The attackers who “repeatedly” breached Nasdaq OMX systems over the past year were most likely stealing insider information to use for financial trades, according to a security expert.
Nasdaq OMX confirmed Feb. 5 that its systems had been breached by hackers and malware had been found on one of its servers, but assured investors that the system that controls trades weren’t affected and sensitive information stored in its Director’s Desk Web portal had not been compromised.
According to Tom Kellermann, a former computer security official at the World Bank and current vice president of security awareness and government affairs at Core Security Technologies, hackers may not have been interested in the trading system at all.
The goal of hackers is to “stay in” the network as long as they can, he said. The “reality” is that there is no point to hack into the trading platform, he said. It’s actually more beneficial for hackers to stay away from the trading system and to consider other applications, according to Kellermann.
“Attacking the trading system is like punching a bee hive: There’s all sorts of alarms raised and lots of heat,” Kellermann told eWEEK.
The criminals who infiltrated Nasdaq OMX must have been aware of the importance of these other systems, Kellermann speculated. The criminals gained access to a system containing sensitive insider information by getting into Director’s Desk, which they could use in trading to make money, he said.
Director’s Desk is a Nasdaq OMX subsidiary that offers Web-based tools to make it easier for boards of directors to prepare for, participate in and follow up on board meetings. Part of the service includes document-sharing tools for things like preliminary drafts of earnings reports and other key data and documents, according to its Website.
Director’s Desk customers were regularly accessing the portal with confidential information, Kellermann said. “Information is power, too” he said.
Two Republican Congressmen called the attack “troubling” on Feb. 8. In a joint letter to Nasdaq OMX, House Financial Services Committee Chairman Spencer Bachus and committee member Scott Garrett asked for information about how the systems will be secured going forward. Democrat Sen. Robert Menendez also sent a letter to Securities and Exchange Commission Chairman Mary Schapiro, Attorney General Eric Holder and Homeland Security Secretary Janet Napolitano, stating that the SEC should “consider investigating the extent to which hacking can disrupt trading platforms.”
“This is not terrorism or a state-sponsored attack,” but clearly an attack to game the market, a form of financial fraud, Kellermann said.
Nasdaq Faces Difficult Task Closing Attack Routes
Organizations tend to involve law enforcement after the hackers have already been in the system for some time, so there has already been some damage, Kellermann said. The unknown Nasdaq hackers had penetrated the network multiple times, and the investigation has been ongoing for at least six months.
Once in the system, the attackers likely had probed and traversed to other connected systems and set up “colonies” beyond where they entered the network, he said. The “tendrils do not end here,” as the hackers definitely probed the network to find other systems, he said. Once hackers are in the system, they create backdoors and additional passwords to ensure they can get back in the system, he said.
“Hackers don’t just stop where they land. Like the conquistadores in South America, they go deeper to see what they can colonize,” Kellermann said.
Criminals often sell these “owned systems” in an underground marketplace for others to take advantage of, he said. Those individuals may have more nefarious intentions than the original thieves.
Criminals often target major managed services providers for the same reason these attackers chose Nasdaq, Kellermann said. It is a “gateway” to other systems. Instead of attacking one bank, hitting one service provider gets them access to 300 banks at once, he said. Nasdaq’s Director’s Desk is analogous to a managed service provider scenario, since Nasdaq offers its customers a platform to share documents.
Even though Nasdaq OMX claimed to have fixed the problem, it’s not clear it can keep the attackers out. “Once these hackers are in the system, it is much like leukemia-it’s hard to extricate them,” Kellermann said.
The malware the hackers left behind allowed them to execute code, he said. Just because attackers left this malware behind didn’t mean they hadn’t accessed anything else, he said.
Usually, IT managers have to reimage and rebuild the machines from scratch to regain control of the compromised machine, he said. The Nasdaq servers are production machines and probably can’t be down for more than 12 hours per week, he said. These can’t be reimaged so there’s no way to really ensure that all traces of the attackers have been removed.
Nasdaq OMX should be focusing on where the attackers can go next from the breached system and protect those systems, Kellermann said. “You can’t fortify the castle once they are inside. You just have to build a better keep and dungeon,” he said. With penetration testing, IT managers can figure out all the possible attack paths and prioritize the ones that should be secured.
It’s “glaringly obvious” this application was never properly tested, he said. Now it’s up to the defenders to find out and secure all the other applications that can be accessed from this system, he said.