Researchers at the security firm F-Secure say they have found the original phishing email used to breach business security provider RSA, a hack that ultimately threatened the security of three major U.S. defense contractors.
The email, sent to the Microsoft Outlook inbox of an employee of RSA's parent company EMC on March 3, read, "I forward this file to you for review. Please open and view it," F-Secure's Mikko Hypponen wrote.
It was a simple request, but one with disastrous consequences. By opening this email and launching the attached — and rigged — Microsoft Excel spreadsheet titled "Recruitment plan," the attackers were able to gain unauthorized, full remote access to RSA's servers.
More importantly, the breach allowed the attackers to compromise RSA's SecurID authentication tokens, hardware mechanisms used by 40 million employees at large corporations and government agencies to log into secure computer networks.
The aftershocks of the devastating RSA breach were felt far and wide: in late May, the compromised SecurID tokens were used to penetrate the networks of Northrop Grumman, L-3 Communications and Lockheed Martin, the largest provider of IT services to the U.S. government and military.
Hypponen wrote that while the phishing email that kicked off the whole hack was "very simple," the technology hiding behind the welcome message was sophisticated, and because the rigged Excel document exploited a zero-day vulnerability, "RSA could not have protected against it by patching their systems."
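When patching cannot stop the payload, the compensating control sits at the attachment layer: a mail gateway can flag spreadsheet attachments that carry embedded objects, ActiveX controls or VBA before a user opens them. The following triage script is an added example, not code from F-Secure or RSA; the lure message and the minimal workbook it inspects are constructed inline, the `example.invalid` addresses are placeholders, and the list of suspicious package paths is a heuristic assumption rather than a complete signature.

```python
"""Added example (not part of the original article): triage an inbound e-mail
for spreadsheet attachments that carry embedded active content, a control that
still applies when the embedded exploit itself is a zero-day. The message and
workbook built below are constructed for illustration."""
from __future__ import annotations

import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage

# OOXML package paths that hold embedded objects, ActiveX controls or VBA
# (heuristic assumption; a production filter would use a fuller list).
SUSPECT_PREFIXES = ("xl/embeddings/", "xl/activeX/", "xl/vbaProject.bin")
SPREADSHEET_TYPES = {
    "application/vnd.ms-excel",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
}
SPREADSHEET_EXTS = (".xls", ".xlsx", ".xlsm")


def inspect_workbook(data: bytes) -> list[str]:
    """List suspicious package entries in an OOXML (.xlsx/.xlsm) workbook.
    Legacy OLE2 .xls files are not zip packages, so they are flagged whole
    for manual review instead of being parsed here."""
    if not data.startswith(b"PK\x03\x04"):
        return ["<legacy-binary-workbook: review manually>"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.startswith(SUSPECT_PREFIXES)]
    except zipfile.BadZipFile:
        return ["<unparseable-package>"]


def triage_message(raw: bytes) -> list[dict]:
    """Return one finding per spreadsheet attachment with active content."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        if ctype not in SPREADSHEET_TYPES and not name.lower().endswith(SPREADSHEET_EXTS):
            continue
        data = part.get_payload(decode=True) or b""
        hits = inspect_workbook(data)
        if hits:
            findings.append({
                "sender": str(msg["From"]),
                "subject": str(msg["Subject"]),
                "filename": name,
                "sha256": hashlib.sha256(data).hexdigest(),  # for blocklists / IR notes
                "embedded": hits,
            })
    return findings


def build_workbook(with_embedding: bool) -> bytes:
    """Constructed minimal OOXML package; fixed timestamps keep it deterministic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        entries = {
            "[Content_Types].xml": b"<Types/>",
            "xl/workbook.xml": b"<workbook/>",
        }
        if with_embedding:
            # Placeholder bytes standing in for an embedded OLE object.
            entries["xl/embeddings/oleObject1.bin"] = b"\xd0\xcf\x11\xe0placeholder"
        for path, body in entries.items():
            info = zipfile.ZipInfo(path, date_time=(2011, 3, 3, 0, 0, 0))
            zf.writestr(info, body)
    return buf.getvalue()


def build_message(with_embedding: bool) -> bytes:
    """Constructed lure modelled on the wording the article quotes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Recruitment plan"
    msg.set_content("I forward this file to you for review. Please open and view it.")
    msg.add_attachment(
        build_workbook(with_embedding),
        maintype="application",
        subtype="vnd.openxmlformats-officedocument.spreadsheetml.sheet",
        filename="Recruitment plan.xlsx",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for f in triage_message(build_message(with_embedding=True)):
        print(f"FLAG {f['filename']} from {f['sender']}: {f['embedded']}")
    print("clean workbook findings:", triage_message(build_message(False)))
```

The check deliberately does not try to decide whether the embedded object is malicious; it quarantines on the presence of active content and records the attachment hash, which is the evidence an incident responder later needs to scope who else received the same file.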
"The email wasn't advanced," Hypponen added. "The backdoor they dropped wasn't advanced. But the exploit was advanced. And the ultimate target of the attacker was advanced."