PC World is reporting that the malware which was used in the spearphishing attack that compromised the RSA security token may have been used to attack US defense organizations.
PC World quotes Bernardo Quintero, the founder of malware analysis site VirusTotal. “According to our data, RSA was just one of the targets.
VirusTotal is a popular site with security professionals who use it to get a quick industry consensus take on suspicious files. It runs any file through a battery of antivirus scanning engines and spits out a report within minutes. Someone at EMC used the service on March 19 to analyze an email message that contained that spearphishing attack that was used to break into RSA.
But according to Quintero, before the attack was publicly disclosed in mid-March, the same maliciously encoded Excel spreadsheet had already been uploaded to VirusTotal 16 times from 15 different sources. The first was on March 4 — the day after the message was sent to RSA — and the malware was detected by none of the site’s 42 antivirus engines.
Because it relies on anonymous submissions, VirusTotal won’t say who uploaded the documents. But according to Quintero’s analysis, two of the targets were entities related to U.S. national security.
The malware was introduced into the targeted victims by spearphishing — cleverly constructed emails that are designed to deceive the recipient into action.
According to Dmitri Alperovitch, McAfee’s vice president of threat research, McAfee’s research shows that other defense organizations were targeted with the attack, although not necessarily at the same time as the RSA incident. He said, “After that vulnerability became known a lot of people started leveraging it, and that continued through April.”