RSA spearphish attack may have hit US defense organizations

09.09.2011
The hackers who broke into EMC's RSA Security division last March used the same attack code to try to break into several other companies, including two U.S. national security organizations, according to data provided by the VirusTotal website.

"According to our data, RSA was just one of the targets," said Bernardo Quintero, the founder of malware analysis site VirusTotal. Attackers "used the same malware to try to penetrate other networks," he said in an email interview.

VirusTotal is a popular site with security professionals who use it to get a quick industry consensus take on suspicious files. It runs any file through a battery of antivirus scanning engines and spits out a report within minutes. Someone at EMC used the service on March 19 to analyze an email message that contained the spearphishing attack used to break into RSA.

But according to Quintero, before the attack was publicly disclosed in mid-March, the same maliciously encoded Excel spreadsheet had already been uploaded to VirusTotal 16 times from 15 different sources. The first was on March 4 -- the day after the message was sent to RSA -- and the malware was detected by none of the site's 42 antivirus engines.

Because it relies on anonymous submissions, VirusTotal won't say who uploaded the documents. But according to Quintero's analysis, two of the targets were entities related to U.S. national security.

Buried in the metadata of the attack files is another clue: a sign that whoever created the attack used a Chinese language version of Excel -- Windows Simplified Chinese (PRC, Singapore). The attackers could have deliberately changed the file's settings to make it look like it came from China, but Quintero believes it "was a simple oversight" on the part of the hackers.
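The language clue described above lives in the CodePage property of the workbook's OLE SummaryInformation stream, where 936 is the Windows code page for Simplified Chinese. As an added example (not from the article, EMC or VirusTotal), the Python below builds a constructed SummaryInformation stream, parses the CodePage and Author properties the way a triage tool would, and decodes the Author string with the code page it found; the code page labels, the hypothetical sample values and the assumption that the stream has already been extracted from the compound file are mine.

```python
import struct

# MS-OLEPS constants: SummaryInformation format id (little-endian GUID bytes), property ids, variant types
FMTID_SUMMARY = bytes.fromhex("e0859ff2f94f6810ab9108002b27b3d9")   # {F29F85E0-4FF9-1068-AB91-08002B27B3D9}
PID_CODEPAGE, PIDSI_AUTHOR = 1, 4
VT_I2, VT_LPSTR = 2, 30
CODE_PAGES = {1252: "Windows Latin 1 (Western European)",           # descriptive labels, assumed subset
              936: "Windows Simplified Chinese (PRC, Singapore)"}

def build_summary_stream(codepage, author):
    """Construct a minimal SummaryInformation stream (constructed sample, not a real attack file)."""
    raw = author.encode("cp%d" % codepage) + b"\x00"      # LPSTR is encoded in the stream's code page
    raw += b"\x00" * (-len(raw) % 4)                       # values are padded to a 4-byte boundary
    v_cp = struct.pack("<HHhxx", VT_I2, 0, codepage)       # type, padding, int16 value, padding
    v_au = struct.pack("<HHI", VT_LPSTR, 0, len(raw)) + raw
    off_cp = 8 + 2 * 8                                     # size+count header plus two PID/offset pairs
    off_au = off_cp + len(v_cp)
    pset = struct.pack("<IIIIII", off_au + len(v_au), 2,
                       PID_CODEPAGE, off_cp, PIDSI_AUTHOR, off_au) + v_cp + v_au
    header = (struct.pack("<HHI", 0xFFFE, 0, 0x00020006) + b"\x00" * 16   # byte order, version, OS, CLSID
              + struct.pack("<I", 1) + FMTID_SUMMARY + struct.pack("<I", 48))
    return header + pset

def parse_property_set(stream):
    """Return {pid: value} for the first property set; handles VT_I2 and VT_LPSTR (raw bytes)."""
    if struct.unpack_from("<H", stream, 0)[0] != 0xFFFE:
        raise ValueError("not an OLE property set stream")
    if stream[28:44] != FMTID_SUMMARY:
        raise ValueError("first property set is not SummaryInformation")
    base = struct.unpack_from("<I", stream, 44)[0]         # offset of the property set
    _size, nprops = struct.unpack_from("<II", stream, base)
    props = {}
    for i in range(nprops):
        pid, off = struct.unpack_from("<II", stream, base + 8 + 8 * i)
        vt = struct.unpack_from("<H", stream, base + off)[0]
        val = base + off + 4                               # skip type and padding
        if vt == VT_I2:
            props[pid] = struct.unpack_from("<h", stream, val)[0]
        elif vt == VT_LPSTR:
            n = struct.unpack_from("<I", stream, val)[0]
            props[pid] = stream[val + 4:val + 4 + n].rstrip(b"\x00")
    return props

def describe(stream):
    """Report the code page and decode the Author string with it; the field is editable, so treat it as a hint."""
    props = parse_property_set(stream)
    cp = props.get(PID_CODEPAGE, 1252)                     # MS-OLEPS default when the property is absent
    author = props.get(PIDSI_AUTHOR, b"").decode("cp%d" % cp, errors="replace")
    return {"codepage": cp, "codepage_name": CODE_PAGES.get(cp, "unknown"), "author": author}
```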