Moving on with his “Online Espionage” talk, Mikko Hypponen provides a number of specific examples of attacks through email attachments containing backdoors used to compromise the targeted systems. Mr. Hypponen also gives an insight into the RSA hack, outlining the particular scheme that was employed by the criminals.

So, let’s have a look at the different documents. We saw examples of the emails, they look convincing. What about the documents themselves? And this actually is interesting because it tells us quite a bit about the targets if you just look at the files that were used. So here is an example (see image). That’s a PDF file sent to a defense contractor, some technical specs about a high efficiency DC-to-DC converter¹. Looks pretty normal, that looks like a real file to the recipient, highly relevant and all that. But it’s fake, it has a backdoor and an exploit. By the time you see it on your screen, you’re already owned.
Another one was sent to EU parliament members, or people working at the EU parliament. It talks about an EU topic, looks fairly real. It isn’t. Another one we got was called ‘Federal Tax Law Changes’, that’s a PDF file as well. Yet another spoofed PDF file – talking about World Bank things, looks pretty real to me. Some of the infected files are Word documents though. Most of these, about 60%, are PDF files targeting Adobe Reader. If you open it with another reader – you are fine.

But here you go, one of the files we received talks about some UNICEF² meetings, it’s a Word file, like I said. We also got an Excel file containing a list of people working apparently with defense things – their phone numbers and stuff, looks like a real file. It isn’t, contains a backdoor, contains an exploit. Another one – a list of different journalists. We don’t know who was targeted by this attack, maybe somebody to whom this would be relevant. One more, some Secretariat stuff from France, also Department of the Air Force – I wonder who the target was, I don’t know. Here is a PowerPoint file (see image), so these are slides about visiting some organization, probably fairly convincing to whoever’s receiving the email. Another one was a Word document about Operations in Afghanistan – I wonder who was targeted by this.
Well, this was interesting (see image). This was an invitation to a conference, which ran last June, and we actually intercepted this in, I think, April, like 2 months before this. And it says: “Strategic and Tactical Missile Systems Conference”. And if you actually look closer at who is the target group for the conference, well, it’s actually classified secret. So who would be receiving an email with an attachment like this, and to him it would be perfectly normal and usual?
Another one was an invitation to an ISSA³ meeting in North Alabama. When discussing that particular file, somebody pointed out to me that most of the members in this organization work with computer security inside NASA, which might have something to do with it, but I don’t know.
And of course we get these not just in English but in all the languages. And not all of them are business kind of content, like most of the stuff we’ve seen here. We also get all kinds of stuff, but what they all have in common is that by the time you have it on your screen, you already have a backdoor on your system. And of course, like I said, all these different languages, so we intercepted a Chinese PowerPoint file containing a backdoor. There was also a Russian PDF file bundled with a backdoor; a German Excel file containing a backdoor; a German PDF file with a backdoor. One sample was Arabic, I don’t read Arabic but I guess it’s convincing as well.

So, what happened at RSA⁴ then? Well, RSA was hacked in late February or early March, something like that. What we believe happened was that somebody wanted to gain access not to RSA but to Lockheed Martin⁵. And they failed, because Lockheed Martin was using RSA SecurID⁶ tokens for their network access (see image). So, since the attacker failed in getting inside, then they tried hacking SecurID, and this is why RSA was hacked.
We don’t know all the details of the story, but RSA made an announcement, they explained that they had been breached. And they were breached with a highly advanced and targeted attack. They never made the actual backdoor available to the research community, and they never released the email that they were hit with.
So the mistake made by RSA was not about the patching, because they could not have a patch for this. Why did they have Flash embedded and enabled inside Excel? Maybe it was enabled by default, maybe there was some internal system which required it. But as Outlook is trying to load the file, it just fails in actually getting it on the screen. When it finally then opens up the file, the Excel file has no content, it’s an empty file, but by this time there is already a backdoor on the hard drive, it’s already executed. So that’s the ‘highly advanced attack’ that hit RSA. Who was attacking them? We don’t know.
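The attachments described in this talk share one trait: an ordinary-looking document container (Excel, Word, PowerPoint, PDF) carrying active content that runs before the user sees anything. The following added example is not from the talk or from F-Secure; it is a defender's mail-gateway triage heuristic that flags OLE2 spreadsheets carrying a Shockwave Flash object (the mechanism described for the RSA attachment) and PDFs carrying open-time actions. The Flash CLSID byte layout is the standard on-disk GUID form used in OLE2 directory entries; the sample attachments are constructed, not real malware.

```python
import re
import struct
from typing import Dict, List

# "Shockwave Flash Object" ActiveX CLSID D27CDB6E-AE6D-11CF-96B8-444553540000 as it is
# written into an OLE2 directory entry (Data1..Data3 little-endian, Data4 as-is).
FLASH_CLSID_ON_DISK = struct.pack("<IHH", 0xD27CDB6E, 0xAE6D, 0x11CF) + bytes.fromhex("96B8444553540000")
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # container used by pre-OOXML .xls/.doc/.ppt
# A SWF stream starts with FWS/CWS/ZWS plus a small version byte; the version range keeps
# ordinary text such as "CWS " from matching.
SWF_MAGIC = re.compile(rb"(?:FWS|CWS|ZWS)[\x03-\x1f]")
# PDF dictionary keys that run code or actions when the file is opened in Adobe Reader.
PDF_ACTIVE_KEYS = (b"/OpenAction", b"/JavaScript", b"/JS", b"/Launch", b"/AA", b"/RichMedia")

def scan_attachment(data: bytes) -> List[str]:
    """Heuristic findings for one attachment; an empty list means nothing stood out."""
    findings = []
    if data.startswith(OLE2_MAGIC):
        if FLASH_CLSID_ON_DISK in data:
            findings.append("ole2: embedded Shockwave Flash ActiveX object")
        if SWF_MAGIC.search(data):
            findings.append("ole2: embedded raw SWF stream")
    elif data.startswith(b"%PDF-"):
        findings.extend("pdf: %s present" % k.decode() for k in PDF_ACTIVE_KEYS if k in data)
        if SWF_MAGIC.search(data):
            findings.append("pdf: embedded SWF stream")
    return findings

def triage(attachments: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each attachment name to its findings, keeping only attachments worth a second look."""
    result = {}
    for name, data in attachments.items():
        findings = scan_attachment(data)
        if findings:
            result[name] = findings
    return result

# Constructed sample inputs (not real malware): a plain spreadsheet, a spreadsheet carrying a
# Flash object plus SWF header, a plain PDF, and a PDF that runs JavaScript on open.
SAMPLES = {
    "specs.xls":  OLE2_MAGIC + b"\x00" * 64 + b"Workbook" + b"\x00" * 64,
    "agenda.xls": OLE2_MAGIC + b"\x00" * 64 + FLASH_CLSID_ON_DISK + b"CWS\x0a" + b"\x00" * 32,
    "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF",
    "taxlaw.pdf": b"%PDF-1.6\n1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj\n%%EOF",
}

if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(name, "->", "; ".join(findings))
```

A hit is a reason to detonate the attachment in a sandbox or quarantine it, not proof of compromise; legitimate documents occasionally embed Flash or JavaScript too.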
1 – DC-to-DC converter is an electronic device used to change direct current electrical power from one voltage level to another.
2 – UNICEF (United Nations International Children’s Emergency Fund) is an international organization providing long-term humanitarian and developmental assistance to children and mothers in developing countries.
3 – ISSA (Information Systems Security Association) is a non-profit international professional organization of information security professionals and practitioners.
4 – RSA is an American computer and network security company, currently operated as a subsidiary of EMC Corporation. RSA was named after the initials of its co-founders, Ron Rivest, Adi Shamir, and Len Adleman.
5 – Lockheed Martin is an American global aerospace, defense, security, and advanced technology company with worldwide interests.
6 – RSA SecurID is a mechanism developed by Security Dynamics (later RSA Security and now RSA) for performing two-factor authentication for a user to a network resource.