F-Secure believes it has discovered the file and the email which helped infiltrate EMC’s security arm RSA earlier this year.
Timo Hirvonen, an F-Secure analyst, doggedly pursued the XLS [Excel] file used to hack RSA even after others had given up the chase.
Hirvonen created a tool to analyse samples for a Flash object, which was used to exploit the target’s system.
“The new tool located several relevant samples. However, one of them was not an Excel file. It was an Outlook message file (MSG),” an F-Secure blog read.
“When Timo opened it up, he knew he was onto something. The message file turned out to be the original email that was sent to RSA on 3 March, complete with the attachment 2011 Recruitment plan.xls.
"After five months, we finally had the file. And not only that, we had the original email.”
The email which was sent to a single EMC employee, with two others CC’d in, was made to look like it came from Beyond.com, a career network.
The subject line read "2011 Recruitment plan" and the body copy contained just one line: "I forward this file to you for review. Please open and view it."
Once the file was opened the Flash object was executed by Excel, using a vulnerability to write code on the victim’s machine and then drop a Poison Ivy backdoor to the system.
Excel was then closed automatically and the infection is done.
“After this, Poison Ivy connects back to its server at good.mincesur.com. The domain mincesur.com has been used in similar espionage attacks over an extended period of time,” F-Secure said.
“Once the connection is made, the attacker has full remote access to the infected workstation. Even worse, it has full access to network drives that the user can access.
"Apparently the attackers were able to leverage this vector further until they gained access to the critical SecurID data they were looking for.”
As F-Secure noted, the attack itself did not appear to be hugely sophisticated, although as the vulnerability was a zero-day there was no way RSA could have protected itself by patching.
“Was this an advanced attack? The email wasn't advanced. The backdoor they dropped wasn't advanced. But the exploit was advanced,” F-Secure added.
“And the ultimate target of the attacker was advanced. If somebody hacks a security vendor just to gain access to their customers systems, we'd say the attack is advanced, even if some of the interim steps weren't very complicated.”
The hackers who went after RSA wanted the company’s SecurID information so they could hit US Government contractors, including Lockheed Martin.
Following the Lockheed attacks, RSA offered token replacement for customers “with concentrated user bases typically focused on protecting intellectual property and corporate networks.”