Once attack tools are leaked, they are adopted rapidly by many attackers. Will the leaked NSA exploits quickly be used in an attack, and what is being done?
On Aug. 13, a group known as the “Shadow Brokers” announced on Twitter that they would auction off a set of cyber-espionage tools taken from the server of the Equation Group, widely considered part of the United States’ intelligence services and likely to be operating as part of the National Security Agency.
The announcement was met first with disbelief, then chagrin, as it became apparent that the compromise and post-exploitation framework were genuine. Questions remain, James Clapper, director of national intelligence, said at an Aug. 24 event. “It’s still under investigation,” he said, according to the Associated Press. “We don’t know exactly the full extent—or the understanding—of exactly what happened.”
What is known is that the leak involved an encrypted set of files weighing in at more than 250MB of data, and which included the encryption key for a folder of teaser files labeled “Firewall.” The key to unlock the encrypted main body of data will only be released, the group said, if they receive 1 million bitcoin, about $580 million. The Shadow Brokers are thought to be linked to Russia.
While the NSA is most known for its offensive capabilities—it’s ability to spy on other nation’s and group’s communications—the leak of a significant collection of vulnerabilities known to only a few should signal that the agency should be considering its defensive role more heavily, according to security experts.
“If there is an attributable group in a foreign country that is going to use this against people, it is in everyone’s interest for the [government behind the Equation Group] to notify the vendors so that other nations are not using Equation’s IP against citizens,” Logan Brown, president of threat intelligence and vulnerability acquisition firm Exodus Intelligence, told eWEEK.
The outing of the NSA-linked framework is the latest in a series of leaks of cyber toolsets that highlight that many governments are active in cyber operations against rival nations, non-governmental groups and even individuals. Mobile security firm Lookout and the University of Toronto’s Citizen Lab revealed on Aug. 25, for example, that an attacker, likely a nation, had used espionage tools allegedly created by the NSO Group—including exploits for three previously unknown iOS vulnerabilities—against a well-known Middle Eastern activist, Ahmed Mansoor. Mansoor had been targeted by similar attempts twice before.
With each revelation, questions about the appropriate use of such technology—and whether citizens are better served by government agencies that help harden computer systems or conduct espionage on others’ systems—grow louder. The code in the leaked “Firewall” files included the names of tools, such as “SecondDate” and a specific passcode that marks the data as a match for the information leaked by former NSA contractor Edward Snowden. As the name indicates, the attack tools in the teaser data target vulnerabilities in major firewalls. Cisco is in the process of patching one issue, but noted that another vulnerability targeted by the Equation Group tools had been patched in 2011. Fortinet examined the files and found the attacks only affected versions of its software prior to 2012. And Juniper has not found any exploitable vulnerabilities in the data.
