No doubt the good folks at the National Security Agency’s (NSA) Office of Tailored Access Operations (TAO) opened up their browsers early in the week of the 15th of August to learn that many of their “alleged” toys had fallen out of the toy box and were now up for auction and in the hands of a group calling themselves “The Shadow Brokers.” Enough to ruin anyone’s morning.
Is it true?
From many accounts the identified hacks consisted of both new and previously reported “Zero Day” vulnerability (NB: A zero day is a discovered vulnerability which has not previously been reported and the originator has not been informed, and thus has not had the opportunity to mitigate and thus exploitation can be expected to be successful by an adversary using the zero day). A close look shows that some of the shared exploits date from work performed in 2013. In a Der Spiegel article “Inside TAO”, the Der Spiegel notes that they had reviewed document on the TAO which “… reveal just how diversified the tools at TAO’s disposal have become — and also how it exploits the technical weaknesses of the IT industry, from Microsoft to Cisco and Huawei, to carry out its discreet and efficient attacks.”
So if the question is, does the TAO have a toys which are designed to penetrate the cybersecurity of an adversary, the answer is ‘yes’ (as does every other nation’s signals intelligence entity … it is their mission to penetrate secure networks). What troubles many is how did the Shadow Brokers obtain the tools?
Who built these tools?
Many industry analysts are pointing fingers at the Equation Group, given the similarity of code previously identified as having originated from the entity and that which has been revealed by the Shadow Brokers, an entity speculated to be operating on behalf of the Russian government.
According to industry malware analysts at Russian security company Kaspersky, the Equation Group is the crown creator of cyber-espionage, with a history of building sophisticated and advanced attack scripts which exploit adversary’s systems. A series of 2015 reports, including a Question and Answer FAQ on the Equation Group, is worthy of a read to understand the depth of their sophistication.
How did the toys go missing?
No doubt, the release of this information is having a deleterious affect over at TAO, as their mission is to be prepared for offensive information operations at a time of need. Who dumped the sophisticated exploits sitting in the toy box? The Washington Post notes some think it may be disgruntled insider from with TAO. Others say operators within TAO have in the past inadvertently uploaded a tools suite to an incorrect (and thus exposed) environment. Perhaps the speculation that the Equation Group is behind the creation of the exploits, and one of their team kept copies of her/his work, as so many development engineers are known to do.
What do I do?
As companies learn that their secure devices are insecure, they will be working mightily to close the vulnerability being exploited by the zero day and issuing appropriate patches. Both Cisco and Fortinet have already published responses, and urge their customers to read and implement the proffered changes. Indeed, given the age of many of the identified exploits, those who have been keeping their security appliances updated will find the vulnerabilities identified to be old news.
Who now has these tools?
We know the Shadow Brokers are asking for one million Bitcoins minimum for the exploits, which they are selling at auction. One million Bitcoins is more than US$500 million. But no one seems to be interested in purchasing these cyberweapons. For now, the Shadow Broker group and Russia – if you believe they are behind the release – are the sole owners of these NSA tools.
This author believes this to be a signal to the United States from Russia, let the cyber-espionage games begin, we have your toys.