RSA SecurID hack originated in China, says researcher

Security certificate breach data sent to servers at Chinese ISPs

The breach of RSA, the security division of EMC, last spring, in which sensitive information related to RSA SecurID tokens was stolen, can be traced back to an attack originating in China, a security researcher strongly believes, based on a close look at malware associated with the RSA breach.

Joe Stewart, director of malware research for Dell SecureWorks, says his conclusion is based on his work on a project to classify 60 different families of custom malware that have been used in the type of cyber-espionage attack often referred to today as an "advanced persistent threat (APT)."

The definition of APT can vary, but to Stewart it means cyber-espionage activity targeted at government or industry.


Two malware components known to have been used in the RSA breach are based on a common hacker tool called "HTran" that can disguise the location of command-and-control servers used to siphon sensitive stolen data back to the attackers. When installed on a target host (often a hacked third-party server), the HTran malware bounces incoming connections on to the more concealed command-and-control server operated by the attacker.

The HTran malware tool was originally written by the well-known Chinese hacker with the handle 'lion', who reportedly founded the Honker Union of China, a nationalist hacking group in the People's Republic of China.

HTran is currently used to conceal the IP address of the hacker's intended network destination. But in his research, Stewart says he has found that HTran emits error messages that reveal the true IP address of the attacker's hidden command-and-control servers.
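The leak Stewart describes is a generic failure mode of connection relays: when the relay cannot reach its real backend, it reports the failure, and if that report names the backend and is written into the connection it received, the hidden server's address ends up in traffic a defender can capture. The following is an added example (not code from the article or from Dell SecureWorks) showing how an analyst could sweep captured payloads for such a leak and recover the backend address. The article does not quote HTran's actual error text, so the `LEAK_PATTERN` regex, the `Flow` record layout and all sample payloads are constructed assumptions; the pattern would need to be tuned against real samples.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical relay error pattern (assumption: the real HTran string is not
# quoted in the article). It models a relay writing "connection to <ip>:<port>
# error" back into the inbound connection when its backend is unreachable.
LEAK_PATTERN = re.compile(
    rb"connect(?:ion)? to (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5}) (?:error|failed)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Flow:
    """One captured payload: src is the host that sent it (suspected relay)."""
    src: str
    dst: str
    payload: bytes


@dataclass(frozen=True)
class Finding:
    relay: str        # the bounce host that produced the error
    backend_ip: str   # the address the relay was trying to reach
    backend_port: int


def extract_leaked_backend(payload: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) if the payload carries a relay error naming its backend.

    Candidates that are not a valid IPv4 address or TCP port are rejected so a
    regex false positive cannot produce a bogus lead.
    """
    match = LEAK_PATTERN.search(payload)
    if match is None:
        return None
    ip_text = match.group("ip").decode("ascii")
    port = int(match.group("port"))
    try:
        ipaddress.IPv4Address(ip_text)
    except ValueError:
        return None
    if not 0 < port <= 65535:
        return None
    return ip_text, port


def scan_flows(flows: List[Flow]) -> List[Finding]:
    """Sweep captured flows and report every relay that leaked its backend."""
    findings: List[Finding] = []
    for flow in flows:
        hit = extract_leaked_backend(flow.payload)
        if hit is not None:
            findings.append(Finding(flow.src, hit[0], hit[1]))
    return findings


# Constructed sample traffic (documentation address ranges, not real hosts):
# a leaking relay, an ordinary HTTP reply, and a malformed IP that the
# validation step must reject.
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "192.0.2.10",
         b"[SERVER]connection to 198.51.100.23:443 error\r\n"),
    Flow("203.0.113.8", "192.0.2.10",
         b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
    Flow("203.0.113.9", "192.0.2.10",
         b"connection to 999.1.1.1:80 error\r\n"),
]


if __name__ == "__main__":
    for finding in scan_flows(SAMPLE_FLOWS):
        print(f"relay {finding.relay} leaked backend "
              f"{finding.backend_ip}:{finding.backend_port}")
```

The same `extract_leaked_backend` check can be applied to the reply stream of any suspected bounce host in a packet capture; a hit gives the analyst the next hop to pivot on, which is exactly the attribution step the article says the error messages make possible.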

China link

In the case of the RSA breach, based on related samples analysed by Stewart that use command-and-control components disclosed by CERT, two of the HTran malware components were redirecting traffic to just a few networks in mainland China, Stewart says. These appear to be ISPs in Beijing and Shanghai, including China Unicom, the state-owned telecommunications carrier.

The Dell SecureWorks report notes, "It's not surprising that hackers using a Chinese hacking tool might be operating from IP addresses in the PRC. Most of the Chinese destination IPs belong to large ISPs, making further attribution of the hacking activity difficult or impossible without the cooperation of the PRC government."

Stewart points out that hackers who have been using HTran to hit RSA and likely other targets will certainly want to change the HTran system, as these attackers realise it's known how to trace IP addresses through HTran error messages.

SecureWorks is releasing not only details of its findings in a report, but also Snort-based signatures for general use in detecting this APT trojan. SecureWorks says its own service for customers uses this type of defence to detect and block the APT malware it has identified.

The APT attack against RSA has been costly to the company, with EMC recently disclosing that it had taken a $66 million charge to cover costs associated with coping with the breach of last March in which sensitive information about SecurID was stolen.

Another security firm, McAfee, also released a report on the topic of APT this week. In the report, entitled "Operation Shady RAT," McAfee alleges that more than 70 corporations and government organisations have suffered cyber-espionage intrusions since 2006, though it did not name a source of these attacks.
