Chinese Hackers Manage to Bypass 2FA

Apt20 Hacking Featured

Two-Factor Authentication (2FA) has always been a near-surefire way to protect your accounts from hacking. After all, as long as you have the token generator on your person and don’t let anybody else touch it, how can a hacker gain access to your accounts?

Recently, however, it was revealed that a group of Chinese hackers could avoid 2FA countermeasures. This was a worrying development in the cybersecurity world, as 2FA is regarded as one of the easiest yet strongest ways to secure an account.

Who Performed the Attack?

The group behind this attack is no stranger to cybersecurity. They’re called APT20, and they’re a Chinese hacking group. They’ve made claims to have attachments to the Chinese government and have been spotted in the wild for the past ten years. As such, they’re definitely not new kids on the block – these are some of the most notorious hackers in the world.

How Did the 2FA Attacks Happen?

Apt20 Hacking 2fa

When you watch a 2FA code generator, it looks like it’s giving you random numbers generated out of nowhere. If this was true, however, it would be very hard for the system on the other end to verify that your code is legitimate!

To keep your 2FA device and the verification server in sync, they both share a seed between them. This seed tells both sides which codes will be generated in the future. With this seed, both the user’s device and the verification server are in sync with one another.

Therein lies the entryway for hackers. If they can get their hands on a working seed for the 2FA system, they can use it to generate codes for themselves. It’s as if they had their own 2FA device set up for that specific user.

A Dutch security team, Fox-IT, currently believes that this is what happened. They’re still unsure of the exact methods APT20 used to defeat the 2FA system, but they believe the hackers gained access to a compromised seed and used it to breach 2FA systems that used it.

Are Your Accounts Under Fire?

Apt20 Hacking Facebook

At the time of writing, APT20 wasn’t targeting civilian accounts. They were more interested in breaking into important governmental accounts, presumably due to their ties with the Chinese government. As such, you probably shouldn’t worry too much about your personal accounts being hacked by this group.

However, it is a good example of how 2FA isn’t always perfect. There are ways to circumvent the system, so it’s good to use additional lines of defense rather than purely relying on 2FA’s strength.

For example, just because your accounts have 2FA enabled, doesn’t mean you can skimp on the password strength! Make sure you have a solid password that’s hard to crack, as it’s an effective way of preventing hackers from even getting to the 2FA step.

Relying Less on 2FA

2FA is a useful tool for securing your account, but it isn’t 100 percent foolproof. The recent hacking attack by APT20 is proof that the system can be beaten. However, by refusing to depend entirely on 2FA, you can keep yourself safe even if someone can crack your 2FA.

Does this attack make you less confident in using 2FA? Let us know below.

Image credit: Wikimedia

Simon Batt Simon Batt

Simon Batt is a Computer Science graduate with a passion for cybersecurity.


  1. The question now is how long have various countries’ cybersecurity forces have had this hack.

    No security paradigm is secure for very long. As soon as a scheme is introduced, it starts being attacked by the black hats and the white hats. The black hats want to find the vulnerabilities to break it and the white hats want to find the vulnerabilities to patch them and make the scheme stronger.

    Let’s not forget that WEP, at one time, was considered “the latest protection”. Now, the efficacy of WPA2 is being questioned and WPA3 is about to go public.

    “it is a good example of how 2FA isn’t always perfect”
    It never was perfect. Since the seed was/is not totally random, it is predictable or discoverable therefore, hackable.

    “2FA is a useful tool for securing your account, but it isn’t 100 percent foolproof. ”
    There is no 100% security. A “security” tool only delays a bad actor, it does not stop him.

  2. This “seed” is it the same for all 2FA code generators or does every computer, phone and so on have individual “seed”? Is it somehow stored on the computer or is it a algorithm?

  3. Just a few words …
    May this article is a bit confusing at first….!! Let’s say that every machine or particularly a server that is connected to the Internet and provide those kind of services is a potential target on the hacking world.
    As for hacking 2FA is not possible when it concerns tokens.! As a 2FA protocols are a lot so we do not know what the hacker group actually succeeded at. What I am saying is that a lot of people when they hear about 2FA actually mean the generating codes – numbers of this little hand devices called token generators or code generators name it as you wish , but also a 2fa is a combination of a Bank account and a Bank Account Card with a pin number.!!! Also 2FA is the OTP -> one time password. Also a youbikey is a 2FA if using it with a login account. Well these things can be hacked easily if you GAIN ACCESS to the server who is responsible for generating these codes. !!! Of course the system itself , I mean the 2fA in all it’s aspect , is bulletproof enough and the most secure system world wild. The problem lies on how secure is the server !!!!!
    The 2FA token generator system is unhackable from different points of view because the hacker has to brake in to the server of course AT FIRST using other services and not the system 2FA directly because he has to know the code sequence of the next generated number…of course even if he brakes in to the system (server) he must steal all the generated codes so far if they are any or he must try to understand the algorithm that the program is using ….so you have to be so dam good on cracking programs like these and of course good luck because these kind of generating algorithms are changing over time and they are not the same.So you need a cracker and not a hacker to work on the program itself doing reverse engineering- decompiling. Well this acquires a LOT OF TIME , the best hardware in the world and before you even try that , the company or the Bank will use different algorithms in no time if they understand the hacking on the server..!! So it is nearly impossible for someone to copy or to be close enough to make the exact code generator algorithm as the one the server is using. Not even close…!!! So if the dirty work is quick enough and left no trace at all , THEN IT MUST BE AN INSIDE JOB.! In simple words , from someone who actually knows the code …and that one is the programmer himself or the company or someone inside of the company. I mean the company which is trusted enough to make the generating tokens.
    In other words even if you are presented with the algorithms which they are making these code numbers YOU have to be a very expert mathematician to understand the cycles and the maths that are behind it. Similar systems from different companies cannot give you any clue so ever of finding the codes yourself. You have to know all the previous codes given so far and you may guess a number or so…not all the numbers. It is very complicated and always evolving using algorithms not widely known or use a combination of those. I have to remind you that respected companies or banks are using different code generators very year , so this is very very very difficult for someone to gain access though the 2FA system.
    In the end we need more info , I mean from this article I did not understand witch type of 2FA this group of hackers managed to brake..!!!!!!!!!!!!!!!!!!!!! ????????????

    1. “The 2FA token generator system is unhackable”
      NOTHING is unhackable. Some things just haven’t been hacked, YET.

      ” I have to remind you that respected companies or banks are using different code generators very year ,”
      And I have to remind you that respectable companies and banks are being breached almost on daily basis. Apparently using different code generators every year is not so effective.

Comments are closed.