Shadowbrokers Steal NSA Hacking Tools

Firewalk is one of 50+ expolits in the NSA Ant Catalog of hacking expoits reportedyly stolen 

Recently, a group with the moniker ShadowBrokers posted two encrypted dossiers on online file-sharing sites. One contained about 300 megabytes of tools and techniques to infiltrate computer systems’ firewalls, with the files dating to late 2013, according to Kaspersky Lab, a software security firm. The contents are open for the taking. The second trove, though, remains locked with the password up for auction.

In a post, Kaspersky said that several hundred tools from the leak "share a strong connection" with what it calls the Equation Group, a hacking entity it’s been tracking that other analysts have said is the NSA. The NSA isn’t talking.

Cybersecurity analysts are still poring over the material, which raised questions about whether the leak poses a threat to national security or was just a warning from US adversaries. Meanwhile, on the day of the leak, much of the NSA’s public website was down.

For now, here’s what people are asking:

Who’s behind it?

The “suspect list” of actors who could likely get this kind of data as well as publicise it points to Russia and China, according to Nicholas Weaver, a senior researcher at the International Computer Science Institute at University of California at Berkeley. Both nations have repeatedly denied hacking accusations.

But it is also possible that an NSA worker left behind a toolkit in a server the agency hacked into - and did a sloppy job covering his or her tracks, according to Jason Healey, a senior cyber research scholar at Columbia University’s School of International and Public Affairs. Or, more nefariously, an insider could have used removable media, such as a USB drive, to take the content from the NSA and disclose it.

Lance James, chief scientist at cybersecurity firm Flashpoint, said an Internet protocol address found in one of the leaked files pointed to a Defense Department-owned "non-routable IP address space," which he said suggests the material came from a testing server rather than an operational one.

"That to me is a red flag," James said via e-mail. "This could indicate this was not stolen from outside the network but within and could have been taken from a source code repository where this software resided before it was launched."

Is it a big deal?

The short answer: probably. The leak contains scripts and means to "attack, disable, alter and bypass firewalls from vendors" such as Cisco Systems Inc., Fortinet Inc. and Juniper Networks Inc., according to Justin Harvey, chief security officer at Fidelis Cybersecurity.

Because time-stamps on the files date to 2013, some of the software weaknesses could have since been fixed. In a statement Wednesday, Cisco said it investigated the information from the breach and found exploits of two Cisco product vulnerabilities, one of which is a newly discovered defect. The company says it’s patching those gaps.

Yet the leak does provide new ideas and concepts that hackers could build on.

"You’re releasing these very advanced tools in the wild," said Bob Stasio, a fellow at the Truman National Security Project and former chief of operations at the NSA’s Cyber Operations Center, who likened it to a new weapons arsenal at hackers’ fingertips. "What this does is actually severely increases the risk to the US private sector, especially for financial institutions" that are less prepared than the government to respond to such threats, he said in an interview.

Why did they do it?

"The message is: ‘Hey, NSA we hacked you and we want the world to know," Weaver said. "We can damage you further because we have all this other information and you don’t even know what it is."

In a series of recent tweets, Snowden echoed that idea, saying, "This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server." Snowden also backed the idea that Russia, where he resides in exile, could be behind the hack.

What’s next?

The NSA will likely be doing a “thorough examination” to see if there are any remnants of the code revealed in the leak in their current operations, and if so, they’ll stop using it, Paulo Shakarian, chief executive officer of IntelliSpyre Inc. and director of the Cyber-Socio Intelligent Systems Laboratory at Arizona State University in Tempe.

Cyber analysts will also watch for any malware from the auctioned files and if those tools end up on sale on the dark web. They’ll also monitor whether the group releases additional material from the NSA.

“They said there is more stuff coming," Shakarian said.

Information-Management:

 

« UK Police Hire Law Firms To Tackle Cyber Criminals
Uber’s First Self-Driving Cars »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

iXsystems

iXsystems

iXsystems is a leader in Open-Source enterprise server and storage solutions including Backup & Recovery to protect critical data.

Nexusguard

Nexusguard

Nexusguard is at the forefront of the fight against malicious Internet attacks, protecting organizations worldwide from threats to their websites, services, and reputations.

Redstor

Redstor

Redstor's complete data management helps you discover, manage and control your data from a single control centre, unifying backup and recovery, disaster recovery, archiving and search and insight.

S4x Events

S4x Events

S4x are the most advanced and largest ICS cyber security events in the world.

Prompt

Prompt

Prompt supports the creation of partnerships and the setting up of industrial-institutional applied R&D projects for all ICT sectors.

DataNumen

DataNumen

The fundamental mission of DataNumen is to recover as much data from inadvertent data disasters as possible.

DisruptOps

DisruptOps

Built for today’s cloud-scale enterprises, DisruptOps’ Cloud Detection and Response platform automates assessment and remediation procedures of critical cloud security issues.

WidePoint

WidePoint

WidePoint Corporation is an innovative provider of Trusted Mobility Management (TM2) solutions.

Synamic Technologies

Synamic Technologies

Synamic Technologies was founded in 2018 as a start-up to automate cyber security processes. Our CISOSCOPE product automates vulnerability management, risk management and compliance.

comforte AG

comforte AG

comforte AG is a leading provider of data-centric security technology. Organizations worldwide rely on our tokenization and format-preserving encryption capabilities to secure personal, sensitive data

Venustech

Venustech

Venustech is a leading provider of network security products, trusted security management platforms, specialized security services and solutions.

HACKNER Security Intelligence

HACKNER Security Intelligence

HACKNER Security Intelligence is an independent security consultancy delivering comprehensive security assessments across IT security, physical security, and social engineering.

Tychon

Tychon

Tychon develops advanced enterprise endpoint management technology that enables commercial and government organizations to bridge the gap between security and IT operations.

SafeLiShare

SafeLiShare

SafeLiShare’s data security platform unifies encryption strategies for organizations with hybrid and multi-cloud infrastructures, ensuring data is secure regardless of its location.

ITButler e-Services

ITButler e-Services

At IT Butler, our mission is crystal clear: we are dedicated to providing top-tier cybersecurity solutions and best-practice methodologies to secure and enhance your digital infrastructure’s resilienc

Amtivo Group

Amtivo Group

Amtivo provides Certification, Inspection and Training services to national and local Government bodies, multi-nationals, enterprise clients and SMEs.