It's time to tell the whole truth about the RSA hack





The 10-year nondisclosure agreements (NDAs) of former RSA employees have expired, so they can finally talk about what happened in 2011. Those events changed the global information security industry for good: this was arguably the first supply chain attack to cause serious concern, to put it mildly, among the American intelligence services.



What is a supply chain attack? If you cannot attack a strong adversary such as the NSA or the CIA head-on, you find one of their suppliers and compromise its product. One such intrusion yields access to hundreds of well-protected organizations at once. That is what happened recently with SolarWinds. Former RSA employees look at SolarWinds with a sense of déjà vu, because in 2011 unknown attackers reached the most valuable thing RSA had: the repository of seeds, the secret values from which the one-time codes of SecurID hardware tokens are generated. Those tokens were used for two-factor authentication by tens of millions of people in government and military agencies, defense contractors, banks and countless corporations around the world.



But first things first.



Andy Greenberg of Wired spoke with several former RSA employees. One of them is Todd Leetham, a bald, bearded analyst from the incident response team whom a colleague described as a "carbon-based hacker-finding machine". He was the first to suspect something was wrong, noticing a user who had logged in from a machine that was not his own and with unusual privileges. He went through that user's logs for several days, and it became clear there had been a break-in. The intruders had dug into the internal network.



Worst of all, they reached the seed vault. In theory that server should have been offline, disconnected from the Internet and from the rest of the network (an air gap). In practice it sat behind a firewall and connected every 15 minutes to hand out a fresh batch of encrypted seeds, which were burned to CDs and shipped to customers. The CDs were then kept in storage as a backup.



The seeds are what the one-time codes on the SecurID tokens handed out to a customer's employees are computed from. The token and the customer's authentication server, which holds a copy of the same seed, each generate the same codes independently; a login succeeds when the two agree.



Algorithm for obtaining a token code



Each SecurID token is programmed with a secret 128-bit seed. Every 60 seconds the token combines the seed with the current time to produce a new tokencode; the authentication server holds a copy of the seed and performs the same computation, so it can check the code without the token and server ever communicating. The user types a PIN followed by the tokencode. That is why knowing the seed alone is not quite enough: an attacker still needs the PIN and has to know which seed belongs to which user. The seed records, the copies destined for customers' servers, are what the vault held.
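The following is an added example, not RSA's code and not its proprietary SecurID algorithm: a simplified model of a time-based token (HMAC-SHA256 over the time step, truncated to six digits, as in RFC 6238 TOTP) with a minimal server that checks PIN + tokencode. The seed, serial number, PIN and timestamp are constructed. It shows the point the article turns on, and the two mitigations it mentions later: whoever holds a seed record can produce valid codes without the physical token, the PIN is the only secret the seed store does not contain, and reissuing a token with a fresh seed makes codes derived from the stolen one fail.

```python
import hashlib
import hmac
import struct

# Added example: a simplified model of a time-based hardware token, NOT RSA's
# proprietary SecurID algorithm. The code is an HMAC-SHA256 over the time step,
# truncated to 6 digits (the RFC 6238 TOTP construction). The property that
# matters for the story holds for any such scheme: whoever holds the seed can
# compute every code the token will ever display.
STEP_SECONDS = 60
DIGITS = 6


def tokencode(seed: bytes, unix_time: int) -> str:
    """Code shown on the token (and recomputed by the server) for the given time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation, as in HOTP
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class AuthServer:
    """Customer-side authentication server: holds each user's seed record and PIN."""

    def __init__(self):
        self.records = {}   # username -> (token serial, seed, pin)

    def enroll(self, user: str, serial: str, seed: bytes, pin: str) -> None:
        self.records[user] = (serial, seed, pin)

    def verify(self, user: str, passcode: str, now: int, drift_steps: int = 1) -> bool:
        """passcode = PIN + tokencode. Codes within +/- drift_steps of `now` are
        accepted to tolerate clock drift between token and server."""
        if user not in self.records:
            return False
        _, seed, pin = self.records[user]
        if len(passcode) != len(pin) + DIGITS or not hmac.compare_digest(passcode[:len(pin)], pin):
            return False
        code = passcode[len(pin):]
        return any(hmac.compare_digest(code, tokencode(seed, now + d * STEP_SECONDS))
                   for d in range(-drift_steps, drift_steps + 1))


def demo() -> dict:
    """Walk through the scenario with a constructed seed, serial, PIN and clock."""
    server = AuthServer()
    seed = bytes.fromhex("00112233445566778899aabbccddeeff")       # constructed 128-bit seed
    server.enroll("alice", "000123456789", seed, "4711")           # constructed serial and PIN
    now = 1_300_000_020                                            # mid-March 2011, on a 60 s step boundary

    results = {}
    # Normal login: the token and the server compute the same code from the same seed.
    results["legit_login"] = server.verify("alice", "4711" + tokencode(seed, now), now)
    # Clock drift: a code from the next step is still accepted, two steps away is not.
    results["drift_ok"] = server.verify("alice", "4711" + tokencode(seed, now + 60), now)
    results["drift_too_far"] = server.verify("alice", "4711" + tokencode(seed, now + 120), now)
    # An attacker holding the stolen seed record and the PIN needs no physical token at all.
    stolen_seed = seed
    results["stolen_seed_login"] = server.verify("alice", "4711" + tokencode(stolen_seed, now), now)
    # The PIN is the one thing the seed store does not contain.
    results["stolen_seed_wrong_pin"] = server.verify("alice", "0000" + tokencode(stolen_seed, now), now)
    # Replacing the token (a new seed) makes codes from the stolen seed fail,
    # which is what Lockheed Martin reported seeing after its token swap.
    new_seed = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    server.enroll("alice", "000123456790", new_seed, "4711")
    results["old_seed_after_reissue"] = server.verify("alice", "4711" + tokencode(stolen_seed, now), now)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {'accepted' if outcome else 'rejected'}")
```

The drift window is why a server must accept a few adjacent codes; it also means a stolen seed gives the attacker a few minutes of slack per login rather than one exact second. Lengthening the PIN, the measure RSA's call team walked customers through, only raises the number of guesses an attacker with the seed has to make, so it is a stopgap until the token is reissued.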


Anyone who got into the seed repository had compromised the SecurID tokens of every customer. Since this is RSA's core business, in the worst case the company could have been finished altogether.



After examining the network logs, Leetham concluded that these "keys to the kingdom" had indeed been stolen.



He read in horror as the logs showed the attackers methodically siphoning seeds out of the vault for nine hours and sending them over FTP to a hacked server at the cloud provider Rackspace. Then he noticed something that offered a ray of hope: the stolen credentials, the username and password for that hacked server, had been captured in the logs. Leetham quickly connected to the remote Rackspace machine and entered them. And there it was: a directory on the server still contained the entire stolen seed collection as a compressed .rar file.



Logging into another company's server with a hacked account and tampering with the data there is, as Leetham puts it, at best an unorthodox move and at worst a serious violation of US law on unauthorized access to computer systems. But looking at RSA's holy of holies sitting on that Rackspace server, he did not hesitate: "I was prepared for the consequences," he says. "In any case, I could not give up our files," and he typed the command to delete the file and pressed Enter.



A moment later the console replied: "File not found." He listed the server's contents again. The folder was empty. The attackers had pulled the archive off the server seconds before he tried to delete it.



He had hunted the intruders for days, around the clock, and now he had all but grabbed the fleeing thief by the sleeve. But the thief slipped through his fingers and vanished into the fog with the most valuable data of all. (As the later investigation suggested, the attackers may have belonged to APT1, the cyber-espionage unit of China's People's Liberation Army based in military unit 61398 on the outskirts of Shanghai.)





Location of military unit 61398



A few days later RSA was forced to announce the breach. And it truly changed the cybersecurity landscape: the first successful supply chain attack on this scale, aimed at thousands of organizations, including the world's most secretive agencies and military contractors. Years later something similar happened with the NotPetya worm (2017) and then with SolarWinds (2020, about 18,000 customers worldwide), but at the time the RSA story was unprecedented. Almost nobody imagined that an attack could be carried out this way, through a "proxy" in the supply chain.



"It opened my eyes to supply chain attacks," says Mikko Hyppönen, chief research officer at F-Secure, which published an independent analysis of the RSA incident. "And it changed my view of the world: if you can't penetrate the target, you find the technology the victim uses and penetrate that instead."



His colleague Timo Hirvonen says the incident was an alarming demonstration of the growing threat from a new class of hackers: highly skilled specialists carrying out assignments for foreign intelligence services. RSA is a cybersecurity company whose business is protecting others. If it cannot protect itself, how can it protect the rest of the world?



The question was quite literal. The theft of the seeds meant that the critical 2FA defenses of thousands of RSA customers were compromised: with a seed, its mapping to a token serial number and user, and that user's PIN, an attacker could produce valid SecurID codes for almost any system that trusted them.



Ten years later the NDAs of many of RSA's key people have expired, and the details of the incident can come out. Today the RSA breach is seen as a harbinger of the current era of digital insecurity and of the relentless activity of state-sponsored hackers in many areas of public life, including social media, the press and politics. The RSA breach is a lesson in how a determined adversary can undermine what we trust most, and in why nothing should be trusted unconditionally.



Analysis of the incident showed how the attack began: with an innocuous-looking e-mail received by an employee in Australia, with the subject line "2011 Recruitment Plan" and an Excel spreadsheet attached. Embedded in the spreadsheet was a Flash object that exploited a zero-day vulnerability in Adobe Flash Player (CVE-2011-0609) and installed the well-known Poison Ivy remote access trojan on the victim's computer.



The entry point into RSA's network was a thoroughly commonplace intrusion, one that would not have worked if the victim had been running a newer version of Windows or Microsoft Office, or had lacked the right to install programs on his own computer, as sysadmins on many corporate and government networks recommend.



But after that initial foothold the attackers began to show their real capabilities. Analysts concluded that at least two groups were operating on the network at the same time. One group obtained access, and a second, far more skilled group used that access, perhaps without the first group's knowledge. The second attack was much more sophisticated.



On the Australian employee's computer someone ran a tool that extracts credentials from memory. Those credentials were then used to log into other machines, whose memory was scanned for further credentials, and so on, until the logins of privileged administrators turned up. In the end the attackers reached a server holding the credentials of hundreds of users. This credential-harvesting technique is common today, but in 2011 analysts were startled to watch the attackers move through the network like this: "It was truly the most brutal way to exploit our systems I've ever seen," says Bill Duane, a veteran software engineer and developer of RSA's algorithms.
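The hop-by-hop credential replay described above leaves a characteristic trail in authentication logs, and it is what a hunt team watching in near real time, as RSA's was, would look for. The following is an added example, not RSA's tooling or data: it runs two detections over a constructed set of network logon events with invented host and account names. The first flags a source host that suddenly authenticates to new destinations with accounts it never used before (credentials dumped from its memory being replayed); the second reconstructs chains of logons where each hop departs from the host the previous hop landed on, which is the lateral-movement pattern the paragraph describes. Thresholds and the 60-minute hop gap are assumptions for the sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed network logon events, modelled loosely on Windows event 4624 with
# logon type 3 (network) or 10 (RDP): (time, source host, destination host, account).
# Added example data; host and account names are invented, not RSA's.
EVENTS = [
    # Two weeks of ordinary activity that serves as the baseline.
    ("2011-02-14T09:01:00", "WS-AU-17", "FILESRV-02", "jdoe"),
    ("2011-02-15T09:03:00", "WS-AU-17", "FILESRV-02", "jdoe"),
    ("2011-02-16T10:12:00", "WS-BOS-04", "FILESRV-02", "asmith"),
    ("2011-02-17T11:40:00", "ADMIN-WS-01", "DC-01", "da-rlee"),
    ("2011-02-18T09:02:00", "WS-AU-17", "FILESRV-02", "jdoe"),
    # The intrusion: credentials dumped from memory on WS-AU-17 are replayed to
    # other hosts, each new foothold is dumped in turn, until a domain admin
    # account opens the way towards the vault's gateway.
    ("2011-03-02T23:10:00", "WS-AU-17", "FILESRV-02", "jdoe"),
    ("2011-03-02T23:14:00", "WS-AU-17", "FILESRV-02", "svc-backup"),
    ("2011-03-02T23:15:00", "WS-AU-17", "PRINTSRV-01", "asmith"),
    ("2011-03-02T23:31:00", "FILESRV-02", "ADMIN-WS-01", "svc-backup"),
    ("2011-03-02T23:52:00", "ADMIN-WS-01", "DC-01", "da-rlee"),
    ("2011-03-03T00:05:00", "DC-01", "VAULT-GW-01", "da-rlee"),
]


def parse(events):
    """Sort events by time and convert timestamps to datetime."""
    return sorted(((datetime.fromisoformat(t), src, dst, acct) for t, src, dst, acct in events),
                  key=lambda e: e[0])


def novel_credential_fanout(events, cutoff, threshold=2):
    """Source hosts that, after `cutoff`, originate logons with at least `threshold`
    (account, destination) pairs never seen from that host during the baseline.
    A workstation suddenly talking to new hosts as accounts it never used before
    is the signature of replaying credentials dumped from its memory."""
    cutoff = datetime.fromisoformat(cutoff)
    evs = parse(events)
    baseline = {(src, acct, dst) for t, src, dst, acct in evs if t < cutoff}
    novel = defaultdict(set)
    for t, src, dst, acct in evs:
        if t >= cutoff and (src, acct, dst) not in baseline:
            novel[src].add((acct, dst))
    return {src: sorted(pairs) for src, pairs in novel.items() if len(pairs) >= threshold}


def hop_chains(events, max_gap_minutes=60, min_hops=3):
    """Chains of logons A->B, B->C, C->D ... where each hop leaves the host the
    previous hop landed on within `max_gap_minutes`. Returns maximal chains with
    at least `min_hops` hops as lists of (source, account, destination)."""
    evs = parse(events)
    gap = timedelta(minutes=max_gap_minutes)
    by_src = defaultdict(list)
    for e in evs:
        by_src[e[1]].append(e)
    found = []

    def extend(chain):
        last = chain[-1]
        visited = {hop[1] for hop in chain}          # hosts already used as a source: no cycles
        extended = False
        for nxt in by_src[last[2]]:
            if last[0] < nxt[0] <= last[0] + gap and nxt[2] not in visited:
                extend(chain + [nxt])
                extended = True
        if not extended and len(chain) >= min_hops:
            found.append([(src, acct, dst) for _, src, dst, acct in chain])

    for e in evs:
        extend([e])
    # Drop chains that are merely the tail of a longer chain already reported.
    return [c for c in found
            if not any(len(d) > len(c) and d[-len(c):] == c for d in found)]


if __name__ == "__main__":
    print("hosts replaying new credentials:", novel_credential_fanout(EVENTS, "2011-03-01T00:00:00"))
    for chain in hop_chains(EVENTS):
        print(" -> ".join(f"{src}[{acct}]" for src, acct, _ in chain), "->", chain[-1][2])
```

Two chains are reported for the sample data because the attackers reached the file server twice from the first workstation, once as the legitimate user and once as a harvested service account; a real hunt would merge such variants, but keeping them apart shows which stolen credential made each hop.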



Typically such intrusions are discovered months after the attackers have left. But the 2011 breach was different: within days the investigators had effectively caught up with the attackers and were watching them work. "They tried to break into a system, we found them a minute or two later, and then the system was shut down completely or access to it was cut off," says Duane. "We fought like wild beasts, in real time."



It was in the midst of this feverish fight that Leetham caught the attackers stealing seeds from the central vault, which had evidently been their top priority all along. Instead of the usual connection every 15 minutes, Leetham saw thousands of continuous requests per second in the logs. The attackers were pulling seeds not from one but from three compromised servers, relaying the requests through another connected machine. They split the seed collection into three parts, moved them to the remote Rackspace server and reassembled them there into a complete copy of RSA's repository database. "I thought, this is fucking awesome," says Leetham. "I kind of admired it. But at the same time I realized we were in complete shit."
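The vault's normal traffic pattern (one known client every 15 minutes) is so regular that the theft described above stands out on two axes at once: who is asking and how often. The following is an added example, not RSA's code or logs: it builds a constructed vault access log in which a single distribution host polls on schedule and then three other servers hammer the vault within one minute (scaled down to a few hundred requests per host), flags the unknown clients and the burst, and separately checks a constructed set of outbound flows against an egress allowlist so that the FTP transfer to an outside host is reported. Host names, the allowlisted address, the port and the factor of 50 are assumptions for the sample.

```python
import ipaddress
from collections import Counter

# Constructed seed-vault access log: (ISO time, client host, records returned).
# Normal behaviour is a single distribution host polling every 15 minutes for a
# small batch; the burst at 22:03 mimics the intrusion described above, scaled
# down to a few hundred requests per host per minute. Added example data, not RSA's logs.
VAULT_LOG = [("2011-03-02T%02d:%02d:00" % (h, m), "SEEDDIST-01", 40)
             for h in range(22) for m in (0, 15, 30, 45)]
VAULT_LOG.append(("2011-03-02T22:00:00", "SEEDDIST-01", 40))      # one more ordinary poll
for host in ("APP-07", "WEB-03", "DB-11"):                           # three compromised servers
    VAULT_LOG += [("2011-03-02T22:03:%02d" % (i // 7), host, 1) for i in range(400)]

# Constructed egress policy for the vault: the only permitted outbound connection is
# to the distribution host (hypothetical address) on 443. Everything else is a violation.
EGRESS_POLICY = {"VAULT-01": [("10.10.0.5/32", 443)]}
FLOWS = [   # (time, source host, destination IP, destination port, bytes out); constructed
    ("2011-03-02T22:05:00", "VAULT-01", "10.10.0.5", 443, 20_000),
    ("2011-03-02T22:07:00", "VAULT-01", "203.0.113.40", 21, 512_000_000),   # FTP to an outside host
]


def vault_anomalies(log, cutoff, factor=50):
    """Compare activity at/after `cutoff` with the baseline before it: clients that
    never appeared in the baseline, minutes whose request count exceeds the busiest
    baseline minute by more than `factor`, and the volume of records handed out.
    ISO-8601 timestamps of equal format compare correctly as strings."""
    baseline_clients = {client for t, client, _ in log if t < cutoff}
    baseline_minutes = Counter(t[:16] for t, _, _ in log if t < cutoff)
    threshold = max(baseline_minutes.values()) * factor
    minutes = Counter(t[:16] for t, _, _ in log if t >= cutoff)
    return {
        "unknown_clients": {client for t, client, _ in log if t >= cutoff} - baseline_clients,
        "burst_minutes": sorted((m, n) for m, n in minutes.items() if n > threshold),
        "records_after_cutoff": sum(n for t, _, n in log if t >= cutoff),
    }


def egress_violations(flows, policy):
    """Flows whose (destination, port) is not on the source host's allowlist."""
    violations = []
    for flow in flows:
        _, src, dst, port, _ = flow
        allowed = any(port == p and ipaddress.ip_address(dst) in ipaddress.ip_network(net)
                      for net, p in policy.get(src, []))
        if not allowed:
            violations.append(flow)
    return violations


if __name__ == "__main__":
    report = vault_anomalies(VAULT_LOG, "2011-03-02T22:00:00")
    print("unknown clients:", sorted(report["unknown_clients"]))
    print("burst minutes:", report["burst_minutes"])
    print("records handed out since cutoff:", report["records_after_cutoff"])
    for flow in egress_violations(FLOWS, EGRESS_POLICY):
        print("egress violation:", flow)
```

The egress check is the enforcement side of Duane's later advice to isolate the most valuable data: a vault that is only ever allowed to talk to one distribution host cannot push a .rar to a cloud server over FTP, whatever credentials the attacker has harvested inside the perimeter.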



When it dawned on Leetham that the seed collection had been copied, after his belated attempt to delete the file from the server, the enormity of it hit him: he genuinely thought RSA was finished.



Panic



Late that night the security team learned that the vault had been looted. Bill Duane made the call to physically disconnect as many network links as necessary to limit the damage and stop any further theft. They hoped to protect the customer records that map specific seeds to customers and tokens, and to prevent theft of the private key needed to decrypt the seeds. Duane and a manager went into the data center and began pulling Ethernet cables one by one, taking down every server and even the company's website. "I actually shut down RSA's business," he says. "I crippled the company to stop any potential further data release."



The next day RSA CEO Art Coviello publicly announced that the company had been breached. The scale of the intrusion grew as more details came out. At first it was not known that the SecurID seed store had been compromised, but once that was established management had to decide what to do. Some advised hiding the fact from customers (among them intelligence agencies and the US army). In the end they decided to disclose it: to call every customer personally and replace all of the more than 40 million tokens in circulation. But RSA had nowhere near that many tokens on hand. It would be weeks before production could resume, and then only in smaller quantities.



A team of almost 90 RSA employees took over a conference room and began weeks of calls to every customer. They worked from a script, walking customers through protective measures such as adding or lengthening the PIN that forms part of the SecurID login, so that a stolen seed alone would not be enough to reproduce a passcode. Customers often started yelling, recalls David Castignola, RSA's former head of North American sales. Each of them made a hundred of these calls, senior executives and management included, because the customers were too important to hand off.



Meanwhile paranoia spread through the company. Castignola recalls walking past a small network equipment room on the first night and seeing an absurd number of people come out of it, far more than he thought could fit inside. "Who are these people?" he asked another executive standing nearby. "That's the government," came the vague reply.



By then the NSA and FBI had in fact already sent people to investigate, as had the defense contractor Northrop Grumman and the incident response company Mandiant (by coincidence, Mandiant staff were already on site when the break-in happened, installing security sensors on RSA's network).



RSA staff took drastic measures. Worried that the phone system might be compromised, the company switched carriers from AT&T to Verizon. Executives did not trust even the new phones, holding meetings face to face and handing around paper copies of documents. The FBI, fearing a mole inside RSA given the attackers' apparent knowledge of the company's systems, began running background checks on all employees.



Some executive offices and conference rooms were lined with brown paper to stop hypothetical spies in the surrounding woods from eavesdropping with laser microphones, much like today's Havana Syndrome hysteria. The building was swept for bugs. A few were indeed found in executives' offices, although some were so old that their batteries were dead, and it was never clear whether they had anything to do with the incident.



Meanwhile RSA's security team and the outside specialists brought in to help began, as they put it, "tearing the building down to the ground". Disks were wiped on every machine the attackers had touched, and even on neighboring ones. "We physically went to everything, and if the hackers had been on a computer, we wiped it," says Sam Curry, RSA's former chief security officer. "If you lost your data, that's a pity."



Second wave



In late May 2011, roughly two months after the incident was announced, RSA was still recovering and apologizing to customers. Then the second wave hit.



Influential tech columnist Robert X. Cringely published rumors that a major defense contractor had been breached through compromised SecurID tokens, and that all of the company's employees had to have their tokens replaced.



Two days later Reuters named the breached contractor: Lockheed Martin, a gold mine for industrial espionage.





Lockheed Martin F-35 Lightning II Fifth Generation Multipurpose Fighter-Bomber



In the days that followed, news reports named the defense contractors Northrop Grumman and L-3 Communications as well and mentioned attackers armed with SecurID seeds, although nobody offered concrete evidence, for obvious reasons given that these are military contractors (see the top 100 contractors of the US government).



Nevertheless, in June 2011 RSA's chief executive acknowledged that the stolen seeds had indeed been used in the attack on Lockheed Martin. Ten years later he has walked that back: former company executives now say that the use of RSA's seeds was never proven.



Yet in 2013, at the Kaspersky Security Analyst Summit in Puerto Rico, Lockheed Martin representatives described in detail how the attackers used SecurID seeds as a stepping stone into the network.



A Lockheed Martin source now confirms the findings of that investigation. According to him, the company watched attackers enter valid SecurID codes in real time while the legitimate users still had their tokens. After those tokens were replaced, the attackers kept entering codes derived from the old ones, and the codes failed.



The NSA, for its part, has never really questioned RSA's role in the subsequent breaches. At a Senate Armed Services Committee hearing a year after the breach, NSA director General Keith Alexander said the RSA hack "led to at least one US defense contractor being victimized by actors wielding counterfeit credentials," and that the Department of Defense had been forced to replace every RSA token it used.



When APT1's involvement came out, Bill Duane printed a photograph of its Shanghai headquarters and pinned it to the dartboard in his office.



Duane left RSA in 2015 after more than 20 years at the company. Wired's Andy Greenberg asked him when the RSA hack really ended: after the servers were shut down in the data center? Or when the NSA, the FBI, Mandiant and Northrop finished their investigation and left? The engineer replied: "We believed the attack was never over. We knew they had left behind backdoors and would be able to get back into the network whenever they wanted."



Duane's and RSA's bitter experience should teach all of us that "every network is dirty," as he puts it. He now advises companies to segment their systems and isolate their most valuable data so that it is out of reach even for an adversary who has already breached the perimeter.



As for Todd Leetham, he has watched the SolarWinds fiasco over the past six months with a dark sense of déjà vu. He draws sharper conclusions from the RSA story than his colleague does. In his view it was rare evidence of how fragile the global information security system is: "It's a house of cards before the tornado hits," he says.



SolarWinds, he argues, showed how unreliable that structure remains. For Leetham, the security world blindly trusted something that sat outside its threat model; nobody imagined that the adversary could compromise it. And once again the adversary pulled out a card at the very base of the house, one that everyone had assumed was solid ground.


