It’s not been a great few years for the NSA when it comes to breaches.
Of course, the highest profile breach by far was caused by Edward Snowden, the former contractor who in 2013 blew a massive hole in the agency’s credibility when he leaked documented proof of programs like PRISM, Tempura, Upstream and XKeyscore, through which the agency collected troves of data – phone records, emails, texts, browsing, chats, images and more – not just on foreign targets but American citizens as well.
But more recently, there was the breach by the group that calls itself Shadow Brokers – not as well known but still causing major damage. Since the summer of 2016, the group has been dumping exploits and tools collected, hoarded and used by the NSA hacking group Tailored Access Operations (TAO).
Among other things, those dumps have so far exposed major vulnerabilities in Cisco routers, Microsoft Windows and Linux mail servers and provided the exploit that the authors of the WannaCry ransomware used to infect an estimated 400,000 computers in more than 150 countries – launching what was probably the biggest ransomware outbreak in history.
Of course, the NSA had wanted to keep all of those exploits and hacking tools secret, to be used for its own surveillance purposes. Now, they are being used by criminals and hostile nation states.
So while the breaches are old news, the regular dumps mean the bad news keeps piling up. So far, the agency has been unable to track down the group. The New York Times noted this week that 15 months into an investigation of the breach by the NSA’s counterintelligence arm, known as Q Group, and the FBI, they still don’t know if the agency is:
…the victim of a brilliantly executed hack, with Russia as the most likely perpetrator, an insider’s leak, or both. Three employees have been arrested since 2015 for taking classified files, but there is fear that one or more leakers may still be in place.
The damage from Shadow Brokers is very different from that caused by Snowden. It did not expose illegal surveillance, but it made the hacking tools used by the NSA worthless – at least to them – and undermined its reputation that it could effectively guard its secrets. As the Times put it:
Current and former agency officials say the Shadow Brokers disclosures, which began in August 2016, have been catastrophic for the NSA, calling into question its ability to protect potent cyberweapons and its very value to national security. The agency regarded as the world’s leader in breaking into adversaries’ computer networks failed to protect its own.
The cyberweapons already leaked have been used against millions of average citizens and thousands of businesses including factories and hospitals. And there are more expected.
Ironically, while Shadow Brokers generated international headlines, it doesn’t look like the group made big money – which was apparently one of the goals. Naked Security’s Paul Ducklin noted that when the group first went public they contended that what they had was worth as much as $600 million – a number they rapidly began to discount.
Estimates this past August suggest the group made as little as $90,000 through “subscriptions” for what they called a “monthly dump service” of stolen NSA exploits.
They continue to communicate regularly with online rants that, as Ducklin put it last year, are written…
…in a curious style, as though native speakers of English had gone out of their way to create a document that reads in a carefully and consistently stilted way, fusing a sort of fake and vaguely insulting pidgin with the faintly annoying diction of Yoda out of Star Wars.
In the group’s most recent diatribe, on 16 October, they mocked the agency, writing, “Is NSA chasing shadowses?” and regularly refers to its audience as ThePeoples, as in, “ThePeoples is no believing. ThePeoples is got jokes.”
But while the identity of the Brokers is yet to be revealed, there are some educated guesses about where they are from. Bruce Schneier, CTO of IBM Resilient, in a blog post last May, said he thought it was unlikely that it was a whistleblower, since most of the tools and other cyberweapons were stolen in 2013, and it would be unlikely for someone like that to, “sit on attack tools for three years before publishing.”
He said criminals, rather than publishing the tools, would use them. And random, lucky hackers wouldn’t hoard them either, since they would be, “in danger from half the intelligence agencies in the world.”
That leaves a nation state, he wrote, and given that he doubts Israel or France would do it, and North Korea and Iran don’t have the capability, that means:
The obvious list of countries who fit my two criteria is small: Russia, China, and – I’m out of ideas. And China is currently trying to make nice with the US.
But even Russia as the villain doesn’t make sense, he wrote, since, “these leaked tools are much more valuable if kept secret.”
So there remains plenty of suspicion within the NSA that an insider is involved. One of the three charged so far, contractor Harold T. Martin III, was arrested last year after FBI agents found what they called a “breathtaking” stash of documents and storage devices in his home, garden shed and car – 50 terabytes of classified intelligence data.
He had much of what Shadow Brokers published, but investigators say he may have been hacked himself.
