IMF May Be Latest Victim of RSA SecurID Hack

Monday, June 13, 2011

The recent incidents at Lockheed Martin, L-3 Communications and Northrop Grumman appear to originate from a breach in which data was stolen related to RSA’s SecurID two-factor authentication devices.

Now it looks as if the International Monetary Fund (IMF) could be the latest victim of the RSA SecurID breach that occurred last March. Reports indicate that the IMF detected an unauthorized network intrusion that has been traced to a single infected machine that was used to access sensitive data.

UPDATED: While there is no direct confirmation that the IMF breach is related to the SecurID breach, ThreatPost reports that "the organization is also a user of RSA's SecurID tokens and informed employees on June 8 that it would be replacing their tokens following the security breach at RSA."

"It appears as though there are still dozens of similar yet still undisclosed breaches that have taken place in the U.S. government and defense domain during the same time frame. My guess is that it is the same set of bad actors who are behind the attacks focused on military, government and economic intelligence," said Gartner's Avivah Litan.

"Of course, no one knows who the attackers are, and some seem to think they may be government agents. It seems more likely that they may be highly unethical individuals and contractors using these attacks for financial gain as they compete for business in seemingly legitimate ways," says Litan.

Few details have been released about the breach, but early analysis indicates the IMF may have succumbed to a targeted spear-phishing attack, a necessary step for the attackers to harvest an employee's SecurID password for use in conjunction with a stolen RSA security token.

RSA, the security division of EMC, announced in mid-March that it had suffered a breach stemming from an attack on its network systems that targeted proprietary information about the company's SecurID product.

SecurID is a product designed to prevent unauthorized access to enterprise network systems, and exposure of proprietary information about the product could in turn make RSA's clients more vulnerable to hacks themselves.

RSA's customers include government, military, financial, enterprise, healthcare and insurance companies.

In late May, defense contractor Lockheed disabled its employees' remote access privileges while the company reissued SecurID tokens to all telecommuting workers, and required all employees with network access to change their passwords, after detecting unauthorized access attempts.

Shortly thereafter, defense contractor Northrop Grumman also reportedly disabled remote access to company networks, and L-3 Communications reported that it had suffered a network breach stemming from cloned RSA SecurID tokens.

RSA said Lockheed planned to continue using the SecurID tokens, but security experts believe RSA’s reputation has been damaged. Many of RSA’s 25,000 customers could face difficult decisions about what to do next, according to the New York Times.

Lockheed announced it is replacing 45,000 SecurID tokens held by remote workers. Lockheed says it is adding a further step to the sign-on process and all users will change their passwords.

Some security experts are openly speculating that China may be responsible for the RSA SecurID breach, as well as being behind the unauthorized network access events at the U.S. defense contractors, and now the IMF.

Lawrence Pingree: Um... it's clear this is unrelated to RSA. I'm curious how that connection is even suggested based on what we know so far. Sure, a spear-phishing attack "could" be used to gain access to SecurID data, but that doesn't necessarily mean that was the target data. A further examination of network traffic and the code installed on the internal machine would aid a determination of the real data breached. It would certainly be a criminal case and must be investigated.

Anthony M. Freed: Lawrence - thanks for the comment. I updated the post with a report from ThreatPost that indicates the IMF uses the SecurID product and is reissuing tokens. Given the limited information available on the IMF breach, I agree that it may not be SecurID related. Given the timing of the IMF breach and Litan's suggestion that all of the recent events (Lockheed, L3, Northrop, etc...) may be connected to one another, it may turn out that IMF is also amongst that group. The article is meant to be speculative based on available evidence, but was not meant to be declarative.