Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

12/30/2013
02:08 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

NSA Elite Hacking Team Operations Exposed

Treasure trove of tools created and used by NSA hackers for planting backdoors via Cisco, Juniper, Apple products unveiled in latest document leaks

It should come as no surprise that the National Security Agency has a special team of top-gun hackers who breaks into systems around the world to spy on its targets. But revelations published yesterday by a German magazine about the NSA's Tailored Access Operations (TAO) Group and the agency's homegrown hacking tools shine some light on the scope and expertise of the agency's hacking abilities, including its custom backdoor tools for popular commercial networking equipment and systems.

Der Spiegel reported yesterday that the NSA describes the TAO as specialized in "getting the ungettable" with access to "our very hardest targets." According to the report, the hacking team successfully infiltrated 258 targets across 89 countries, and in 2010, executed some 279 different operations.

The report stops short of confirming whether the TAO team was involved in the creation and execution of Stuxnet, the highly targeted malware program that sabotaged uranium enrichment equipment in Iran's Natanz nuclear facility. But it references leaked internal NSA presentation documents on the agency's goals of hacking "servers, workstations, firewalls, routers, handsets, phone switches, SCADA systems, etc."

Michael Sutton, vice president of security research at Zscaler, says the report by the German publication appears to "insinuate" TAO's involvement with Stuxnet, but it's not definitive. "The team does have a development arm constantly tinkering with new technologies," Sutton says.

The leaked catalog of NSA's custom software and hardware-based hacking tools date back to 2008, so the newly exposed information raises more questions about what else the agency has in its arsenal today. The NSA toolkit published by der Spiegel consists of so-called "implant" items, such as Nightstand, an 802.11 wireless exploitation and injection tool; Jetplow, a "firmware persistence implant" for taking over Cisco PIX and ASA firewalls; Halluxwater, a backdoor for Huawei firewalls; Feedtrough, a software tool that operates in Juniper firewalls to move other NSA spy software onto mainframes; and Dropout Jeep, a software tool for intercepting communications from an Apple iPhone.

According to the report, the tools have allowed the NSA to create its own global spy network "that operates alongside the Internet." And in a nod to old-school spying techniques, the NSA's TAO group reportedly can intercept from a target a computer shipment and load malware or hardware backdoor access onto the equipment before it reaches the buyer.

[EMC security subsidiary accused of accepting $10 million from the NSA to purposefully use encryption for which the intelligence agency enjoyed backdoor access. See RSA Denies Trading Security For NSA Payout.]

Networking vendors Cisco and Juniper both issued statements of concern about the report. John Stewart, senior vice president and chief security officer at Cisco, says his company is unaware of any new product vulnerabilities reportedly exploited by the agency, and does not deploy security "backdoors" in its products.

"We are deeply concerned with anything that may impact the integrity of our products or our customers’ networks and continue to seek additional information," Stewart said in a blog post. "At this time, we do not know of any new product vulnerabilities, and will continue to pursue all avenues to determine if we need to address any new issues. If we learn of a security weakness in any of our products, we will immediately address it. As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security ‘back doors’ in our products."

A Juniper spokesperson echoed the same sentiments. "We take allegations of this nature very seriously and are working actively to address any possible exploit paths ... We are also committed to the responsible disclosure of security vulnerabilities, and if necessary, will work closely with customers to implement any mitigation steps," the spokesperson said. "Juniper Networks is not aware of any so-called 'BIOS implants' in our products and has not assisted any organization or individual in the creation of such implants."

Zscaler's Sutton says the round of NSA revelations of backdoors in security and networking products has placed the affected vendors in a "delicate position."

"There are really a couple of different ways they get drawn into this. One is that they are a passive participant caught in the middle, and their technologies are attacked," he says. "The NSA has been quite aggressive ... tapping into cables at data centers, and that's all bad news for the vendors. Even though they are not complicit in that process, [vendors] still bear the brunt of the public backlash."

Sutton says the other side of the coin is that vendors in some cases are legally obligated to hand over some data to the NSA, for example. "That, too, is not desirable for them," he says. "They want the public to see" they have no choice in those cases, he says.

Security expert Richard Stiennon says this means security vendors will need to take security more seriously than ever now that they have a "new adversary." "Historically the greatest threats to hardware and software vendors were hackers and security researchers who sought the positive exposure of being the ones to discover a new vulnerability. The actual exploit of published vulnerabilities of network gear is rare and in most cases of responsible disclosure the vendor is given an opportunity to release a patch before the vulnerability is published," he said in a post.

Still, the NSA is not unlike other attackers, Sutton says. "Each time we have one of these [NSA] leaks ... the focus tends to be on this silver bullet we didn't know about, this very powerful tool and method. But the NSA is no different in its tactics at the base level than any other attacker," he says. "They have a toolkit available to them, they reach out and pull out particular tasks. And those tools continually evolve and are remade to suit their purposes. We are constantly seeing glimpses into that toolbox."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
Google Lets iPhone Users Turn Device into Security Key
Kelly Sheridan, Staff Editor, Dark Reading,  1/15/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-3595
PUBLISHED: 2020-01-22
Multiple Cross-site Scripting (XSS) vulnerabilities exist in Joomla! through 1.7.0 in index.php in the search word, extension, asset, and author parameters.
CVE-2011-3610
PUBLISHED: 2020-01-22
A Cross-site Scripting (XSS) vulnerability exists in the Serendipity freetag plugin before 3.30 in the tagcloud parameter to plugins/serendipity_event_freetag/tagcloud.swf.
CVE-2019-18583
PUBLISHED: 2020-01-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2019. Notes: none.
CVE-2019-18584
PUBLISHED: 2020-01-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2019. Notes: none.
CVE-2019-18585
PUBLISHED: 2020-01-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2019. Notes: none.