In 2011, Chinese spies stole the crown jewels of cybersecurity—stripping protections from firms and government agencies worldwide. Here’s how it happened.
AMID ALL THE sleepless hours that Todd Leetham spent hunting ghosts inside his company’s network in early 2011, the experience that sticks with him most vividly all these years later is the moment he caught up with them. Or almost did.
It was a spring evening, he says, three days—maybe four, time had become a blur—after he had first begun tracking the hackers who were rummaging through the computer systems of RSA, the corporate security giant where he worked. Leetham—a bald, bearded, and curmudgeonly analyst one coworker described to me as a “carbon-based hacker-finding machine”—had been glued to his laptop along with the rest of the company’s incident response team, assembled around the company’s glass-encased operations center in a nonstop, 24-hours-a-day hunt. And with a growing sense of dread, Leetham had finally traced the intruders’ footprints to their final targets: the secret keys known as “seeds,” a collection of numbers that represented a foundational layer of the security promises RSA made to its customers, including tens of millions of users in government and military agencies, defense contractors, banks, and countless corporations around the world.
RSA kept those seeds on a single, well-protected server, which the company called the “seed warehouse.” They served as a crucial ingredient in one of RSA’s core products: SecurID tokens—little fobs you carried in a pocket and pulled out to prove your identity by entering the six-digit codes that were constantly updated on the fob’s screen. If someone could steal the seed values stored in that warehouse, they could potentially clone those SecurID tokens and silently break the two-factor authentication they offered, allowing hackers to instantly bypass that security system anywhere in the world, accessing anything from bank accounts to national security secrets.
Now, staring at the network logs on his screen, it looked to Leetham like these keys to RSA’s global kingdom had already been stolen.
Leetham saw with dismay that the hackers had spent nine hours methodically siphoning the seeds out of the warehouse server and sending them via file-transfer protocol to a hacked server hosted by Rackspace, a cloud-hosting provider. But then he spotted something that gave him a flash of hope: The logs included the stolen username and password for that hacked server. The thieves had left their hiding place wide open, in plain sight. Leetham connected to the faraway Rackspace machine and typed in the stolen credentials. And there it was: The server’s directory still contained the entire pilfered seed collection as a compressed .rar file.
Using hacked credentials to log into a server that belongs to another company and mess with the data stored there is, Leetham admits, an unorthodox move at best—and a violation of US hacking laws at worst. But looking at RSA’s stolen holiest of holies on that Rackspace server, he didn’t hesitate. “I was going to take the heat,” he says. “Either way, I’m saving our shit.” He typed in the command to delete the file and hit enter.
Moments later, his computer’s command line came back with a response: “File not found.” He examined the Rackspace server’s contents again. It was empty. Leetham’s heart fell through the floor: The hackers had pulled the seed database off the server seconds before he was able to delete it.
After hunting these data thieves day and night, he had “taken a swipe at their jacket as they were running out the door,” as he says today. They had slipped through his fingers, escaping into the ether with his company’s most precious information. And though Leetham didn’t yet know it, those secrets were now in the hands of the Chinese military.
THE RSA BREACH, when it became public days later, would redefine the cybersecurity landscape. The company’s nightmare was a wake-up call not only for the information security industry—the worst-ever hack of a cybersecurity firm to date—but also a warning to the rest of the world. Timo Hirvonen, a researcher at security firm F-Secure, which published an outside analysis of the breach, saw it as a disturbing demonstration of the growing threat posed by a new class of state-sponsored hackers. “If a security company like RSA cannot protect itself,” Hirvonen remembers thinking at the time, “how can the rest of the world?”
The question was quite literal. The theft of the company’s seed values meant that a critical safeguard had been removed from thousands of its customers’ networks. RSA’s SecurID tokens were designed so that institutions from banks to the Pentagon could demand a second form of authentication from their employees and customers beyond a username and password—something physical in their pocket that they could prove they possessed, thus proving their identity. Only after typing in the code that appeared on their SecurID token (a code that typically changed every 60 seconds) could they gain access to their account.
