Email breach chronicles: RSA's infiltration—the spear phishing incident of 2011

In March 2011, RSA Security, a leading provider of cybersecurity solutions, fell victim to a significant cyberattack. The attack was sophisticated and carried out by a highly skilled group of hackers, who were believed to be state-sponsored. It involved the use of a spear phishing email campaign as the initial entry point, where they enticed the users to click on a malicious attachment. 

The attackers exploited a zero-day vulnerability threat on Adobe Flash, and a variant of the advanced persistent threat (APT) known as the "Poison Ivy" malware was installed on their system. The attackers then gradually escalated their privileges, moved laterally across the network, and gained unauthorized access to RSA's SecurID tokens, which were widely used by organizations for two-factor authentication. The incident highlighted the potential vulnerabilities that even well-established companies could face and served as a wake-up call for organizations worldwide. 

Type of attack

The incident involved different types of attacks carried out by the perpetrator, such as:

• Spear phishing: The RSA cyberattack was initiated with a targeted phishing campaign. The attackers crafted convincing emails and sent them to specific RSA employees, aiming to trick them into opening malicious attachments.

• Advanced persistent threat (APT): Once inside the network, the attackers exploited a zero-day vulnerability threat on Adobe Flash, and deployed a variant of the APT known as the "Poison Ivy" malware. This APT allowed the attackers to establish persistence within RSA's infrastructure and maintain access for an extended period while evading detection.

• Lateral movement: The attackers skillfully moved laterally within RSA's network. They extracted credentials from the machine's memory, used them to log into other network machines, and subsequently scraped those computers' memories for additional usernames and passwords, including those belonging to privileged administrators.

• Credential theft and data exfiltration: The attackers then sought to compromise the integrity of RSA's SecurID tokens and their underlying algorithms. They successfully exfiltrated a significant amount of stolen data to potentially undermine the security of organizations relying on RSA's technology.

Timeline 

• Initial breach: The attackers gain entry to RSA's network through a malicious file containing a script that exploits a zero-day vulnerability in Adobe Flash. They use this entry point to launch their attack.

• Lateral movement: The attackers move laterally within the network, compromise multiple systems, access more privileged accounts, and escalate their privileges.

• Discovery of two hacker groups: RSA executives suspect the presence of two groups of hackers in their network, with one group potentially exploiting the other's access for their own purposes.

• Targeting of SecurID seeds: The attackers specifically target and gain access to the SecurID seed database, which forms a critical component of RSA's two-factor authentication (2FA) system.

• Exfiltration of seeds: The attackers exfiltrate the SecurID seeds from three compromised servers, transmitting them to a remote server.

• Damage mitigation: RSA's security team takes immediate action to limit the damage, physically cutting off network connections and severing connections to the manufacturing facility and other critical parts of the network.

• Public disclosure: RSA publicly acknowledges the breach, informing customers and providing guidance on strengthening security.

• Two months after public disclosure: News reports come out stating that US government defense contractors such as Lockheed Martin, Northrop Gruman, and L-3 were targeted by hackers with SecurID seed values.

Origin 

The origin of the RSA cyberattack can be traced back to a spear phishing campaign launched by the attackers specifically targeting RSA employees. Through social engineering techniques, the attackers enticed the employees to click on a malicious attachment named "2011 Recruitment plan.xls"

Initial publication 

• On March 17, 2011, an article in WIRED stated that RSA had become the victim of an "extremely sophisticated" hack.
• In late May 2011, Reuters revealed that the hackers attempted to hack US defense contractor Lockheed Martin.
• On May 31, 2011, WIRED revealed that defense contractors Northrop Grumman and L-3 were also targeted by hackers.
• The New York Times published an article claiming that a Chinese state hacker group believed to be People’s Liberation Army Unit 61398 was behind the attack.

Geographical spread 

The geographical spread of the RSA cyberattack was not specifically disclosed. It affected the US government defense contractors mentioned above. However, because the attack targeted RSA's internal systems and compromised sensitive information, the breach had the potential to affect organizations globally that utilized RSA's 2FA tokens.

Attack vectors 

The attack vectors utilized by the hackers include:

• Spear phishing

• Zero-day exploit

• Lateral movement

• Targeted exploitation

Vulnerability exploited 

The attacker exploited the following vulnerabilities:

• Zero-day vulnerability: The attackers exploited the CVE-2011-0609 vulnerability in Adobe Flash to execute the code and to drop a Poison Ivy backdoor to the system.
• Exploitation of outdated software and privileged access: The victim's lack of an updated version of Windows or Microsoft Office, coupled with their privileged installation rights on their PCs, presented a vulnerability for exploitation. Taking advantage of this weakness, the attacker used a tool to extract credentials from the victim's machine's memory. Subsequently, the attacker reused these stolen usernames and passwords to gain unauthorized access to other machines within the network.

Perpetrators 

The perpetrators behind the attack have been attributed to a Chinese state hacker group believed to be People’s Liberation Army Unit 61398.

Motive 

The intent of the attackers, who were later identified to be a Chinese hacker group was to break into Lockheed Martin, Northrop Grumman, and L-3. Because these organizations depended on RSA's SecurID tokens for network authentication, the attackers compromised the integrity of RSA's SecurID tokens, undermining the security of numerous organizations relying on RSA's technology.

