Inside the 2011 RSA Breach

Andy Greenberg, Wired:

For those with a longer memory, though, the RSA breach was the original massive supply chain attack. State cyberspies—who were later revealed to be working in the service of China’s People’s Liberation Army—penetrated infrastructure relied on across the globe to protect the internet. And in doing so, they pulled the rug out from under the entire world’s model of digital security. “It opened my eyes to supply chain attacks,” says Mikko Hypponen, chief research officer at F-Secure, who worked with Hirvonen on the company’s analysis of the RSA breach. “It changed my view of the world: the fact that, if you can’t break into your target, you find the technology that they use and break in there instead.”

In the decade that followed, many key RSA executives involved in the company’s breach have held their silence, bound by 10-year nondisclosure agreements. Now those agreements have expired, allowing them to tell me their stories in new detail. Their accounts capture the experience of being targeted by sophisticated state hackers who patiently and persistently take on their most high-value networked targets on a global scale, where an adversary sometimes understands the interdependencies of its victims’ systems better than victims do themselves, and is willing to exploit those hidden relationships.

There are two things this article illustrated for me. The first is that it was relatively easy for RSA to trace the attack as it happened on its own network, no doubt due to some excellent design decisions.

The second is how difficult it can be to accurately attribute security breaches. Greenberg relays the story of how the NSA and Lockheed Martin claimed that RSA’s stolen seeds were used by Chinese intelligence agencies to infiltrate U.S. defence contractors. At the time, RSA acknowledged that this breach may have been responsible, but former RSA executives now dispute that, pointing to a lack of evidence. While it is easy to assume that people closely associated with RSA are going to defend the company, we should also be cautious in assuming that U.S. intelligence and these contractors are telling the truth. Unfortunately, there is still little public evidence either way. That is not to say that there are two equally-valid theories; we just do not yet know what the truth is.