Shadow Brokers cause ongoing headache for NSA

It’s not been a great few years for the NSA when it comes to breaches.

Of course, the highest profile breach by far was caused by Edward Snowden, the former contractor who in 2013 blew a massive hole in the agency’s credibility when he leaked documented proof of programs like PRISM, Tempura, Upstream and XKeyscore, through which the agency collected troves of data – phone records, emails, texts, browsing, chats, images and more – not just on foreign targets but American citizens as well.

But more recently, there was the breach by the group that calls itself Shadow Brokers – not as well known but still causing major damage. Since the summer of 2016, the group has been dumping exploits and tools collected, hoarded and used by the NSA hacking group Tailored Access Operations (TAO).

Among other things, those dumps have so far exposed major vulnerabilities in Cisco routers, Microsoft Windows and Linux mail servers and provided the exploit that the authors of the WannaCry ransomware used to infect an estimated 400,000 computers in more than 150 countries – launching what was probably the biggest ransomware outbreak in history.

Of course, the NSA had wanted to keep all of those exploits and hacking tools secret, to be used for its own surveillance purposes. Now, they are being used by criminals and hostile nation states.

So while the breaches are old news, the regular dumps mean the bad news keeps piling up. So far, the agency has been unable to track down the group. The New York Times noted this week that 15 months into an investigation of the breach by the NSA’s counterintelligence arm, known as Q Group, and the FBI, they still don’t know if the agency is:

…the victim of a brilliantly executed hack, with Russia as the most likely perpetrator, an insider’s leak, or both. Three employees have been arrested since 2015 for taking classified files, but there is fear that one or more leakers may still be in place.

The damage from Shadow Brokers is very different from that caused by Snowden. It did not expose illegal surveillance, but it made the hacking tools used by the NSA worthless – at least to them – and undermined its reputation that it could effectively guard its secrets. As the Times put it:

Current and former agency officials say the Shadow Brokers disclosures, which began in August 2016, have been catastrophic for the NSA, calling into question its ability to protect potent cyberweapons and its very value to national security. The agency regarded as the world’s leader in breaking into adversaries’ computer networks failed to protect its own.

The cyberweapons already leaked have been used against millions of average citizens and thousands of businesses including factories and hospitals. And there are more expected.

Ironically, while Shadow Brokers generated international headlines, it doesn’t look like the group made big money – which was apparently one of the goals. Naked Security’s Paul Ducklin noted that when the group first went public they contended that what they had was worth as much as $600 million – a number they rapidly began to discount.

Estimates this past August suggest the group made as little as $90,000 through “subscriptions” for what they called a “monthly dump service” of stolen NSA exploits.

They continue to communicate regularly with online rants that, as Ducklin put it last year, are written…

…in a curious style, as though native speakers of English had gone out of their way to create a document that reads in a carefully and consistently stilted way, fusing a sort of fake and vaguely insulting pidgin with the faintly annoying diction of Yoda out of Star Wars.

In the group’s most recent diatribe, on 16 October, they mocked the agency, writing, “Is NSA chasing shadowses?” and regularly refers to its audience as ThePeoples, as in, “ThePeoples is no believing. ThePeoples is got jokes.”

But while the identity of the Brokers is yet to be revealed, there are some educated guesses about where they are from. Bruce Schneier, CTO of IBM Resilient, in a blog post last May, said he thought it was unlikely that it was a whistleblower, since most of the tools and other cyberweapons were stolen in 2013, and it would be unlikely for someone like that to, “sit on attack tools for three years before publishing.”

He said criminals, rather than publishing the tools, would use them. And random, lucky hackers wouldn’t hoard them either, since they would be, “in danger from half the intelligence agencies in the world.”

That leaves a nation state, he wrote, and given that he doubts Israel or France would do it, and North Korea and Iran don’t have the capability, that means:

The obvious list of countries who fit my two criteria is small: Russia, China, and­ – I’m out of ideas. And China is currently trying to make nice with the US.

But even Russia as the villain doesn’t make sense, he wrote, since, “these leaked tools are much more valuable if kept secret.”

So there remains plenty of suspicion within the NSA that an insider is involved. One of the three charged so far, contractor Harold T. Martin III, was arrested last year after FBI agents found what they called a “breathtaking” stash of documents and storage devices in his home, garden shed and car – 50 terabytes of classified intelligence data.

He had much of what Shadow Brokers published, but investigators say he may have been hacked himself.

And, as NSA employees told the Times, it could have been one or more of many, many others:

With thousands of employees pouring in and out of the gates, and the ability to store a library’s worth of data in a device that can fit on a key ring, it is impossible to prevent people from walking out with secrets.

Regardless of who is behind the dump, where does this leave businesses? While this debate and discussion rages on, companies of all size and industries remain vulnerable and at risk of attack, says Dan Schiappa, senior vice president and general manager of Products, Sophos.

We’ve reached a turning point. Traditional security methods are no longer enough to prevent cyberattacks. With Shadow Brokers’ ongoing release of stolen NSA tools that are mouthwatering for hackers, but incredibly dangerous for businesses, security as we know it must change.

Companies need to take a predictive approach to security, meaning they must adopt technologies that include defenses that expect and can stop sophisticated attacks. Predictive security includes early detection and prevention with deep learning technology, plus anti-ransomware capabilities that stops complex ransomware, like we’ve already seen with WannaCry, in its tracks.

With the pace at which cybercriminals are innovating, and considering how stealthy they are, you never know when you will get hit. Expect it at any moment and expect repeated, evolved attacks over time – businesses must pay attention to being prepared to stay secure.