Shadowbrokers Steal NSA Hacking Tools

Uploaded on 2016-08-30 in TECHNOLOGY--Hackers, INTELLIGENCE--USA, INTELLIGENCE--International, FREE TO VIEW

Firewalk is one of 50+ expolits in the NSA Ant Catalog of hacking expoits reportedyly stolen 

Recently, a group with the moniker ShadowBrokers posted two encrypted dossiers on online file-sharing sites. One contained about 300 megabytes of tools and techniques to infiltrate computer systems’ firewalls, with the files dating to late 2013, according to Kaspersky Lab, a software security firm. The contents are open for the taking. The second trove, though, remains locked with the password up for auction.

In a post, Kaspersky said that several hundred tools from the leak "share a strong connection" with what it calls the Equation Group, a hacking entity it’s been tracking that other analysts have said is the NSA. The NSA isn’t talking.

Cybersecurity analysts are still poring over the material, which raised questions about whether the leak poses a threat to national security or was just a warning from US adversaries. Meanwhile, on the day of the leak, much of the NSA’s public website was down.

For now, here’s what people are asking:

Who’s behind it?

The “suspect list” of actors who could likely get this kind of data as well as publicise it points to Russia and China, according to Nicholas Weaver, a senior researcher at the International Computer Science Institute at University of California at Berkeley. Both nations have repeatedly denied hacking accusations.

But it is also possible that an NSA worker left behind a toolkit in a server the agency hacked into - and did a sloppy job covering his or her tracks, according to Jason Healey, a senior cyber research scholar at Columbia University’s School of International and Public Affairs. Or, more nefariously, an insider could have used removable media, such as a USB drive, to take the content from the NSA and disclose it.

Lance James, chief scientist at cybersecurity firm Flashpoint, said an Internet protocol address found in one of the leaked files pointed to a Defense Department-owned "non-routable IP address space," which he said suggests the material came from a testing server rather than an operational one.

"That to me is a red flag," James said via e-mail. "This could indicate this was not stolen from outside the network but within and could have been taken from a source code repository where this software resided before it was launched."

Is it a big deal?

The short answer: probably. The leak contains scripts and means to "attack, disable, alter and bypass firewalls from vendors" such as Cisco Systems Inc., Fortinet Inc. and Juniper Networks Inc., according to Justin Harvey, chief security officer at Fidelis Cybersecurity.

Because time-stamps on the files date to 2013, some of the software weaknesses could have since been fixed. In a statement Wednesday, Cisco said it investigated the information from the breach and found exploits of two Cisco product vulnerabilities, one of which is a newly discovered defect. The company says it’s patching those gaps.

Yet the leak does provide new ideas and concepts that hackers could build on.

"You’re releasing these very advanced tools in the wild," said Bob Stasio, a fellow at the Truman National Security Project and former chief of operations at the NSA’s Cyber Operations Center, who likened it to a new weapons arsenal at hackers’ fingertips. "What this does is actually severely increases the risk to the US private sector, especially for financial institutions" that are less prepared than the government to respond to such threats, he said in an interview.

Why did they do it?

"The message is: ‘Hey, NSA we hacked you and we want the world to know," Weaver said. "We can damage you further because we have all this other information and you don’t even know what it is."

In a series of recent tweets, Snowden echoed that idea, saying, "This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server." Snowden also backed the idea that Russia, where he resides in exile, could be behind the hack.

What’s next?

The NSA will likely be doing a “thorough examination” to see if there are any remnants of the code revealed in the leak in their current operations, and if so, they’ll stop using it, Paulo Shakarian, chief executive officer of IntelliSpyre Inc. and director of the Cyber-Socio Intelligent Systems Laboratory at Arizona State University in Tempe.

Cyber analysts will also watch for any malware from the auctioned files and if those tools end up on sale on the dark web. They’ll also monitor whether the group releases additional material from the NSA.

“They said there is more stuff coming," Shakarian said.

Information-Management:

 

« UK Police Hire Law Firms To Tackle Cyber Criminals
Uber’s First Self-Driving Cars »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

KPMG

KPMG

KPMG s a leading provider of professional services including information technology and cyber security consulting.

Certification Europe

Certification Europe

Certification Europe (now Amtivo Ireland) is an accredited certification body which provides ISO management system certification, including ISO 27001.

NowSecure

NowSecure

NowSecure are the experts in mobile app security testing software and services.

Veriato

Veriato

Veriato develops intelligent solutions that provide companies with visibility into the human behaviors and activities occurring within their network, making them more secure and productive.

OEDIV SecuSys

OEDIV SecuSys

OEDIV SecuSys (formerly iSM Secu-Sys) develops high-quality IT software solutions, setting standards as a technology leader in the area of identity and access management.

Caulis

Caulis

Caulis FraudAlert is a cyber security solution. It can detect fraud and identity theft based on users’ online behaviour.

Bloc Ventures

Bloc Ventures

Bloc Ventures is an investment company providing long-term, ‘patient’ equity capital to early stage unquoted deep technology companies.

Pacific Cyber Security Operational Network (PaCSON)

Pacific Cyber Security Operational Network (PaCSON)

PaCSON is an operational cyber security network of regional working-level cyber security experts in the Pacific.

Cyber Readiness Institute (CRI)

Cyber Readiness Institute (CRI)

At the Cyber Readiness Institute, our mission is simple: empower small and medium-sized enterprises with free tools and resources to help them become more secure and resilient.

Cegeka

Cegeka

Cegeka is a family-owned IT company providing end-to-end IT solutions, services & consultancy.

Zaviant Consulting

Zaviant Consulting

Zaviant Consulting is a leading data security and privacy consulting firm assisting organizations comply with constantly evolving security frameworks and privacy regulations.

Alpha Mountain AI (alphaMountain)

Alpha Mountain AI (alphaMountain)

alphaMountain provides up-to-date domain and IP intelligence for cybersecurity investigational and protection platforms.

InfoSec4TC

InfoSec4TC

InfoSec4tc is an online Information Security Courses, Training, and Consultancy provider.

ThreatCaptain

ThreatCaptain

ThreatCaptain is a Cybersecurity Leadership Development Company driven to enhance and illuminate cybersecurity risk through strategic alignment and informed business decision-making.

ABPGroup

ABPGroup

ABPGroup is Asia’s leading cybersecurity technology provider focusing on providing best-of-breed solutions that address today’s pressing challenges.

Cyber Castellum

Cyber Castellum

Cyber Castellum is a cybersecurity consulting firm that specializes in the identification of security vulnerabilities in an organization’s technology landscape.