Cyber Security and NSA Breach: Hack or Insider Threat?

by Dr. Vanessa Neumann

Asymmetrica
Decentralize.Today
Aug 17, 2016

Yesterday morning, August 16th, our Predata signals detected a buzz. The cybercrime signal was 3.06 standard deviations from its mean, a spike driven by inquiries into the NSA hack and by online conversations among people discussing the topic.

Using the signals as a jumping-off point, it was clear something was happening in the world of cybercrime, and at that point none of the major news agencies were covering it. A group of hackers calling themselves the "Shadow Brokers" claims to have hacked the "Equation Group," a hacking operation widely believed to be affiliated with the U.S. National Security Agency (NSA).

The group has released what appears to be classified exploit code and tooling designed to break through network firewalls and get inside the computer systems of adversaries such as Russia, China and Iran. Whoever obtained the code apparently got it either from the NSA's own classified servers or from other servers around the world that the agency used to stage the files.

Because the files date from 2013, some experts do not see the release as a serious threat, and the group's plan to auction the rest of the material for Bitcoin suggests the leak is driven by financial incentives rather than state-sponsored espionage.

Others dismiss the attack outright, among them James A. Lewis, a computer expert at the Center for Strategic and International Studies, a Washington think tank, who said, "I think it's Snowden-era stuff, repackaged for resale now. This is probably some Russian mind game, down to the bogus accent."

Other experts think this hack is absolutely something to worry about.

According to ex-NSA insiders who spoke with Business Insider, the agency’s hackers do not just put their exploits and toolkits online where they can potentially be stolen. The more likely scenario for where the data came from, says ex-NSA research scientist Dave Aitel, is an insider who downloaded it onto a USB stick.

The NSA is rattled. If that account is right, this was not a successful penetration by an adversary state; it was a lapse of internal security. That a major breach could come so easily from an employee lapse is a chilling reminder that the agency may be a lot less lucky next time.

What everyone can agree on, though, is the bizarre nature of this attack. Normally, attackers with access to NSA systems would stay quiet and extract everything they could before going public. Instead, the hackers took their accomplishment straight to a public forum, writing on Pastebin, a text-hosting site, that "we follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons."

However, cyber weapons are different from other weapons: once they are exposed, they quickly lose their value, because the code is then public, the vendors whose products it targets can patch the flaws it exploits, and defenders can write detections for it. So the value of auctioned code is limited, particularly if it is not current.

The wording on Pastebin suggests that the group no longer has access to the server. But the episode shows what the signals are for: when a group begins discussing an operation outside public forums and those in the know start looking up background information, the resulting spike in attention can be detected before the story breaks, giving advance notice that something is going on.
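The kind of check behind a "3.06 sigmas from the mean" alert, as an added illustration that is not Predata's or Asymmetrica's code: a rolling z-score detector over a daily attention series. The daily volumes below are constructed, the 7-day trailing window and 3-sigma threshold are assumptions, and the second, smaller spike is included to show a failure mode a detection engineer cares about, namely a large spike inflating the baseline's standard deviation and masking the next one unless flagged points are kept out of later baselines.

```python
"""Rolling z-score spike detection over a daily attention signal.

Added example, not Predata's or Asymmetrica's code. All numbers are
constructed; the spike at day 14 stands in for the August 16th jump.
"""
import math
from statistics import mean, pstdev

# Constructed daily volumes of a hypothetical "cybercrime" attention signal.
# Days 0-13 are calm, day 14 is a large spike, day 18 a smaller one.
SAMPLE_SERIES = [
    12, 12, 10, 14, 12, 10, 14,   # days 0-6
    10, 14, 12, 10, 14, 12, 12,   # days 7-13
    18,                           # day 14: the big spike
    12, 10, 14,                   # days 15-17
    17,                           # day 18: smaller spike
    12, 12,                       # days 19-20
]


def zscore(value, baseline):
    """Sigmas between `value` and the mean of `baseline` (population stdev)."""
    mu = mean(baseline)
    sd = pstdev(baseline)
    if sd == 0:
        # Flat baseline: any deviation at all is infinitely many sigmas out.
        return 0.0 if value == mu else math.copysign(math.inf, value - mu)
    return (value - mu) / sd


def detect_spikes(series, window=7, threshold=3.0, exclude_flagged=True):
    """Return [(day, sigmas)] for points at or above `threshold` sigmas.

    The baseline for day i is the trailing `window` points before i, so the
    point under test never inflates its own baseline. With exclude_flagged,
    days already flagged are also dropped from later baselines, so one big
    spike does not raise the standard deviation and mask the next one.
    """
    flagged = []
    flagged_days = set()
    for i in range(len(series)):
        if exclude_flagged:
            history = [j for j in range(i) if j not in flagged_days]
        else:
            history = list(range(i))
        if len(history) < window:
            continue  # not enough history to form a baseline yet
        baseline = [series[j] for j in history[-window:]]
        z = zscore(series[i], baseline)
        if z >= threshold:
            flagged.append((i, round(z, 2)))
            flagged_days.add(i)
    return flagged


if __name__ == "__main__":
    print("naive:   ", detect_spikes(SAMPLE_SERIES, exclude_flagged=False))
    print("excluded:", detect_spikes(SAMPLE_SERIES, exclude_flagged=True))
```

Run naively, only day 14 is flagged: day 18 sits less than two sigmas out because the 18 from day 14 is still inside its baseline window and has doubled the standard deviation. Excluding flagged days from later baselines restores the calm baseline and day 18 is flagged at about 3.3 sigmas. The threshold itself is a tuning choice; at 3 sigma a Gaussian series would still produce a false alert roughly once every 740 days, so in practice an alert like this is a prompt to go look, not a verdict.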

Originally published at asymmetrica.net on August 17, 2016.
