The post, written by Uri Rivner, RSA’s head of new technologies and consumer identity protection, goes into great detail, so if you have a minute to spare it is well worth the read.
To summarize a bit:
- Attackers got their hands on specific employees’ publicly available information.
- Hackers sent specific employees a phishing email entitled ‘2011 Recruitment Plan’ with an Excel spreadsheet attached. The spreadsheet, called ‘2011 Recruitment plan.xls’, hid an embedded Flash exploit that took advantage of a zero-day vulnerability in Adobe Flash (CVE-2011-0609).
- The exploit installed a Trojan, which then downloaded a variant of the Poison Ivy remote administration tool (RAT) to give the attackers remote control of the computer.
- The attackers took the access credentials from the compromised victims. The attackers then performed “privilege escalation on non-administrative users in the targeted systems, and then moved on to gain access to key high value targets, which included process experts and IT and Non-IT specific server administrators.”
- The hackers went into the servers of interest, copied data and moved it to internal staging servers. There the data was aggregated, compressed and encrypted for extraction. FTP was then used to transfer “many” password-protected RAR files from the RSA file server to an external staging server, a compromised machine at a hosting provider.
- The files were subsequently pulled by the attackers and deleted from the compromised external host to remove any traces of the attack.
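The last two steps of that chain, internal staging followed by bulk FTP of RAR archives to an outside host, are the stage where a defender has the most concrete telemetry to work with. The script below is an added example, not part of Rivner's post or of any RSA tooling: it runs two simple checks over a constructed egress log (timestamp, source, destination, port, bytes, file name, all invented) and assumes a hypothetical log format and a hypothetical set of internal address ranges. It flags large outbound FTP transfers of archive files to non-internal addresses, and separately lists internal hosts that receive files from several internal sources and then send data outbound, which is the pattern an internal staging server leaves behind.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample egress log (not real RSA data). Fields, space-separated:
# timestamp source destination dst_port bytes file_name
SAMPLE_LOG = """\
2011-03-01T02:11:05 10.10.5.21 10.10.9.7 445 52428800 finance_q1.bak
2011-03-01T02:14:40 10.10.5.22 10.10.9.7 445 73400320 hr_export.csv
2011-03-01T02:20:13 10.10.9.7 203.0.113.45 21 41943040 part01.rar
2011-03-01T02:22:51 10.10.9.7 203.0.113.45 21 41943040 part02.rar
2011-03-01T02:25:09 10.10.9.7 203.0.113.45 21 39845888 part03.rar
2011-03-01T09:00:00 10.10.3.4 198.51.100.10 443 2048 index.html
2011-03-01T09:05:00 10.10.3.4 10.10.9.7 21 1048576 notes.rar
"""

# Hypothetical internal address space; a real deployment would use the
# organisation's own ranges rather than the RFC 1918 blocks alone.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

ARCHIVE_RE = re.compile(r"\.(rar|zip|7z)$", re.IGNORECASE)
FTP_PORTS = {20, 21}


def parse_line(line):
    """Split one log line into a dict; raises ValueError on a malformed line."""
    ts, src, dst, port, nbytes, fname = line.split()
    return {"ts": ts, "src": src, "dst": dst,
            "port": int(port), "bytes": int(nbytes), "file": fname}


def is_external(ip):
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def events(log_text):
    for line in log_text.splitlines():
        if line.strip():
            yield parse_line(line)


def flag_exfil(log_text, min_bytes=10 * 1024 * 1024):
    """Outbound FTP transfers of archive files (>= min_bytes) to external hosts."""
    alerts = []
    for ev in events(log_text):
        if (ev["port"] in FTP_PORTS
                and is_external(ev["dst"])
                and ARCHIVE_RE.search(ev["file"])
                and ev["bytes"] >= min_bytes):
            alerts.append(ev)
    return alerts


def find_staging_hosts(log_text, min_sources=2):
    """Internal hosts that collect files from >= min_sources internal peers
    and also send traffic to external addresses: candidate staging servers."""
    inbound_sources = defaultdict(set)
    talks_outbound = set()
    for ev in events(log_text):
        src_ext, dst_ext = is_external(ev["src"]), is_external(ev["dst"])
        if not src_ext and not dst_ext:
            inbound_sources[ev["dst"]].add(ev["src"])
        elif not src_ext and dst_ext:
            talks_outbound.add(ev["src"])
    return sorted(host for host, srcs in inbound_sources.items()
                  if len(srcs) >= min_sources and host in talks_outbound)


if __name__ == "__main__":
    for ev in flag_exfil(SAMPLE_LOG):
        print(f"EXFIL? {ev['ts']} {ev['src']} -> {ev['dst']}:{ev['port']} "
              f"{ev['file']} ({ev['bytes']} bytes)")
    print("staging candidates:", find_staging_hosts(SAMPLE_LOG))
```

On the sample data the first check returns the three `partNN.rar` transfers to 203.0.113.45 and ignores both the HTTPS fetch and the small internal FTP copy; the second names 10.10.9.7, which received files from three internal hosts before pushing the archives out. Neither check is a substitute for blocking unneeded outbound FTP at the perimeter, but together they turn the sequence described in the post into two queries a SOC can run over existing flow or proxy logs.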