On Aug. 13, a group known as the “Shadow Brokers” announced on Twitter that they would auction off a set of cyber-espionage tools taken from the server of the Equation Group, widely considered part of the United States’ intelligence services and likely to be operating as part of the National Security Agency.
The announcement was met first with disbelief, then chagrin, as it became apparent that the compromise and post-exploitation framework were genuine. Questions remain, James Clapper, director of national intelligence, said at an Aug. 24 event. “It’s still under investigation,” he said, according to the Associated Press. “We don’t know exactly the full extent—or the understanding—of exactly what happened.”
What is known is that the leak involved an encrypted set of files weighing in at more than 250MB of data, which included the encryption key for a folder of teaser files labeled “Firewall.” The key to unlock the encrypted main body of data will only be released, the group said, if they receive 1 million bitcoin, about $580 million. The Shadow Brokers are thought to be linked to Russia.
While the NSA is most known for its offensive capabilities—its ability to spy on other nations’ and groups’ communications—the leak of a significant collection of vulnerabilities known to only a few should signal that the agency should be considering its defensive role more heavily, according to security experts.
“If there is an attributable group in a foreign country that is going to use this against people, it is in everyone’s interest for the [government behind the Equation Group] to notify the vendors so that other nations are not using Equation’s IP against citizens,” Logan Brown, president of threat intelligence and vulnerability acquisition firm Exodus Intelligence, told eWEEK.
The outing of the NSA-linked framework is the latest in a series of leaks of cyber toolsets that highlight that many governments are active in cyber operations against rival nations, non-governmental groups and even individuals. Mobile security firm Lookout and the University of Toronto’s Citizen Lab revealed on Aug. 25, for example, that an attacker, likely a nation, had used espionage tools allegedly created by the NSO Group—including exploits for three previously unknown iOS vulnerabilities—against a well-known Middle Eastern activist, Ahmed Mansoor. Mansoor had been targeted by similar attempts twice before.
With each revelation, questions about the appropriate use of such technology—and whether citizens are better served by government agencies that help harden computer systems or conduct espionage on others’ systems—grow louder. The code in the leaked “Firewall” files included the names of tools, such as “SecondDate,” and a specific passcode that marks the data as a match for the information leaked by former NSA contractor Edward Snowden. As the name indicates, the attack tools in the teaser data target vulnerabilities in major firewalls. Cisco is in the process of patching one issue, but noted that another vulnerability targeted by the Equation Group tools had been patched in 2011. Fortinet examined the files and found the attacks only affected versions of its software prior to 2012. And Juniper has not found any exploitable vulnerabilities in the data.
Should the NSA Reveal Leaked Exploits?
The leak changes the equation for what constitutes an equitable arrangement between the NSA’s desire to have exploitation capabilities and its mission to protect U.S. computer systems and communications, stated Nicholas Weaver, senior staff researcher at the International Computer Science Institute in Berkeley, Calif.
“Previously, equities calculations generally relied on the probability that someone else might independently discover and exploit a vulnerability,” he said in a post to the Lawfare blog. “How does this calculation change when the NSA’s own tools might be stolen, without detection? Is there a policy on what to do when the NSA knows that their tools are compromised?”
If the NSA knew that the information had been lost, it should have notified the vendors, he said.
“If the NSA knew of the breach of their tools and failed to notify Cisco and Fortinet, this would represent a serious dereliction of the NSA’s Information Assurance mission because both of those products are used by the government and on DOD systems which IAD is charged with protecting,” Weaver said.
In the past, the U.S. government has stated that it would disclose vulnerabilities when there is a clear need to protect the Internet and the nation’s computer systems. Following the disclosure of a widespread flaw in OpenSSL known as Heartbleed, the White House stressed that it did not know about the issue, and if it had, it would have notified the public.
Yet Michael Daniel, special assistant to the president and cyber-security coordinator, who penned the statement, argued that the decision is not always easy.
“[T]here are legitimate pros and cons to the decision to disclose, and the trade-offs between prompt disclosure and withholding knowledge of some vulnerabilities for a limited time can have significant consequences,” he said. “Disclosing a vulnerability can mean that we forgo an opportunity to collect crucial intelligence that could thwart a terrorist attack, stop the theft of our nation’s intellectual property, or even discover more dangerous vulnerabilities that are being used by hackers or other adversaries to exploit our networks.”
For the most part, companies have remained mum on the issue. Cisco, Juniper and Fortinet declined to comment for this article, and their spokespeople pointed to already published statements on their patches for the vulnerabilities.
The NSA also did not return requests for comment. However, Exodus Intelligence’s Brown said that, ultimately, the choice to disclose the issues may not lie with the spy agency. If the Equation Group is a private firm, which counts the NSA as a client, then the intellectual property—and decisions about that IP—belong to the private firm, Brown said.
In that case, “it’s not the government’s IP, it is the Equation Group’s IP,” Brown said.