‘Very sophisticated attack’, as RSA had called the March hack attack, turned out to be a targeted email to EMC employees, says computer security firm
Hackers working for a "nation state" used a targeted ‘job offer’ email to EMC employees to breach the security of RSA to steal military secrets from US arms supplier Lockheed-Martin, according to F-Secure.
The computer security firm said that its researchers have found that a "nation-state" was behind the hack attack on EMC-owned RSA in March, considered to be one of the biggest hacks in history.
F-Secure said on its website, "As far as we know, a nation-state wanted to break in to Lockheed-Martin and Northrop-Grumman to steal military secrets. They couldn’t do it, since these companies were using RSA SecurID tokens for network authentication. So, the hackers broke into RSA with a targeted email attack."
Data storage company EMC owns RSA, which supplies coded security tokens — used for remote access to desktops — to millions of computer users across the world, including banks and defence companies. It is estimated that around 40 million SecurID tokens are in use across the world.
In March this year, EMC disclosed that hackers had stolen data from RSA in a "very sophisticated attack". The company had also warned that stolen IDs could be used by the hackers to launch a bigger attack on a client’s SecurID system.
In an open letter to its customers, RSA wrote, "On March 17, 2011, RSA publicly disclosed that it had detected a very sophisticated cyber attack on its systems, and that certain information related to the RSA SecurID product had been extracted."
"We immediately published best practices and our prioritised remediation steps, and proactively reached out to thousands of customers to help them implement those steps. We remain convinced that customers who implement these steps can be confident in their continued security, and customers in all industries have given us positive feedback on our remediation steps."
RSA also wrote on its blog that the attack was launched with a targeted email to EMC employees, and that the email contained an attachment called ‘2011 Recruitment plan.xls’.
In May, the US-based fighter planes and spy satellites maker Lockheed Martin revealed that its database had been attacked by hackers. The defence contractor said that it identified the breach quickly and prevented critical data theft, but later traced the breach to the hack attack on RSA in March.
RSA accepted Lockheed’s claim. It said, "Certain characteristics of the attack on RSA indicated that the perpetrator’s most likely motive was to obtain an element of security information that could be used to target defence secrets and related [information]."
Now, F-Secure claims that Timo Hirvonen, a security analyst working in its labs, has unravelled the modus operandi of the hackers after finding the original malware which attacked RSA.
The company said that the experts already knew in April about the email, but could not make a headway without the original file which was lost among millions of files with the security firm.
The company said, "Problem was, we didn’t have the file. It seemed like nobody did, and the antivirus researcher mailing lists were buzzing with discussion about where to find the file. Nobody had it, and eventually the discussion quieted down."
F-Secure continued, "Every few weeks since April, Timo would go back to our collections of tens of millions of malware samples and try to mine it to find this one file – with no luck. Until this week."
The company said that Timo analysed samples for flash objects and found that the actual malware was not an Excel file but an Outlook message file (MSG).
"The message file turned out to be the original email that was sent to RSA on 3rd of March, complete with the attachment 2011 Recruitment plan.xls," said F-Secure.
The company added that an EMC employee had probably uploaded the email and attachment to the Virustotal online scanning service on 19 March, and was shared to relevant parties in the anti-malware and security industry.
F-Secure said that the "email was disguised to look like it had come from recruiting website Beyond.com. It had the subject ‘2011 Recruitment plan’ and one line of content: ‘I forward this file to you for review. Please open and view it’. The message was sent to one EMC employee and cc’d to three others."
Opening the mail infected the workstation and attackers gained full remote access of the workstation and network drives. They used this exploit to get the critical SecurID data they were looking for, said F-Secure.
The company also said that the attack was not advanced as RSA has claimed it to be.
F-Secure said, "The email wasn’t advanced. The backdoor they dropped wasn’t advanced. The exploit was advanced. The ultimate target of the attacker was advanced. If somebody hacks a security vendor just to gain access to their customers systems, we’d say the attack is advanced, even if some of the interim steps weren’t very complicated."