That afternoon, Coviello printed an open letter to RSA’s prospects on the corporate’s web site. “Lately, our safety methods recognized a particularly refined cyberattack in progress,” the letter learn. “Whereas right now we’re assured that the data extracted doesn’t allow a profitable direct assault on any of our RSA SecurID prospects, this info may probably be used to cut back the effectiveness of a present two-factor authentication implementation as a part of a broader assault,” the letter continued—considerably downplaying the disaster.
In Bedford, Castignola was given a convention room and the authority to ask for as many volunteers from the corporate as he wanted. A rotating group of practically 90 staffers started the weeks-long, day-and-night technique of arranging one-on-one cellphone calls with each buyer. They labored from a script, strolling prospects via protecting measures like including or lengthening a PIN quantity as a part of their SecurID logins, to make them tougher for hackers to copy. Castignola remembers strolling down the halls of the constructing at 10 pm and listening to calls on speaker telephones behind each closed door. In lots of instances prospects had been shouting. Castignola, Curry, and Coviello every did a whole lot of these calls; Curry started to joke that his title was “chief apology officer.”
On the similar time, paranoia was starting to take maintain within the firm. The primary night time after the announcement, Castignola remembers strolling by a wiring closet and seeing an absurd variety of folks strolling out of it, way over he imagined may have ever match. “Who’re these folks?” he requested one other close by government. “That’s the federal government,” the chief responded vaguely.
In truth, by the point Castignola had landed in Massachusetts, each the NSA and the FBI had been referred to as to assist the corporate’s investigation, as had protection contractor Northrop Grumman and incident response agency Mandiant. (By probability, workers of Mandiant had already been on-site previous to the breach, putting in safety sensor gear on RSA’s community.)
RSA workers started to take drastic measures. Nervous that their cellphone system is perhaps compromised, the corporate switched carriers, shifting from AT&T to Verizon telephones. Executives, not trusting even the brand new telephones, held conferences in particular person and shared paper copies of paperwork. The FBI, fearing an confederate in RSA’s ranks due to the obvious degree of information the intruders appeared to have of firm methods, began doing background checks. “I made positive that each one members of the workforce—I do not care who they had been, what fame they’d—had been investigated, as a result of you must make certain,” Duane says.
The home windows of some executives’ places of work and convention rooms had been lined in layers of butcher paper, to stop laser microphone surveillance—a long-distance eavesdropping approach that picks up conversations from vibrations in window panes—by imagined spies within the surrounding woods. The constructing was swept for bugs. A number of executives insisted that they did discover hidden listening units—although some had been so previous that their batteries had been lifeless. It was by no means clear if these bugs had any relation to the breach.
In the meantime, RSA’s safety workforce and the investigators introduced in to assist had been “tearing the home right down to the studs,” as Curry put it. In each a part of the community that the hackers touched, he says, they scrubbed the contents of doubtless compromised machines—and even ones adjoining to them. “We bodily went round and, if there was a field they had been on, it received wiped,” Curry says. “For those who misplaced information, too dangerous.”