Forensic analysis

• Initial compromise: The attack began with an RSA employee in Australia receiving an email with a malicious Excel spreadsheet attachment titled "2011 Recruitment plan." Upon opening the attachment, a script exploiting a zero-day vulnerability, CVE-2011-0609, in Adobe Flash was executed, allowing the attackers to gain a foothold on the employee's PC.

• Credential harvesting and lateral movement: The attackers used a tool to extract credentials from the compromised machine's memory and used those credentials to log into other machines on the network. Then they scraped the memories of those computers for more usernames and passwords, gradually escalating their privileges and moving laterally across the network.

• Dual attack groups: RSA's security analysts discovered evidence suggesting the presence of at least two different attack groups operating within the network simultaneously. It appeared that one group with lower skills may have been exploited by a more sophisticated group, potentially leveraging their access without their knowledge.

• Targeting the seed warehouse: The attackers identified and targeted a server connected to the seed warehouse, which was responsible for manufacturing RSA's SecurID hardware tokens. Despite the server being protected by an "air gap," a server on RSA's internet-connected network was linked to it through a firewall, allowing the attackers to gain access to the seeds used for encryption.

• Data exfiltration and encryption: The attackers exfiltrated the stolen seed data by collecting it from three compromised servers, relaying requests through the connected machine. They packaged the collected seeds and transferred them to a remote server, effectively obtaining a complete database of every seed stored in RSA's seed warehouse.

Incident detection 

Anomalous network activity: The RSA admin noticed unauthorized server access from an unfamiliar PC with abnormal account permissions. This prompted a comprehensive investigation by the security incident response team, which uncovered further anomalies in employees' credentials.

Impact 

• Compromised SecurID tokens: The attackers gained access to sensitive information related to RSA's SecurID authentication tokens, which were widely used by clients of various organizations for secure access. Using the data, the attackers tried to obtain military secrets by breaking into Lockheed Martin, Northrop Grumman, and L-3, three major US government defense contractors.

• Reputation damage: The fact that hackers were able to penetrate into a major security solution provider and steal the source code for the SecurID system raised concerns about the effectiveness of RSA's cybersecurity measures and served as a wake-up call for organizations to reassess their security practices.  

 Mitigation 

• Network isolation: The security team at RSA physically severed network connections to limit the damage and prevent further theft of data from the compromised seed warehouse.

• Open communication: RSA's CEO addressed the security breach through an open letter on the company's website, informing customers about the incident.

• Customer support: Approximately 90 RSA staffers engaged in one-on-one phone calls with each customer, providing guidance on protective measures like adding or lengthening PIN numbers for SecurID logins to enhance security against hackers.

• Enhanced phone security: To mitigate concerns of compromised phone systems, RSA switched carriers, transitioning from AT&T to Verizon phones.

• Increased physical security: The meetings at RSA were conducted in person, and paper copies of documents were shared instead of digital files. The windows of executives' offices and conference rooms were covered with layers of butcher paper to prevent potential laser microphone surveillance.

Collaborative efforts 

Key collaborative actions included:

• Coordination with customers: RSA engaged in one-on-one phone calls with every customer, providing personalized guidance and support to strengthen security measures, such as implementing or lengthening PIN numbers for SecurID logins.

• Government support: The National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) were called upon to provide expertise and assistance in addressing the cyberattack.

• Industry experts: RSA engaged with incident response firm Mandiant and defense contractor Northrop Grumman to assist in the investigation.

Legal and regulatory implications 

Though the attack was speculated to be executed by a Chinese state hacker group (People’s Liberation Army Unit 61398) and believed to be part of a larger campaign of cyber-espionage by the Chinese government, there were no legal or regulatory actions taken against RSA or the hackers involved in the cyberattack.

 Lessons learned for organizations 

• Continuous security monitoring: The attack emphasized the importance of robust monitoring systems and technologies to detect and respond to potential threats in real-time, enabling proactive defense against sophisticated attacks.

• Multi-factor authentication (MFA): The incident highlighted the significance of implementing strong authentication measures, such as MFA, to protect sensitive systems and accounts.

• Supply chain security: The attack brought attention to the risks associated with supply chain security. Organizations realized the need to assess the security posture of their vendors and partners, establish stringent security requirements, and implement effective controls to ensure the integrity and trustworthiness of the products and services they rely on.

• Employee awareness and training: The incident emphasized the critical role of employees in maintaining cybersecurity. Organizations learned the importance of ongoing security awareness and training programs to educate employees about phishing attacks, social engineering techniques, and best practices for maintaining a secure computing environment.

This article is co-authored by Sandeep Kotla and Vignesh S.

Sandeep is an accomplished inbound marketer at Zoho Corporation, specializing in digital workplace strategies, digital transformation initiatives, and enhancing employee experiences. Previously, he handled analyst relations and corporate marketing for Manage Engine (a division of Zoho Corp) and its suite of IT management products. He currently spends most of his time re-imagining and writing about how work gets done in large organizations, reading numerous newsletters, and Marie Kondo-ing his inbox.

Vignesh works as a Marketing Analyst at Zoho Corporation, specializing in content initiatives and digital workplace strategies. He's a passionate creator with a penchant for marketing and growth. In his free time, you can see him shuffling between books, movies, music, sports, and traveling, not necessarily in the same order.