Shadowbrokers Steal NSA Hacking Tools

Uploaded on 2016-08-30 in TECHNOLOGY--Hackers, INTELLIGENCE--USA, INTELLIGENCE--International, FREE TO VIEW

Firewalk is one of 50+ expolits in the NSA Ant Catalog of hacking expoits reportedyly stolen 

Recently, a group with the moniker ShadowBrokers posted two encrypted dossiers on online file-sharing sites. One contained about 300 megabytes of tools and techniques to infiltrate computer systems’ firewalls, with the files dating to late 2013, according to Kaspersky Lab, a software security firm. The contents are open for the taking. The second trove, though, remains locked with the password up for auction.

In a post, Kaspersky said that several hundred tools from the leak "share a strong connection" with what it calls the Equation Group, a hacking entity it’s been tracking that other analysts have said is the NSA. The NSA isn’t talking.

Cybersecurity analysts are still poring over the material, which raised questions about whether the leak poses a threat to national security or was just a warning from US adversaries. Meanwhile, on the day of the leak, much of the NSA’s public website was down.

For now, here’s what people are asking:

Who’s behind it?

The “suspect list” of actors who could likely get this kind of data as well as publicise it points to Russia and China, according to Nicholas Weaver, a senior researcher at the International Computer Science Institute at University of California at Berkeley. Both nations have repeatedly denied hacking accusations.

But it is also possible that an NSA worker left behind a toolkit in a server the agency hacked into - and did a sloppy job covering his or her tracks, according to Jason Healey, a senior cyber research scholar at Columbia University’s School of International and Public Affairs. Or, more nefariously, an insider could have used removable media, such as a USB drive, to take the content from the NSA and disclose it.

Lance James, chief scientist at cybersecurity firm Flashpoint, said an Internet protocol address found in one of the leaked files pointed to a Defense Department-owned "non-routable IP address space," which he said suggests the material came from a testing server rather than an operational one.

"That to me is a red flag," James said via e-mail. "This could indicate this was not stolen from outside the network but within and could have been taken from a source code repository where this software resided before it was launched."

Is it a big deal?

The short answer: probably. The leak contains scripts and means to "attack, disable, alter and bypass firewalls from vendors" such as Cisco Systems Inc., Fortinet Inc. and Juniper Networks Inc., according to Justin Harvey, chief security officer at Fidelis Cybersecurity.

Because time-stamps on the files date to 2013, some of the software weaknesses could have since been fixed. In a statement Wednesday, Cisco said it investigated the information from the breach and found exploits of two Cisco product vulnerabilities, one of which is a newly discovered defect. The company says it’s patching those gaps.

Yet the leak does provide new ideas and concepts that hackers could build on.

"You’re releasing these very advanced tools in the wild," said Bob Stasio, a fellow at the Truman National Security Project and former chief of operations at the NSA’s Cyber Operations Center, who likened it to a new weapons arsenal at hackers’ fingertips. "What this does is actually severely increases the risk to the US private sector, especially for financial institutions" that are less prepared than the government to respond to such threats, he said in an interview.

Why did they do it?

"The message is: ‘Hey, NSA we hacked you and we want the world to know," Weaver said. "We can damage you further because we have all this other information and you don’t even know what it is."

In a series of recent tweets, Snowden echoed that idea, saying, "This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server." Snowden also backed the idea that Russia, where he resides in exile, could be behind the hack.

What’s next?

The NSA will likely be doing a “thorough examination” to see if there are any remnants of the code revealed in the leak in their current operations, and if so, they’ll stop using it, Paulo Shakarian, chief executive officer of IntelliSpyre Inc. and director of the Cyber-Socio Intelligent Systems Laboratory at Arizona State University in Tempe.

Cyber analysts will also watch for any malware from the auctioned files and if those tools end up on sale on the dark web. They’ll also monitor whether the group releases additional material from the NSA.

“They said there is more stuff coming," Shakarian said.

Information-Management:

 

« UK Police Hire Law Firms To Tackle Cyber Criminals
Uber’s First Self-Driving Cars »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Alan Turing Institute

Alan Turing Institute

Alan Turing Institute is the UK national institute for data science. A major focus is Big Data analysis with applications including cyber security.

Nixu

Nixu

Nixu is the largest Nordic specialist company in information security consulting.

SISSDEN

SISSDEN

SISSDEN will improve cybersecurity through the development of increased awareness and the effective sharing of actionable threat information.

Crest International

Crest International

Crest is focused on professionalizing the technical cyber security market whilst driving quality and standards of organizations that operate within it.

InnoSec

InnoSec

InnoSec is a software manufacturer of cyber risk management technology.

SecureNinja

SecureNinja

SecureNinja provides professional training, certifications & professional services related to all facets of Information Technology and Cyber Security.

Security University

Security University

Security University is a leading provider of Qualified Hands-On Cybersecurity Education, Information Assurance Training and Certifications for IT and Security Professionals.

Totaljobs

Totaljobs

Totaljobs is the UK’s largest hiring platform. We have over 280,000 live jobs adverts on our site, helping you to find any type of job in any industry, including cybersecurity.

iHLS Startups Accelerator

iHLS Startups Accelerator

iHLS Accelerator is the first startup accelerator in the world in the security and homeland security field.

Focal Point

Focal Point

We aspire to be the focal point for Medium and Small size companies providing 24/7 cyber security advice, services and solutions.

Scarlett Cybersecurity

Scarlett Cybersecurity

Scarlett Cybersecurity provide cybersecurity services to US private and public organizations with specific emphasis on compliance and cybersecurity incident prevention, detection, and response.

Simplilearn

Simplilearn

Simplilearn is the world's #1 online bootcamp for digital skills training in disciplines such as Cyber Security, Cloud Computing, Project Management, Digital Marketing, and Data Science.

Occentus Network

Occentus Network

Occentus Network is a telecommunications service provider specialized in High Availability Servers & managed Cloud services.

CYBHORUS

CYBHORUS

CYBHORUS are a team of Italian cyber security experts, specialized in cyber threat defense and strategic and organizational consulting.

Assurestor

Assurestor

Assurestor's singular focus is delivering leading cloud-based backup and disaster recovery designed to increase levels of IT resilience.

AI EdgeLabs

AI EdgeLabs

AI EdgeLabs is a powerful and autonomous cybersecurity AI platform that helps security teams respond immediately to ongoing attacks and protect Edge/IoT infrastructures.