Perhaps the most dangerous collection of cyberweapons that has ever appeared online has surfaced, putting law abiding people, businesses, government agencies, and even critical infrastructure around the world at risk.
Here is what you need to know:
Earlier this week, a mysterious entity shared online portions of a cache of cyberweapons that the NSA allegedly used to hack into parties on which it wanted to conduct surveillance or to which it wanted deliver harm. The parties who posted the material - calling themselves "The Shadow Brokers" - claim to have stolen the material from "The Equation Group," - widely believed to be either part of the NSA or an organization associated with it.
In addition to the weapons which it shared over the weekend, The Shadow Brokers also released an encrypted file allegedly containing more cyberweapons, whose decryption key will be supplied to the winner of an online auction. If the winning price is over 1 million bitcoin (over half a billion dollars!), The Shadow Brokers promises to release more materials and make them available to the public at no additional charge.
While the demand for money could be a hoax - laundering a million bitcoins is practically impossible - I do believe that there is a good chance that the leaked material is "the real thing" - an eerie feeling that has been corroborated by other experts who have examined the leaked materials. (Note: After I wrote this article, but before it went live on the Inc. website, at least one major vendor confirmed that the weapons were exploiting real vulnerabilities.)
How dangerous are these cyberweapons?
The cyberweapons in question include technology to breach popular commercial firewalls - meaning that someone using the cyberweapons could potentially invade the networks of many businesses and governmental organizations around the world. While the material does appear to be dated - the latest files are from 2013 - in some cases the weapons include zero-day exploits for which there are no current fixes, meaning that despite the passage of time, these weapons are still highly effective and pose a grave danger to a huge number of businesses and government agencies - never mind providers of critical infrastructure - around the world.
To put it simply: Many providers of critical infrastructure, financial systems, and even emergency services rely on the security technologies that the weapons undermine.
Can't using multiple security technologies make the cyberweapons ineffective?
Yes and no. To mitigate against vulnerabilities, for example, many organizations layer multiple firewalls from different vendors; if a weakness is discovered by hackers in one firewall the attackers still cannot easily breach the organization because they would have to pierce the other non-vulnerable security devices. Normally major vulnerabilities in multiple products do not leak at exactly the same time, so, in most cases, major weaknesses in one product will be fixed before a problem of similar magnitude is discovered in others. The current cache of cyberweapons, however, includes tools that penetrate multiple firewalls from multiple vendors - for many (but not all) organizations all of their firewall security-layers may at risk. It is clear that the parties who had the cyberweapons had the ability to simultaneously exploit major vulnerabilities in multiple security products.
Using multiple approaches might help -- an intrusion detection system looking for anomalous activity on a network should detect a hacker snooping around -- but cyberweapons targeting those systems might also be in the cache.
Won't leaking the cyberweapons undermine their effectiveness and reduce the risk level?
Of course, once cyberweapons are leaked to the public the impacted vendors are likely to fix any vulnerabilities being exploited by the weapons. But, according to The Shadow Brokers, they have saved the best weapons for last - so, assuming that the claim is true, the most dangerous weapons in the cache have not been released to the public, and remain fully potent. The present leak might simply be to prove that The Shadow Brokers, whoever they are, have obtained the top-secret cache of cyberweapons.
How did this leak of secret cyberweapons happen?
It is not clear (other than to those involved) how this code emerged from the depths of government secrecy. Was the NSA hacked? Did an insider intentionally leak it? Did someone at the NSA make a serious error and accidentally transmit the files to an insecure location, or otherwise allow unauthorized parties to obtain the material from the NSA's computers or other equipment? Did something go wrong in the infrastructure around the world that the NSA uses to make its actions less-easily traced? It is impossible for outsiders to know yet exactly what transpired, but, one thing seems clear - the current situation is extremely serious.
Who leaked the weapons? Who are "The Shadow Brokers?"
It is also unclear (other than to those involved and perhaps to others in the intelligence community) who posted the materials online - was it criminals intent on making money? A foreign power looking to prove a point? The Russian government angry at the United States' Democratic party for accusing it of hacking the party's email servers? At this point, the few folks who actually know the identities of those involved are not talking.
What do I do now?
Obviously, information-security product companies should make sure to quickly fix any vulnerabilities being exploited by the cyberweapons now available, and any others as they become known. While patches must be tested for QA reasons, efforts should be made to expedite the process of creating, testing, and distributing the fixes; warnings should also be sent out with regard to any vulnerabilities that have already been fixed, but which are exploited by the cyberweapons -- not everyone installs updates as often as he or she should.
Everyone else should make sure to install patches that information security vendors issue, and, if you do find a product that needs patching as a result of the disclosures now being made, make sure to run scans with updated security software to help check if you may have been breached prior to the patching.
What lessons should be learned - and what needs to change?
I will dedicate a separate article to this topic, which will appear online on August 26th.