Online Espionage 2: email backdoors and RSA hack

Continuing his “Online Espionage” talk, Mikko Hypponen walks through specific examples of targeted attacks delivered as email attachments: documents that look relevant to the recipient but carry an exploit and a backdoor used to compromise the targeted systems. He also gives an insight into the RSA hack, outlining the particular scheme the attackers employed.

Infected PDF file sample


So, let’s have a look at the different documents. We saw examples of the emails, they look convincing. What about the documents themselves? And this actually is interesting because it tells us quite a bit about the targets if you just look at the files that were used. So here is an example (see image). That’s a PDF file sent to a defense contractor, some technical specs about a high efficiency DC-to-DC converter[1]. Looks pretty normal, that looks like a real file to the recipient, highly relevant and all that. But it’s fake, it has a backdoor and an exploit. By the time you see it on your screen, you’re already owned.

Another one was sent to EU parliament members, or people working at the EU parliament. It talks about an EU topic, looks fairly real. It isn’t. Another one we got was called ‘Federal Tax Law Changes’, that’s a PDF file as well. Yet another spoofed PDF file – talking about World Bank things, looks pretty real to me. Some of the infected files are Word documents though. Most of these, about 60%, are PDF files targeting Adobe Reader. If you open it with another reader – you are fine.

PowerPoint file containing a backdoor and an exploit


But here you go, one of the files we received talks about some UNICEF[2] meetings, it’s a Word file, like I said. We also got an Excel file containing a list of people working apparently with defense things – their phone numbers and stuff, looks like a real file. It isn’t, contains a backdoor, contains an exploit. Another one – a list of different journalists. We don’t know who was targeted by this attack, maybe somebody to whom this would be relevant. One more, some Secretariat stuff from France, also Department of the Air Force – I wonder who the target was, I don’t know. Here is a PowerPoint file (see image), so these are slides about visiting some organization, probably fairly convincing to whoever’s receiving the email. Another one was a Word document about Operations in Afghanistan – I wonder who was targeted by this.

Infected invitation sent to a classified target group of recipients

Well, this was interesting (see image). This was an invitation to a conference, which ran last June, and we actually intercepted this in, I think, April, like 2 months before this. And it says: “Strategic and Tactical Missile Systems Conference”. And if you actually look closer at who is the target group for the conference, well, it’s actually classified secret. So who would be receiving an email with an attachment like this, and to him it would be perfectly normal and usual?

Another one was an invitation to an ISSA[3] meeting in North Alabama. When discussing that particular file, somebody pointed out to me that most of the members in this organization work with computer security inside NASA, which might have something to do with it, but I don’t know.

And of course we get these not just in English but in all the languages. And not all of them are business kind of content, like most of the stuff we’ve seen here. We also get all kinds of stuff, but what they all have in common is that by the time you have it on your screen, you already have a backdoor on your system. And of course, like I said, all these different languages, so we intercepted a Chinese PowerPoint file containing a backdoor. There was also a Russian PDF file bundled with a backdoor; a German Excel file containing a backdoor; a German PDF file with a backdoor. One sample was Arabic, I don’t read Arabic but I guess it’s convincing as well.

RSA SecurID tokens used at Lockheed Martin


So, what happened at RSA[4] then? Well, RSA was hacked in late February or early March, something like that. What we believe happened was that somebody wanted to gain access not to RSA but to Lockheed Martin[5]. And they failed, because Lockheed Martin was using RSA SecurID[6] tokens for their network access (see image). So, since the attacker failed in getting inside, then they tried hacking SecurID, and this is why RSA was hacked.

We don’t know all the details of the story, but RSA made an announcement, they explained that they had been breached. And they were breached with a highly advanced and targeted attack. They never made the actual backdoor available to the research community, and they never released the email that they were hit with.

But we have one guy in our labs who just wouldn’t let this go. He would go back every other week and search the virus sample collections, convinced that we have this sample somewhere in our system, we just don’t know which one it is. And then he eventually was going through the system, going through our sample collection of tens of millions of samples, went through all the infected files we have, exported all the Flash components and tried to find the exploit from the Flash components, because we knew what exploit was being targeted. And after basically half a year, he found the sample.

Spoofed email RSA was hit by


We have it right now. This is the email (see image). This is the ‘highly advanced targeted attack’ that burned RSA. It says: “I forward this file to you for review. Please open and view it”. It actually freezes for quite a while when you try to open the attached Excel file, it’s using JavaScript. Well, it actually even fails in opening up on your screen. So if you take that Excel file – nothing happens, you never get the file on your screen, but you get a backdoor on your system. It’s an Excel file with an exploit. There was a Flash exploit inside of Excel which was a zero-day at the time they got burned.

So the mistake made by RSA was not about patching, because they could not have had a patch for this. Why did they have Flash embedded and enabled inside Excel? Maybe it was enabled by default, maybe there was some internal system which required it. But as Outlook is trying to load the file, it just fails in actually getting it on the screen. When it finally then opens up the file, the Excel file has no content, it’s an empty file, but by this time there is already a backdoor on the hard drive, it’s already executed. So that’s the ‘highly advanced attack’ that hit RSA. Who was attacking them? We don’t know.
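The hunt the speaker describes (exporting every Flash component from a sample collection and inspecting it) and the delivery method of the RSA email (a Flash object embedded in an Excel file) can both be illustrated with a small scanner. The code below is an added example written for this page; it is not F-Secure's tooling and not anything shown in the talk. It looks for SWF headers (the `FWS`, `CWS` and `ZWS` signatures) inside a document's raw bytes, applies a version/length sanity check to reject chance matches, and unpacks the zlib-compressed body so it can be handed to further analysis. The "Excel" container bytes, the decoy string and the `MAX_PLAUSIBLE_VERSION` cut-off are constructed assumptions; a real .xls would first have its OLE2 streams parsed (for example with the `olefile` library), a step this example skips by scanning the flat byte string.

```python
"""Hunt for Flash (SWF) objects embedded inside Office documents.

Added example written for this page, not the speaker's or F-Secure's tooling.
It scans raw bytes for SWF headers and extracts the body, which is the gist of
exporting every Flash component from a sample collection. The sample container
and the version cut-off below are constructed assumptions, not real data.
"""
import struct
import zlib

# SWF header: 3-byte signature, 1-byte version, 4-byte little-endian file length.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")  # uncompressed, zlib, LZMA
MAX_PLAUSIBLE_VERSION = 64                 # assumption: cut-off to reject chance matches


def find_embedded_swf(blob: bytes):
    """Return [(offset, signature, version, declared_length)] for every plausible header.

    The length field is the uncompressed size, so for CWS/ZWS it may legitimately
    exceed the bytes remaining in the container; only the lower bound is checked.
    """
    hits = []
    for sig in SWF_SIGNATURES:
        start = 0
        while True:
            off = blob.find(sig, start)
            if off < 0:
                break
            start = off + 1
            if off + 8 > len(blob):
                continue
            version = blob[off + 3]
            length = struct.unpack_from("<I", blob, off + 4)[0]
            if 1 <= version <= MAX_PLAUSIBLE_VERSION and length >= 8:
                hits.append((off, sig.decode("ascii"), version, length))
    return sorted(hits)


def extract_swf_body(blob: bytes, offset: int) -> bytes:
    """Return the SWF body (bytes after the 8-byte header) at `offset`, decompressed."""
    sig = blob[offset:offset + 3]
    declared = struct.unpack_from("<I", blob, offset + 4)[0]
    payload = blob[offset + 8:]
    if sig == b"FWS":
        return payload[:declared - 8]
    if sig == b"CWS":
        # decompressobj stops at the end of the zlib stream and ignores trailing
        # container bytes, so no exact end offset is needed.
        return zlib.decompressobj().decompress(payload)
    if sig == b"ZWS":
        raise NotImplementedError("ZWS (LZMA) bodies need the lzma module; not shown here")
    raise ValueError("no SWF header at offset %d" % offset)


def build_sample_container() -> bytes:
    """Constructed stand-in for an .xls carrying a zlib-compressed SWF in one stream.

    The SWF body is filler bytes, not an exploit. A decoy "CWS" string is included
    to show that the version/length sanity check rejects a chance match.
    """
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00" + b"\x00\x0c\x01\x00" + b"\x00" * 40
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file signature
    decoy = b"see file CWSzip.doc"                    # 'z' (122) fails the version check
    return ole_magic + b"\x00" * 64 + decoy + b"\x00" * 32 + swf + b"\x00" * 16


def triage(blob: bytes):
    """Report every plausible SWF and the size of the body it unpacks to."""
    report = []
    for off, sig, version, length in find_embedded_swf(blob):
        body = extract_swf_body(blob, off)
        report.append({"offset": off, "signature": sig, "version": version,
                       "declared_length": length, "body_length": len(body)})
    return report


if __name__ == "__main__":
    for entry in triage(build_sample_container()):
        print(entry)
```

Running the module prints one hit for the constructed container: the decoy `CWSzip` is discarded because its version byte is implausible, while the real header at offset 123 unpacks to a 53-byte body whose declared length (8 + 53) matches. On a real sample set the same loop would be run over every file, with each extracted body saved for the analyst or fed to a Flash parser to look for the exploit.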

Read previous: Online Espionage: Mikko Hypponen at SecTor IT security conference


[1] A DC-to-DC converter is an electronic device used to change direct current electrical power from one voltage level to another.

[2] UNICEF (United Nations International Children’s Emergency Fund) is an international organization providing long-term humanitarian and developmental assistance to children and mothers in developing countries.

[3] ISSA (Information Systems Security Association) is a non-profit international professional organization of information security professionals and practitioners.

[4] RSA is an American computer and network security company, currently operated as a subsidiary of EMC Corporation. RSA was named after the initials of its co-founders, Ron Rivest, Adi Shamir, and Len Adleman.

[5] Lockheed Martin is an American global aerospace, defense, security, and advanced technology company with worldwide interests.

[6] RSA SecurID is a mechanism developed by Security Dynamics (later RSA Security and now RSA) for performing two-factor authentication for a user to a network resource.
