
F-Secure identify spear phishing email that impacted RSA


The malicious file that brought down RSA in March and breached the seed data of its SecurID tokens has been detected by F-Secure.

According to F-Secure, the file was an Excel spreadsheet called '2011 Recruitment Plan' and was discovered by labs analyst Timo Hirvonen five months after the incident. Chief research officer at F-Secure, Mikko Hypponen, said that Hirvonen had been searching the company's tens of millions of malware samples for the specific file and had been unsuccessful until this week.

Hypponen said: “Timo wrote a data analysis tool that analysed samples for flash objects. We knew the XLS file in question used a Flash object to take over the system and the new tool located several relevant samples.

“However, one of them was not an Excel file; it was an Outlook message file (MSG), and when Timo opened it up, he knew he was onto something. The message file turned out to be the original email that was sent to RSA on the 3rd of March, complete with the attachment 2011 Recruitment plan.xls.”

Hypponen also said that F-Secure now had the email that had been sent to RSA. He said that someone had uploaded the email and attachment to the VirusTotal online scanning service on the 19th of March. The email was spoofed to appear to have come from the recruiting website Beyond.com. It had the subject ‘2011 Recruitment plan’ and one line of text content, which said: “I forward this file to you for review. Please open and view it.” F-Secure said that the message was sent to one EMC employee and cc'd to three others.

When opened, the attachment is a blank Excel spreadsheet with a boxed ‘X’ in cell A1, which is an embedded Flash object that is executed by Excel. “The Flash object then uses the CVE-2011-0609 vulnerability to execute code and to drop a Poison Ivy backdoor to the system. The exploit code then closes Excel and the infection is over,” said Hypponen.

“After this, Poison Ivy connects back to its server at good.mincesur.com. The domain mincesur.com has been used in similar espionage attacks over an extended period of time.”

Once the connection is made, the attacker has full remote access to the infected workstation and the network drives that the user can access.
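Hirvonen's tool is described only as analysing samples for Flash objects. As an added illustration (not F-Secure's code), the Python below scans the raw bytes of a legacy OLE2 container such as an .xls for SWF headers, which is one simple way for a defender to triage spreadsheets carrying embedded Flash; the sample bytes, the version range and the length sanity check are constructed assumptions, not values from the article.

```python
import struct

# Legacy OLE2 compound-file signature (.xls, .doc, .ppt of that era).
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# SWF signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def find_swf_objects(data: bytes) -> list:
    """Return (offset, kind, version, declared_length) for each plausible
    SWF header found anywhere in the bytes. Note: OLE streams are stored
    in sectors, so a header that straddles a sector boundary is missed by
    this byte-level scan; a full OLE parser would reassemble streams."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx < 0:
                break
            start = idx + 1
            if idx + 8 > len(data):
                continue
            version = data[idx + 3]
            length = struct.unpack_from("<I", data, idx + 4)[0]
            # Assumed sanity bounds to cut false positives: a realistic SWF
            # version byte and a declared length covering at least the header.
            if 1 <= version <= 50 and 8 <= length <= 0x7FFFFFFF:
                hits.append((idx, magic.decode(), version, length))
    return sorted(hits)


def is_suspicious(data: bytes) -> bool:
    """An OLE2 container embedding a Flash object is worth a closer look."""
    return data[:8] == OLE_MAGIC and bool(find_swf_objects(data))


def build_constructed_sample() -> bytes:
    """Constructed test bytes (not a real sample): OLE2 header, filler,
    a decoy 'FWS' with an implausible version byte, then a fake
    uncompressed SWF header claiming Flash version 10 and 4096 bytes."""
    decoy = b"FWS" + bytes([0]) + struct.pack("<I", 5)
    fake_swf = b"FWS" + bytes([10]) + struct.pack("<I", 4096) + b"\x00" * 16
    return OLE_MAGIC + b"\x00" * 504 + decoy + b"\x00" * 20 + fake_swf


if __name__ == "__main__":
    sample = build_constructed_sample()
    print(find_swf_objects(sample), is_suspicious(sample))
```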

F-Secure said that the attack email does not look too complicated; however, the exploit inside Excel was a zero-day at the time, and RSA could not have protected against it by patching their systems.

Hypponen also said that although the attack email, exploit and backdoor were not advanced in themselves, the ultimate target of the attacker made the attack an advanced one.

He said: “If somebody hacks a security vendor just to gain access to their customers' systems, we'd say the attack is advanced, even if some of the interim steps weren't very complicated.”