And, as NSA employees told the Times, it could have been one or more of many, many others:
With thousands of employees pouring in and out of the gates, and the ability to store a library’s worth of data in a device that can fit on a key ring, it is impossible to prevent people from walking out with secrets.
Regardless of who is behind the dump, where does this leave businesses? While this debate and discussion rages on, companies of all size and industries remain vulnerable and at risk of attack, says Dan Schiappa, senior vice president and general manager of Products, Sophos.
We’ve reached a turning point. Traditional security methods are no longer enough to prevent cyberattacks. With Shadow Brokers’ ongoing release of stolen NSA tools that are mouthwatering for hackers, but incredibly dangerous for businesses, security as we know it must change.
Companies need to take a predictive approach to security, meaning they must adopt technologies that include defenses that expect and can stop sophisticated attacks. Predictive security includes early detection and prevention with deep learning technology, plus anti-ransomware capabilities that stops complex ransomware, like we’ve already seen with WannaCry, in its tracks.
With the pace at which cybercriminals are innovating, and considering how stealthy they are, you never know when you will get hit. Expect it at any moment and expect repeated, evolved attacks over time – businesses must pay attention to being prepared to stay secure.
Matt
“the victim of a brilliantly executed hack, with This Year’s Bogeyman as the most likely perpetrator, The Other Security Term We Know, or both.”
Fixed for the NYT. Can’t imagine why you’d bother quoting that.
Mahhn
The 2nd most offending thing to me about the NSA is that once their exploits were in the wild, they didn’t notify companies to patch/defend against them. Which is literally protecting and arming criminals. Their actions make it clear that the enemies of the NSA aren’t crooks, its people in general.
It’s likely the leak is all internal. Anyone who is a real patriot would do the best they could to expose this criminal runaway agency.
Wilderness
“The agency regarded as the world’s leader in breaking into adversaries’ computer networks failed to protect its own.”
It’s always easier to break in than to prevent people from breaking in. As the saying goes: our security sucks, but so does theirs.
jim
Businesses? F— businesses. They have the wherewithal to install the best and state of the art security systems, something that the average or even above-average Citizen cannot afford to do. They also have the ability to control and restrict access throughout their entire companies. Of course, they are not actually required by law to do that.
So, they don’t do that because it might cut into the bottom line, and even worse, into the fat checks the honchos get every year (see Experian).
And yet they don’t do that because it is too expensive, and because there are no legal consequences when their haphazard protection schemes fail. Just like Experian couldn’t be bothered to hire actually competent technical people and responsible management to ensure their systems and access points are protected.
Remember one thing folks, it ain’t your ass they’re protecting, it’s their bottom line – and their stock-sharing profits. They would rather have insurance and lawyers in place to ensure minimization of damage, especially from clients and data owners rather than making all that data safe. And it wouldn’t occur to them to spend a few nickels trying to chase down the bad guys who did it.
Oh, wait. They expect the FBI, NSA, and other gov’t agencies to do that. Therefore, anything that goes wrong isn’t their fault.
It’s our fault for letting them have our personal data in the first place.
Use cash, VPNs, and heavy security and then buy a good mattress and hope that they don’t make cash illegal in the next decade.
Anon
Shadow Factory is the name of a book on the NSA by James Bamford. The writing looks like something a native English speaker would write and pass it through an algorithm to randomly make changes but the changes (I.e poor English phrases) have a pattern to them vaguely detectable as several have pointed out. Shadow Brokers is quite possibly an official NSA project hyped up as a big security leak but a lot of it is outdated.
What is NSA’s goal? Possibly to put on a surveillance list anyone who tries to get at the hacks.
The world would be a better place without NSA and their counterparts in other countries.
Anonymous
If you think that the book “Shadow Factory” is written in anything other that grammatically-correct, idiomatic English then either you haven’t read the book or you aren’t fluent in English.
Anon
The post is not about shadow factory but shadow brokers :)
Anonymous
If the post isn’t about Shadow Factory, why does it start “Shadow Factory is a book. The writing looks like this…”
jenny
NSA is a waste of tax payer dollars. Their foolishness and incompetence is mind boggling. Secrecy hides incompetence as noted earlier. What started out with Tutte and Turing and all those great mathematicians of the forties has devolved into stupid agencies in every country taking advantage of the bad math PhD market to pretend they have the smartest people who know what they are doing. But those idealistic smart mathematicians end up turning into thieves shielded from the realities of what they are doing. While NSA chases ghosts the really destructive and evil folks in the world go about their business unchallenged.