
How RSA was hacked
By Pulkit Sharma

EMC Corporation is the world’s leading developer and provider of information infrastructure technology and solutions. EMC’s Security Division is RSA, whose security solutions are used by more than 90 percent of the Fortune 500 companies. In March 2011, I wrote about how EMC’s RSA was hacked. It was one of the biggest hacks of recent times. As a consequence of the attack, RSA had to replace SecurID tokens for all their customers worldwide.

This week, online security company F-Secure tracked down the file used to hack RSA. F-Secure has released details and a video of how a spreadsheet was used to compromise RSA:


Already in April, we knew that the attack was launched with a targeted email to EMC employees (EMC owns RSA), and that the email contained an attachment called "2011 Recruitment plan.xls". RSA disclosed this information in their blog post. Problem was, we didn't have the file. It seemed like nobody did, and the antivirus researcher mailing lists were buzzing with discussion about where to find the file. Nobody had it, and eventually the discussion quieted down.

This bothered Timo Hirvonen. Timo is an analyst in our labs and he was convinced that he could find this file. Every few weeks since April, Timo would go back to our collections of tens of millions of malware samples and try to mine it to find this one file - with no luck. Until this week.

Timo wrote a data analysis tool that analysed samples for Flash objects. We knew the XLS file in question used a Flash object to take over the system. The new tool located several relevant samples. However, one of them was not an Excel file. It was an Outlook message file (MSG). When Timo opened it up, he knew he was onto something. The message file turned out to be the original email that was sent to RSA on 3rd of March, complete with the attachment 2011 Recruitment plan.xls.
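The kind of triage scan described above, as an added example (this is not F-Secure's tool, whose workings are not described here): a heuristic that flags OLE2 container files such as XLS and MSG that carry an embedded Flash (SWF) header. The function names, the version bound and the sample bytes are constructed for illustration.

```python
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Compound File header (XLS, DOC, MSG)
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")        # uncompressed, zlib, LZMA
MAX_SWF_VERSION = 50                              # assumed plausibility bound


def find_embedded_swf(data: bytes) -> list[tuple[int, str, int, int]]:
    """Return (offset, signature, version, declared_length) for each plausible
    SWF header found inside an OLE2 container; [] if data is not OLE2."""
    if not data.startswith(OLE2_MAGIC):
        return []
    hits = []
    for sig in SWF_SIGNATURES:
        pos = data.find(sig, len(OLE2_MAGIC))
        while pos != -1:
            header = data[pos:pos + 8]
            if len(header) == 8:
                version = header[3]
                (length,) = struct.unpack("<I", header[4:8])
                # Reject three-letter coincidences: the version byte and the
                # 32-bit little-endian length must look like a real SWF header.
                plausible = 1 <= version <= MAX_SWF_VERSION and length >= 8
                # An uncompressed movie cannot be larger than its container.
                if sig == b"FWS" and length > len(data):
                    plausible = False
                if plausible:
                    hits.append((pos, sig.decode(), version, length))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def build_sample(payload: bytes) -> bytes:
    """Constructed test input: OLE2 magic, padding, then the given bytes."""
    return OLE2_MAGIC + b"\x00" * 504 + payload + b"\x00" * 64


if __name__ == "__main__":
    swf_header = b"FWS" + bytes([10]) + struct.pack("<I", 40)
    for hit in find_embedded_swf(build_sample(swf_header)):
        print("offset=%d sig=%s version=%d length=%d" % hit)
```

A raw byte scan like this only finds headers stored contiguously in the file; a fuller tool would walk the compound file's streams before matching.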

The spreadsheet carried the malware, which allowed the hackers to take control of the workstation and from there reach RSA’s security data. According to F-Secure, the attack was a very simple one but utilized a zero-day software bug that no one had seen before.


(Techgoss had published the following on March 18, 2011)


EMC RSA hacked
By Pulkit Sharma

EMC Corporation is the world’s leading developer and provider of information infrastructure technology and solutions. In its last quarter, EMC had consolidated revenue of $4.9 billion, an increase of 19% compared with the year-ago quarter. Net income was up 32 percent.

EMC’s Security Division is RSA, whose security solutions are used by more than 90 percent of the Fortune 500 companies. EMC’s RSA has published the following letter on how its security software, used by tens of millions of companies and individuals, has been hacked:


Like any large company, EMC experiences and successfully repels multiple cyber attacks on its IT infrastructure every day. Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA. We took a variety of aggressive measures against the threat to protect our business and our customers, including further hardening of our IT infrastructure. We also immediately began an extensive investigation of the attack and are working closely with the appropriate authorities.

Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products. While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack. We are very actively communicating this situation to RSA customers and providing immediate steps for them to take to strengthen their SecurID implementations.

We have no evidence that customer security related to other RSA products has been similarly impacted. We are also confident that no other EMC products were impacted by this attack. It is important to note that we do not believe that either customer or employee personally identifiable information was compromised as a result of this incident.

Our first priority is to ensure the security of our customers and their trust. We are committed to applying all necessary resources to give our SecurID customers the tools, processes and support they require to strengthen the security of their IT systems in the face of this incident. Our full support will include a range of RSA and EMC internal resources as well as close engagement with our partner ecosystems and our customers' relevant partners.

We regret any inconvenience or concern that this attack on RSA may cause for customers, and we strongly urge you to follow the steps we've outlined in our SecurCare Online Note. APT threats are becoming a significant challenge for all large corporations, and it's a topic I have discussed publicly many times. As appropriate, we will share our experiences from these attacks with our customers, partners and the rest of the security vendor ecosystem and work in concert with these organizations to develop means to better protect all of us from these growing and ever more sophisticated forms of cyber security threat.

Sincerely,

Art Coviello
Executive Chairman, RSA 


(8/27/2011)