A massive cyberattack that led to a vulnerability in RSA’s SecurID tags earlier this year also victimized Google, Facebook, Microsoft and many other big-name companies, according to a new analysis released this week.
A list of 760 organizations that were attacked was presented to Congress recently and published by security analyst Brian Krebs on his blog Monday.
The list is the first glimpse into the pervasiveness of the attack that brought RSA to its knees. Those in the security industry have long suspected that RSA was not the hack’s only victim, but no other companies have been willing to talk publicly about whether they had also been compromised.
The names mentioned on Krebs’ list include about a fifth of the Fortune 100, as well as many other massive corporations.
Tech giants like Amazon (AMZN, Fortune 500), IBM (IBM, Fortune 500), Intel (INTC, Fortune 500), Yahoo (YHOO, Fortune 500), Cisco (CSCO, Fortune 500), Google (GOOG, Fortune 500), Facebook, and Microsoft (MSFT, Fortune 500) are also included, as well as government agencies like the European Space Agency, the IRS, and the General Services Administration. Government security contractor Northrop Grumman (NOC, Fortune 500) was on the list, as was MIT.
The list of affected companies was obtained from a breached “command and control” server, the name for a machine that hackers use to direct the fleets of compromised PCs that they have gained control over. Krebs said he wasn’t at liberty to reveal how that server was discovered or who analyzed the data.
The names came to light after researchers traced back the corporate networks that were communicating with the server that attacked RSA. The first victims started “phoning home” as early as November 2010, Krebs said.
But there’s a big caveat: As Krebs was quick to note, many Internet service providers were on the list, most likely because their subscribers were attacked using their networks, not because the companies themselves were compromised. That means that companies like Comcast (CMCSA, Fortune 500), Windstream (WIN), Verizon (VZ, Fortune 500), AT&T (T, Fortune 500) and Sprint (S, Fortune 500) may be off the hook.
But Google and Amazon, which host Domain Name System services to help people surf the Web, may also have made the list because of activity on their networks, not within their corporate walls. And some companies — especially security technology vendors like McAfee — could be named because they discovered the attack and intentionally compromised their own systems in an attempt to reverse-engineer the malware used in the hack.
One last footnote: It’s not clear how deeply the hackers were able to penetrate each compromised business’ systems. RSA got hammered — the attackers used the breach to plant malware that let them gain access to RSA’s systems — but other companies may have fended off the intrusion without any damage.
Microsoft, one of the few companies we contacted that was willing to talk on the record about the attack, said it has “not seen any evidence supporting the claim.” Wells Fargo also said it has “seen no evidence of attacks on our systems” associated with this exploit. Several other companies gave similar statements but asked not to be named in this story.
Still, experts say the revelation of the massive number of companies involved in the attack shouldn’t be taken lightly.
On his blog, Krebs noted that if this could happen to one of the largest and most integral security firms, organizations that aren’t focused on security had little hope of fending it off, let alone discovering it.
“If my blog post does anything, it’s to get people to pay attention to it,” Krebs told CNNMoney.
The sheer number of corporations mentioned in the list proves that no one is safe from attack.
“The only companies that haven’t been compromised in some way, shape, or form are either insanely small, lucky or secure,” said Dave Jevans, chairman of Ironkey, maker of a security-focused Web browser.
Hacks are almost a form of currency in the cybercrime economy. Hackers launch cyberattacks on as many victims as they can in order to sell their access to interested third parties.
For instance, a hack of MIT’s network may not be valuable to anyone right now. But if the university were to do something to rattle, say, Anonymous in a year or two, hacktivists could go on underground channels and attempt to buy access to MIT’s compromised systems.
RSA came forward in March and admitted that it had been hacked, even though it likely didn’t have to: regulations about public disclosure vary from state to state, and tend only to force companies to disclose hacks when customer data is revealed.
Companies don’t like admitting that they’ve been compromised, but the fact that no other company spoke up about this attack is not necessarily indicative of secrecy.
“I’m sure 90% of these companies are just finding out they’ve been hacked along with the rest of us,” Jevans said. “They don’t even know they’ve been penetrated.”
It’s not uncommon for companies to be unaware of attacks.
In August, McAfee uncovered a wide-ranging, global cyberattack that impacted 72 organizations. The security company noted that the attack had been going on, undetected, for five years. McAfee actually discovered the attack when the hackers finally made a mistake: They left logs of their attacks on a command and control server that McAfee uncovered in 2009.