2-factor authentication hacked: Italian users attacked

A group of Chinese hackers, probably linked to the government, seems to have managed to bypass two-factor authentication. Italy is also affected

Italy is among the ten countries attacked by Chinese hackers from the Apt20 collective, believed to be connected to the Government of the People's Republic of China. Apt20 managed to bypass the two-factor authentication (2FA) mechanism of many user accounts in strategic sectors. Sectors such as finance, insurance, public health, energy production and military supplies.

The countries affected by the attack, discovered by Fox-It and named Operation Wocao, are: United States, Mexico, Brazil, United Kingdom, France, Germany, Portugal, Spain, Italy and China itself. The attack, unfortunately, was a success for the hackers: they managed to enter the meanders of the virtual private networks (VPNs) that protected the attacked companies and entities and gain full control of the data. This episode highlights the limitations of two-factor account protection systems, which, however, currently remain among the most reliable systems to block access to an account by a hacker.

Bypassed 2FA

The interesting thing about this attack is that two-factor authentication, considered by many to be sufficient to protect accounts because it alerts the user when there is an attempt of suspicious access to his account, was completely bypassed by hackers. It is still unclear how this was possible: Fox-It assumes that the Apt20 collective managed to get hold of the tokens of RSA SecurID, one of the most widely used 2FA management software in the world. The 2FA, therefore, would have been disabled at the source and, as a result, no alert messages were sent to users. Fox-It explains how this was possible: "In short, all the actor has to do to use the 2-factor authentication codes is to steal an RSA SecurID software token and patch an instruction, which results in the generation of valid tokens."

Is 2FA secure?

This story shows that, when it comes to cyber security, no system is impenetrable. Not even the one deemed most secure: it's always a fight between guards and thieves, and occasionally the thieves win. The 2FA is, therefore, to be considered safe but not infallible and, therefore, it still remains an advisable method of account protection. Both Microsoft and Google offer two-factor authentication systems that, as far as is known at the moment, have never been hacked.