This summer, hackers decided to skip the holiday break and only intensified their efforts. We saw the seemingly unbeatable tech giant, Apple, set its crown aside, and institutions such as the London Stock Exchange paralyzed by an army of botnet zombies. And let’s not forget the legendary Eye of Sauron, which, after five years of discretion, recently decided to resurface. In this chain of cyber-attacks, the best was apparently saved for last.
On August 15, an unknown group of hackers calling itself the “Shadow Brokers” published online an entire arsenal of cyber weapons belonging to the NSA, the National Security Agency of the United States. Stolen by means known only to the parties concerned, the tools belong to a group of digital spies that has been working for the agency since 2001 (according to Kaspersky).
Nicknamed the Equation Group, its relationship with the NSA was confirmed in 2015 by security experts. When Kaspersky compared the encryption algorithms found in the archive stolen by the Shadow Brokers with those used by the Equation Group, they turned out to present strong similarities. And so the supposition was born that the latter is affiliated with the American agency.
Kaspersky had also previously identified the group as being responsible for the creation of Stuxnet, an APT designed by the United States to spy on Iran’s nuclear facilities.
Hacking tools made in NSA
With regard to the stolen tools, you will perhaps laugh at first, given the improbable names they bear: EpicBanana, ExtraBacon or EligibleBachelor, but make no mistake, this is no joke.
The exploitable vulnerabilities target network equipment widely deployed around the world, produced by leading manufacturers such as Cisco and Fortinet. As such, the NSA’s combat strategy against its so-called enemies proves to be more than controversial, as it turns out the agency kept knowledge of these flaws to itself in order to create secret entry points.
Faced with this double-edged maneuver, we cannot help but come back to a statement released in April by the CEO of Apple, Tim Cook, on the subject of the company’s disagreement with the FBI: building weapons that are capable of bypassing “security measures would create a backdoor. […] There is no way to ensure it does not end up in the wrong hands.”
Well, it’s a little bit late for that now.
Cisco and Fortinet have now confirmed that their firewalls are vulnerable following the public release of the NSA hacking tools. And since these devices are meant to protect a large number of companies, a general alert was issued as soon as the manufacturers confirmed the authenticity of the stolen data.
Exploitation of some of these released vulnerabilities would even allow cybercriminals to take remote control of security equipment and to spy on all incoming and outgoing data within the targeted network. That is why organizations are now strongly advised to pay close attention to the latest news on the Cisco and Fortinet support pages while patches are still pending.
0-day vulnerabilities: the snowball effect
Based solely on what we know today, it is easy to imagine how such a leak can cause collateral damage. The moment the hacking tools made in NSA were published online was the same moment the hacker community shouted “JACKPOT”. Cybercriminals around the world gained access, just like that, to this precious information, all ‘thanks’ to the generosity of a certain Shadow Brokers group. The incident comes as a hard blow to the NSA, which, it has become clear by now, is not the only one no longer playing by the rules in this game of spies.
The situation is even more problematic as the network security equipment suppliers concerned announced the detection of multiple 0-day vulnerabilities among the published files. In the case of Cisco, one of its blog notes confirmed that its products were affected by two vulnerabilities: (1) EpicBanana and (2) ExtraBacon.
The first one had already been patched in 2011, but the second one proved to be entirely unknown and particularly dangerous, since it allows taking remote control of Cisco PIX and Cisco ASA firewalls. At the same time, Fortinet also just discovered a vulnerability with no known fix, affecting in the same way one of the older versions of its FortiGate firewall (by means of a booby-trapped web page). In this case, however, a simple firmware update would suffice to minimize the risk.
A new nickname: ‘Not Secure Agency’
Despite the relatively honorable goal that spy agencies may pursue in their efforts to protect nations and civilians, the possession of an all-mighty weapon remains a good idea only in theory. If the NSA is not able to properly protect these hacking tools and prevent them from falling into the wrong hands, the consequences can, and already do, gravely impact the very same targets the agency is trying to defend.
As for the wrong hands waiting in the shadows, there are several hypotheses concerning the perpetrators of this act: either a breach really occurred from the outside, or we are facing an internal leak, led by, why not, a second Edward Snowden.
Speaking of Snowden, he also formulated his own hypothesis on Twitter, pointing his finger at the Russian intelligence services. Finally, whatever the source of these cyber-weapons, do not underestimate the hackers’ way of doing business. The strategy (if successful) will turn out to be very profitable in the case of the Shadow Brokers group, which announced that it is keeping “the best tools” for last. Said tools are now up for sale in exchange for 1 million bitcoins (or $580 million USD).
That being said, we might ask ourselves: does the money even matter anymore? By creating this negative buzz around the NSA, the hackers completed at least one of their goals – the humiliation of the American agency, now nicknamed the “Not Secure Agency” by the international press.
Stuck in the middle of this spy game, where both parties aim for the annihilation of the enemy by all means, we can no longer tell who the true villain is: the NSA, which is still hiding things from us, or the hackers responsible for the leak?
(This article originally appeared on Christina Ion's blog, which can be viewed here)