This is the second installment of a multi-part series examining the tools and tactics used by attackers in the RSA breach and other recent network intrusions characterized as “ultra-sophisticated” and “advanced persistent threats.” If you missed the first piece, please check out Advanced Persistent Tweets: Zero-Day in 140 Characters.
The recent data breach at security industry giant RSA was disconcerting news to the security community: RSA claims to be “the premier provider of security, risk, and compliance solutions for business acceleration” and the “chosen security partner of more than 90 percent of the Fortune 500.”
The hackers who broke into RSA appear to have leveraged some of the very same Web sites, tools and services used in that attack to infiltrate dozens of other companies during the past year, including some of the Fortune 500 companies protected by RSA, new information suggests. What’s more, the assailants moved their operations from those sites very recently, after their locations were revealed in a report published online by the U.S. Computer Emergency Readiness Team (US-CERT), a division of the U.S. Department of Homeland Security.
In RSA’s explanation of the attack, it pointed to three domains that it claimed were used to download malicious software and to siphon sensitive data taken from its internal networks: Good[DOT]mincesur[DOT]com, up82673[DOT]hopto[DOT]org and www[DOT]cz88[DOT]net. But according to interviews with several security experts who keep a close eye on these domains, the Web sites in question weren’t merely one-time attack staging grounds: They had earned a reputation as launch pads for the same kind of attacks over at least a 12 month period prior to the RSA breach disclosure.
What’s more, the same domains were sending and receiving Internet connections from dozens of Fortune 500 companies during that time, according to Atlanta-based Damballa, a company that mines data about malware attacks using a network of sensors deployed at Internet service providers and large enterprises around the world. Damballa monitors the domain name system (DNS) servers at those networks, looking for traffic between known good hosts and known or suspected hostile locations.
Gunter Ollmann, Damballa’s vice president of research, said that for more than a year his company has been monitoring the three malicious sites that RSA said were involved in the theft of its intellectual property, and that many other major companies have had extensive communications with those hostile domains during that time. He added that his company is not in a position to name the other companies impacted by the breach, and that Damballa is helping federal authorities with ongoing investigations.
“There is lots of malware that have relied on those domains for command and control,” Ollmann said. “We know who the victims are, roughly how many devices within those victim organizations were compromised, and are still compromised. RSA was not the only victim of these attacks.”
RSA said attackers stole information related to its SecurID two-factor authentication products. The company has kept mum on what exactly was taken, and it remains unclear how much sensitive data was swiped from other organizations compromised by the same infrastructure used to attack RSA.
But the methods used in the intrusions — which began with the targeted exploitation of previously undocumented “zero-day” security flaws — bear the signature of those chronicled in a series of recently leaked U.S. State Department cables. Those communiques detail more than a half-decade worth of incessant and sophisticated cyber attacks attributed to Chinese state-sponsored efforts to extract commercial and national security secrets from the U.S. government and private sector.
The apparent compromise of so many organizations at the hands of an adversary that launched one attack after another from the same infrastructure raises the question: If these domains were known to be so bad for so long, how could so many organizations — including those that specialize in providing Internet security services — have failed to simply block all communications to and from those malicious sites?
“In this case, the malware and their associated domains were known about for a very long time,” Ollmann said. “There is no excuse for organizations not blocking [access to] those sites and communications channels.”
Timely information sharing about new, sophisticated cyber threats has been and remains a major weak spot for both the government and the private sector. Part of problem, experts say, is that some victim organizations aren’t aware of systemic compromises on their networks until they are alerted months later by law enforcement officials. By that time, attackers will have had ample time to move laterally through the target’s network and steal intellectual property and other proprietary data. Other victims may merely be afraid that sharing information about such attacks could lead to the requirement for public acknowledgment of a security breach.
“What a lot of people need to understand is that there is a concerted and organized national level strategy being orchestrated against our country and others,” said one security expert who has helped a number of organizations respond to these sophisticated attacks, but who spoke on condition of anonymity because he was not authorized to speak to the press. “Not many security companies out there are highly focused on this threat. We’re at risk of being completely overwhelmed and outmatched [if we don't] work together in a collective defense.”