A U.S. cyber security company charged with protecting computers for the U.S. government and thousands of private clients has itself been the target of a hacking attack, potentially compromising the security of software used by the Department of Defense and major defense contractor Lockheed Martin.
While the U.S. government has been aware of the attack and working with the company on plugging the security breach for more than a week, according to sources familiar with the investigation, it was only Thursday that Massachusetts-based company RSA alerted the public. RSA, the security division of EMC, claims over 25,000 clients and 40 million users of its security token technology worldwide.
"Recently our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA," said executive chairman Arthur Coviello in a statement posted on the company's website and in a filing to the SEC notifying shareholders of an adverse event. "Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products."
In addition to the U.S. government, according to its website, RSA SecurID customers include major American corporations, healthcare institutions and charities, as well as banks and institutions that cater to high net worth individuals, like Rolls Royce and Bentley Motors. The state of Kansas is also listed as a SecureID customer. Other RSA clients include the FBI, Northrop Grumman and German government.
"This is a very major security compromise that has possibly put at risk numerous sensitive government sites and private industry as well" said former U.S. National Security Advisor Richard Clarke, an ABC News consultant.
Coviello said that that while some information relating to RSA's token authentication system had been "extracted" by the intruders, RSA is "confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers."
Sources familiar with the investigation tell ABC News the company and the U.S. government have been working to try to determine the extent of the damage and to build a patch to plug the leak.
"Working with RSA, we are leveraging the technical, investigative, and mitigation expertise of U.S. government agencies to address this issue," Department of Homeland Security spokesperson Amy Kudwa said. "U.S. Government Agencies and Departments have been informed of this vulnerability and provided with mitigation measures, in coordination with RSA.
"With our partners in industry, the U.S. Government is working toward one goal: securing the networks and systems that are critical to the everyday functions of our society and economy."
In its statement Thursday, the company described the attack as an "extremely sophisticated" APT (Advanced Persistent Threat) attack, which cyber-experts say sounds similar to a 2009 attack on Google suspected to come from Chinese hackers.
"These hackers are not kids sitting in basements having fun," said Larry Clinton, President of the Internet Security Alliance. "An APT threat comes from highly organized, highly sophisticated, well-funded thieves. There is some evidence that this is state sponsored, and some attacks have come from China."
A company spokesman would not comment on reports of a delay in alerting the public, but in his online statement RSA executive chairman Coviello said, "We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our IT infrastructure".