Espionage · Resolved

RSA SecurID seed compromise

A spear-phishing email carrying a Flash zero-day gave attackers a foothold inside RSA, from which they exfiltrated data tied to the SecurID two-factor authentication system — data later used in an intrusion attempt against Lockheed Martin.

Victim: RSA Security (EMC)
Loss: $66.0M
Affected: ~40.0M SecurID token users

In March 2011, the security vendor RSA — the division of EMC whose SecurID tokens secured logins at banks, governments, and defense contractors worldwide — disclosed that it had been breached. The attackers had stolen information tied to the SecurID two-factor authentication system itself, undermining a product trusted by some 40 million token users to protect their most sensitive networks. Two months later, that stolen data surfaced in an intrusion attempt against Lockheed Martin.

What happened

The intrusion began with one of the most studied spear-phishing emails in security history. Attackers sent a small number of RSA employees a message with the subject line "2011 Recruitment Plan" and an attached Excel spreadsheet. The file carried an embedded Flash object exploiting CVE-2011-0609, a zero-day vulnerability in Adobe Flash Player.

When an employee — whose message had been pulled out of a junk folder — opened the attachment, the exploit installed a remote-access tool (a variant of Poison Ivy), giving the attackers a foothold inside RSA's network. They then moved laterally, harvested credentials, and escalated privileges, ultimately reaching systems holding data related to SecurID and exfiltrating it to external staging servers.

The SecurID problem

SecurID tokens generate a rotating numeric code derived from a secret "seed" value unique to each token, combined with the current time. The server verifying a login holds a copy of the same seed and performs the same computation, so possession of the token is proven only by the secrecy of that seed. If an attacker knows a token's seed (and which token serial belongs to which user), the code it displays is no longer a secret but a value anyone can compute, collapsing the second authentication factor. RSA never published exactly what was taken, but the breach was severe enough that RSA warned customers their SecurID protection was diminished and ultimately offered to replace tokens across its customer base, which is the only clean remedy once seeds are suspected stolen: a new token means a new seed the attacker does not have.
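The trust model described above, as an added example that is not RSA's code or the real SecurID algorithm. It uses the openly specified RFC 6238 TOTP construction (HMAC-SHA1 over a time counter) as a stand-in for a seed-plus-clock token, with a 60-second step like a hardware token, and then simulates the breach: an attacker who has stolen a seed record computes the same code the legitimate token shows and is accepted by the server; re-seeding the token (the equivalent of RSA's token replacement) makes the stolen seed worthless. The serial number, seeds and timestamp are constructed for the example.

```python
import hashlib
import hmac
import struct


def totp(seed: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1, dynamic truncation).

    Stand-in for a hardware-token algorithm: the displayed code is a pure
    function of (secret seed, current time). Anyone holding the seed can run
    this function, which is exactly why a stolen seed database is fatal.
    """
    counter = unix_time // step                      # number of elapsed time steps
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenServer:
    """Authentication server holding the per-token seed database.

    Accepts the current time window plus one window on either side to
    tolerate clock drift between the token and the server.
    """

    def __init__(self, seeds: dict, step: int = 60):
        self.seeds = dict(seeds)   # token serial -> seed bytes
        self.step = step

    def verify(self, serial: str, code: str, now: int) -> bool:
        seed = self.seeds.get(serial)
        if seed is None:
            return False
        for skew in (-1, 0, 1):
            expected = totp(seed, now + skew * self.step, self.step)
            if hmac.compare_digest(expected, code):   # constant-time compare
                return True
        return False

    def reseed(self, serial: str, new_seed: bytes) -> None:
        """Token replacement: the old seed is retired, so anything derived
        from a stolen copy of it stops validating."""
        self.seeds[serial] = new_seed


def simulate_seed_compromise(now: int = 1_300_000_000) -> dict:
    """Walk through the breach scenario and return what the server decided.

    `now` is a constructed timestamp (roughly mid-March 2011); the serial and
    seeds below are made up for the example.
    """
    serial = "000123456789"
    factory_seed = bytes.fromhex("1f8b3c9d0e5a7b2c4d6e8f90a1b2c3d4")
    replacement_seed = bytes.fromhex("9a0b1c2d3e4f5061728394a5b6c7d8e9")
    wrong_seed = bytes.fromhex("00000000000000000000000000000000")

    server = TokenServer({serial: factory_seed})

    # The attacker exfiltrated the seed record; no access to the physical token needed.
    stolen_seed = factory_seed
    attacker_code = totp(stolen_seed, now)
    legit_code = totp(factory_seed, now)

    result = {
        "attacker_matches_token": attacker_code == legit_code,
        "stolen_seed_accepted": server.verify(serial, attacker_code, now),
        "wrong_seed_accepted": server.verify(serial, totp(wrong_seed, now), now),
    }

    # Remediation: replace the token (new seed). The stolen seed is now dead.
    server.reseed(serial, replacement_seed)
    result["stolen_seed_accepted_after_reseed"] = server.verify(
        serial, totp(stolen_seed, now), now)
    return result


if __name__ == "__main__":
    for k, v in simulate_seed_compromise().items():
        print(f"{k}: {v}")
```

The `totp` function is checked against the published RFC 6238 test vector (seed `12345678901234567890`, time 59, 30-second step, 8 digits gives `94287082`), so the construction is real even though the seeds and serial here are invented. Note what the server never learns: whether the code came from the token or from someone holding a copy of its seed. That is the property a stolen seed database destroys, and no amount of monitoring on the server side can restore it; only re-seeding can.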

Impact

  • Data tied to the SecurID system — affecting an installed base of roughly 40 million tokens — was exfiltrated.
  • In May 2011, Lockheed Martin detected and blocked an intrusion attempt that RSA confirmed was linked to the stolen SecurID information.
  • Parent company EMC reported spending about $66 million in the quarter following the breach, largely on token replacement and monitoring.
  • RSA characterized the intrusion as an Advanced Persistent Threat (APT) consistent with a nation-state actor.

Why it matters

The RSA breach is a foundational case study in two ideas now treated as doctrine. First, it showed that the security vendor is itself a high-value target — compromising the maker of an authentication product can undermine every downstream customer at once, a textbook supply-chain attack. Second, it demonstrated that two-factor authentication is only as trustworthy as the secrets behind it: a single phishing email, one zero-day, and patient lateral movement were enough to erode confidence in a product that millions relied on as a last line of defense. The episode accelerated industry moves toward phishing-resistant, public-key-based authentication.

Financial impact

Reported costs in USD

Total reported loss: $66,000,000 ($66.0M), all categorised as business loss.

Timeline

  1. March 2011: Attackers send spear-phishing emails titled '2011 Recruitment Plan' with a malicious Excel attachment to small groups of RSA employees.

  2. March 2011: An employee opens the attachment, triggering a Flash Player zero-day (CVE-2011-0609) that installs a remote-access tool and gives the attackers an internal foothold.

  3. March 2011: The attackers move laterally, escalate privileges, and exfiltrate data related to RSA's SecurID two-factor authentication product.

  4. 17 March 2011: RSA executive chairman Art Coviello publicly discloses the breach in an open letter to customers, warning of reduced SecurID effectiveness.

  5. May 2011: Lockheed Martin detects and blocks an intrusion attempt later linked to information stolen in the RSA breach.

  6. June 2011: RSA offers to replace SecurID tokens for customers and confirms the SecurID link to the Lockheed Martin attack.

  7. July 2011: Parent company EMC reports spending roughly $66 million on breach remediation in the quarter, largely on token replacement.

Sources

  1. darkreading.com: https://www.darkreading.com/cyberattacks-data-breaches/rsa-securid-breach-cost-66-million
  2. bankinfosecurity.com: https://www.bankinfosecurity.com/rsa-breach-costs-parent-emc-663-million-a-3913
  3. sec.gov: https://www.sec.gov/Archives/edgar/data/0000936468/000114420411059333/v237835_ex-99.htm
  4. theregister.com: https://www.theregister.com/2011/07/27/rsa_security_breach/

Related incidents

Espionage · Contained

Microsoft Storm-0558 signing-key theft and US government email access (2023)

China-based Storm-0558 forged authentication tokens using a stolen Microsoft consumer signing key and read email at approximately 25 organisations — including the US State Department, the Department of Commerce, and the U.S. Ambassador to China. The 'cascade of errors' that enabled it became a defining case for cloud-provider key custody.

Victim: Microsoft customers (US State Department, Department of Commerce, ~25 organisations)

Espionage · Contained

Salt Typhoon US telecom espionage campaign (2024)

China-linked Salt Typhoon infiltrated at least nine U.S. telecom providers — Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated, Windstream — including the CALEA lawful-intercept systems used for court-authorised wiretaps. Metadata for over a million users was exposed; the U.S. Treasury sanctioned a linked PRC contractor.

Victim: U.S. telecommunications providers (Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, Windstream)