The Simple Email Message That Brought Down RSA

Friday, August 26, 2011



In March of this year, RSA, the security division of EMC, announced that it had suffered a breach stemming from a "sophisticated attack" on its network systems.

The attackers targeted proprietary information on RSA's SecurID two-factor authentication systems, a product designed to prevent unauthorized access to enterprise network systems.

The company released an open letter to RSA customers which suggested that the overall damage from the attack on its network would be minimal.

What did this sophisticated attack look like? According to researchers from F-Secure, it was most likely an email with a short message and a malicious Excel spreadsheet attached.

The message read: "I forward this file to you for review. Please open and view it."

Timo Hirvonen, an F-Secure antimalware analyst, found the suspected email among millions of samples that had been submitted to the free file scanning service VirusTotal.

The message had been sent on March 3, but was not submitted to VirusTotal until two days after the RSA breach was announced.

"The e-mail was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached Excel file. It was a spreadsheet titled '2011 Recruitment plan.xls'," said an April 1 blog posting by RSA's Head of New Technologies, Uri Rivner.
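The lure described above is exactly what a mail-gateway or incident-response triage check should catch: a short, generic "please open this" body with a legacy Office binary attached. The script below is an added example written for this article; it is not RSA's, F-Secure's or VirusTotal's code, and the sample message it builds is constructed here (an OLE2 header padded with zeros, not the file from the incident). It parses a raw message, checks each attachment for the OLE2 compound-document signature that legacy .xls/.doc/.ppt files start with, hashes the attachment so the hash can be looked up against a scanning service such as VirusTotal without opening the file, and flags messages whose body matches a small set of lure phrases. The extension list and lure patterns are assumptions to tune for your own mail stream.

```python
"""Triage check for a short lure e-mail carrying an Office attachment.

Added example for this article; it is not RSA's, F-Secure's or VirusTotal's
code. It parses a raw RFC 822 message, extracts every attachment, checks
whether the bytes start with the OLE2 compound-document signature used by
legacy .xls/.doc/.ppt files, hashes the attachment so the hash can be looked
up against a scanning service, and flags messages whose body is a short,
generic "please open this" lure. Sample input is constructed below.
"""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# OLE2 compound-document magic; every legacy binary Office file starts with it.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Legacy and OOXML Office extensions (assumption: extend for your environment).
OFFICE_EXTENSIONS = (".xls", ".doc", ".ppt", ".xlsx", ".docx", ".pptx", ".rtf")

# Generic lure phrases (assumption: tune these to what your mail stream sees).
LURE_PATTERNS = [
    re.compile(r"\b(please|kindly)\s+(open|view|review|check)\b", re.I),
    re.compile(r"\bfor\s+(your\s+)?review\b", re.I),
]


def triage(raw: bytes) -> dict:
    """Return a findings dict for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    short_lure = len(text.split()) <= 40 and any(p.search(text) for p in LURE_PATTERNS)

    attachments = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):           # text/* attachments come back as str
            data = data.encode("utf-8", "replace")
        name = part.get_filename() or ""
        attachments.append({
            "filename": name,
            "office_extension": name.lower().endswith(OFFICE_EXTENSIONS),
            "ole2_container": data[:8] == OLE2_MAGIC,
            "sha256": hashlib.sha256(data).hexdigest(),  # look this up; do not open the file
        })

    risky_attachment = any(a["office_extension"] or a["ole2_container"] for a in attachments)
    return {
        "subject": str(msg["subject"] or ""),
        "short_lure_body": short_lure,
        "attachments": attachments,
        "suspicious": short_lure and risky_attachment,
    }


def build_sample() -> bytes:
    """Constructed sample modelled on the lure the article describes.

    The attachment is only an OLE2 header padded with zeros, not a real
    spreadsheet and not the file from the RSA incident.
    """
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "employee@example.invalid"
    m["Subject"] = "2011 Recruitment plan"
    m.set_content("I forward this file to you for review. Please open and view it.")
    m.add_attachment(OLE2_MAGIC + b"\x00" * 504, maintype="application",
                     subtype="vnd.ms-excel", filename="2011 Recruitment plan.xls")
    return m.as_bytes()


if __name__ == "__main__":
    result = triage(build_sample())
    print("suspicious:", result["suspicious"])
    for a in result["attachments"]:
        print(a["filename"], "ole2" if a["ole2_container"] else "not-ole2", a["sha256"])
```

The magic-byte check matters more than the extension check: a renamed attachment still starts with the OLE2 signature, and a file that claims to be a spreadsheet but does not carry it deserves a closer look. The hash is the thing to search for on a scanning service; a message that was sitting in a Junk folder and then retrieved by the user, as in the account above, is a sign that the gateway verdict was right the first time.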

Not much else has been revealed about the breach since then.

While few details have been released that would give analysts a better understanding of the scope and impact of the breach, the unauthorized access to sensitive material regarding SecurID is known to have had widespread impact.

RSA's customers include government, military, financial, enterprise, healthcare and insurance companies.

In June, after detecting unauthorized access attempts, Lockheed Martin disabled its employees' remote access while it reissued SecurID tokens to all telecommuting workers, and required every employee with network access to change their password.

Shortly afterward, defense contractor Northrop Grumman also reportedly disabled remote access to company networks, and then L-3 Communications reported that it had suffered a network breach stemming from cloned RSA SecurID tokens.

Analysts have since debated whether the characterization of the attack as "sophisticated" was accurate.

Given F-Secure's finding that one of the most serious attacks to date was delivered with such a simple email message, perhaps it is the definition of a "sophisticated attack" that needs to be debated. The email was only the delivery vehicle; what the spreadsheet did once it was opened has not been described in the published accounts, and a plain lure does not rule out a capable payload.


The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