The SecurID seeds that RSA generated and carefully distributed to its customers allowed those customers’ network administrators to set up servers that could generate the same codes, then check the ones users entered into login prompts to see if they were correct. Now, after stealing those seeds, sophisticated cyberspies had the keys to generate those codes without the physical tokens, opening an avenue into any account for which someone’s username or password was guessable, had already been stolen, or had been reused from another compromised account. RSA had added an extra, unique padlock to millions of doors around the internet, and these hackers now potentially knew the combination to every one.
This past December, when it became public that the company SolarWinds was hacked by Russian spies, the world woke up to the notion of a “supply chain attack”: a technique in which an adversary compromises a point of vulnerability in a software or hardware supplier positioned upstream from—and out of sight of—its target, a blind spot in the victim’s view of their cybersecurity risks. The Kremlin operatives who hacked SolarWinds hid espionage code in an IT management tool called Orion, used by as many as 18,000 companies and institutions globally.
Using the SolarWinds supply chain compromise, Russia’s foreign intelligence agency, known as the SVR, penetrated deep into at least nine US federal agencies, including the State Department, the US Treasury, the Department of Justice, and NASA. In another world-shaking supply chain attack just a few years earlier, Russia’s military intelligence agency, known as the GRU, hijacked a piece of obscure Ukrainian accounting software to push out a data-destroying worm known as NotPetya, inflicting $10 billion in damage worldwide in the worst cyberattack in history.
For those with a longer memory, though, the RSA breach was the original massive supply chain attack. State cyberspies—who were later revealed to be working in the service of China’s People’s Liberation Army—penetrated infrastructure relied on across the globe to protect the internet. And in doing so, they pulled the rug out from under the entire world’s model of digital security. “It opened my eyes to supply chain attacks,” says Mikko Hypponen, chief research officer at F-Secure, who worked with Hirvonen on the company’s analysis of the RSA breach. “It changed my view of the world: the fact that, if you can’t break into your target, you find the technology that they use and break in there instead.”
In the decade that followed, many key RSA executives involved in the company’s breach have held their silence, bound by 10-year nondisclosure agreements. Now those agreements have expired, allowing them to tell me their stories in new detail. Their accounts capture the experience of being targeted by sophisticated state hackers who patiently and persistently take on their most high-value networked targets on a global scale, where an adversary sometimes understands the interdependencies of its victims’ systems better than victims do themselves, and is willing to exploit those hidden relationships.
After 10 years of rampant state-sponsored hacking and supply chain hijacks, the RSA breach can now be seen as the herald of our current era of digital insecurity—and a lesson about how a determined adversary can undermine the things we trust most.
ON MARCH 8, 2011, a brisk late-winter day, Todd Leetham finished a smoke break and was walking back into RSA’s headquarters in Bedford, Massachusetts—a pair of connected buildings on the edge of a forest in the Boston suburbs—when a systems administrator pulled him aside and asked him to take a look at something strange.
The admin had noticed that one user had accessed a server from a PC that the user didn’t typically work on, and that the permissions setting on the account seemed unusual. A technical director investigating the anomalous login with Leetham and the admin asked Bill Duane, a veteran RSA engineer, to take a look. To Duane, who was busy working on a cryptographic algorithm at the time, the anomaly hardly looked like cause for alarm. “I frankly thought this administrator was crazy,” he remembers. “Fortunately he was stubborn enough to insist that something was wrong.”
Leetham and the company’s security incident responders started to trace the aberrant behavior and analyze the forensics of every machine the anomalous account had touched. They began to see more telltale oddities in employees’ credentials, stretching back days. The admin had been right. “Sure enough,” Duane says, “this was the tip of the iceberg.”
Over the next several days, the security team at RSA’s security operations center—a NASA- style control room with rows of desks and monitors covering one wall—meticulously traced the interlopers’ fingerprints. The RSA staffers began putting in nearly 20-hour workdays, driven by the chilling knowledge that the breach they were tracking was still unfolding. Management demanded updates on their findings every four hours, day or night.