
F-Secure identify spear phishing email that impacted RSA


The malicious file used in the March breach of RSA, which exposed seed data for its SecurID tokens, has been identified by F-Secure.

According to F-Secure, the file was an Excel spreadsheet called '2011 Recruitment Plan', discovered by labs analyst Timo Hirvonen five months after the incident. Chief research officer at F-Secure, Mikko Hypponen, said that Hirvonen had been searching F-Secure's tens of millions of malware samples for the specific file, without success until this week.

Hypponen said: “Timo wrote a data analysis tool that analysed samples for flash objects. We knew the XLS file in question used a Flash object to take over the system and the new tool located several relevant samples.

“However one of them was not an Excel file, it was an Outlook message file (MSG) and when Timo opened it up, he knew he was onto something. The message file turned out to be the original email that was sent to RSA on 3rd of March, complete with the attachment 2011 Recruitment plan.xls.”

F-Secure also said that it had obtained the email that had been sent to RSA: someone had uploaded the email and attachment to the VirusTotal online scanning service on 19th of March. The email was spoofed to appear to have come from a recruiting website. It had the subject ‘2011 Recruitment plan' and one line of text, which said: “I forward this file to you for review. Please open and view it.” F-Secure said that the message was sent to one EMC employee and cc'd to three others.

When opened, the attachment is a blank Excel spreadsheet with a boxed ‘X' in cell A1, which is an embedded Flash object that Excel executes. “The Flash object then uses the CVE-2011-0609 vulnerability to execute code and to drop a Poison Ivy backdoor to the system. The exploit code then closes Excel and the infection is over,” said Hypponen.

“After this, Poison Ivy connects back to its server. The domain has been used in similar espionage attacks over an extended period of time.”

Once the connection is made, the attacker has full remote access to the infected workstation and the network drives that the user can access.
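Hirvonen's approach of hunting through a sample corpus for files that carry a Flash object can be reproduced with a simple byte-level scanner. The script below is an added example written for this page; it is not F-Secure's tool and not code from the original article. It searches the raw bytes of any container (an .xls, an Outlook .msg, or anything else) for SWF headers, applies structural sanity checks so that a chance 'FWS' does not count as a hit, and runs over a constructed blob that embeds one uncompressed and one zlib-compressed SWF next to a decoy. The sample data, the version cap of 50 and the helper names are assumptions made for the example.

```python
import struct
import sys
import zlib

# A SWF file starts with a 3-byte signature, a 1-byte version and a 4-byte
# little-endian length of the uncompressed file. Only the body after this
# 8-byte header is compressed in the CWS (zlib) and ZWS (LZMA) variants.
SWF_SIGNATURES = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}


def _looks_like_swf(data, off, kind, version, declared_len, max_version):
    """Structural checks that reject a 3-byte signature occurring by chance."""
    if not 1 <= version <= max_version:
        return False
    if declared_len < 8:  # the header alone is 8 bytes
        return False
    remaining = len(data) - off
    if kind == "uncompressed":
        # the declared length covers the whole file, so it must fit the container
        return declared_len <= remaining
    if kind == "zlib":
        # the body must start with a valid zlib header (deflate method, FCHECK ok)
        hdr = data[off + 8:off + 10]
        if len(hdr) < 2 or hdr[0] & 0x0F != 8 or ((hdr[0] << 8) | hdr[1]) % 31:
            return False
        try:
            zlib.decompressobj().decompress(data[off + 8:off + 8 + 4096])
            return True
        except zlib.error:
            return False
    # lzma variant: a 4-byte compressed size and 5 bytes of LZMA properties follow
    return remaining >= 17


def find_swf_objects(data, max_version=50):
    """Return plausible SWF headers found anywhere in `data`, in offset order.

    `max_version` is an assumed cap that rejects headers with an implausible
    version byte.
    """
    hits = []
    for sig, kind in SWF_SIGNATURES.items():
        off = data.find(sig)
        while off != -1:
            if off + 8 <= len(data):
                version = data[off + 3]
                declared_len = struct.unpack_from("<I", data, off + 4)[0]
                if _looks_like_swf(data, off, kind, version, declared_len, max_version):
                    hits.append({"offset": off, "kind": kind,
                                 "version": version, "declared_len": declared_len})
            off = data.find(sig, off + 1)
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_container():
    """Constructed test blob, not a real sample: an OLE2 magic followed by
    filler, one uncompressed SWF, a decoy 'FWS' with an absurd version byte,
    and one zlib-compressed SWF."""
    body = b"\x00" * 200  # stand-in for SWF tags; the scanner never parses them
    fws = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + body
    cws = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    decoy = b"FWS" + bytes([200]) + struct.pack("<I", 8) + b"\x00" * 16
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    return ole_magic + b"A" * 96 + fws + b"B" * 50 + decoy + b"C" * 50 + cws + b"D" * 50


if __name__ == "__main__":
    # Scan files named on the command line, or the constructed blob if none given.
    targets = sys.argv[1:] or [None]
    for name in targets:
        data = open(name, "rb").read() if name else build_sample_container()
        for hit in find_swf_objects(data):
            print(f"{name or '<constructed sample>'}: {hit['kind']} SWF v{hit['version']} "
                  f"at offset {hit['offset']}, declared length {hit['declared_len']}")
```

A raw scan ignores the OLE2 container structure, so a header that straddles a sector boundary, or a Flash object inside a compressed attachment, will be missed; for real triage reassemble the streams first (olefile, or the oletools oleobj utility) and then scan, and treat a hit as a reason to extract and inspect the SWF rather than as a verdict on its own.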

F-Secure said that the attack email does not look too complicated; however, the exploit inside Excel was a zero-day at the time, so RSA could not have protected against it by patching its systems.

Hypponen also said that the email, the exploit and the backdoor were not in themselves advanced, yet the attacker's ultimate target was.

He said: “If somebody hacks a security vendor just to gain access to their customers systems, we'd say the attack is advanced, even if some of the interim steps weren't very complicated.”
