Las Vegas Review-Journal

WATER PLANTS, HOSPITALS MAY BE COMPROMISED

“Time is burning. Understand, this is really a war — with offense on one side, and institutions, organizations and schools on the other, defending against an unknown adversary.”


have gone unnoticed.

Scans for the two hacking tools used against IDT indicate that the company is not alone. In fact, tens of thousands of computer systems all over the world have been “backdoored” by the same NSA weapons. Ben-oni and other security researchers worry that many of those other infected computers are connected to transportation networks, hospitals, water treatment plants and other utilities.

An attack on those systems, they warn, could put lives at risk. And Ben-oni, fortified with adrenaline, Red Bull and the house beats of Deadmau5, the Canadian record producer, said he would not stop until the attacks had been shut down and those responsible were behind bars.

“The world is burning about WannaCry, but this is a nuclear bomb compared to WannaCry,” Ben-oni said. “This is different. It’s a lot worse. It steals credentials. You can’t catch it, and it’s happening right under our noses.”

And, he added, “The world isn’t ready for this.”

Targeting the nerve center

As IDT started acquiring and spinning off an eclectic list of ventures, Ben-oni found himself responsible for securing shale oil projects in Mongolia and the Golan Heights, a “Star Trek” comic books company, a project to cure cancer, a yeshiva university that trains underprivileged students in cybersecurity, and a small mobile company that Verizon recently acquired for $3.1 billion.

Which is to say he has encountered hundreds of thousands of hackers of every stripe, motivation and skill level. He eventually started a security business, IOSecurity, under IDT, to share some of the technical tools he had developed to keep IDT’s many businesses secure. By Ben-oni’s estimate, IDT experiences hundreds of attacks a day on its businesses, but perhaps only four each year that give him pause.

Nothing compared to the attack that struck in April. Like the WannaCry attack in May, the assault on IDT relied on cyberweapons developed by the NSA that were leaked online in April by a mysterious group of hackers calling themselves the Shadow Brokers — believed to be Russia-backed cybercriminals, an NSA mole, or both.

The WannaCry attack — which the NSA and security researchers have tied to North Korea — employed one NSA cyberweapon; the IDT assault used two.

Both WannaCry and the IDT attack used a hacking tool the agency had code-named EternalBlue. The tool took advantage of unpatched Microsoft servers to automatically spread malware from one server to another, so that within 24 hours North Korea’s hackers had spread their ransomware to more than 200,000 servers around the globe.

The attack on IDT went a step further with another stolen NSA cyberweapon, called DoublePulsar. The NSA used DoublePulsar to penetrate computer systems without tripping security alarms. It allowed NSA spies to inject their tools into the nerve center of a target’s computer system, called the kernel, which manages communications between a computer’s hardware and its software.

In the pecking order of a computer system, the kernel is at the very top, allowing anyone with secret access to it to take full control of a machine. It is also a dangerous blind spot for most security software, allowing attackers to do what they want and go unnoticed. In IDT’s case, attackers used DoublePulsar to steal an IDT contractor’s credentials. Then they deployed ransomware in what appears to be a cover for their real motive: broader access to IDT’s businesses.

Ben-oni learned of the attack only when a contractor, working from home, switched on her computer to find that all her data had been encrypted and that attackers were demanding a ransom to unlock it. He might have assumed that this was a simple case of ransomware.

But the attack struck Ben-oni as unique. For one thing, it was timed perfectly to the Sabbath. Attackers entered IDT’s network at 6 p.m. Saturday on the dot, 2 1/2 hours before the Sabbath would end and when most of IDT’s employees — 40 percent of whom identify as Orthodox Jews — would be off the clock. For another, the attackers compromised the contractor’s computer through her home modem — strange.

The black box of sorts, a network recording device made by the Israeli security company Secdo, shows that the ransomware was installed after the attackers had made off with the contractor’s credentials. And they managed to bypass every major security detection mechanism along the way. Finally, before they left, they encrypted her computer with ransomware, demanding $130 to unlock it, to cover up the more invasive attack on her computer.

Ben-oni estimates that he has spoken to 107 security experts and researchers about the attack, including the chief executives of nearly every major security company and the heads of threat intelligence at Google, Microsoft and Amazon.

Few traces noticed

With the exception of Amazon, which found that some of its customers’ computers had been scanned by the same computer that hit IDT, no one had seen any trace of the attack before Ben-oni notified them. The New York Times confirmed Ben-oni’s account via written summaries provided by Palo Alto Networks, Intel’s McAfee and other security firms he used and asked to investigate the attack.

“I started to get the sense that we were the canary,” he said. “But we recorded it.”

Since IDT was hit, Ben-oni has contacted everyone in his Rolodex to warn them of an attack that could still be worming its way, undetected, through victims’ systems.

“Time is burning,” Ben-oni said.

Six years ago, Ben-oni had a chance meeting with an NSA employee at a conference and asked him how to defend against modern-day cyberthreats. The NSA employee advised him to “run three of everything”: three firewalls, three anti-virus solutions, three intrusion detection systems. And so he did.

But in this case, modern-day detection systems created by Cylance, McAfee and Microsoft and patching systems by Tanium did not catch the attack on IDT. Nor did any of the 128 publicly available threat intelligence feeds that IDT subscribes to. Even the 10 threat intelligence feeds that his organization spends a half-million dollars on annually for urgent information failed to report it. He has since threatened to return their products.

“Our industry likes to work on known problems,” Ben-oni said. “This is an unknown problem. We’re not ready for this.”

No one he has spoken to knows whether they have been hit, but just this month, restaurants across the United States reported being hit with similar attacks that were undetected by anti-virus systems. There are now YouTube videos showing criminals how to attack systems using the very same NSA tools used against IDT, and Metasploit, an automated hacking tool, now allows anyone to carry out these attacks with the click of a button.

Worse still, Ben-oni said, “No one is running point on this.”

Last month, he personally briefed the FBI analyst in charge of investigating the WannaCry attack. He was told that the agency had been specifically tasked with WannaCry and that even though the attack on his company was more invasive and sophisticated, it was still technically something else, and therefore the FBI could not take on his case.

The FBI did not respond to requests for comment.

So Ben-oni has largely pursued the case himself. His team at IDT was able to trace part of the attack to a personal Android phone in Russia and has been feeding its findings to Europol, the European law enforcement agency based in The Hague.

The chances that IDT was the only victim of this attack are slim. Sean Dillon, a senior analyst at RiskSense, a New Mexico security company, was among the first security researchers to scan the internet for the NSA’s DoublePulsar tool. He found tens of thousands of host computers were infected with the tool, which attackers could use at will.

“Once DoublePulsar is on the machine, there’s nothing stopping anyone else from coming along and using the back door,” Dillon said.

More distressing, Dillon tested all the major anti-virus products against the DoublePulsar infection and a demoralizing 99 percent failed to detect it.

“We’ve seen the same computers infected with DoublePulsar for two months, and there is no telling how much malware is on those systems,” Dillon said. “Right now we have no idea what’s gotten into these organizations.”

Ben-oni is convinced that IDT is not the only victim and that these tools can and will be used to do far worse.

“I look at this as a life-or-death situation,” he said. “Today it’s us, but tomorrow it might be someone else.”

JUSTIN T. GELLERSON / THE NEW YORK TIMES — Golan Ben-oni of IDT Corp. says a cyberattack he quashed at IDT may still be striking victims undetected around the world. “This is an unknown problem. We’re not ready for this,” he says.
