The Chinese RSA Hack from 2011

In 2011, a hack of the security vendor RSA shook up the security scene: Chinese hackers had managed to penetrate RSA's servers and steal the seed keys used to generate SecurID one-time codes for two-factor authentication (2FA). After 10 years, the non-disclosure agreement (NDA) to which those involved were subject has now expired, and Andy Greenberg has used the information he received to publish an article.


The RSA hack in 2011

In 2011, it became known that unknown persons had penetrated servers of the manufacturer RSA and stolen data. RSA sells authentication solutions based on its SecurID technology. Wikipedia writes about this:

RSA SecurID, formerly referred to as SecurID, is a mechanism developed by RSA (a subsidiary of Dell Technologies) for performing two-factor authentication for a user to a network resource. The RSA SecurID authentication mechanism consists of a "token" — either hardware (e.g. a key fob) or software (a soft token) — which is assigned to a computer user and which creates an authentication code at fixed intervals (usually 60 seconds) using a built-in clock and the card's factory-encoded almost random key (known as the "seed"). The seed is different for each token, and is loaded into the corresponding RSA SecurID server (RSA Authentication Manager, formerly ACE/Server) as the tokens are purchased. On-demand tokens are also available, which provide a tokencode via email or SMS delivery, eliminating the need to provision a token to the user.

RSA SecurID solution. Source: Alexander Kirk, Wikimedia, Creative Commons 3.0

There are various RSA SecurID form factors, such as the USB token shown above. Access solutions like VPN servers, firewalls or OpenSSH offer the option of using SecurID for authentication. And the phrase "data was siphoned from servers" later turned out to mean: the hackers exfiltrated the seeds, and probably the serial numbers, of the SecurID tokens issued by RSA.

With this information, the one-time passwords (OTP) of every token whose seed was stolen can be computed, as soon as the attacker also knows which serial number belongs to which user and the user's PIN. In other words, the entire RSA SecurID infrastructure was compromised. In May 2011, servers of the defense contractor Lockheed Martin were attacked. According to Wikipedia, various sources assume a connection with the presumed theft of the seeds at RSA. As a consequence of the attack, about 40 million SecurID tokens had to be replaced worldwide.
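The calculation the previous paragraph refers to, as an added example that is not code from the original post or from RSA: the real SecurID algorithm is proprietary (AES-based), so standard RFC 6238 TOTP stands in for it here, because the security property is identical: the tokencode is a deterministic function of the seed and the current time, so whoever holds the seed database can compute the code any token is showing right now. The token serial numbers, seeds and PINs below are constructed; the passcode layout "PIN followed by tokencode" follows how SecurID passcodes are entered.

```python
"""Why a stolen seed database breaks a time-based token.

Added example, not code from the original post or from RSA.  The real
SecurID algorithm is proprietary (AES-based); RFC 6238 TOTP is used as a
stand-in because the property shown is the same: tokencode = f(seed, time).
All serials, seeds and PINs are constructed for this demo.
"""
import hashlib
import hmac
import struct

STEP = 60    # seconds per tokencode, matching the 60 s interval described above
DIGITS = 6


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: dynamically truncate HMAC-SHA1(seed, counter) to decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the current time window as the counter."""
    return hotp(seed, unix_time // step, digits)


# --- authentication server side (constructed data) --------------------------
# The server stores, per token serial, the seed loaded when the token was
# purchased, plus the user's PIN.  A passcode is PIN + tokencode.
SEED_DB = {
    "000123456789": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "000123456790": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}
PIN_DB = {"000123456789": "4821", "000123456790": "1379"}


def verify_passcode(serial: str, passcode: str, now: int, window: int = 1) -> bool:
    """Accept PIN + tokencode for the current window or +/- `window` steps (clock drift)."""
    pin = PIN_DB[serial]
    if len(passcode) != len(pin) + DIGITS:
        return False
    if not hmac.compare_digest(passcode[:len(pin)], pin):
        return False
    code = passcode[len(pin):]
    seed = SEED_DB[serial]
    return any(
        hmac.compare_digest(code, totp(seed, now + drift * STEP))
        for drift in range(-window, window + 1)
    )


# --- attacker side -----------------------------------------------------------
def forge_passcode(stolen_seeds: dict, serial: str, pin: str, now: int) -> str:
    """Holding the seed database and the victim's PIN (phished, keylogged, or
    guessed), the attacker computes exactly the code the token shows now."""
    return pin + totp(stolen_seeds[serial], now)


if __name__ == "__main__":
    now = 1_300_000_000          # an arbitrary instant in March 2011
    stolen = dict(SEED_DB)       # what left RSA's servers in the scenario above
    forged = forge_passcode(stolen, "000123456789", "4821", now)
    print("forged passcode:", forged,
          "accepted:", verify_passcode("000123456789", forged, now))
    print("wrong PIN accepted:",
          verify_passcode("000123456789", "0000" + forged[4:], now))
```

The PIN is the only thing left standing once the seeds are gone, which is why the Lockheed Martin intrusion mentioned above was preceded by phishing: the seed gives the "something you have" factor for free, and the "something you know" factor then has to be collected per user.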

10 years later

We are now 10 years on, in the year 2021. We have just lived through the nightmare of the supply-chain attack on the SolarWinds Orion software and the Hafnium attacks on Microsoft Exchange vulnerabilities, along with other major hacks and supply-chain attacks. In 2011 the world was already looking into the security abyss, but 10 years later I realize that "nothing has been learned from it".


The employees involved in the RSA incident in 2011 were bound by the company to a non-disclosure agreement (NDA) that was valid for 10 years. That period has now expired, allowing them to speak publicly about the case. Wired reporter Andy Greenberg has now obtained more information from the people who were involved in handling the RSA hack. It appears to have been Chinese hackers who pulled the seeds from RSA's servers, and the whole thing ended up with the Chinese military's espionage units, which then went hunting with it. I became aware of the story the other day via the following tweet from Andy Greenberg.


Greenberg has compiled more details in this Wired article. If you open the article in your browser's incognito mode, you should be able to read it without being asked to register.
