Shadow Brokers: How the NSA Leak Affects Your Business

You’ve been desensitized. Not to unfortunate and unnecessary violence this time, but to security breaches, hacks and damaging data leaks. It’s not your fault. There have been many.

But don’t overlook this one. It’s different, and could be the precipice of a new cyber security reality. Here’s why you should pay attention.

What is the NSA leak?
First, the details: in mid-August, a self-proclaimed hacking team called the Shadow Brokers purported to have stolen specific National Security Agency (NSA) surveillance and cyber security tools from the Equation Group, an elite hacking faction with rumored ties to the NSA, according to Politico and Forbes.

The infamous 2013 NSA leaks, published by Edward Snowden, confirm the compromise and theft for which the Shadow Brokers are now claiming responsibility, reports The Intercept.

The Shadow Brokers state they have released only 40 percent of the toolset; they put the other 60 percent up for auction via online markets and forums, complete with a manifesto, FAQ and screenshots of the “prize.”

Interestingly, Wired is reporting that the group isn’t getting any bidders on the high-priced cyber arsenal.

Equation Group - Cyber Weapons Auction

Who are the Shadow Brokers?
The group that carried out this attack is shrouded in mystery. It popped up several places on the Web: Twitter, Imgur, GitHub, Tumblr and Reddit. Since then, some of those accounts have been taken down, though it appears they still operate the @theshadowbrokers Twitter handle.

The enigmatic hacking group, while mostly unknown, is believed to take its name from the widely popular video game Mass Effect 2, which features a character named “the shadow broker,” an 8-foot alien who discretely deals in black-market information.

The Shadow Brokers responsible for the NSA leak couldn’t contrast their video game namesake more starkly. Where their other-worldly contemporary works quietly, and with great care, these Shadow Brokers are bold, boastful and brazen.

There is a host of theories about their true identities. Some former NSA staffers posited that the Shadow Brokers is merely one disgruntled, rogue NSA insider.

“My colleagues and I are fairly certain that this was no hack, or group for that matter,” a former NSA employee told Motherboard. “This ‘Shadow Brokers’ character is one guy, an insider employee.”

Meanwhile, the most popular theory is the Shadow Brokers are a group of Russian hackers, with Edward Snowden declaring on Twitter that “circumstantial evidence and conventional wisdom indicates Russian responsibility.”

 

 

"'This is probably some Russian mind game, down to the bogus accent' of some of the messages sent to media organizations by the Shadow Brokers group, delivered in broken English that seemed right out of a bad spy movie,” James A. Lewis, an expert at Washington think tank the Center for Strategic and International Studies told The New York Times.

Why is this NSA leak different?
It’s not so much that the leak came from the NSA — though that is concerning in its own right — rather the sophistication of the technology stolen and what it signifies as a potential change in strategy: attacking network infrastructure and related appliances.

Targeting network devices, switches, routers and programmable logic controllers (PLC) is nothing new for nation-states (e.g., Stuxnet), but delivering that level of payload for public use drastically increases the technical and malicious ability of B- and C-level threat actors.

Johns Hopkins University cryptographer Matthew Green explained to The Intercept why the fallout from this issue could be widespread.

“The danger of these exploits is that they can be used to target anyone who is using a vulnerable router. This is the equivalent of leaving lock-picking tools lying around a high school cafeteria,” Green said. “It’s worse, in fact, because many of these exploits are not available through any other means, so they’re just now coming to the attention of the firewall and router manufacturers that need to fix them, as well as the customers that are vulnerable.”

NSA toolkits already being tested in the wild
Green was right. It was just a matter of days before hackers, script kiddies, criminals and curious coders tested the exploits in the wild.

First reported by Wired, NYU security researcher Brendan Dolan-Gavitt deployed a honeypot that used known vulnerabilities from the NSA leak, was easy to find and had weak/default password authentication. Within 24 hours, unknown sources were already probing the honeypot with NSA exploits. Each day, more and more hits occurred. 

How does the NSA leak affect your business?
This level of compromise has both a lateral and downhill effect on vendor-specific solutions, specifically end-point security products.

The leak forced security companies across the industry, including Cisco, Juniper and Fortinet, to investigate and patch hardware and software solutions, confirmed Forbes.

Further, this could potentially damage an already-rocky “relationship” between the government and the private cyber security sector. Many of these tools date back to 2013. Some, even 2006.

Did the NSA know about their effectiveness against popular network devices and fail to inform manufacturers? Unfortunately, it’s been long assumed that nation-states, from across the globe, hoard zero-day threats for future use.

Georgia Weidman, founder and CTO of Shevirah, a cyber security and penetration testing company, opined about this very issue. In her editorial on The Hill, “No more hoarding zero days,” Weidman calls for a change to this practice and states that it’s a risk to all users when zero-day risks are purposely left unmitigated.

“But if the NSA can find a zero day, then independent attackers can probably find the same surveillance window and take advantage of it for their own malicious purposes,” she states.

The landscape becomes even more convoluted when nation-states, including the U.S. government, purchase zero-day exploits, as occurred in the Apple-FBI case earlier this year.

Noted and vocal cyber security researcher Nicholas Weaver, from the International Computer Science Institute in Berkeley, Calif., echoed these concerns.

In a lengthy Lawfare editorial, “Nick asks the NSA,” Weaver offers pointed questions for the RSA. Three of the most critical queries are:

  • When did NSA become aware of the breach?
  • If the NSA was aware of the breach in 2013, why didn't they contact Fortinet and Cisco?
  • Has NSA identified the source of the breach?


“The whole episode raises a host of oversight questions,” wrote Weaver. “How and why did NSA lose 280MB of Top Secret attack tools, including multiple zero day exploits and un-obfuscated implants?”

Admittedly, Weaver and the rest of the industry know they’ll likely never be answered.

Required: Changes in cyber security strategies
The NSA-sourced exploits target specific rack appliances — down to the very model number — to gain access, manage, disrupt or simply take offline. Whether the exploits are purchased via auction or released publicly for free in the coming months or years is moot. They will be available in the wild, which makes enterprise cyber security that much more difficult.

On one hand, a proactive organization attempts to consolidate security solutions with a single vendor to simplify operations and reduce costs. On the other, it may want to build multi-layered security with various solutions to reduce vendor-specific vulnerabilities, but then significantly increase complexity. It’s the worst kind of Catch 22.

There is good news, however. If and when the full leak becomes available, it will enable cyber security vendors to patch, improve and strengthen current and future security tools and services.

On Twitter, Green gave the most basic — yet critical — advice for mitigating vulnerabilities from the NSA exploits. 

 

 

While not an exhaustive list, it’s always sound practice to follow proven baselines, including the key point from Green above.

  • Keep operating systems, software, end-point devices, appliances and other hardware patched and up to date
  • Map your network data to understand what’s most valuable and what requires the strongest defenses
  • Diligently scan for malicious traffic or intrusions — both inbound and outbound
  • Employ strategic user policies around authentication, remote access, facility access, data confidentiality, compliance, etc.