The Master Key Heist: RSA SecurID
It was one of the most trusted objects in corporate security — a small plastic fob, roughly the size of a USB drive, its face displaying a six-digit number that changed every sixty seconds. Millions of people carried one. Bank employees. Defense contractors. CIA analysts. Intelligence officers. Government workers with top-secret clearances.
The number was called a one-time passcode. The idea was elegant and seemingly unbreakable: even if a password was stolen, an attacker would still need the second factor — the physical token — to get in. By the time you’d typed a stolen code, the clock had already turned and the number was dead.
The physical token, the reasoning went, is the one thing you can’t remotely steal.
On the morning of March 17, 2011, RSA Security — the division of EMC Corporation that manufactured those tokens under the SecurID brand, and that had spent thirty years building the authentication infrastructure of governments and corporations worldwide — sent a letter to its customers. The letter was brief, oblique, and terrifying in its implications.
“Recently, our security systems identified an extremely sophisticated cyber attack in progress.”
RSA had been breached. And whoever had broken in had not been after money, credentials, or source code for resale. They had been after something far more precise, and far more dangerous: the raw mathematical seeds that made SecurID tokens work.
They had stolen the master keys to an unknown fraction of the world’s most secure networks.
Threat Actor Profile: APT1 / Comment Crew
Designation: APT1 (Mandiant); Comment Crew (industry consensus); Byzantine Candor (US government); PLA Unit 61398
Attribution: People’s Liberation Army, Unit 61398 — 2nd Bureau, 3rd Department of the PLA’s General Staff Department; operating from a twelve-story building in the Pudong New Area of Shanghai
Origin: Shanghai, People’s Republic of China
Primary Mission: Large-scale, sustained theft of intellectual property, trade secrets, and national security intelligence from US and allied organizations
Known Tradecraft: Spear phishing, custom RAT implants, encrypted C2 channels via legitimate web services, long dwell times, systematic data exfiltration, use of compromised intermediary networks
Notorious Operations:
- GhostNet (2009): A network of over 1,295 compromised computers in 103 countries, targeting Tibetan government-in-exile offices, embassies, and foreign ministries. Discovered by Citizen Lab at the University of Toronto.
- Operation Shady RAT (2011): A sustained campaign spanning five years and targeting 72 organizations globally, including defense contractors, the United Nations, and national Olympic committees. Documented by McAfee’s Dmitri Alperovitch.
- RSA SecurID (2011): Theft of seed values enabling impersonation of SecurID tokens, subsequently used in attacks against US defense contractors. The most significant supply chain attack on authentication infrastructure ever publicly documented.
- Lockheed Martin (2011): A follow-on attack using stolen RSA seed data to impersonate SecurID tokens and attempt intrusion into America’s largest defense contractor. Lockheed detected and thwarted the attempt — but the door had been opened by RSA’s compromise.
- New York Times (2012): A months-long campaign compromising NYT journalist accounts during their investigation of Chinese Premier Wen Jiabao’s family finances.
The Anatomy of SecurID: Why It Mattered
To understand why stealing RSA’s data was catastrophic, you need to understand how SecurID tokens actually worked.
Each physical fob was initialized with a unique seed value — a long random number generated and stored by RSA at the time of manufacture. That seed, combined with the current timestamp, was fed into a cryptographic algorithm (originally based on DES, later AES) to produce the six-digit code displayed on the token’s screen. RSA’s server, authenticating a login attempt, ran the same calculation with the same seed and the same timestamp. If the numbers matched, the user was who they claimed to be.
The security of this system depended entirely on the secrecy of the seed values. RSA stored a mapping of every token’s serial number to its seed, used to provision the server-side authentication databases that companies ran to verify codes. Customers — banks, defense contractors, government agencies — had their server-side seed databases provisioned by RSA.
The brilliant, terrible implication: whoever possessed RSA’s seed database could generate valid SecurID codes for any token in the world, without possessing the physical token.
The authentication tokens that protected some of the world’s most sensitive networks — including classified US defense contractor systems — were only as secure as RSA’s internal servers.
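The seed-and-clock model described above, as an added illustration that is not RSA's code or algorithm: the code derivation is a simplified HMAC-SHA1 construction in the style of RFC 6238 TOTP (an assumption standing in for RSA's proprietary SecurID algorithm), the serial-to-seed table is constructed, and `reseed` models why the remediation was physical token replacement rather than a software fix.

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 60   # the displayed code changes once a minute, as on the fob
DIGITS = 6

# Constructed stand-in for RSA's serial-to-seed mapping (values are made up).
SEED_DB = {
    "000123456789": bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),
    "000987654321": bytes.fromhex("00112233445566778899aabbccddeeff"),
}

def otp(seed: bytes, timestamp: int) -> str:
    """Code = f(seed, time slot). Simplified HMAC-SHA1 construction in the
    style of RFC 6238 TOTP; an assumption, not RSA's proprietary algorithm."""
    slot = timestamp // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", slot), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"

def token_display(serial: str, timestamp: int) -> str:
    """What the fob shows: it knows only its own seed and the clock."""
    return otp(SEED_DB[serial], timestamp)

def server_verify(serial: str, candidate: str, timestamp: int, window: int = 1) -> bool:
    """The authentication server recomputes the code from the same seed,
    tolerating one step of clock drift on either side."""
    seed = SEED_DB[serial]
    for drift in range(-window, window + 1):
        expected = otp(seed, timestamp + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, candidate):
            return True
    return False

def reseed(serial: str) -> bytes:
    """Token replacement: a fresh seed makes every copy of the old one worthless,
    since the server will only ever recompute codes from the new value."""
    SEED_DB[serial] = secrets.token_bytes(16)
    return SEED_DB[serial]

if __name__ == "__main__":
    t = 1_300_320_000          # constructed login time (a multiple of 60)
    s = "000123456789"
    shown = token_display(s, t)
    print("fob shows", shown, "- server accepts:", server_verify(s, shown, t))
    old_seed = SEED_DB[s]      # any copy of the seed table reproduces the fob's code
    print("same code from the seed copy:", otp(old_seed, t) == shown)
    reseed(s)
    print("old seed accepted after replacement:", server_verify(s, otp(old_seed, t), t))
```

Note that the server never sees anything distinguishing a code computed from a copied seed from one read off the fob; the only remedy once the table is exposed is to reseed.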
The Intrusion: A Spreadsheet That Opened the Door
The attack began with a single phishing email. In late February or early March 2011, a small number of RSA employees received an email with the subject line: “2011 Recruitment Plan.”
The email was crafted to appear as a legitimate business communication. It contained an Excel spreadsheet as an attachment. The spreadsheet itself was genuine-looking — a human resources document of the kind circulated inside any large organization.
Embedded inside it was a zero-day exploit targeting Adobe Flash, specifically an unpatched vulnerability in Flash’s rendering engine (CVE-2011-0609). When an employee opened the spreadsheet, Excel attempted to render the embedded Flash object. The exploit fired. A remote access Trojan called Poison Ivy was silently installed on the employee’s workstation.
The employee’s account was low-privilege. But it was a foothold.
From that initial infection, the attackers moved with methodical precision:
Privilege Escalation: The Poison Ivy implant harvested credentials from the compromised machine’s memory. These credentials were used to authenticate to other systems. More accounts were compromised. Higher-privilege accounts came within reach.
Lateral Movement: The attackers progressively worked through RSA’s internal network, using compromised credentials to authenticate to system after system. Security tooling saw legitimate authentication events. Nothing looked anomalous.
Staging: The attackers identified the systems storing the SecurID seed data. They aggregated the data onto a staging server inside RSA’s network — compressing it for exfiltration.
Exfiltration: The compressed files were uploaded via FTP to an external server hosted on a cloud provider. The transfer was complete before RSA’s security team detected anything.
The entire operation, from initial phishing email to exfiltration completion, had taken an estimated two to three weeks.
What Was Stolen: The Seeds of Everything
RSA did not disclose precisely what data was taken, and has never fully done so publicly. The company’s official statement acknowledged only that information “specifically related to RSA’s SecurID two-factor authentication products” had been exfiltrated — information that “could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.”
That careful corporate language translated, in practice, to something far more alarming: the attackers almost certainly obtained the seed values for some portion of the 40 million RSA SecurID tokens then deployed worldwide.
The implication cascaded through the security world. Every organization that used SecurID — and that list included the US Department of Defense, major intelligence agencies, the world’s largest banks, and dozens of top-tier defense contractors — now faced a question they could not definitively answer: are the attackers generating valid authentication codes for our systems right now?
The Target Behind the Target: Lockheed Martin
The full intent of the RSA breach became clear three months later.
In May 2011, Lockheed Martin — America’s largest defense contractor, manufacturer of the F-35 Lightning II, and a significant user of RSA SecurID for network access — detected a network intrusion attempt. The attack had used cloned SecurID token codes — codes that should have been impossible to generate without physical possession of the tokens.
Someone was using the stolen RSA seed data.
The Lockheed security team, to their credit, caught it. They had been on high alert since the RSA disclosure and had implemented additional monitoring. The attackers did not succeed in exfiltrating data from Lockheed’s systems.
But L-3 Communications — another major defense contractor — reported a similar attack in the same period, and further reports suggested attempted intrusions at Northrop Grumman and other aerospace and defense firms. The RSA compromise had been, from the beginning, a supply chain attack aimed not at RSA itself but at everything RSA’s authentication infrastructure protected.
The attackers had stolen the master keys not because they wanted into RSA. They wanted into the buildings those keys locked.
The Reckoning: A $66 Million Disclosure
RSA’s parent company EMC disclosed in its August 2011 quarterly filing that the remediation costs had reached approximately $66 million — covering the cost of replacing tokens for customers most likely targeted by follow-on attacks, assisting affected organizations, and hardening its own systems.
The actual number was almost certainly higher. The indirect costs — in customer trust, in remediation by thousands of corporate and government customers who quietly replaced their token deployments, in security reviews across the defense industrial base — are incalculable.
RSA replaced the 40 million tokens in priority order, with the customers assessed to be at highest risk served first. The US government was at the front of that line.
For the authentication industry, the RSA breach forced a fundamental reassessment of centralized seed storage. The idea that a single company’s servers could be the custodian of the mathematical seeds protecting millions of the world’s most sensitive networks — and that compromise of that single company could therefore undermine authentication at global scale — was recognized as an architectural flaw that the breach had catastrophically exposed.
For supply chain security, the RSA attack became, alongside SolarWinds a decade later, the defining example of a trust-chain attack — breaking into a widely trusted vendor to reach its customers’ environments. The attacker doesn’t need to breach Lockheed directly. They breach RSA. RSA’s authentication sits in front of Lockheed. The math follows.
For China attribution, the RSA breach was among the first incidents where a major US security company’s breach was widely assessed by intelligence analysts and private-sector researchers to have been state-sponsored Chinese espionage. Mandiant’s landmark 2013 report on APT1 — detailing systematic intellectual property theft from over 140 organizations by a Shanghai-based PLA unit — validated the intelligence community’s attribution, even as the Chinese government denied involvement.
The building in Pudong remained operational. The fob in your pocket never quite felt the same.
Attack Chain: RSA SecurID — APT1 / Comment Crew
graph TD
A["🇨🇳 APT1 / Comment Crew\n(PLA Unit 61398 — Shanghai)"] --> B["Reconnaissance\nRSA Employee Identification\nLinkedIn / HR Research"]
B --> C["Phishing Email:\n'2011 Recruitment Plan'\nXLS Attachment with Embedded Flash"]
C --> D["Zero-Day: CVE-2011-0609\nAdobe Flash Exploit\nFires on XLS Open"]
D --> E["Poison Ivy RAT\nInstalled on Employee Workstation\nEncrypted C2 Channel Established"]
E --> F["Credential Harvesting\nLocal Account Cache\nBrowser Saved Passwords"]
F --> G["Lateral Movement\nAuthenticate to Adjacent Systems\nUsing Stolen Credentials"]
G --> H["Privilege Escalation\nHigher-Privilege Account Access\nDomain Admin Compromise"]
H --> I["Identify SecurID Infrastructure\nSeed Database Servers\nAuthentication Backend"]
I --> J["Data Aggregation\nSeed Values Collected\nCompressed to Archive"]
J --> K["Exfiltration\nFTP Upload to External\nCloud-Hosted Staging Server"]
K --> L["🔑 RSA SecurID Seeds\nExfiltrated\nEstimated: Millions of Token Seeds"]
L --> M["3-Month Gap\nSeed Data Analyzed\nTargets Selected"]
M --> N["Clone SecurID Codes\nGenerate Valid OTPs\nWithout Physical Tokens"]
N --> O["Follow-On Attack:\nLockheed Martin (May 2011)\nF-35 / Defense Programs"]
N --> P["Follow-On Attack:\nL-3 Communications\nAerospace / Defense"]
N --> Q["Additional Defense\nContractors Targeted\nNorthrop Grumman (reported)"]
O --> R["🛡️ Lockheed Detects + Blocks\nHigh-Alert Post-RSA Disclosure"]
P --> S["L-3 Intrusion\nScope Unknown"]
K --> T["RSA Discovers Breach\nMarch 17, 2011"]
T --> U["Customer Notification\nCryptic Public Disclosure\nNo Specifics on Stolen Data"]
U --> V["40 Million Tokens\nPriority Replacement Program\n$66M+ Remediation Costs"]
V --> W["Industry Reckoning:\nCentralized Seed Storage = Risk\nSupply Chain Trust Model Challenged"]