What the NSA hack tells us about cybercrime
An extensive suite of offensive surveillance tools has been dumped online, allegedly hacked from the NSA. What does this tell us about the state of cybersecurity?
Just a few weeks ago a group calling itself the ‘Shadow Brokers’ released the source code for a range of powerful digital surveillance tools into the web. The group further announced an auction for more powerful tools from the same set, and promised more free uploads if the auction reaches one million bitcoin.
So far, so everyday, but the source of the code appears to be the NSA. Whether it was leaked in error or obtained by more aggressive means is impossible to say, but the internet is lining up to corroborate the tools’ genuine nature. The Shadow Brokers themselves claim to have gained the tools by attacking an NSA-affiliated group, the Equation Group, which looks to have been part of the NSA’s offensive hacking setup at some point. “Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group”, said the hackers in a post. Some speculate that the hackers are Russian-sponsored, the intention being to warn or embarrass the NSA, while others have speculated that the toolkit was accidentally left on a staging server after an offensive operation.
The Intercept has confirmed that at least some of the weapons appear to be genuine.
“The Intercept can confirm that the arsenal contains authentic NSA software, part of a powerful constellation of tools used to covertly infect computers worldwide. The malware is covered with the NSA’s virtual fingerprints and clearly originates from the agency.”
One offensive tool in particular, dubbed ‘Secondate’, was cross-referenced with a top secret NSA manual provided to the Intercept by whistleblower Edward Snowden. The tool is designed to redirect a target’s browser to an NSA-controlled server, which then infects the target computer with malware. “The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string, ‘ace02468bdf13579.’ That exact same string appears throughout the Shadow Brokers leak in code associated with the same program, Secondate”, said the Intercept.
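The correlation the Intercept describes, matching one fixed tracking string across a manual and a code dump, is an ordinary string-based indicator check, and it is the same check a defender would run over their own hosts once such a marker is public. The script below is an added example, not code from the article or from any tool it describes. It assumes the marker names and the second, constructed marker; the first marker is the 16-character string quoted above. It scans files in fixed-size chunks with an overlap so that a marker split across a read boundary is still found exactly once.

```python
import os
import tempfile
from typing import Dict, List, Tuple

# Markers to look for. The first is the 16-character tracking string quoted
# by the Intercept; the second is a constructed placeholder showing how an
# analyst would add further indicators. Names are hypothetical labels.
MARKERS: Dict[str, bytes] = {
    "secondate_tracking_string": b"ace02468bdf13579",
    "example_marker_constructed": b"EXAMPLE-MARKER-0001",
}

Hit = Tuple[str, int]  # (marker name, byte offset)


def scan_bytes(data: bytes, markers: Dict[str, bytes] = MARKERS) -> List[Hit]:
    """Return every (marker, offset) occurrence in `data`, sorted by offset."""
    hits: List[Hit] = []
    for name, needle in markers.items():
        start = 0
        while True:
            idx = data.find(needle, start)
            if idx == -1:
                break
            hits.append((name, idx))
            start = idx + 1  # allow overlapping occurrences
    return sorted(hits, key=lambda h: h[1])


def scan_file(path: str, markers: Dict[str, bytes] = MARKERS,
              chunk: int = 1 << 20) -> List[Hit]:
    """Scan one file in chunks, carrying an overlap of (longest marker - 1)
    bytes so a marker straddling two reads is found, and reported once."""
    overlap = max(len(n) for n in markers.values()) - 1
    hits: List[Hit] = []
    with open(path, "rb") as fh:
        tail = b""   # last `overlap` bytes of the previous window
        base = 0     # absolute file offset of window[0]
        while True:
            buf = fh.read(chunk)
            if not buf:
                break
            window = tail + buf
            for name, off in scan_bytes(window, markers):
                # A match lying entirely inside the carried-over tail was
                # already reported from the previous window; skip it.
                if off + len(markers[name]) <= len(tail):
                    continue
                hits.append((name, base + off))
            tail = window[-overlap:] if overlap else b""
            base += len(window) - len(tail)
    return hits


def scan_tree(root: str, markers: Dict[str, bytes] = MARKERS,
              chunk: int = 1 << 20) -> Dict[str, List[Hit]]:
    """Walk `root` and return {path: hits} for every file with at least one hit."""
    findings: Dict[str, List[Hit]] = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                hits = scan_file(path, markers, chunk)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if hits:
                findings[path] = hits
    return findings


def demo() -> Dict[str, List[Hit]]:
    """Build a constructed sample tree and scan it with a deliberately tiny
    chunk size (8 bytes) so every marker crosses a read boundary."""
    root = tempfile.mkdtemp(prefix="ioc_scan_demo_")
    samples = {
        "split.bin": b"junk" + MARKERS["secondate_tracking_string"] + b"tail",
        "double.bin": MARKERS["secondate_tracking_string"] * 2,
        "clean.bin": b"nothing to see here",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return {os.path.basename(p): h for p, h in scan_tree(root, chunk=8).items()}


if __name__ == "__main__":
    for fname, hits in demo().items():
        print(fname, hits)
```

On a real host the call would be `scan_tree("/path/to/check")` with the default chunk size; the 8-byte chunk in `demo()` exists only to exercise the boundary handling.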
As Edward Snowden points out on Twitter, the fact that his manuals concur so accurately with the data in this ‘new’ hack probably means that the data was actually obtained before June 2013: “When I came forward, NSA would have migrated offensive operations to new servers as a precaution - it's cheap and easy.”
The offensive tools profiled by researchers so far mainly rely on zero-day vulnerabilities: vulnerabilities in software that the vendor doesn’t know about and has therefore had “zero days” to fix. Among many others, the tools exploit specific zero-day vulnerabilities in both Cisco and Fortinet firewalls, which by this logic have probably been unpatched for more than three years, since pre-2013.
This is doubly bad news for businesses and consumers: not only has the US government likely been hoarding zero-day bugs for years, leaving those same vulnerabilities wide open for malicious use by criminals, but now those criminals have had a powerful suite of offensive tools handed to them as well. The US government is technically supposed to follow an official process called an ‘equities review’ to judge when it will tell software makers about security problems it discovers in their products, although there are no published guidelines for this process, and it’s not known to what extent it has been followed here.
Michael Daniel, Special Assistant to the President and Cybersecurity Coordinator, has acknowledged in the past that, "Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest."
The takeaways here don’t make great reading. The fact that these tools have been released publicly isn’t good for overall security, and it also demonstrates that even the NSA’s hard-won, costly toolkit can be leaked in an instant by a lack of care, a rogue employee, or a carefully crafted attack by a well-funded adversary. It would be an unusual enterprise that could say confidently that none of those applied to it too.
As Edward Snowden tweeted at the time, the existence of the tools and their eventual discovery isn’t really surprising, but their public release is unusual, and clearly intended to send a message. A small part of that message is perhaps a wake-up call for enterprise: when did you last test your servers? Maybe today would be a good time (and it’s free).