It’s 3 months since some of the NSA’s top-secret hacking tools were dumped for public inspection by person or persons unknown. Various commentators and experts voiced theories about the motive and perpetrator. People such as Edward Snowden and security experts pointed fingers at Russia almost immediately. The picture of the event has changed somewhat in the intervening period and the salient facts have been re-examined in a different light:
- The suggested price for the remainder of the cache at $568 million was way too high to be credible. This indicated the likelihood of a simple publicity stunt rather than a serious attempt to obtain money.
- Some of the tools were zero-day exploits (tools that take advantage of unreported vulnerabilities) and could have fetched over $100,000 each on the black market instead of being given away for free. That would have been the obvious route to take if money were the objective.
- The timestamps indicated that the material was 3 years old. Although its authenticity has been corroborated, why keep it under wraps for that long?
- The FBI, who are leading the investigation, now say they believe it was accidentally exposed by an NSA employee or subcontractor and subsequently discovered by the perpetrator.
So the infamous hack looks like it was not a hack at all. The most likely explanation is that the act was a veiled threat by Russia to lay off further actions against it over the much-publicized hacks of several Democratic Party organizations. The implication is that the network serving up the malware could be identified, which could severely embarrass the US should it be linked to actions against allies.
Probably the most shocking aspect of the entire affair is the realization that the NSA “good guys” are happy to uncover vulnerabilities but not to inform the equipment manufacturer. Just like any black-hat hacker, they use the information to develop exploits. The most infamous exploit attributed to that group.
The targeted equipment is serious, enterprise-grade network gear used in government networks, large corporations and the like: routers and firewalls manufactured by major American and Chinese vendors such as Cisco, Juniper Networks and Fortinet. Seemingly the material consisted of exploits (tools), command-and-control server configurations and installation scripts, which is substantially different from the more commonplace drive-by infection from a malware site that dumps criminalware on the computers of unsuspecting visitors. Some sources believe that the exploits, apparently numbering about ten, were supplied to the NSA by a cyber-espionage organization called the Equation Group, which has also been linked to the Stuxnet computer worm.
It is not only the NSA that suffered a significant credibility setback. One can only imagine the reactions of the top brass of the equipment manufacturers that were impacted. In the highly competitive world of international network equipment, the perception of buying a totally secure network is paramount. Suddenly, the Cisco salesman or OEM may be asked whether the equipment can be guaranteed to be completely secure, or whether the US Government effectively holds the keys to a back door.