Summary
In 2011, attackers breached RSA Security, the company whose entire business was selling the SecurID tokens that millions of people used as their second factor of authentication. The irony was total: the maker of the security key got hacked, and the way in was an email. Two small batches of spear-phishing messages, subject-lined "2011 Recruitment Plan," went to low-profile employees with an Excel file attached. The email was caught by the spam filter; the breach happened only because an employee fished it back out of the junk folder and opened it, triggering a hidden Flash zero-day that installed a backdoor. From that one foothold the attackers worked their way to the crown jewels: the secret seed data behind SecurID. That stolen data was then turned against RSA's own customers, including the defense contractor Lockheed Martin. It is the canonical case of one opened attachment cascading into a supply-chain-grade compromise.
How it happened
The entry point was spear-phishing. Two small batches of emails subject-lined "2011 Recruitment Plan" were sent over two days to low-profile RSA employees, deliberately not executives, who would draw less scrutiny. The email was actually caught by RSA's spam filter; the breach happened only because an employee retrieved it from the junk folder and opened the Excel attachment, which triggered an Adobe Flash zero-day (CVE-2011-0609) embedded in the spreadsheet and installed a Poison Ivy backdoor on the machine.
From that single foothold, the attackers, a sophisticated and likely state-linked APT, escalated privileges, moved toward higher-value accounts, identified and stole privileged-user credentials, and ultimately exfiltrated data related to RSA's SecurID two-factor tokens, the seed data (secrets) that generates the rotating codes. A SecurID token's security rests entirely on the secrecy of that seed and the database mapping each token's serial number to its seed, so stealing that quietly undermined the tokens everywhere. The attackers staged the data in RAR-compressed, encrypted archives and FTP'd it out through a compromised hosting provider.
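To make the custody point concrete, here is an added example (not RSA's code): a seed store that only ever answers "is this code valid?" and writes an audit record, so the serial-to-seed mapping never leaves its boundary. RFC 6238 TOTP stands in for SecurID's proprietary algorithm, and the SeedVault class, serial number and seed bytes are constructed for illustration.

```python
# Added example, not RSA's code. RFC 6238 TOTP stands in for SecurID's proprietary
# algorithm; the custody point is the same: whoever holds the seed can compute every code.
import hashlib
import hmac
import struct


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for the 30-second step containing unix_time (HMAC-SHA1)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class SeedVault:
    """Models the boundary the page calls for: seeds go in at provisioning, only
    yes/no answers and audit records come out. There is deliberately no getter."""

    def __init__(self) -> None:
        self._seeds: dict[str, bytes] = {}            # serial -> seed, never exported
        self.audit: list[tuple[str, str, bool]] = []  # (caller, serial, accepted)

    def provision(self, serial: str, seed: bytes) -> None:
        self._seeds[serial] = seed

    def verify(self, caller: str, serial: str, code: str, unix_time: int) -> bool:
        seed = self._seeds.get(serial)
        # Accept the current step and one either side to absorb token clock drift.
        ok = seed is not None and any(
            hmac.compare_digest(code, totp(seed, unix_time + d)) for d in (-30, 0, 30)
        )
        self.audit.append((caller, serial, ok))  # every lookup is logged, hit or miss
        return ok


def demo(unix_time: int = 1_300_000_000) -> tuple[bool, bool, bool, int]:
    """Constructed serial/seed; returns (valid code, malformed code, unknown serial, audit rows)."""
    vault = SeedVault()
    seed = b"constructed-seed-for-token-0001"  # real seeds are generated inside the HSM
    vault.provision("000123456789", seed)
    good = vault.verify("vpn-gateway", "000123456789", totp(seed, unix_time), unix_time)
    short = vault.verify("vpn-gateway", "000123456789", "12345", unix_time)
    unknown = vault.verify("vpn-gateway", "999999999999", "123456", unix_time)
    return good, short, unknown, len(vault.audit)


if __name__ == "__main__":
    print(demo())  # (True, False, False, 3)
```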
The damage and the supply-chain angle
The stolen seed-related data weakened the security of SecurID tokens worldwide, and it did not stay theoretical. Weeks later, on 21 May 2011, it was used in an attempted intrusion at Lockheed Martin, a major US defense contractor. Lockheed detected the "significant and tenacious" attack, cut remote access, reset passwords, and reissued tokens, and credited its intrusion-kill-chain model with stopping it. In other words, the breach of RSA became an attack on RSA's customers, a supply-chain compromise through a security vendor. RSA ultimately offered to replace SecurID tokens for affected customers (about 40 million in circulation, across more than 30,000 customers), and EMC took a $66.3 million remediation charge against its second-quarter 2011 earnings, a staggering admission of how deep the compromise went.
Why RSA SecurID still matters
It teaches three lessons at once. First, spear-phishing plus a document zero-day can defeat even a security company, and this attack deliberately targeted low-profile employees, so security awareness cannot be just for executives. Second, a two-factor system is only as secure as the secrecy of its seeds, which means that seed material, like signing keys, must be guarded as the crown jewels it is, in an HSM, segmented, and tightly access-logged. Third, compromising a security vendor is a path to all of its customers, the same logic that would define SolarWinds a decade later. The practical defences: patch or disable risky client runtimes (Flash, legacy macros) and detonate attachments in a sandbox, deploy EDR to catch backdoor behaviour, and least-privilege the secret material so one phished workstation cannot reach it. It shares the spear-phishing-with-outsized-impact pattern of the DNC and Podesta hack.
How to fix it
- Assume the SecurID seed data is compromised and reissue or replace affected tokens (RSA did exactly this), and rotate the credentials the attacker reached.
- Rebuild the backdoored hosts from clean media, hunt for the RAT and lateral movement, and isolate the seed and secret material.
- Warn and support downstream customers whose tokens depend on the stolen seeds, since the breach is now their risk too.
How to avoid it
- Patch or disable risky client-side runtimes (Flash, legacy Office macros) and detonate attachments in a sandbox.
- Deploy EDR to catch RAT and backdoor behavior rather than relying on signature antivirus alone.
- Segment and least-privilege seed and secret material so one phished workstation cannot reach it.
- Hold high-value secrets (token seeds, signing keys) in an HSM with tight access logging.
- Train all staff, not just executives; this attack deliberately targeted low-profile employees.
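As an added example that is not part of the original page: two EDR-style checks in Python, run over constructed process-creation and network-flow log lines, for the two steps described above, an Office application spawning an unexpected child and a workstation pushing large archives out over cleartext FTP. Field names, hostnames, byte counts and the child process name are assumptions; the page does not record which process the exploit launched.

```python
# Added example, not from the page: two EDR-style checks over constructed logs. Field
# names, hosts, sizes and the child process name are assumptions.
import csv
import io

# Constructed process-creation events (CSV): an Office parent launching a child process.
PROCESS_EVENTS = """\
ts,host,user,parent,image
2011-03-01T09:12:03,ws-hr-07,jdoe,outlook.exe,excel.exe
2011-03-01T09:12:41,ws-hr-07,jdoe,excel.exe,rundll32.exe
2011-03-01T09:13:02,ws-hr-07,jdoe,rundll32.exe,svchost.exe
2011-03-01T10:00:10,ws-fin-02,asmith,excel.exe,splwow64.exe
"""

# Constructed outbound flows (CSV): port, bytes sent, filename as a DPI sensor might record it.
NET_FLOWS = """\
ts,host,dport,bytes_out,filename
2011-03-03T02:14:00,ws-hr-07,21,734003200,staging-part1.rar
2011-03-03T02:40:00,ws-hr-07,21,698351616,staging-part2.rar
2011-03-03T09:00:00,ws-fin-02,443,10240,
"""

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
BENIGN_OFFICE_CHILDREN = OFFICE_APPS | {"splwow64.exe"}  # print helper, other Office apps
ARCHIVE_SUFFIXES = (".rar", ".zip", ".7z")
CLEARTEXT_TRANSFER_PORTS = {20, 21}  # FTP data and control


def office_spawn_alerts(csv_text: str) -> list[str]:
    """An Office app launching anything outside its known child set: the document
    exploit-to-backdoor step. Returns one alert string per suspicious event."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["parent"] in OFFICE_APPS and row["image"] not in BENIGN_OFFICE_CHILDREN:
            alerts.append(f"{row['ts']} {row['host']}: {row['parent']} spawned {row['image']}")
    return alerts


def exfil_alerts(csv_text: str, min_bytes: int = 100_000_000) -> list[str]:
    """A workstation pushing a large archive out over cleartext FTP: the RAR-and-FTP
    staging step. The size threshold is an assumption to tune per environment."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        big = int(row["bytes_out"]) >= min_bytes
        archive = row["filename"].lower().endswith(ARCHIVE_SUFFIXES)
        if int(row["dport"]) in CLEARTEXT_TRANSFER_PORTS and big and archive:
            alerts.append(f"{row['ts']} {row['host']}: {row['bytes_out']} bytes to port {row['dport']} ({row['filename']})")
    return alerts
```

Running `office_spawn_alerts(PROCESS_EVENTS)` flags only the Excel-to-rundll32 event, and `exfil_alerts(NET_FLOWS)` flags the two RAR uploads while ignoring the small HTTPS flow.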
Related vulnerabilities
- PHISH-QUISHING (MEDIUM)
Quishing delivers the phishing link as a QR code instead of a clickable URL, usually embedded in an email body, a PDF, or an image so it survives URL-reputation and link-scanning filters that only parse text. Scanning the code moves the victim onto a personal phone, outside enterprise EDR, proxy, and email controls, where a fake login page harvests credentials and is frequently chained with adversary-in-the-middle to steal the session. Adoption is rising fast: Microsoft reported QR-code phishing up roughly 146% and said pre-delivery scanning blocked about 1.5 million quishing attempts per day in 2024, and kits increasingly fold QR codes into OAuth device-code phishing flows.
- PHISH-BEC (CRITICAL)
Business email compromise is a social-engineering fraud in which an attacker impersonates a trusted party (an executive, a supplier, an attorney, payroll) over email to trick staff into wiring money or changing payment details. No malware is required; it abuses trust and weak payment process. Attackers either spoof a lookalike domain or take over a real mailbox and watch threads to time the request to a live invoice. The FBI's Internet Crime Complaint Center ranks BEC the costliest cybercrime category by dollar losses, identifying roughly $51 billion in exposed losses globally between October 2013 and December 2022, rising to about $55 billion by 2023, reported across more than 177 countries. Common variants are CEO/wire fraud, vendor and invoice fraud, payroll diversion, and real-estate closing fraud.
- PHISH-SPEAR-PHISHING (HIGH)
Spear phishing is a phishing attack crafted for a specific person or organization using reconnaissance (role, current projects, colleagues, vendors) so the lure looks legitimate, unlike high-volume bulk phishing. The payload is usually a credential-harvesting login page or a weaponized attachment. It is the dominant initial-access vector behind major breaches (RSA in 2011, the 2016 Clinton-campaign compromise) and the entry point for most ransomware and BEC. Because it exploits human trust rather than a software flaw, technical controls alone do not stop it: defense pairs detonation and email authentication with phishing-resistant MFA and least privilege so a single phished account is contained.
- PHISH-GOOGLE-FACEBOOK-BEC-2019 (CRITICAL)
Between roughly 2013 and 2015, Lithuanian national Evaldas Rimasauskas ran a business email compromise scheme that defrauded Google and Facebook of about $120 million. He registered a company in Latvia under the same name as Quanta Computer, a Taiwan-based hardware maker both firms genuinely did business with, then emailed forged invoices, contracts, and letters on spoofed corporate letterhead to employees who routinely paid Quanta. The companies wired payments to attacker-controlled bank accounts (Facebook nearly $100 million and Google over $23 million) before the fraud was detected. Rimasauskas was arrested in March 2017, pleaded guilty to wire fraud in March 2019, and was sentenced to five years in prison and ordered to forfeit nearly $50 million. Both companies recovered most of the funds. It remains the textbook large-scale vendor-impersonation BEC.
- PHISH-DNC-PODESTA-2016 (HIGH)
In March 2016, the chairman of Hillary Clinton's presidential campaign got an email that looked like a routine Google security alert: someone has your password, change it now. He clicked, entered his password on the page it linked to, and that page belonged to Russian military intelligence. There was no malware and no software exploit, just one convincing fake login page and one click. The attackers, Fancy Bear, stole more than 50,000 of John Podesta's emails, a trove WikiLeaks then drip-fed in waves through the final weeks of the US election. It is the canonical example of how a single phishing email, aimed at the right person, can alter history.
- PHISH-AITM (HIGH)
Adversary-in-the-middle phishing defeats most multi-factor authentication by proxying the real login page. The victim is lured to a reverse-proxy site (Evilginx, EvilProxy, Tycoon 2FA) that relays every request to the genuine service, so the user completes username, password, and the MFA challenge against the real site while the proxy silently captures the resulting session cookie. With that cookie the attacker replays an already-authenticated session and skips MFA entirely, then often pivots to business email compromise. Microsoft tracked an AiTM campaign that attempted to target more than 10,000 organizations from September 2021. One-time-code and push MFA do not stop it; only phishing-resistant, origin-bound credentials do.