Researchers Uncover the File That Triggered RSA SecurID Breach

Researchers have located the infected email that cyberspies sent in March to personnel at federal contractor EMC to steal security-sensitive information from the maker of the widely used RSA SecurID network login products, officials at F-Secure Security Labs said Friday. Apparently, an EMC employee was once again responsible for the data exposure.

In March, unknown attackers tricked EMC staff with a legitimate-looking hiring message that contained a "backdoor," or code allowing the culprits to invisibly lurk inside the company's computer systems until they found the sought-after keys to the kingdom. A May network siege at defense supplier Lockheed Martin Corp. was traced back to information that the cyber thieves pocketed. Although RSA had disclosed that the email contained an attachment called "2011 Recruitment plan.xls," the firm did not publish the poisonous file.

This week F-Secure analyst Timo Hirvonen discovered the file in an e-library of virus samples, says Mikko H. Hypponen, chief research officer for F-Secure.

"Turns out somebody (most likely an EMC/RSA employee) had uploaded the email and attachment to the Virustotal online scanning service on 19th of March," Hypponen writes on F-Secure's blog. "And, as stated in the Virustotal terms, the uploaded files will be shared to relevant parties in the anti-malware and security industry."

The sophisticated breach left governments and corporations worldwide uncertain about the strength of their network locks and sent shockwaves throughout the antivirus community.

"So, what did the email look like? It was an email that was spoofed to look like it was coming from recruiting website Beyond.com," Hypponen explains. "It had the subject '2011 Recruitment plan' and one line of content: 'I forward this file to you for review. Please open and view it.'"

F-Secure is showcasing the message on its website, along with a YouTube video that takes viewers through the EMC employee's accidental steps that led to the March exploit.

When that staffer opened the malicious attachment, the file deposited a backdoor that gave the outsider "full remote access to the infected workstation," Hypponen writes. "Even worse, [the virus] has full access to network drives that the user can access. Apparently the attackers were able to leverage this vector further until they gained access to the critical SecurID data they were looking for."
