RSA SecurID 2011
An Excel attachment titled '2011 Recruitment Plan' was opened in HR. Three months later, the hardware tokens used by half the Fortune 500 had to be replaced.
In early 2011, an EMC-owned security company called RSA disclosed an "extremely sophisticated cyberattack" on its own systems. The disclosure was unusually opaque. The company said attackers had taken information related to its SecurID two-factor authentication product, but declined to specify what exactly that meant.
The phishing email and the spreadsheet
Reconstructed later by F-Secure and others, the intrusion began with a small-batch phishing campaign targeting a handful of RSA HR employees. The attached Excel file, titled "2011 Recruitment Plan", contained an embedded Flash exploit. One employee fished the message out of their spam folder and opened it. Within hours, a remote-access trojan was installed and the attackers were moving inside the network toward systems related to the SecurID seed values — the cryptographic secrets that bound each hardware token to its server.
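To make concrete why the seed values, rather than the tokens themselves, were the prize, here is an added example that is not RSA's code or algorithm: RFC 6238 TOTP stands in for the proprietary SecurID algorithm, the seed is the RFC's published test secret, and the function names are this example's own. It shows that a copy of the seed record reproduces the genuine token's code exactly, and that issuing a new seed (what replacing the token does) is what finally rejects codes derived from the leaked copy.

```python
import hashlib
import hmac
import struct

# Constructed demo seed (the RFC 4226/6238 test secret "12345678901234567890").
# Real SecurID seed records and RSA's own token algorithm are not reproduced here;
# RFC 6238 TOTP stands in for "a time-based code derived from a per-token secret".
TOKEN_SEED = b"12345678901234567890"


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def server_accepts(seed_on_file: bytes, presented_code: str, unix_time: int) -> bool:
    """Server side: the only secret it relies on is the seed record for that token."""
    return hmac.compare_digest(totp(seed_on_file, unix_time), presented_code)


def seed_copy_matches_token(seed: bytes, unix_time: int) -> bool:
    """Whoever holds a copy of the seed record computes the same code as the genuine
    token, which is why the seed file, not the plastic token, was the asset that mattered."""
    genuine_token_display = totp(seed, unix_time)
    copied_seed_record = bytes(seed)  # the same bytes, as read from a seed file
    return totp(copied_seed_record, unix_time) == genuine_token_display


def reseed_invalidates_copy(old_seed: bytes, new_seed: bytes, unix_time: int) -> bool:
    """Mitigation: issue a new seed (i.e. replace the token). A code derived from the
    leaked old seed is then rejected by a server that holds only the new seed."""
    code_from_leaked_seed = totp(old_seed, unix_time)
    return not server_accepts(new_seed, code_from_leaked_seed, unix_time)


if __name__ == "__main__":
    t = 59  # RFC 6238 test time; the 6-digit code at this instant is 287082
    print("token shows:", totp(TOKEN_SEED, t))
    print("seed copy matches token:", seed_copy_matches_token(TOKEN_SEED, t))
    print("after reseed, old copy rejected:",
          reseed_invalidates_copy(TOKEN_SEED, b"replacement seed 2011", t))
```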
The Lockheed sequel
In May, Lockheed Martin disclosed an intrusion attempt against its networks. The attackers had used cloned SecurID tokens. RSA, which had been studiously vague for months, was forced to publicly confirm that the SecurID seeds had indeed been part of the stolen data. The company offered to replace tokens for any customer that asked. Tens of millions did.
What the chronicle remembers
The RSA incident was an early, public case of an attacker compromising a security vendor specifically to use the vendor's product against the vendor's customers. The technique — targeting the keys to the kingdom rather than the kingdoms themselves — has been a fixture of nation-state operations ever since.