Email breach chronicles: RSA's infiltration—the spear phishing incident of 2011

  • Published : November 15, 2023
  • Last Updated : November 15, 2023
  • 1.3K Views
  • 8 Min Read

In March 2011, RSA Security, a leading provider of cybersecurity solutions, fell victim to a significant cyberattack. The attack was sophisticated and carried out by a highly skilled group of hackers believed to be state-sponsored. Its initial entry point was a spear phishing email campaign that enticed users to open a malicious attachment.

The attackers exploited a zero-day vulnerability in Adobe Flash, and a variant of the "Poison Ivy" malware, a remote-access tool associated with advanced persistent threat (APT) activity, was installed on the victim's system. The attackers then gradually escalated their privileges, moved laterally across the network, and gained unauthorized access to RSA's SecurID tokens, which were widely used by organizations for two-factor authentication. The incident highlighted the vulnerabilities that even well-established companies face and served as a wake-up call for organizations worldwide.

All you need to know about the RSA cyberattack

Type of attack

The incident involved different types of attacks carried out by the perpetrator, such as:

  • Spear phishing: The RSA cyberattack was initiated with a targeted phishing campaign. The attackers crafted convincing emails and sent them to specific RSA employees, aiming to trick them into opening malicious attachments.

  • Advanced persistent threat (APT): The malicious attachment exploited a zero-day vulnerability in Adobe Flash and deployed a variant of the "Poison Ivy" malware, a remote-access tool used in APT intrusions. It allowed the attackers to establish persistence within RSA's infrastructure and maintain access for an extended period while evading detection.

  • Lateral movement: The attackers skillfully moved laterally within RSA's network. They extracted credentials from the machine's memory, used them to log into other network machines, and subsequently scraped those computers' memories for additional usernames and passwords, including those belonging to privileged administrators.

  • Credential theft and data exfiltration: The attackers then sought to compromise the integrity of RSA's SecurID tokens and their underlying algorithms. They successfully exfiltrated a significant amount of stolen data to potentially undermine the security of organizations relying on RSA's technology.

Timeline 

  • Initial breach: The attackers gain entry to RSA's network through a malicious file containing a script that exploits a zero-day vulnerability in Adobe Flash. They use this entry point to launch their attack.

  • Lateral movement: The attackers move laterally within the network, compromise multiple systems, access more privileged accounts, and escalate their privileges.

  • Discovery of two hacker groups: RSA executives suspect the presence of two groups of hackers in their network, with one group potentially exploiting the other's access for their own purposes.

  • Targeting of SecurID seeds: The attackers specifically target and gain access to the SecurID seed database, which forms a critical component of RSA's two-factor authentication (2FA) system.

  • Exfiltration of seeds: The attackers exfiltrate the SecurID seeds from three compromised servers, transmitting them to a remote server.

  • Damage mitigation: RSA's security team takes immediate action to limit the damage, physically cutting off network connections and severing connections to the manufacturing facility and other critical parts of the network.

  • Public disclosure: RSA publicly acknowledges the breach, informing customers and providing guidance on strengthening security.

  • Two months after public disclosure: News reports come out stating that US government defense contractors such as Lockheed Martin, Northrop Grumman, and L-3 were targeted by hackers using the stolen SecurID seed values.

Origin 

The origin of the RSA cyberattack can be traced back to a spear phishing campaign launched by the attackers specifically targeting RSA employees. Through social engineering techniques, the attackers enticed the employees to open a malicious attachment named "2011 Recruitment plan.xls".

Initial publication 

  • On March 17, 2011, an article in WIRED stated that RSA had become the victim of an "extremely sophisticated" hack.
  • In late May 2011, Reuters revealed that the hackers attempted to hack US defense contractor Lockheed Martin.
  • On May 31, 2011, WIRED revealed that defense contractors Northrop Grumman and L-3 were also targeted by hackers.
  • The New York Times published an article claiming that a Chinese state hacker group believed to be People’s Liberation Army Unit 61398 was behind the attack.

Geographical spread 

The geographical spread of the RSA cyberattack was not specifically disclosed. It affected the US government defense contractors mentioned above. However, because the attack targeted RSA's internal systems and compromised sensitive information, the breach had the potential to affect organizations globally that utilized RSA's 2FA tokens.

Attack vectors 

The attack vectors utilized by the hackers include:

  • Spear phishing

  • Zero-day exploit

  • Lateral movement

  • Targeted exploitation

Vulnerability exploited 

The attacker exploited the following vulnerabilities:

  • Zero-day vulnerability: The attackers exploited the CVE-2011-0609 vulnerability in Adobe Flash to execute code and drop a Poison Ivy backdoor on the system.
  • Exploitation of outdated software and privileged access: The victim's PC was not running an updated version of Windows or Microsoft Office, and the user held privileged installation rights on it; together these gave the attacker room to operate. Taking advantage of this weakness, the attacker used a tool to extract credentials from the machine's memory and then reused the stolen usernames and passwords to gain unauthorized access to other machines within the network.
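A gateway-side control for the attachment vector described above, as an added illustration (not code from this article, from RSA, or from Adobe): a heuristic check that flags legacy Office attachments carrying embedded Flash content. It looks for the Shockwave Flash ActiveX CLSID in the little-endian layout that OLE compound files use to record an embedded object's class, or for a raw SWF header, and it also rejects attachments whose .xls/.doc/.ppt name does not match an OLE container. The attachment bytes, filenames and policy strings are constructed for the example; a production gateway would parse the OLE container properly rather than scan bytes.

```python
"""Heuristic attachment check for embedded Flash content in legacy Office files.

Added example, not code from the article or from RSA. Real gateways should
parse the OLE container; byte scanning is shown here for clarity."""
import re
import uuid

# Shockwave Flash ActiveX control CLSID, in the little-endian layout an
# OLE compound file uses when it records an embedded object's class.
FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11CF-96B8-444553540000").bytes_le

# SWF file header: FWS (uncompressed), CWS (zlib) or ZWS (LZMA), then a version byte.
SWF_HEADER = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x40]")

# Signature of an OLE2 compound file (.xls/.doc/.ppt before Office 2007).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def scan_attachment(data: bytes) -> list[str]:
    """Return the reasons an attachment looks like it embeds Flash (empty if none)."""
    reasons = []
    if FLASH_CLSID in data:
        reasons.append("Shockwave Flash ActiveX CLSID present")
    if SWF_HEADER.search(data):
        reasons.append("raw SWF header present")
    return reasons


def verdict(filename: str, data: bytes) -> str:
    """Mail-gateway policy: quarantine Office attachments that embed Flash,
    and anything whose .xls/.doc/.ppt name does not match an OLE container."""
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext in {"xls", "doc", "ppt"} and not data.startswith(OLE_MAGIC):
        return "quarantine: extension does not match file content"
    reasons = scan_attachment(data)
    if reasons:
        return "quarantine: " + "; ".join(reasons)
    return "allow"


# Constructed samples: a plain workbook and one carrying an embedded Flash object.
CLEAN_XLS = OLE_MAGIC + b"\x00" * 64 + b"Workbook" + b"\x00" * 64
FLASH_XLS = OLE_MAGIC + b"\x00" * 32 + FLASH_CLSID + b"\x00" * 8 + b"CWS\x0a" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("budget.xls", CLEAN_XLS), ("2011 Recruitment plan.xls", FLASH_XLS)]:
        print(f"{name}: {verdict(name, blob)}")
```

The CLSID check catches the common case of an ActiveX object embedded in a spreadsheet; the SWF-header check catches Flash content stored raw in a stream. Both are indicators, not proof, so the policy quarantines for analyst review rather than silently dropping.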

Perpetrators 

The perpetrators behind the attack have been attributed to a Chinese state hacker group believed to be People’s Liberation Army Unit 61398.

Motive 

The intent of the attackers, who were later identified as a Chinese hacker group, was to break into Lockheed Martin, Northrop Grumman, and L-3. Because these organizations depended on RSA's SecurID tokens for network authentication, the attackers compromised the integrity of RSA's SecurID tokens, undermining the security of the numerous organizations relying on RSA's technology.

Forensic analysis

  • Initial compromise: The attack began with an RSA employee in Australia receiving an email with a malicious Excel spreadsheet attachment titled "2011 Recruitment plan." Upon opening the attachment, a script exploiting a zero-day vulnerability, CVE-2011-0609, in Adobe Flash was executed, allowing the attackers to gain a foothold on the employee's PC.

  • Credential harvesting and lateral movement: The attackers used a tool to extract credentials from the compromised machine's memory and used those credentials to log into other machines on the network. Then they scraped the memories of those computers for more usernames and passwords, gradually escalating their privileges and moving laterally across the network.

  • Dual attack groups: RSA's security analysts discovered evidence suggesting the presence of at least two different attack groups operating within the network simultaneously. It appeared that one group with lower skills may have been exploited by a more sophisticated group, potentially leveraging their access without their knowledge.

  • Targeting the seed warehouse: The attackers identified and targeted a server connected to the seed warehouse, which was responsible for manufacturing RSA's SecurID hardware tokens. Despite the server being protected by an "air gap," a server on RSA's internet-connected network was linked to it through a firewall, allowing the attackers to gain access to the seeds used for encryption.

  • Data exfiltration and encryption: The attackers exfiltrated the stolen seed data by collecting it from three compromised servers, relaying requests through the connected machine. They packaged the collected seeds and transferred them to a remote server, effectively obtaining a complete database of every seed stored in RSA's seed warehouse.

Incident detection 

Anomalous network activity: An RSA administrator noticed unauthorized server access from an unfamiliar PC using an account with abnormal permissions. This prompted a comprehensive investigation by the security incident response team, which uncovered further anomalies in employees' credentials.
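The detection signal above (an unfamiliar PC, an account with permissions it should not have) and the credential-reuse pattern described under "Credential harvesting and lateral movement" can both be expressed as checks over authentication logs. The following is an added example, not RSA's tooling or code from this article: the log format, hostnames, account names, baseline and thresholds are all constructed. It raises four alert types over the sample records: a logon from a host the account has no history with, an admin session for an account not entitled to one, one account fanning out to several servers within a short window, and one host authenticating as several different accounts.

```python
"""Authentication-log checks for the lateral-movement pattern described above.

Added example, not RSA's tooling or code from the article. Log format,
hostnames, accounts and baseline are constructed for the illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"result=(?P<result>\S+) priv=(?P<priv>\S+)$"
)

# Constructed baseline: the workstation(s) each account normally authenticates from.
BASELINE_SRC = {"jsmith": {"WS-AU-17"}, "svc_backup": {"BACKUP-01"}, "adm_lee": {"ADMIN-JUMP"}}
# Constructed role map: the only accounts entitled to admin sessions.
ADMIN_ACCOUNTS = {"adm_lee"}

# Constructed log: an ordinary morning, then one workstation reaching many servers
# with several different accounts in a few minutes late at night.
SAMPLE_LOG = """\
2011-03-01 08:01:10 user=jsmith src=WS-AU-17 dst=MAIL-01 result=success priv=user
2011-03-01 08:03:44 user=adm_lee src=ADMIN-JUMP dst=DC-01 result=success priv=admin
2011-03-01 22:15:02 user=jsmith src=WS-AU-17 dst=FILESRV-02 result=success priv=user
2011-03-01 22:16:30 user=jsmith src=WS-AU-17 dst=FILESRV-03 result=success priv=user
2011-03-01 22:17:05 user=jsmith src=WS-AU-17 dst=BUILD-07 result=success priv=user
2011-03-01 22:20:41 user=adm_lee src=WS-AU-17 dst=SEED-GW result=success priv=admin
2011-03-01 22:21:09 user=svc_backup src=WS-AU-17 dst=SEED-GW result=success priv=admin
"""


def parse_line(line: str) -> dict:
    """Parse one constructed auth record into a dict with a datetime timestamp."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable auth record: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def detect(log_text: str, baseline=BASELINE_SRC, admins=ADMIN_ACCOUNTS,
           fanout=3, window_s=600, multi_account=3) -> list[tuple[str, str, str]]:
    """Return (alert_type, subject, detail) tuples for successful logons that
    come from an unfamiliar host, grant admin to a non-admin account, fan one
    account out across many servers, or reuse one host for many accounts."""
    alerts = []
    recent = defaultdict(list)        # user -> [(ts, dst)] within the window
    users_per_src = defaultdict(set)  # src host -> accounts seen from it
    fired_fanout, fired_multi = set(), set()
    window = timedelta(seconds=window_s)

    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e["result"] != "success":
            continue
        user, src, dst, ts = e["user"], e["src"], e["dst"], e["ts"]

        if src not in baseline.get(user, set()):
            alerts.append(("new_source", user, f"{src} -> {dst}"))
        if e["priv"] == "admin" and user not in admins:
            alerts.append(("abnormal_privilege", user, f"admin session on {dst}"))

        recent[user] = [(t, d) for t, d in recent[user] if ts - t <= window] + [(ts, dst)]
        targets = {d for _, d in recent[user]}
        if len(targets) >= fanout and user not in fired_fanout:
            fired_fanout.add(user)
            alerts.append(("fan_out", user, ",".join(sorted(targets))))

        users_per_src[src].add(user)
        if len(users_per_src[src]) >= multi_account and src not in fired_multi:
            fired_multi.add(src)
            alerts.append(("multi_account_source", src, ",".join(sorted(users_per_src[src]))))
    return alerts


if __name__ == "__main__":
    for kind, subject, detail in detect(SAMPLE_LOG):
        print(f"{kind:22} {subject:12} {detail}")
```

The baseline of expected source hosts per account is what turns "a logon" into "a logon from an unfamiliar PC"; without it, the first two alert types cannot fire. The fan-out and multi-account checks need no baseline and are the cheapest way to surface memory-scraped credentials being replayed from one foothold.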

Impact 

  • Compromised SecurID tokens: The attackers gained access to sensitive information related to RSA's SecurID authentication tokens, which were widely used by organizations for secure access. Using the data, the attackers tried to obtain military secrets by breaking into Lockheed Martin, Northrop Grumman, and L-3, three major US government defense contractors.

  • Reputation damage: The fact that hackers were able to penetrate into a major security solution provider and steal the source code for the SecurID system raised concerns about the effectiveness of RSA's cybersecurity measures and served as a wake-up call for organizations to reassess their security practices.  

Mitigation

  • Network isolation: The security team at RSA physically severed network connections to limit the damage and prevent further theft of data from the compromised seed warehouse.

  • Open communication: RSA's CEO addressed the security breach through an open letter on the company's website, informing customers about the incident.

  • Customer support: Approximately 90 RSA staffers engaged in one-on-one phone calls with each customer, providing guidance on protective measures, such as adding or lengthening PINs for SecurID logins, to harden against attackers.

  • Enhanced phone security: To mitigate concerns of compromised phone systems, RSA switched carriers, transitioning from AT&T to Verizon phones.

  • Increased physical security: The meetings at RSA were conducted in person, and paper copies of documents were shared instead of digital files. The windows of executives' offices and conference rooms were covered with layers of butcher paper to prevent potential laser microphone surveillance.
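The "Customer support" item above advises adding or lengthening PINs, and the forensic analysis explains that the seed warehouse held the token seeds. The following added example (not RSA's code; RSA's SecurID algorithm is proprietary, so RFC 6238 TOTP with HMAC-SHA1 stands in for it, and the seed, PIN, salt, 60-second step and lockout threshold are all constructed) models why that advice follows from the breach: the one-time code is a deterministic function of seed and time, so a verifier that checks only the code offers no protection once the seed is copied. What remains is the PIN, which the warehouse never held, plus a failed-attempt lockout that bounds guessing; the `guess_budget` function quantifies how much a longer PIN buys.

```python
"""Why the seed warehouse was the crown jewel, and why a longer PIN helped.

Added example, not RSA's code: RSA's SecurID algorithm is proprietary, so
RFC 6238 TOTP (HMAC-SHA1) stands in for it here. The seed, PIN and salt are
constructed for the illustration."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60          # assumption: one code per minute, like a SecurID token
SEED = b"constructed-demo-seed-not-a-real-token"
T = 1_300_000_000          # a fixed clock value for reproducible output


def token_code(seed: bytes, t: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """Time-based one-time code: a pure function of the seed and the clock.
    Anyone holding the seed, legitimate server or not, computes the same code."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class AuthServer:
    """Verification side: holds the token seed (what the seed warehouse stored)
    and a salted PIN hash (what it did not), with a failed-attempt lockout."""

    def __init__(self, seed: bytes, pin: str, max_failures: int = 5):
        self.seed = seed
        self.salt = b"constructed-salt"
        self.pin_hash = self._hash_pin(pin)
        self.max_failures = max_failures
        self.failures = 0

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def locked(self) -> bool:
        return self.failures >= self.max_failures

    def verify(self, pin: str, code: str, t: int) -> bool:
        """Accept only PIN and code together; count failures toward lockout."""
        if self.locked():
            return False
        pin_ok = hmac.compare_digest(self._hash_pin(pin), self.pin_hash)
        code_ok = hmac.compare_digest(code, token_code(self.seed, t))
        if pin_ok and code_ok:
            self.failures = 0
            return True
        self.failures += 1
        return False


def guess_budget(pin_digits: int, lockout_attempts: int) -> float:
    """With the seed already known, the fraction of the PIN space a guesser can
    cover before lockout: the residual protection a longer PIN buys."""
    return lockout_attempts / 10 ** pin_digits


if __name__ == "__main__":
    server = AuthServer(SEED, pin="1234")
    code = token_code(SEED, T)
    print("correct PIN + code:", server.verify("1234", code, T))
    print("wrong PIN + correct code:", server.verify("0000", code, T))
    print("4-digit PIN, 5 tries:", guess_budget(4, 5))
    print("8-digit PIN, 5 tries:", guess_budget(8, 5))
```

The verifier deliberately treats a bad PIN and a bad code identically and counts both toward lockout, so a party holding the seed gains no oracle for the PIN beyond the lockout budget. Going from a 4-digit to an 8-digit PIN with a 5-attempt lockout lowers the per-account guess coverage from 1 in 2,000 to 1 in 20,000,000, which is the effect RSA's guidance was aiming for.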

Collaborative efforts 

Key collaborative actions included:

  • Coordination with customers: RSA engaged in one-on-one phone calls with every customer, providing personalized guidance and support to strengthen security measures, such as implementing or lengthening PINs for SecurID logins.

  • Government support: The National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) were called upon to provide expertise and assistance in addressing the cyberattack.

  • Industry experts: RSA engaged with incident response firm Mandiant and defense contractor Northrop Grumman to assist in the investigation.

Legal and regulatory implications 

Though the attack was speculated to be executed by a Chinese state hacker group (People’s Liberation Army Unit 61398) and believed to be part of a larger campaign of cyber-espionage by the Chinese government, there were no legal or regulatory actions taken against RSA or the hackers involved in the cyberattack.

Lessons learned for organizations

  • Continuous security monitoring: The attack emphasized the importance of robust monitoring systems and technologies that detect and respond to potential threats in real time, enabling proactive defense against sophisticated attacks.

  • Multi-factor authentication (MFA): The incident highlighted the significance of implementing strong authentication measures, such as MFA, to protect sensitive systems and accounts.

  • Supply chain security: The attack brought attention to the risks associated with supply chain security. Organizations realized the need to assess the security posture of their vendors and partners, establish stringent security requirements, and implement effective controls to ensure the integrity and trustworthiness of the products and services they rely on.

  • Employee awareness and training: The incident emphasized the critical role of employees in maintaining cybersecurity. Organizations learned the importance of ongoing security awareness and training programs to educate employees about phishing attacks, social engineering techniques, and best practices for maintaining a secure computing environment.


This article is co-authored by Sandeep Kotla and Vignesh S.

Sandeep is an accomplished inbound marketer at Zoho Corporation, specializing in digital workplace strategies, digital transformation initiatives, and enhancing employee experiences. Previously, he handled analyst relations and corporate marketing for Manage Engine (a division of Zoho Corp) and its suite of IT management products. He currently spends most of his time re-imagining and writing about how work gets done in large organizations, reading numerous newsletters, and Marie Kondo-ing his inbox.

Vignesh works as a Marketing Analyst at Zoho Corporation, specializing in content initiatives and digital workplace strategies. He's a passionate creator with a penchant for marketing and growth. In his free time, you can see him shuffling between books, movies, music, sports, and traveling, not necessarily in the same order.
