“The Full Story of the Stunning RSA Hack Can Finally Be Told”
WIRED, May 20, 2021
By Andy Greenberg
“In 2011, Chinese spies stole the crown jewels of cybersecurity—stripping protections from firms and government agencies worldwide. Here’s how it happened.”
Amid all the sleepless hours that Todd Leetham spent hunting ghosts inside his company’s network in early 2011, the experience that sticks with him most vividly all these years later is the moment he caught up with them. Or almost did.
It was a spring evening, he says, three days—maybe four, time had become a blur—after he had first begun tracking the hackers who were rummaging through the computer systems of RSA, the corporate security giant where he worked. Leetham—a bald, bearded, and curmudgeonly analyst one coworker described to me as a “carbon-based hacker-finding machine”—had been glued to his laptop along with the rest of the company’s incident response team, assembled around the company’s glass-encased operations center in a nonstop, 24-hours-a-day hunt. And with a growing sense of dread, Leetham had finally traced the intruders’ footprints to their final targets: the secret keys known as “seeds,” a collection of numbers that represented a foundational layer of the security promises RSA made to its customers, including tens of millions of users in government and military agencies, defense contractors, banks, and countless corporations around the world.
RSA kept those seeds on a single, well-protected server, which the company called the “seed warehouse.” They served as a crucial ingredient in one of RSA’s core products: SecurID tokens—little fobs you carried in a pocket and pulled out to prove your identity by entering the six-digit codes that were constantly updated on the fob’s screen. If someone could steal the seed values stored in that warehouse, they could potentially clone those SecurID tokens and silently break the two-factor authentication they offered, allowing hackers to instantly bypass that security system anywhere in the world, accessing anything from bank accounts to national security secrets.
Now, staring at the network logs on his screen, it looked to Leetham like these keys to RSA’s global kingdom had already been stolen.
Leetham saw with dismay that the hackers had spent nine hours methodically siphoning the seeds out of the warehouse server and sending them via file-transfer protocol to a hacked server hosted by Rackspace, a cloud-hosting provider. But then he spotted something that gave him a flash of hope: The logs included the stolen username and password for that hacked server. The thieves had left their hiding place wide open, in plain sight. Leetham connected to the faraway Rackspace machine and typed in the stolen credentials. And there it was: The server’s directory still contained the entire pilfered seed collection as a compressed .rar file.
Using hacked credentials to log into a server that belongs to another company and mess with the data stored there is, Leetham admits, an unorthodox move at best—and a violation of US hacking laws at worst. But looking at RSA’s stolen holiest of holies on that Rackspace server, he didn’t hesitate. “I was going to take the heat,” he says. “Either way, I’m saving our shit.” He typed in the command to delete the file and hit enter.
Moments later, his computer’s command line came back with a response: “File not found.” He examined the Rackspace server’s contents again. It was empty. Leetham’s heart fell through the floor: The hackers had pulled the seed database off the server seconds before he was able to delete it.
After hunting these data thieves day and night, he had “taken a swipe at their jacket as they were running out the door,” as he says today. They had slipped through his fingers, escaping into the ether with his company’s most precious information. And though Leetham didn’t yet know it, those secrets were now in the hands of the Chinese military.
The RSA breach, when it became public days later, would redefine the cybersecurity landscape. The company’s nightmare was a wake-up call not only for the information security industry—the worst-ever hack of a cybersecurity firm to date—but also a warning to the rest of the world. Timo Hirvonen, a researcher at security firm F-Secure, which published an outside analysis of the breach, saw it as a disturbing demonstration of the growing threat posed by a new class of state-sponsored hackers. “If a security company like RSA cannot protect itself,” Hirvonen remembers thinking at the time, “how can the rest of the world?”
The question was quite literal. The theft of the company’s seed values meant that a critical safeguard had been removed from thousands of its customers’ networks. RSA’s SecurID tokens were designed so that institutions from banks to the Pentagon could demand a second form of authentication from their employees and customers beyond a username and password—something physical in their pocket that they could prove they possessed, thus proving their identity. Only after typing in the code that appeared on their SecurID token (a code that typically changed every 60 seconds) could they gain access to their account.
About the Author:
Andy Greenberg is a senior writer for WIRED, covering security, privacy, and information freedom. He’s the author of the forthcoming book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. His last book was Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers. The book and excerpts from it published in WIRED won a Gerald Loeb Award for International Reporting, a Sigma Delta Chi Award from the Society of Professional Journalists, two Deadline Club Awards from the New York Society of Professional Journalists, and the Cornelius Ryan Citation for Excellence from the Overseas Press Club. Greenberg works in WIRED’s New York office.