheet sent through a “spear-phishing” attack, to gain access to RSA’s network and compromise information on RSA’s SecurID authentication tokens. But as security blogger Brian Krebs reports, over 700 organizations’ networks were found to be transmitting data back to the command-and-control networks used to coordinate the attack—including a number of ISPs, financial and technology firms, and government agencies. Research In Motion, Cisco, Google, Northrop Grumman, Charles Schwab, the General Services Administration, the Internal Revenue Service, and the State of Michigan were among the notable names on the list.
The data shared with congressional staffers also showed that of the over 300 C&C networks used to coordinate the Flash zero-day attacks, the vast majority—299 of them—were located in China. And the first communication with these networks dates back to November 2010, predating the known timeline of the Flash zero-day by at least three months.