Shadowbrokers Steal NSA Hacking Tools

Uploaded on 2016-08-30 in TECHNOLOGY--Hackers, INTELLIGENCE--USA, INTELLIGENCE--International, FREE TO VIEW

Firewalk is one of 50+ expolits in the NSA Ant Catalog of hacking expoits reportedyly stolen 

Recently, a group with the moniker ShadowBrokers posted two encrypted dossiers on online file-sharing sites. One contained about 300 megabytes of tools and techniques to infiltrate computer systems’ firewalls, with the files dating to late 2013, according to Kaspersky Lab, a software security firm. The contents are open for the taking. The second trove, though, remains locked with the password up for auction.

In a post, Kaspersky said that several hundred tools from the leak "share a strong connection" with what it calls the Equation Group, a hacking entity it’s been tracking that other analysts have said is the NSA. The NSA isn’t talking.

Cybersecurity analysts are still poring over the material, which raised questions about whether the leak poses a threat to national security or was just a warning from US adversaries. Meanwhile, on the day of the leak, much of the NSA’s public website was down.

For now, here’s what people are asking:

Who’s behind it?

The “suspect list” of actors who could likely get this kind of data as well as publicise it points to Russia and China, according to Nicholas Weaver, a senior researcher at the International Computer Science Institute at University of California at Berkeley. Both nations have repeatedly denied hacking accusations.

But it is also possible that an NSA worker left behind a toolkit in a server the agency hacked into - and did a sloppy job covering his or her tracks, according to Jason Healey, a senior cyber research scholar at Columbia University’s School of International and Public Affairs. Or, more nefariously, an insider could have used removable media, such as a USB drive, to take the content from the NSA and disclose it.

Lance James, chief scientist at cybersecurity firm Flashpoint, said an Internet protocol address found in one of the leaked files pointed to a Defense Department-owned "non-routable IP address space," which he said suggests the material came from a testing server rather than an operational one.

"That to me is a red flag," James said via e-mail. "This could indicate this was not stolen from outside the network but within and could have been taken from a source code repository where this software resided before it was launched."

Is it a big deal?

The short answer: probably. The leak contains scripts and means to "attack, disable, alter and bypass firewalls from vendors" such as Cisco Systems Inc., Fortinet Inc. and Juniper Networks Inc., according to Justin Harvey, chief security officer at Fidelis Cybersecurity.

Because time-stamps on the files date to 2013, some of the software weaknesses could have since been fixed. In a statement Wednesday, Cisco said it investigated the information from the breach and found exploits of two Cisco product vulnerabilities, one of which is a newly discovered defect. The company says it’s patching those gaps.

Yet the leak does provide new ideas and concepts that hackers could build on.

"You’re releasing these very advanced tools in the wild," said Bob Stasio, a fellow at the Truman National Security Project and former chief of operations at the NSA’s Cyber Operations Center, who likened it to a new weapons arsenal at hackers’ fingertips. "What this does is actually severely increases the risk to the US private sector, especially for financial institutions" that are less prepared than the government to respond to such threats, he said in an interview.

Why did they do it?

"The message is: ‘Hey, NSA we hacked you and we want the world to know," Weaver said. "We can damage you further because we have all this other information and you don’t even know what it is."

In a series of recent tweets, Snowden echoed that idea, saying, "This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server." Snowden also backed the idea that Russia, where he resides in exile, could be behind the hack.

What’s next?

The NSA will likely be doing a “thorough examination” to see if there are any remnants of the code revealed in the leak in their current operations, and if so, they’ll stop using it, Paulo Shakarian, chief executive officer of IntelliSpyre Inc. and director of the Cyber-Socio Intelligent Systems Laboratory at Arizona State University in Tempe.

Cyber analysts will also watch for any malware from the auctioned files and if those tools end up on sale on the dark web. They’ll also monitor whether the group releases additional material from the NSA.

“They said there is more stuff coming," Shakarian said.

Information-Management:

 

« UK Police Hire Law Firms To Tackle Cyber Criminals
Uber’s First Self-Driving Cars »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Cyber Security National Lab (CINI)

Cyber Security National Lab (CINI)

The Cyber Security National Lab brings together Italian academic excellence in Cyber Security research.

Coro Cybersecurity

Coro Cybersecurity

Coro (formerly Coronet) empowers organizations to protect against malware, ransomware, phishing, and botnets - across devices, users, and cloud applications.

CyberGuarded

CyberGuarded

CyberGuarded are an accredited vendor independent information security testing and auditing company.

Luxembourg Office of Accreditation & Surveillance (OLAS)

Luxembourg Office of Accreditation & Surveillance (OLAS)

OLAS is the national accreditation body for Luxembourg. The directory of members provides details of organisations offering certification services for ISO 27001.

First Point Group (FPG)

First Point Group (FPG)

First Point Group provide a global technological recruitment service worldwide. Within that we have a specialist team of Cyber Security recruiters.

Quantstamp

Quantstamp

Quantstamp are experts in Smart Contract Security Audits. We provide verification that your decentralized system works as intended.

British Blockchain Association (BBA)

British Blockchain Association (BBA)

British Blockchain Association (BBA) is a not-for-profit organisation that promotes evidence-based adoption of Blockchain and Distributed Ledger Technologies (DLT) across the public and private sector

GELLIFY

GELLIFY

GELLIFY is the first innovation platform dedicated to the high-tech B2B market, supporting start-ups and companies.

CyberCX

CyberCX

CyberCX provides services from strategic consulting, security testing and training to world-class managed services and engineering solutions.

Kainos

Kainos

Kainos is a leading provider of Digital Services and Platforms. Our services include Digital Transformation, Cyber Security, Cloud, AI, IoT and more.

ScorpionShield

ScorpionShield

ScorpionShield CyberSecurity is an EC-Council Accredited Training Center, and an On-Demand Service for Cybersecurity professionals.

Comcast Business

Comcast Business

Comcast Business keeps businesses ready for what’s next with powerful connectivity, advanced cybersecurity solutions, and the right people at your side.

HackEDU

HackEDU

HackEDU provides secure coding training to companies ranging from startups to the Fortune 500.

Testhouse Ltd

Testhouse Ltd

Testhouse is a thought leader in the Quality Assurance, software testing and DevOps space. Founded in the year 2000 in London, UK, with a mission to contribute towards a world of high-quality software

Confidencial

Confidencial

Confidencial is a provider of solutions that help organizations secure their most sensitive information, regardless if that information exists inside or is shared outside the organization.

Neosoft

Neosoft

Néosoft is an independent digital transformation consulting group with expertise in Consulting & Agility, Cybersecurity, Data, DevOps, Infrastructure & Cloud and Software Engineering.