Found: the missing link in RSA SecurID hack
Security researchers have finally found the booby-trapped attachment that let hackers break into RSA, the intrusion that was later used against defence contractors Lockheed Martin and Northrop Grumman.
The malware has been the subject of the viral equivalent of a witch-hunt since the attacks, with security researchers unable to pin down the sample. It transpires, however, that the file had been lurking in the security industry's shared sample repository all along.
According to security firm F-Secure, the quest to identify the file that allowed access ended right beneath researchers’ noses. “We knew that the attack was launched with a targeted email to EMC employees (EMC owns RSA), and that the email contained an attachment called 2011 Recruitment plan.xls,” said the company’s chief research officer Mikko Hypponen on the company blog.
“Problem was, we didn’t have the file. It seemed like nobody did.”
According to Hypponen, colleagues spent months looking for the file and eventually wrote a data-analysis tool to search millions of known malware samples for XLS files containing embedded Flash objects. The match turned up inside an email message that had been submitted to VirusTotal, the sample repository shared among AV companies.
“So, we all had the file already. We just didn’t know we did, and we couldn’t find it amongst the millions of other samples,” Hypponen said.
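The hunt described above hinged on a structural property of the attachment rather than a hash nobody had: an Excel file carrying a Flash object. The script below is an added example written for this page, not F-Secure's tool; it scans raw bytes for the three SWF header signatures ("FWS", "CWS", "ZWS"), checks that each candidate header is plausible so that stray text does not trigger it, and flags a legacy OLE2 container (the .xls format) that contains one. The sample file it runs on is constructed inline and is not the real attachment.

```python
"""Triage helper: find Flash (SWF) objects embedded in legacy Excel files.

Added example, not part of the original article or F-Secure's tooling.
Real exploit documents store the SWF inside an OLE2 compound file; scanning
the raw bytes for SWF headers is a coarse, dependency-free first pass that
is cheap enough to run over millions of samples.
"""
import struct
import zlib

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc/.ppt container
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")               # uncompressed, zlib, LZMA
MAX_SWF_VERSION = 60                                 # generous upper bound (assumption)


def is_ole2(data: bytes) -> bool:
    """True for the binary compound-file container used by .xls."""
    return data[:8] == OLE2_MAGIC


def _plausible_swf(data: bytes, pos: int) -> bool:
    """Reject chance occurrences of FWS/CWS/ZWS in text or random bytes."""
    hdr = data[pos:pos + 8]
    if len(hdr) < 8:
        return False
    magic, version = hdr[:3], hdr[3]
    declared_len = struct.unpack("<I", hdr[4:8])[0]   # little-endian uncompressed length
    if not (1 <= version <= MAX_SWF_VERSION) or declared_len < 8:
        return False
    if magic == b"FWS":
        # Uncompressed: the declared length covers the whole file, so it must fit.
        return declared_len <= len(data) - pos
    if magic == b"CWS":
        # zlib body follows the 8-byte header; inflating the first chunk proves it.
        try:
            zlib.decompressobj().decompress(data[pos + 8:pos + 8 + 256])
            return True
        except zlib.error:
            return False
    # ZWS: a 4-byte compressed length precedes the LZMA properties.
    if len(data) < pos + 12:
        return False
    comp_len = struct.unpack("<I", data[pos + 8:pos + 12])[0]
    return 0 < comp_len <= len(data) - pos - 12


def find_embedded_swf(data: bytes) -> list:
    """Return every plausible SWF header found in `data`, ordered by offset."""
    hits = []
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            if _plausible_swf(data, pos):
                hits.append({
                    "offset": pos,
                    "kind": magic.decode(),
                    "version": data[pos + 3],
                    "declared_length": struct.unpack("<I", data[pos + 4:pos + 8])[0],
                })
            pos = data.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def triage(data: bytes) -> dict:
    """Verdict for one sample: an OLE2 container with a Flash object is suspicious."""
    swf = find_embedded_swf(data)
    return {"ole2": is_ole2(data), "swf_objects": swf,
            "suspicious": is_ole2(data) and bool(swf)}


def _build_sample() -> bytes:
    """Constructed test file: fake OLE2 header, a decoy 'FWS' in text, a real CWS header."""
    # Start of a minimal SWF body: RECT for 550x400, frame rate 12.0, one frame, padding.
    swf_body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x00" * 40
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(swf_body)) + zlib.compress(swf_body)
    return (OLE2_MAGIC + b"\x00" * 504                 # fake 512-byte OLE2 header sector
            + b"Sheet1 data ... FWS text here ..."    # decoy that must not be reported
            + swf + b"\x00" * 64)


SAMPLE_XLS = _build_sample()   # constructed sample, not the real attachment

if __name__ == "__main__":
    print(triage(SAMPLE_XLS))
```

The decoy "FWS" in the sheet text is discarded because its "length" field, read from the following characters, is larger than the file; only the genuine zlib-wrapped header survives the checks. On a real corpus this would be run over every sample whose first eight bytes match OLE2_MAGIC, and hits would then be handed to a proper OLE parser.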
According to F-Secure, the infection relied on classic social-engineering trickery to target individual users within the company. “It was an email that was spoofed to look like it was coming from recruiting website Beyond.com,” Hypponen said. “It had the subject ‘2011 Recruitment plan’ and one line of content: ‘I forward this file to you for review. Please open and view it.’ The message was sent to one EMC employee and cc’d to three others.”
Once the attachment was opened by an EMC employee, the embedded Flash object installed a remote-access backdoor, the research showed, giving the attacker full control of the infected workstation and of any network drives it could reach, which it is believed led to critical SecurID data.
Security experts believe the attack on RSA was a stepping stone that had to be completed in order to gain access to the Lockheed Martin and Northrop Grumman systems, which were protected by SecurID and were the real targets of the attacks.