> series: anatomy_of_a_breach —— part: 029 —— target: lockheed_martin —— method: cloned_rsa_tokens —— origin: rsa_breach_cascade
On 21 May 2011, Lockheed Martin detected and thwarted an intrusion into its information systems network. The company later confirmed that the attackers had leveraged data stolen during the RSA SecurID breach two months earlier — using the compromised token seeds to generate valid one-time codes and authenticate to Lockheed's VPN as if they were legitimate employees. The attack confirmed the security industry's worst fears: the RSA breach was not an isolated incident but the opening move in a supply chain attack targeting the organisations that depended on SecurID.
Lockheed Martin stated that it detected the attack 'almost immediately' and that no customer, programme, or employee data was compromised. Other defence contractors, including Northrop Grumman and L-3 Communications, were also reported to have been targeted using the same stolen RSA data. The cascade demonstrated a chilling principle: compromise the authentication vendor, and you compromise every organisation that trusts it. As Wired reported, RSA ultimately replaced 40 million tokens at enormous cost. Our defence supply chain analysis examines why this pattern persists.
| Stage | Target | Objective |
|---|---|---|
| Stage 1 | RSA Security (March 2011) | Steal SecurID token seeds — the secret values that generate one-time codes. Compromise the authentication infrastructure used by thousands of organisations. |
| Stage 2 | Lockheed Martin (May 2011) | Use stolen seeds to clone RSA tokens, authenticate to Lockheed's VPN, and access the defence contractor's internal network. The ultimate target was defence programme data. |
| Parallel | Northrop Grumman, L-3 Communications | Reported to have been targeted using the same method — suggesting a coordinated campaign against the US defence industrial base. |
The RSA-to-Lockheed cascade demonstrates that sophisticated adversaries — in this case, widely attributed to Chinese state-sponsored actors — plan attacks in stages, targeting the supply chain before the ultimate objective. The initial RSA breach made no sense in isolation — why steal authentication token seeds? The Lockheed breach provided the answer: the seeds were the keys to the kingdom.
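Why a copied seed is enough to pass authentication, and what the server can still notice, shown as an added example that is not part of the original article. It uses standard TOTP (RFC 6238) as a public stand-in for SecurID's proprietary algorithm; the seed, user name, IP addresses, timestamp and the two detection rules are constructed assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per code (assumed for this sketch)


def otp(seed, now, step=STEP, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): a pure function of seed and time."""
    mac = hmac.new(seed, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)


class Verifier:
    """Validates codes, then applies two context checks (assumed rules)."""

    def __init__(self, seeds, window=5):
        self.seeds = seeds      # user -> seed
        self.window = window    # steps within which a source change is flagged
        self.last = {}          # user -> (step, source IP) of last accepted login

    def login(self, user, code, src_ip, now):
        seed = self.seeds.get(user)
        if seed is None or not hmac.compare_digest(code, otp(seed, now)):
            return False, ["bad_code"]
        step, prev = now // STEP, self.last.get(user)
        if prev and prev[0] == step:
            # A code is single-use: a second valid code in one step is a
            # replay or a second holder of the seed.
            return False, ["otp_replay"]
        alerts = []
        if prev and prev[1] != src_ip and step - prev[0] <= self.window:
            alerts.append("source_change")
        self.last[user] = (step, src_ip)
        return True, alerts


def demo():
    seed = b"constructed-seed-not-real"  # constructed sample value
    copy = bytes(seed)                   # a second copy of the same seed
    t0 = 1305936000                      # constructed timestamp, on a step boundary
    v = Verifier({"alice": seed})
    return [
        v.login("alice", otp(seed, t0), "10.0.0.5", t0),
        v.login("alice", otp(copy, t0 + 10), "203.0.113.7", t0 + 10),
        v.login("alice", otp(copy, t0 + 120), "203.0.113.7", t0 + 120),
    ]
```

The third login passes the cryptographic check because the copy yields the same code as the original seed; only the change of source address shortly after the last accepted login raises an alert.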
For organisations in the UK defence supply chain, this lesson is directly applicable. Cyber Essentials Plus — mandatory for MoD contracts — addresses authentication controls and supply chain baseline. Our infrastructure penetration testing validates that your authentication mechanisms, VPN access controls, and monitoring would detect token-cloning attacks. SOC in a Box for Defence and Engineering monitors for the anomalous authentication patterns that cloned tokens produce. And UK Cyber Defence's threat intelligence provides early warning of campaigns targeting the defence supply chain.
Our [penetration testing](/penetration-testing/infrastructure) validates your authentication mechanisms against supply chain attack scenarios. [Cyber Essentials Plus](/cyber-essentials) certifies your baseline. [SOC in a Box](https://www.socinabox.co.uk) detects anomalous authentication. Because the lesson of Lockheed is that your MFA is only as strong as the vendor who provides it.