If this were a Philip K. Dick novel, I would have died of sheer paranoia.
Honestly, it’s becoming increasingly difficult to keep track of what is happening in the security circles. You have that leaking faucet of Snowden documents to deal with, the general tomfoolery of my hacker friends, and now, the games of deception which nation states play. It’s like a terrible B-grade movie with villainous nerds holding the reins.
A group that calls itself Shadow Brokers had stolen the stockpile of the National Security Agency (NSA) some years ago. It belonged to the Tailored Access Operations (TAO), a covert division tasked to infiltrate the hardest of targets. You know, like the strategic nuclear commands of foreign armies, which pride themselves on their networks being air-gapped (not connected to the internet), or that isolated government computer storing secrets so damning that you are better off not knowing them. The stuff of lore.
Last week, the Shadow Brokers decided to leak a part of TAO’s burgled exploits and promised to share the rest if the hoi polloi could raise one million bitcoins, worth roughly half a billion dollars. Rife with bad English, the trademark of Eastern supervillains, the public announcement accompanying their actions made no sense at all, and was vague enough to trigger very sensational conspiracy theories.
For the lay readership: to gain and retain access to the crown jewels of the most powerful and best-funded cyber army on earth is a big freaking deal. The Russian antivirus firm Kaspersky had earlier found traces of TAO’s malware, disclosing them to the public in February 2015. They dubbed these spymasters of the ether the Equation Group, for their affinity towards intricate encryption algorithms and obfuscation.
What came to the fore was an intensely dedicated group, with an uncanny precision, persistence and flair you normally would not associate with hackers. It turned out to be one of the longest-running cyber-espionage campaigns ever. Kaspersky tied these guys to blockbusters like Stuxnet and Flame, history-altering malware whose zero-days and infrastructure overlapped with their toolkit. Even the intelligence legend James Jesus Angleton would have felt humbled by their expanse. Their footprints went back to the yesteryear of the internet, the heyday of the nineties, when little was known about networks, let alone exploiting them.
Of course, Indian computers were also on the group’s kill-list. I don’t think our cyber response agencies still have a damn clue about the organisations that were hit.
The timelines are important here. 2013 was the year of Snowden’s call to arms, and it is also where the trail of the Shadow Brokers files goes cold: the newest files in the dump date from that year. People are still rifling through the leaked documents, but there could be some overlap between these two leaks.
This is where the wild conjecturing begins. Some say the Shadow Brokers lost access to TAO’s operational platform after the Snowden leaks, as the NSA hustled to brace for the disclosures. Others say it was an inside job, some lousy NSA operative losing the keys to the kingdom.
While Snowden himself has risen from the dead to proclaim that it is common for adversaries to hack into each other’s command-and-control, it is highly uncommon to do such sparring in public. The American security community at large attributes it to the sneaky Russians, the leak being some kind of Slavic warning for breaking the online omerta, supposedly a fallout of the Democratic National Committee (DNC) hack.
You really can lose sleep over such stuff.
Now, the exploit repository in itself, the one available to us, targets the firewall appliances of Cisco, Juniper, Fortinet (FortiGate), WatchGuard and the Chinese vendor TOPSEC. The codenames, which match those in previously published NSA documents, and the operational security tradecraft leave little doubt that all of this is genuine TAO material.
For me, the most important takeaway is the paradigm which TAO follows: ONE, security products are themselves the weakest link in the chain; TWO, hardware appliances are the most ignored component of a security architecture; THREE, some of these vendors are operating under plausible deniability, there is no effin’ way this could have gone unnoticed for years; and FOUR, spy agencies prefer to maintain a presence in places that software security controls cannot inspect (hard disk microcontrollers, router firmware, etc.), with the listening post as far from the target as possible.
Another thing: no one has even mentioned the Juniper backdoor that came to light in December 2015, the unauthorised code Juniper found in the ScreenOS firmware of its NetScreen firewalls. Don your tin-foil conspiracy hats as I say that it reads like an NSA-sanctioned implant, a cent-percent TAO job, and that what matters is not that the backdoor was revealed and a federal investigation sanctioned in the first place, but the fact that the vulnerability was deemed expendable despite the huge repercussions it had on the reputations of Juniper and the American tech sector.
Things need to add up here: maybe the NSA knew about the intrusions. The chatter in the media was that someone else had managed to find the Trojan horse, probably the Russians, the Israelis or the Chinese. That is the Faustian nature of backdoors: a deliberately planted weakness is still a weakness, and nothing guarantees that only its planter will find it, so it cannot stay private for long. I am certain that all of these events are interconnected in some way or the other.
The Indian Government needs to haul up its cybersecurity leadership for not taking cognisance of many such incidents. No risk or damage assessment has ever been undertaken. The key interlocutors are confusing the Establishment with techno-babble which the elected leaders find difficult to decipher.
It also calls for a larger debate on how the agencies that promulgated the internet are linked to the ones that have systematically exploited its broken security model. The folks at the NSA have this thing called QUANTUM, a man-on-the-side attack: passive taps at internet chokepoints spot a target’s request, and a server sitting close to the backbone races the legitimate reply with a forged TCP response that arrives first. It works because TCP/IP has no way of authenticating a packet, a weakness known for three decades now, so whoever answers first with the expected sequence number wins; from any vantage point the agency has on the path, a session can be hijacked without touching the real server. It’s like messing with your DNA to alter your gene pool, that bad.
I am also kind of enamoured by the beauty that lies in the chaos of asymmetric warfare. A billion-dollar op, hundreds of thousands of man-hours, gone to dust with one hack, through a single margin of error. How many resources are required for the counter-op? Next to none.
The reluctance to act, both of the parties who gain from this state of affairs and of the ones who are oblivious to it, will cost our future generations dearly, that’s for sure.
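To make concrete why that race works, here is an added toy simulation (my own illustration for this column, not NSA code and not anything from the leak), with constructed addresses, payloads and sequence numbers: a client and server exchange one HTTP request and reply, an injector forges the reply’s TCP sequence numbers from the tapped request alone, and a sensor-side check flags the telltale duplicate segment carrying different content.

```python
"""Constructed simulation of a QUANTUM-style man-on-the-side TCP injection.

Not NSA code: a toy model of a client and server exchanging one HTTP
request/reply, an injector that derives the reply's sequence numbers from
the tapped request alone, and the duplicate-segment check a sensor can run.
Addresses, payloads and sequence numbers are made up for the example.
"""
from collections import defaultdict
from dataclasses import dataclass, field

CLIENT = "10.0.0.5:51234"      # constructed client address
SERVER = "203.0.113.7:80"      # constructed server address (TEST-NET-3)
REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
REAL_REPLY = b"HTTP/1.1 200 OK\r\n\r\n<html>legitimate page</html>"
FAKE_REPLY = b"HTTP/1.1 302 Found\r\nLocation: http://injected.test/\r\n\r\n"


@dataclass(frozen=True)
class Segment:
    """The TCP header fields that matter for the race, plus the data."""
    src: str
    dst: str
    seq: int
    ack: int
    payload: bytes


@dataclass
class Endpoint:
    """One side of an established connection, reduced to its send and
    receive sequence numbers. A segment is accepted only if it comes from
    the peer and starts exactly at rcv_nxt; anything else is dropped, which
    is why the second of two competing replies loses."""
    addr: str
    peer: str
    snd_nxt: int
    rcv_nxt: int
    received: list = field(default_factory=list)

    def send(self, payload: bytes) -> Segment:
        seg = Segment(self.addr, self.peer, self.snd_nxt, self.rcv_nxt, payload)
        self.snd_nxt += len(payload)
        return seg

    def deliver(self, seg: Segment) -> bool:
        if (seg.src, seg.dst) != (self.peer, self.addr) or seg.seq != self.rcv_nxt:
            return False
        self.received.append(seg.payload)
        self.rcv_nxt += len(seg.payload)
        return True


def forge_reply(tapped: Segment, payload: bytes) -> Segment:
    """What a man-on-the-side injector does with a request seen on a tap:
    the reply's seq is the ack the client is waiting for, and its ack covers
    the request's last byte. Nothing here requires seeing the server."""
    return Segment(tapped.dst, tapped.src, tapped.ack,
                   tapped.seq + len(tapped.payload), payload)


def run_race(injector_first: bool):
    """Play one request/reply with the forged segment arriving before or
    after the genuine one. Returns (payload the client accepted, all
    segments seen on the wire in arrival order)."""
    client = Endpoint(CLIENT, SERVER, snd_nxt=1000, rcv_nxt=5000)
    server = Endpoint(SERVER, CLIENT, snd_nxt=5000, rcv_nxt=1000)

    request = client.send(REQUEST)
    forged = forge_reply(request, FAKE_REPLY)   # built from the tapped request
    server.deliver(request)
    genuine = server.send(REAL_REPLY)           # the real server's answer

    # The forgery carries the same seq/ack as the real reply: TCP leaves the
    # injector nothing to guess, only a race to win.
    assert (forged.seq, forged.ack) == (genuine.seq, genuine.ack)

    wire = [request] + ([forged, genuine] if injector_first else [genuine, forged])
    for seg in wire[1:]:
        client.deliver(seg)
    return client.received[0], wire


def detect_injection(wire):
    """Sensor-side check: the same (src, dst, seq) seen with two different
    payloads means two parties answered the same request, which a plain
    retransmission never produces. Returns the offending keys."""
    payloads = defaultdict(set)
    for seg in wire:
        payloads[(seg.src, seg.dst, seg.seq)].add(seg.payload)
    return sorted(k for k, p in payloads.items() if len(p) > 1)


if __name__ == "__main__":
    accepted, wire = run_race(injector_first=True)
    print("client accepted:", accepted.splitlines()[0])
    print("conflicting segments:", detect_injection(wire))
```

Run it and the client accepts whichever reply reaches it first; the genuine one, arriving second, is discarded as sequence space it has already consumed. The detection function models the check a passive sensor can run on its own traffic; real tooling also has to handle partial overlaps, and TLS defeats the injection outright because the forger cannot produce a valid record for the session.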