Security giant RSA has confirmed that hackers leveraged stolen information about its SecurID two-factor authentication offerings in a recent attack on U.S. defense contractor Lockheed Martin.
In an open letter to customers on Monday, RSA President Art Coviello said the company would offer other customers the option to replace their SecurID tokens in light of the Lockheed attack. Lockheed has stated that the incident, disclosed late last month, was thwarted, though security experts remain skeptical as to whether the firm has disclosed the true extent of the infiltration.
The attack on Lockheed’s network was the only confirmed use of extracted SecurID product information to date, Coviello wrote in the letter. However, other defense contractors, such as L-3, reportedly have been hit by attackers armed with the stolen data.
Rick Moy, president of NSS Labs, which tests network security products, told SCMagazineUS.com on Tuesday that there will likely be additional disclosures from other affected RSA customers, though he could not confirm any such cases.
“We are expecting others to come forward based on off-the-record comments,” he said. “It’s odd that [Lockheed] was the only company breached. If you spend all the effort to get that [SecurID] data, I would think you’d want to maximize the use of it if you’re a cybercriminal.”
In March, RSA revealed that sophisticated hackers launched a spear phishing attack that exploited an Adobe Flash zero-day vulnerability to successfully infiltrate its systems and steal information related to its SecurID products.
Such products include hardware token authenticators, software authenticators, authentication agents and appliances. Millions of customers worldwide use SecurID to protect access to sensitive assets, such as web servers, email clients and VPNs.
At the time of the breach, RSA warned customers that the stolen information may teach attackers how to circumvent its security offerings, but provided few details about the extent of the damage. Many have criticized RSA in light of the breach for failing to publicly disclose exactly how its SecurID system is affected and whether the stolen information could allow attackers to generate valid token values.
In the letter released Monday, Coviello said the perpetrators most likely targeted SecurID data as part of a broader scheme to steal defense secrets and related intellectual property, rather than financial or personally identifiable information.
“It is important for customers to understand that the attack on Lockheed Martin does not reflect a new threat or vulnerability in RSA SecurID technology,” Coviello wrote.
Since the breach, RSA has been quietly working with government agencies and defense firms to replace their tokens as a precautionary measure, he admitted.
The security firm is now offering to replace the SecurID tokens for customers “with concentrated user bases typically focused on protecting intellectual property and corporate networks,” the letter states. In addition, RSA has offered to implement risk-based authentication strategies for firms “typically focused on protecting web-based financial transactions.”
NSS Labs’ Moy criticized RSA for being vague about which customers’ tokens it would replace, noting that the company has reserved for itself the decision as to which firms are most at risk.
“I applaud them for replacing tokens, but it seems late in the game,” he said. “It would have been better for their customers and reputation to be more proactive two months ago.”