
F-Secure identify spear phishing email that impacted RSA


The malicious file that brought down RSA in March and breached the seed data of its SecurID tokens has been detected by F-Secure.

According to F-Secure, the file was an Excel spreadsheet called '2011 Recruitment Plan' and was discovered by labs analyst Timo Hirvonen five months after the incident. Chief research officer at F-Secure, Mikko Hypponen, said that Hirvonen had been searching the company's tens of millions of malware samples for the specific file and had been unsuccessful until this week.

Hypponen said: “Timo wrote a data analysis tool that analysed samples for flash objects. We knew the XLS file in question used a Flash object to take over the system and the new tool located several relevant samples.

“However one of them was not an Excel file, it was an Outlook message file (MSG) and when Timo opened it up, he knew he was onto something. The message file turned out to be the original email that was sent to RSA on 3rd of March, complete with the attachment 2011 Recruitment plan.xls.”

Hypponen also said that F-Secure had the email that had been sent to RSA, and that someone had uploaded the email and attachment to the VirusTotal online scanning service on 19th of March. The email was spoofed to appear to have come from a recruiting website. It had the subject '2011 Recruitment plan' and one line of text content, which said: “I forward this file to you for review. Please open and view it.” F-Secure said that the message was sent to one EMC employee and cc'd to three others.

When opened, the attachment is a blank Excel spreadsheet with a boxed ‘X' in the A1 window, which is an embedded Flash object that is executed by Excel. “The Flash object then uses the CVE-2011-0609 vulnerability to execute code and to drop a Poison Ivy backdoor to the system. The exploit code then closes Excel and the infection is over,” said Hypponen. 

“After this, Poison Ivy connects back to its server. The domain has been used in similar espionage attacks over an extended period of time.”

Once the connection is made, the attacker has full remote access to the infected workstation and the network drives that the user can access.
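The infection chain described above turns on a legacy Excel file carrying an embedded Flash object, and Hypponen says the sample was found with a tool that scanned for exactly that. The following is an added example, not F-Secure's tool or any code from the article, of the same kind of triage scan: it looks for SWF headers (the public 8-byte layout: FWS/CWS/ZWS signature, version byte, little-endian uncompressed length) inside a file and flags an OLE2 container (the legacy .xls format, identified by its published magic bytes) that embeds one. The sample documents are constructed in the block for illustration; the heuristic flags the presence of Flash, not the exploit itself.

```python
"""Triage scan for embedded Flash (SWF) objects in legacy Office files.

Added example; not F-Secure's analysis tool. Header layouts are the public
SWF and OLE2 (Compound File) formats. All sample bytes are constructed.
"""
import re
import struct
import zlib

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc container
# SWF header: 3-byte signature, 1-byte version, 4-byte LE uncompressed length
SWF_HEADER = re.compile(rb"(FWS|CWS|ZWS)([\x01-\x30])")


def find_embedded_swf(data):
    """Return a list of dicts describing plausible SWF headers found in data."""
    hits = []
    for m in SWF_HEADER.finditer(data):
        off = m.start()
        if off + 8 > len(data):
            continue
        sig = m.group(1).decode("ascii")
        version = m.group(2)[0]
        length = struct.unpack_from("<I", data, off + 4)[0]
        # Declared length is the uncompressed size; reject nonsense values
        if length < 8 or length > 64 * 1024 * 1024:
            continue
        # An uncompressed SWF cannot claim more bytes than remain in the file
        if sig == "FWS" and length > len(data) - off:
            continue
        # A CWS body must at least begin as a valid zlib stream
        if sig == "CWS":
            try:
                zlib.decompressobj().decompress(data[off + 8:off + 64])
            except zlib.error:
                continue
        hits.append({"offset": off, "signature": sig,
                     "version": version, "length": length})
    return hits


def is_ole2(data):
    """True when the file starts with the Compound File (OLE2) magic."""
    return data[:8] == OLE2_MAGIC


def assess(data):
    """Return (verdict, hits); 'suspicious' when an OLE2 document embeds Flash."""
    hits = find_embedded_swf(data)
    if is_ole2(data) and hits:
        return "suspicious", hits
    if hits:
        return "flash-present", hits
    return "clean", hits


# --- constructed samples (not real malware) -------------------------------
def make_swf(compressed=False):
    """Build a minimal SWF-shaped blob: header plus a dummy body."""
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x00" * 20
    total = 8 + len(body)
    if compressed:
        return b"CWS" + bytes([10]) + struct.pack("<I", total) + zlib.compress(body)
    return b"FWS" + bytes([10]) + struct.pack("<I", total) + body


def make_ole2_doc(payload=b""):
    """Stand-in OLE2 file: magic, zero-filled 512-byte header, filler, payload."""
    return OLE2_MAGIC + b"\x00" * 504 + b"A" * 128 + payload + b"\x00" * 64


if __name__ == "__main__":
    samples = [("plain doc", make_ole2_doc()),
               ("doc with FWS", make_ole2_doc(make_swf())),
               ("doc with CWS", make_ole2_doc(make_swf(compressed=True)))]
    for name, blob in samples:
        verdict, hits = assess(blob)
        print(f"{name}: {verdict} {hits}")
```

Run over a corpus, the scan is only a first filter: a hit says the document carries Flash, which is rare enough in recruitment spreadsheets to merit a sandbox run, but it does not by itself say which Flash vulnerability, if any, is being exploited.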

F-Secure said that the attack email does not look very complicated; however, the exploit inside the Excel file was a zero-day at the time, so RSA could not have protected against it by patching its systems.

Hypponen also acknowledged that the attack email, exploit and backdoor were not advanced, yet the ultimate target of the attacker was.

He said: “If somebody hacks a security vendor just to gain access to their customers' systems, we'd say the attack is advanced, even if some of the interim steps weren't very complicated.”
