Risk
12/30/2013
02:08 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

NSA Elite Hacking Team Operations Exposed

Treasure trove of tools created and used by NSA hackers for planting backdoors via Cisco, Juniper, Apple products unveiled in latest document leaks

It should come as no surprise that the National Security Agency has a special team of top-gun hackers who breaks into systems around the world to spy on its targets. But revelations published yesterday by a German magazine about the NSA's Tailored Access Operations (TAO) Group and the agency's homegrown hacking tools shine some light on the scope and expertise of the agency's hacking abilities, including its custom backdoor tools for popular commercial networking equipment and systems.

Der Spiegel reported yesterday that the NSA describes the TAO as specialized in "getting the ungettable" with access to "our very hardest targets." According to the report, the hacking team successfully infiltrated 258 targets across 89 countries, and in 2010, executed some 279 different operations.

The report stops short of confirming whether the TAO team was involved in the creation and execution of Stuxnet, the highly targeted malware program that sabotaged uranium enrichment equipment in Iran's Natanz nuclear facility. But it references leaked internal NSA presentation documents on the agency's goals of hacking "servers, workstations, firewalls, routers, handsets, phone switches, SCADA systems, etc."

Michael Sutton, vice president of security research at Zscaler, says the report by the German publication appears to "insinuate" TAO's involvement with Stuxnet, but it's not definitive. "The team does have a development arm constantly tinkering with new technologies," Sutton says.

The leaked catalog of NSA's custom software and hardware-based hacking tools date back to 2008, so the newly exposed information raises more questions about what else the agency has in its arsenal today. The NSA toolkit published by der Spiegel consists of so-called "implant" items, such as Nightstand, an 802.11 wireless exploitation and injection tool; Jetplow, a "firmware persistence implant" for taking over Cisco PIX and ASA firewalls; Halluxwater, a backdoor for Huawei firewalls; Feedtrough, a software tool that operates in Juniper firewalls to move other NSA spy software onto mainframes; and Dropout Jeep, a software tool for intercepting communications from an Apple iPhone.

According to the report, the tools have allowed the NSA to create its own global spy network "that operates alongside the Internet." And in a nod to old-school spying techniques, the NSA's TAO group reportedly can intercept from a target a computer shipment and load malware or hardware backdoor access onto the equipment before it reaches the buyer.

[EMC security subsidiary accused of accepting $10 million from the NSA to purposefully use encryption for which the intelligence agency enjoyed backdoor access. See RSA Denies Trading Security For NSA Payout.]

Networking vendors Cisco and Juniper both issued statements of concern about the report. John Stewart, senior vice president and chief security officer at Cisco, says his company is unaware of any new product vulnerabilities reportedly exploited by the agency, and does not deploy security "backdoors" in its products.

"We are deeply concerned with anything that may impact the integrity of our products or our customers’ networks and continue to seek additional information," Stewart said in a blog post. "At this time, we do not know of any new product vulnerabilities, and will continue to pursue all avenues to determine if we need to address any new issues. If we learn of a security weakness in any of our products, we will immediately address it. As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security ‘back doors’ in our products."

A Juniper spokesperson echoed the same sentiments. "We take allegations of this nature very seriously and are working actively to address any possible exploit paths ... We are also committed to the responsible disclosure of security vulnerabilities, and if necessary, will work closely with customers to implement any mitigation steps," the spokesperson said. "Juniper Networks is not aware of any so-called 'BIOS implants' in our products and has not assisted any organization or individual in the creation of such implants."

Zscaler's Sutton says the round of NSA revelations of backdoors in security and networking products has placed the affected vendors in a "delicate position."

"There are really a couple of different ways they get drawn into this. One is that they are a passive participant caught in the middle, and their technologies are attacked," he says. "The NSA has been quite aggressive ... tapping into cables at data centers, and that's all bad news for the vendors. Even though they are not complicit in that process, [vendors] still bear the brunt of the public backlash."

Sutton says the other side of the coin is that vendors in some cases are legally obligated to hand over some data to the NSA, for example. "That, too, is not desirable for them," he says. "They want the public to see" they have no choice in those cases, he says.

Security expert Richard Stiennon says this means security vendors will need to take security more seriously than ever now that they have a "new adversary." "Historically the greatest threats to hardware and software vendors were hackers and security researchers who sought the positive exposure of being the ones to discover a new vulnerability. The actual exploit of published vulnerabilities of network gear is rare and in most cases of responsible disclosure the vendor is given an opportunity to release a patch before the vulnerability is published," he said in a post.

Still, the NSA is not unlike other attackers, Sutton says. "Each time we have one of these [NSA] leaks ... the focus tends to be on this silver bullet we didn't know about, this very powerful tool and method. But the NSA is no different in its tactics at the base level than any other attacker," he says. "They have a toolkit available to them, they reach out and pull out particular tasks. And those tools continually evolve and are remade to suit their purposes. We are constantly seeing glimpses into that toolbox."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-3605
Published: 2014-11-25
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-6407. Reason: This candidate is a reservation duplicate of CVE-2014-6407. Notes: All CVE users should reference CVE-2014-6407 instead of this candidate. All references and descriptions in this candidate have been removed to pre...

CVE-2014-6093
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.0.x before 7.0.0.2 CF29, 8.0.x through 8.0.0.1 CF14, and 8.5.x before 8.5.0 CF02 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

CVE-2014-6196
Published: 2014-11-25
Cross-site scripting (XSS) vulnerability in IBM Web Experience Factory (WEF) 6.1.5 through 8.5.0.1, as used in WebSphere Dashboard Framework (WDF) and Lotus Widget Factory (LWF), allows remote attackers to inject arbitrary web script or HTML by leveraging a Dojo builder error in an unspecified WebSp...

CVE-2014-7247
Published: 2014-11-25
Unspecified vulnerability in JustSystems Ichitaro 2008 through 2011; Ichitaro Government 6, 7, 2008, 2009, and 2010; Ichitaro Pro; Ichitaro Pro 2; Ichitaro 2011 Sou; Ichitaro 2012 Shou; Ichitaro 2013 Gen; and Ichitaro 2014 Tetsu allows remote attackers to execute arbitrary code via a crafted file.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?