Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/30/2013
02:08 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

NSA Elite Hacking Team Operations Exposed

Treasure trove of tools created and used by NSA hackers for planting backdoors via Cisco, Juniper, Apple products unveiled in latest document leaks

It should come as no surprise that the National Security Agency has a special team of top-gun hackers who breaks into systems around the world to spy on its targets. But revelations published yesterday by a German magazine about the NSA's Tailored Access Operations (TAO) Group and the agency's homegrown hacking tools shine some light on the scope and expertise of the agency's hacking abilities, including its custom backdoor tools for popular commercial networking equipment and systems.

Der Spiegel reported yesterday that the NSA describes the TAO as specialized in "getting the ungettable" with access to "our very hardest targets." According to the report, the hacking team successfully infiltrated 258 targets across 89 countries, and in 2010, executed some 279 different operations.

The report stops short of confirming whether the TAO team was involved in the creation and execution of Stuxnet, the highly targeted malware program that sabotaged uranium enrichment equipment in Iran's Natanz nuclear facility. But it references leaked internal NSA presentation documents on the agency's goals of hacking "servers, workstations, firewalls, routers, handsets, phone switches, SCADA systems, etc."

Michael Sutton, vice president of security research at Zscaler, says the report by the German publication appears to "insinuate" TAO's involvement with Stuxnet, but it's not definitive. "The team does have a development arm constantly tinkering with new technologies," Sutton says.

The leaked catalog of NSA's custom software and hardware-based hacking tools date back to 2008, so the newly exposed information raises more questions about what else the agency has in its arsenal today. The NSA toolkit published by der Spiegel consists of so-called "implant" items, such as Nightstand, an 802.11 wireless exploitation and injection tool; Jetplow, a "firmware persistence implant" for taking over Cisco PIX and ASA firewalls; Halluxwater, a backdoor for Huawei firewalls; Feedtrough, a software tool that operates in Juniper firewalls to move other NSA spy software onto mainframes; and Dropout Jeep, a software tool for intercepting communications from an Apple iPhone.

According to the report, the tools have allowed the NSA to create its own global spy network "that operates alongside the Internet." And in a nod to old-school spying techniques, the NSA's TAO group reportedly can intercept from a target a computer shipment and load malware or hardware backdoor access onto the equipment before it reaches the buyer.

[EMC security subsidiary accused of accepting $10 million from the NSA to purposefully use encryption for which the intelligence agency enjoyed backdoor access. See RSA Denies Trading Security For NSA Payout.]

Networking vendors Cisco and Juniper both issued statements of concern about the report. John Stewart, senior vice president and chief security officer at Cisco, says his company is unaware of any new product vulnerabilities reportedly exploited by the agency, and does not deploy security "backdoors" in its products.

"We are deeply concerned with anything that may impact the integrity of our products or our customers’ networks and continue to seek additional information," Stewart said in a blog post. "At this time, we do not know of any new product vulnerabilities, and will continue to pursue all avenues to determine if we need to address any new issues. If we learn of a security weakness in any of our products, we will immediately address it. As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security ‘back doors’ in our products."

A Juniper spokesperson echoed the same sentiments. "We take allegations of this nature very seriously and are working actively to address any possible exploit paths ... We are also committed to the responsible disclosure of security vulnerabilities, and if necessary, will work closely with customers to implement any mitigation steps," the spokesperson said. "Juniper Networks is not aware of any so-called 'BIOS implants' in our products and has not assisted any organization or individual in the creation of such implants."

Zscaler's Sutton says the round of NSA revelations of backdoors in security and networking products has placed the affected vendors in a "delicate position."

"There are really a couple of different ways they get drawn into this. One is that they are a passive participant caught in the middle, and their technologies are attacked," he says. "The NSA has been quite aggressive ... tapping into cables at data centers, and that's all bad news for the vendors. Even though they are not complicit in that process, [vendors] still bear the brunt of the public backlash."

Sutton says the other side of the coin is that vendors in some cases are legally obligated to hand over some data to the NSA, for example. "That, too, is not desirable for them," he says. "They want the public to see" they have no choice in those cases, he says.

Security expert Richard Stiennon says this means security vendors will need to take security more seriously than ever now that they have a "new adversary." "Historically the greatest threats to hardware and software vendors were hackers and security researchers who sought the positive exposure of being the ones to discover a new vulnerability. The actual exploit of published vulnerabilities of network gear is rare and in most cases of responsible disclosure the vendor is given an opportunity to release a patch before the vulnerability is published," he said in a post.

Still, the NSA is not unlike other attackers, Sutton says. "Each time we have one of these [NSA] leaks ... the focus tends to be on this silver bullet we didn't know about, this very powerful tool and method. But the NSA is no different in its tactics at the base level than any other attacker," he says. "They have a toolkit available to them, they reach out and pull out particular tasks. And those tools continually evolve and are remade to suit their purposes. We are constantly seeing glimpses into that toolbox."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27132
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
CVE-2021-25284
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
CVE-2021-3144
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
CVE-2021-3148
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
CVE-2021-3151
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...