David Heath
Monday, 31 October 2011 09:02
In March this year, RSA was the victim of a relatively stealthy attack which appeared to have breached its proprietary secure token systems - the so-called key-fobs. Unfortunately, they were not the only ones hit by the same attackers.
A few days ago, well-known security writer Brian Krebs posted a list of over 760 organisations that appear to have a close victim relationship with the RSA attack.
As Krebs makes very clear, these organisations may or may not have been infiltrated by the attackers, but they are clearly showing the effects of being infiltrated.
The list shows those organisations which have made contact with one of the many command-and-control (C&C) servers associated with the attack. Readers should also be reminded that many of the listed organisations are ISPs (who may have had affected customers) or AV organisations (who clearly have an interest in testing these C&C servers). Approximately 20% of the Fortune 500 companies are in the list.
Many commenters on both Krebs' blog and other summaries have complained that, without knowing the source of the list (which Krebs claims not to be at liberty to disclose), there is doubt as to its veracity.
However, in the security arena, pearls such as this are always at the flimsy end of the spectrum. Too many people and organisations are overly protective of their security, and any facts related to gaps in such security, particularly as they relate to shareholder value and public image, are tightly controlled. Alternatively, knowing the source might also expose the method of obtaining the list.
So, who was behind this attack?