MALWARE CASE, A MAJOR BLOW FOR THE NSA

The nightmare for the agency is not yet over; cyberspecialists are saying that on the underground dark web, another NSA tool has been weaponised and offered for sale

New Straits Times - Opinion - The writer is a reporter in the Washington bureau of ‘The New York Times’, where he has written about national security and other topics

SINCE August, when a mysterious group calling itself the Shadow Brokers announced that it was auctioning off highly classified National Security Agency (NSA) hacking tools, a low-grade panic seized the nation’s largest intelligence agency.

In April, when the Shadow Brokers dumped dozens of the agency’s software exploits on the web, free to criminals and foreign spies alike, the clock began ticking towards inevitable calamity. And, since Friday, the agency has watched as malicious software based on its creations spread across the world, shutting down hospitals, disrupting rail traffic and spurring frustration and chaos in some 150 countries.

“For half a century, NSA pried into other people’s secrets,” said Amy B. Zegart, a Stanford University professor who studies intelligence agencies. “Now they’re suddenly sitting ducks who have their secrets stolen and used around the world.”

The weekend’s ransomware attack is only the latest in a series of trials for the agency. In 2005, the revelation by The New York Times that the NSA was eavesdropping inside the United States without court orders set off a year-long debate over privacy and led to new legal limits on surveillance.

In 2013, Edward Snowden gave journalists hundreds of thousands of NSA documents he had taken as a contractor, igniting a global debate over the agency’s targeting of allies as well as foes. Last August, shortly after the Shadow Brokers’ debut, a veteran intelligence contractor, Harold T. Martin III, was charged with walking out of the NSA and other agencies with a staggering 50 terabytes of confidential data.

Michael V. Hayden, the director of the NSA from 1999 to 2005, said he had defended it for years in debates over civil liberties. “But I cannot defend an agency having powerful tools if it cannot protect the tools and keep them in its own hands,” he said.

He said the loss of the so-called malware, and the damage it has caused, “poses a very serious threat to the future of the agency”.

The latest nightmare for the agency, which is responsible for eavesdropping, code breaking and cyberespionage, appears to be far from over. Early Tuesday, a post purportedly from the Shadow Brokers announced that it was starting a sort of hack-of-the-month club.

“TheShadowBrokers is launching new monthly subscription model,” said the post, in the faux broken English that the group has repeatedly used in public statements. “Is being like wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month. What members doing with data after is up to members.”

The mocking tone — the post’s title, “OH LORDY! Comey Wanna Cry Edition,” referred to President Donald Trump’s firing of the Federal Bureau of Intelligence (FBI) director, James Comey, and the ransomware known as WannaCry — could not disguise the deadly serious nature of the threat. Software experts said that the group’s dump of NSA tools in April included additional exploits that are “wormable” — meaning they could spread rapidly, like the ransomware attack — and that it might well have more NSA malware it has not yet released.

The Shadow Brokers saga began in mid-August with a cryptic announcement on Pastebin.com of an online auction of hacking tools taken from the Equation Group, a tech industry name for the NSA’s hacking division, officially called Tailored Access Operations. A few samples were listed to encourage bids.

“We auction best files to highest bidder,” the note said.

The announcement created a scramble in the intelligence world to assess the damage and to find the source.

There were at least three theories: that Russian hackers had somehow swiped the tools from the agency or a contractor; that NSA operators had inadvertently left them unguarded on a “staging server” used to conduct espionage; or that a disgruntled insider had leaked or sold the malware.

The last scenario — an insider leak from among the 35,000 NSA employees and thousands more contractors — is now in the lead, officials say. About the time the leak hunt began, the FBI arrested Martin, a veteran intelligence contractor who had worked at the NSA, including in its Tailored Access Operations unit.

An NSA employee was arrested in 2015 but never identified, according to officials who spoke on the condition of anonymity. That employee’s possible role in leaks remains unclear.

Martin was not charged with sharing the tools. It is uncertain what charges have been filed against the second person.

The Shadow Brokers found few bidders for their stolen wares. They offered a few more announcements, including screenshots of computer code, without stirring up sales.

Then, in March, apparently after being tipped off by the NSA, Microsoft offered customers a patch that would protect against some of the NSA exploits. Fearing that the window for using the stolen malware was closing, on April 14, the Shadow Brokers simply dumped a list of dozens of the NSA files on github.com, a site for programmers. The group gave the password to find the malware on a cloud site, Yandex Disk, and issued an announcement on steemit.com.

“Is being too bad nobody deciding to be paying theshadowbrokers for just to shutup and going away,” the notice said. “TheShadowBrokers rather being getting drunk with McAfee,” an apparent reference to the anti-virus company, “on desert island with hot babes.”

BinaryEdge, a Zurich cybersecurity company, began picking up machines around the world infected with an NSA exploit called DoublePulsar.

The total reached 106,000 on April 21; 244,000 on April 25; and 429,000 on April 27.

“It was a prewarning of what was to come,” said Tiago Henriques, the chief executive of BinaryEdge.

Using another exploit, called EternalBlue, attackers began targeting vulnerable machines with a self-replicating software “worm” that locked files and posted a ransom demand.

Even the April release of NSA exploits is not close to exhausted, according to several cyberspecialists. On the underground dark web, they said, another NSA tool has been weaponised and offered for sale, and hackers are discussing how to use another dozen agency exploits.


REUTERS PIC: A screenshot of the WannaCry ransomware demand. Since Friday, the National Security Agency has watched as malicious software based on its creations spread across the world, spurring frustration and chaos in some 150 countries.
