Was this the email that took down RSA?

A spear phishing email that has surfaced in a security database looks like it may have been the one to hit RSA.

"I forward this file to you for review. Please open and view it."

As a ploy to get a hapless EMC recruiter to open up a booby-trapped Excel spreadsheet, it may not be the most sophisticated piece of work. But researchers at F-Secure believe that it was enough to break into one of the most respected computer security companies on the planet, and a first step in a complex attack that ultimately threatened the security of major US defense contractors including Lockheed Martin, L-3, and Northrop Grumman.

The email was sent on March 3 and uploaded to VirusTotal, a free service used to scan suspicious messages, on March 19, two days after RSA went public with the news that it had been hacked in one of the worst security breaches ever.

Researchers at F-Secure, the company that discovered the message Monday, believe that it was very likely the message that led to the RSA compromise. If true, the finding sheds light on the kind of trickery, called social engineering by security pros, it takes to break into a major security company.

F-Secure antimalware analyst Timo Hirvonen discovered the e-mail message buried in the millions of submissions stored in this crowd-sourced database of malicious or potentially malicious files. VirusTotal lets computer users upload a suspicious file, say an Excel spreadsheet that might be infected, and have it scanned by over 40 of the world's top antivirus companies. In return for the free scan, the AV vendors get to examine the files, making the service a great way of learning about malicious software after the fact.

Hirvonen had been searching VirusTotal's database for the RSA attack file ever since RSA acknowledged that it had been compromised. The hackers had sent two different phishing e-mails to small groups of company employees over a two-day period, but nobody outside of RSA and its parent company EMC knew the full contents of those messages. It wasn't even clear if they were included in VirusTotal's data.

RSA has released some details about the attack, but Hirvonen's find is a first look at just what it took to get an EMC employee to open that dangerous attachment.

"The email was crafted well enough to trick one of the employees to retrieve it from their Junk mail folder, and open the attached Excel file," wrote RSA Head of New Technologies Uri Rivner in the April 1 blog posting that laid out most of what RSA has said publicly about the e-mail. "It was a spreadsheet titled '2011 Recruitment plan.xls.'"

Hirvonen didn't know for sure he'd find the email in VirusTotal, but he thought that there was a chance that someone at RSA had uploaded it to see what it was. Searching for the 2011 Recruitment Plan spreadsheet yielded nothing, however.

But this month Hirvonen finished up a data analysis tool that allowed him to find his needle in the VirusTotal haystack. His technique: he scoured the data for Flash objects -- software written to run in Adobe's Flash Player -- that looked like they may have been used in the RSA attack. RSA had previously said that the hackers used software that took advantage of a bug in Adobe Flash and offered some technical details on the attack.
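As an added illustration of the general idea of hunting for Flash objects buried inside other files (this is not Hirvonen's tool or F-Secure code, and the sample bytes are constructed, not taken from the RSA attachment), the sketch below scans a byte blob for SWF headers and rejects look-alikes by checking the version byte, the declared length and, for zlib-compressed movies, that the body actually inflates to that length. LZMA-compressed SWF is not covered.

```python
import struct
import zlib

MAX_SWF = 64 * 1024 * 1024  # refuse absurd declared sizes (decompression-bomb guard)

def _plausible(blob, pos, magic):
    """Validate the 8-byte SWF header at pos and, for CWS, the zlib body."""
    header = blob[pos:pos + 8]
    if len(header) < 8:
        return None
    version = header[3]
    (declared,) = struct.unpack("<I", header[4:8])  # uncompressed length, header included
    if not (1 <= version <= 50 and 8 < declared <= MAX_SWF):
        return None
    if magic == b"FWS":
        # Uncompressed movie: it must fit inside the bytes that follow.
        return (version, declared) if declared <= len(blob) - pos else None
    d = zlib.decompressobj()
    try:
        # Bound the output so a hostile stream cannot exhaust memory.
        body = d.decompress(blob[pos + 8:], declared - 8 + 1)
    except zlib.error:
        return None
    return (version, declared) if d.eof and len(body) == declared - 8 else None

def find_embedded_swf(blob):
    """Return sorted (offset, magic, version, declared_length) for each embedded SWF."""
    hits = []
    for magic in (b"FWS", b"CWS"):
        pos = blob.find(magic)
        while pos != -1:
            info = _plausible(blob, pos, magic)
            if info:
                hits.append((pos, magic.decode(), *info))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

def build_sample():
    """Constructed input: OLE2 magic, a decoy string, then two fake SWF objects."""
    body = b"\x00" * 32 + b"constructed-not-a-real-movie"
    fws = b"FWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + body
    cws = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    ole = bytes.fromhex("d0cf11e0a1b11ae1")
    return ole + b"FWS report 2011" + b"\x00" * 9 + fws + b"\xff" * 16 + cws + b"trailer"

if __name__ == "__main__":
    for hit in find_embedded_swf(build_sample()):
        print(hit)
```

The decoy text "FWS report 2011" is skipped because the four bytes after the version byte decode to an impossible length, which is the kind of filtering that keeps a signature search over millions of files usable.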

"It was a difficult one to find," Hirvonen said. "We had to work really hard to find it."

With his new tool, Hirvonen quickly discovered a Microsoft Outlook .msg file. When he opened it up, he knew he was onto something. Inside was a message that had been spoofed to look like it had come from recruiting website Beyond.com. "I forward this file to you for review. Please open and view it," the message read. The subject: "2011 Recruitment plan." The attachment: an Excel spreadsheet entitled "2011 Recruitment plan.xls."

Looking closer, Hirvonen found that the file seemed to match RSA's description in possibly every way. The Excel file contained the same Flash attack code; it used the same remote control software, called Poison Ivy, and it tried to connect to the same Internet address as RSA's attacker.

The email was sent to EMC employees, apparently in the human resources department, and looked like it came from webmaster@beyond.com, a generic address from a website that has listed EMC jobs in the past. But that was a spoofed address, Hirvonen said. In reality the e-mail wasn't sent from the Beyond.com servers.

F-Secure believes that it's one of the two spearphishing emails used to target RSA.

In the past, RSA characterized the hacking incident as an "extremely sophisticated cyber attack," but if this is indeed the e-mail used to break in, it illustrates a guiding principle of these cyber espionage attacks -- the hackers will use anything that works, even simple tricks. If they fail, they will try again and again until they break through.

The key, security experts say, is in spotting the attackers and keeping them from moving around the network once they've broken in.

Reached Thursday, EMC's RSA Security group was reluctant to say anything about the message. RSA wouldn't say if there were any differences between Hirvonen's e-mail and the one that compromised the company. The company wouldn't confirm that it was the one that got the attackers in, either. "Can we validate that this is the actual e-mail?" said RSA spokeswoman Helen Stefan. "No."

If this was the attack that wedged open RSA's security, it wasn't as sophisticated as others have been, said Alex Stamos, a partner with iSec Partners, a security consultancy that is part of NCC Group. "That's a pretty embarrassing example for RSA," he said. "It tells you that in any reasonably sized company, including a security company, there's someone who will do something really dumb."

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com
