An unprecedented data dump, of security exploits believed to originate from within the US National Security Agency (NSA) has left some firms scrambling to fix security holes dating back years, and revealed the extent to which the NSA stockpiles cyber-weapons..

The dump includes attacks on network products from several vendors, including Cisco and Juniper. These so-called ’zero day exploits’ take advantage of software vulnerabilities that have been found, and kept secret from the vendor. Until the vendor knows and fixes these weaknesses, they can be attacked, and the exploits can be used with ’cyber weapons’. The dump appears to show the US agency is stockpiling these exploits, but that another power gained access to its stash of weapons - revelations that could have serious ramifications for the US cyber security and cyber warfare team, as well as for foreign relations.

Flaw in the machine

Earlier this month, a hacking group going by the name ‘The Shadow Brokers’ appeared on Tumblr, trying to auction cyber weapons. ShadowBrokers said the exploits had been stolen from Equation Group, a cyber attack group which was involved with Stuxnet and Flame exploits. and is believed to be an NSA body, based on leaked Edward Snowden documents cited by The Intercept. The body has no official existence, and was named Equation Group by security researchers Kaspersky Labs. 

ShadowBrokers said: “We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons.

Continuing: “We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for Elites. Your wealth and control depends on electronic data. You see what “Equation Group” can do. You see what cryptolockers and Stuxnet can do. You see free files we give for free. You see attacks on banks and SWIFT in news.

“Maybe there is Equation Group version of cryptolocker+stuxnet for banks and financial systems? If Equation Group lose control of cyber weapons, who else lose or find cyber weapons? If electronic data go bye bye where leave Wealthy Elites? Maybe with dumb cattle? “Do you feel in charge?” Wealthy Elites, you send bitcoins, you bid in auction, maybe big advantage for you?”

The group released two files, one encrypted with demands for 1 million in bitcoin (around $550 million), and another for anyone to peruse.

It was in this second file that researchers began to realize that this Tumblr post was more serious than might originally have been suspected.

Documents showed information on hacking tools dating from 2013 and earlier, including firewall attack tools, with Snowden documents pointing to the tools originating from the NSA.

The tools compromised devices built by Cisco, Fortinet, Juniper, WatchGuard and Chinese firewall vendor TopSec.

Cisco confirmed the legitimacy of two vulnerabilities exploited by tools named EXTRABACON and EPICBANANA. The zero day flaw exploited by EXTRABACON was a new one to Cisco, which was patched quickly. EPICBANANA’s flaw had already been patched in 2011.

Meanwhile, legacy Cisco PIX security appliances may be vulnerable to a different tool. Some 15,000 PIX devices, built from at least 2002 to 2008, still remain in use, mostly in Russia; Cisco says the BENIGNCERTAIN tool impacts “PIX versions 6.x and prior.” The company has not said whether it is working on a fix for the product which “is not supported and has not been supported since 2009.”

“Cisco remains steadfast in the position that we should be notified of all vulnerabilities if they are found,” the company said. ”We look to defend our customers against attacks from any source, and our preventive technology and processes to investigate and fix vulnerabilities are industry-leading.”

It sure is strange when your company doesn’t just have to worry about attacks from foreign intelligence agencies, but from your own as well.

— Mikko Hypponen (@mikko) August 18, 2016

’Hacker Fantastic,’ the handle of a white hat hacker who works for UK consultancy MDSec, said: “Remote [unauthorized] cisco PIX & ASA code is Internet god mode”.

Hardly benign 

BENIGNCERTAIN is also thought to affect some aspects of Ipsec-Tools, StoneGate, HP JetDirect 635n, Funkwerk X2300, Gentoo Linux, Crypto IP, and SUSE Linux.

Meanwhile, Fortinet patched a flaw contained in the dump, that targeted the FortiGate firmware, while WatchGuard said in a statement to DCD: “We investigated the exploit and found that it cannot be used against any of our currently supported appliances.

“The referenced vulnerability was actually targeting RapidStream appliances, a company WatchGuard acquired in 2002. This RapidStream exploit did not carry over into any WatchGuard appliances and is not a vulnerability for our current customers.”

Juniper’s Security Incident Response team said that “we identified an attack against NetScreen devices running ScreenOS. We are examining the extent of the attack, but initial analysis indicates it targets the boot loader and does not exploit a vulnerability on ScreenOS devices.”

Earlier this year, some security professionals questioned whether Juniper had worked with the US government to install a backdoor.

Three years ago

Of all the documents released, the most recent date to three years ago, suggesting the hackers only had access up until that point.

In a series of tweets, condensed here for clarity, Edward Snowden offered his theory on how the hack happened, who was behind it, why it stopped when it did, and why we are finding out now.

“NSA traces and targets malware C2 servers in a practice called Counter Computer Network Exploitation, or CCNE. So do our rivals. NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations. This is how we steal their rivals’ hacking tools and reverse-engineer them to create “fingerprints” to help us detect them in the future. Here’s where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us – and occasionally succeed.

“Knowing this, NSA’s hackers (TAO) are told not to leave their hack tools (“binaries”) on the server after an op. But people get lazy. What’s new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is. Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.

“Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here’s why that is significant: This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections. Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.

“TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast.

“Bonus: When I came forward [in 2013] NSA would have migrated offensive operations to new servers as a precaution - it’s cheap and easy. So? So… The undetected hacker squatting on this NSA server lost access in June 2013. Rare public data point on the positive results of the leak.”

Who dunnit?

So it looks like a group got access to some of the NSA’s cyber weapons. They lost access in 2013 when Snowden went public and the NSA took precautions, and the group has now leaked the evidence as political tensions have begun to increase.

Whether it was a state body or an unaffiliated hacker group that was behind the attack is a topic of intense speculation. Russia, which has been linked to separate cyber attacks on the Democratic National Committee (DNC) and the Democratic Congressional Campaign Committee (DCCC), has been the group most suspected of culpability, but nothing is certain.

However, what is perhaps more pressing is what this means about the NSA’s view on zero day exploits. After continued legal action for nearly a year and a half, the Electronic Frontier Foundation managed to get the US government to confirm it stockpiles and uses zero days, but there is still a lot unknown.

One crucial question some have asked is whether the NSA were aware of the 2013 security breach, and if so, why the agency decided to remain quiet about the zero day flaws. Even if the NSA did not know about the breach, its approach of prioritizing offense over defense led to the zero days falling into another group’s hands, potentially for over three years.