How we found the file that was used to hack RSA
Already in April, we knew that the attack was launched with a targeted email to EMC employees (EMC owns RSA), and that the email carried an attachment called “2011 Recruitment plan.xls”. RSA disclosed this much in their blog post. The problem was that we didn’t have the file. It seemed like nobody did, and the antivirus researcher mailing lists were buzzing with discussion about where to find it. Nobody had it, and eventually the discussion quieted down.
This bothered Timo Hirvonen. Timo is an analyst in our labs, and he was convinced that he could find the file. Every few weeks since April, Timo would go back to our collection of tens of millions of malware samples and try to mine it for this one file, with no luck. Until this week.
Timo wrote a data analysis tool that scanned samples for embedded Flash objects. We knew the XLS file in question used a Flash object to exploit the system, so any sample carrying one was a candidate. The new tool located several relevant samples. One of them, however, was not an Excel file at all. It was an Outlook message file (MSG). When Timo opened it up, he knew he was onto something. The message file turned out to be the original email that was sent to RSA on 3 March, complete with the attachment 2011 Recruitment plan.xls.
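The kind of first-pass scan described above, as an added example that is not F-Secure’s tool and not code from the original post: it walks a blob of bytes looking for the three SWF magic values (FWS, CWS, ZWS), checks that the version and declared-length fields in the 8-byte SWF header are plausible, and for zlib-compressed CWS objects confirms the stream actually inflates to the declared size. The `MAX_SWF_VERSION` cut-off and the sample blob are assumptions constructed for the example.

```python
"""Scan binary samples for embedded Flash (SWF) objects.

Added example, not F-Secure's actual tool. A SWF starts with an 8-byte
header: 3-byte magic ("FWS" uncompressed, "CWS" zlib, "ZWS" LZMA),
1-byte version, and a 4-byte little-endian length of the *uncompressed*
file, header included.
"""
import struct
import zlib

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
MAX_SWF_VERSION = 50  # assumption: versions above this are treated as false hits


def find_swf_objects(data: bytes) -> list:
    """Return a list of dicts describing every plausible SWF header in `data`.

    Each hit carries offset, magic, version, declared_len and a `validated`
    flag: True when the object's body was confirmed (FWS fits inside the
    sample, CWS inflates to the declared size). ZWS hits are header-only.
    """
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while True:
            idx = data.find(magic, start)
            if idx < 0:
                break
            start = idx + 1
            header = data[idx:idx + 8]
            if len(header) < 8:
                continue
            version = header[3]
            declared_len = struct.unpack("<I", header[4:8])[0]
            # Declared length includes the 8-byte header, so it must exceed 8.
            if version == 0 or version > MAX_SWF_VERSION or declared_len <= 8:
                continue  # three ASCII letters by chance, not a Flash header

            validated = False
            if magic == b"FWS":
                # Uncompressed: the whole declared object must fit in the sample.
                validated = declared_len <= len(data) - idx
            elif magic == b"CWS":
                # zlib stream follows the header; trailing bytes are tolerated.
                d = zlib.decompressobj()
                try:
                    body = d.decompress(data[idx + 8:])
                    validated = d.eof and (len(body) + 8 == declared_len)
                except zlib.error:
                    validated = False
            else:
                # ZWS uses LZMA with a custom prefix; header check only here.
                validated = True

            hits.append({
                "offset": idx,
                "magic": magic.decode("ascii"),
                "version": version,
                "declared_len": declared_len,
                "validated": validated,
            })
    return sorted(hits, key=lambda h: h["offset"])


def scan_file(path: str) -> list:
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as f:
        return find_swf_objects(f.read())


def make_cws(body: bytes, version: int = 10) -> bytes:
    """Build a minimal zlib-compressed SWF wrapper around `body` (for the sample)."""
    return b"CWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)


def build_constructed_sample() -> bytes:
    """Constructed input, not a real malware sample.

    OLE compound-file magic, padding, a decoy "FWS" inside plain text,
    more padding, then a genuine CWS object.
    """
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
    padding = b"\x00" * 64
    decoy = b"FWS is just text here"
    swf = make_cws(b"\x00" * 200, version=10)  # 200-byte body standing in for SWF tags
    return ole_magic + padding + decoy + padding + swf + padding


if __name__ == "__main__":
    for hit in find_swf_objects(build_constructed_sample()):
        print(hit)
```

Running it against the constructed sample reports the decoy “FWS” as an unvalidated hit and the real CWS object at offset 157 as validated. On real OLE containers such as XLS and MSG the streams are stored in sectors and can be fragmented, so a raw byte scan like this finds headers reliably but may fail to inflate a CWS body that spans non-adjacent sectors; for those, extract the streams with an OLE parser first and run the scan on each stream.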
After five months, we finally had the file.
And not only that, we had the original email. It turns out somebody (most likely an EMC/RSA employee) had uploaded the email and its attachment to the VirusTotal online scanning service on 19 March. And, as stated in the VirusTotal terms, uploaded files are shared with relevant parties in the anti-malware and security industry. So we all had the file already. We just didn’t know we did, and we couldn’t find it amongst the millions of other samples.