That afternoon, Coviello published an open letter to RSA’s customers on the company’s website. “Recently, our security systems identified an extremely sophisticated cyberattack in progress,” the letter read. “While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack,” the letter continued—somewhat downplaying the crisis.
In Bedford, Castignola was given a conference room and the authority to ask for as many volunteers from the company as he needed. A rotating group of nearly 90 staffers began the weeks-long, day-and-night process of arranging one-on-one phone calls with every customer. They worked from a script, walking customers through protective measures like adding or lengthening a PIN number as part of their SecurID logins, to make them harder for hackers to replicate. Castignola remembers walking down the halls of the building at 10 pm and hearing calls on speaker phones behind every closed door. In many cases customers were shouting. Castignola, Curry, and Coviello each did hundreds of those calls; Curry began to joke that his title was “chief apology officer.”
At the same time, paranoia was beginning to take hold in the company. The first night after the announcement, Castignola remembers walking by a wiring closet and seeing an absurd number of people walking out of it, far more than he imagined could have ever fit. “Who are those people?” he asked another nearby executive. “That’s the government,” the executive responded vaguely.
In fact, by the time Castignola had landed in Massachusetts, both the NSA and the FBI had been called to help the company’s investigation, as had defense contractor Northrup Grumman and incident response firm Mandiant. (By chance, employees of Mandiant had already been on-site prior to the breach, installing security sensor equipment on RSA’s network.)
RSA staff began to take drastic measures. Worried that their phone system might be compromised, the company switched carriers, moving from AT&T to Verizon phones. Executives, not trusting even the new phones, held meetings in person and shared paper copies of documents. The FBI, fearing an accomplice in RSA’s ranks because of the apparent level of knowledge the intruders seemed to have of company systems, started doing background checks. “I made sure that all members of the team—I don’t care who they were, what reputation they had—were investigated, because you have to be sure,” Duane says.
The windows of some executives’ offices and conference rooms were covered in layers of butcher paper, to prevent laser microphone surveillance—a long-distance eavesdropping technique that picks up conversations from vibrations in window panes—by imagined spies in the surrounding woods. The building was swept for bugs. Multiple executives insisted that they did find hidden listening devices—though some were so old that their batteries were dead. It was never clear if those bugs had any relation to the breach.
Meanwhile, RSA’s security team and the investigators brought in to help were “tearing the house down to the studs,” as Curry put it. In every part of the network that the hackers touched, he says, they scrubbed the contents of potentially compromised machines—and even ones adjacent to them. “We physically went around and, if there was a box they were on, it got wiped,” Curry says. “If you lost data, too bad.”