In October 2010, a Federal Bureau of Investigation system monitoring U.S. Internet traffic picked up an alert. The signal was coming from Nasdaq (NDAQ). It looked like malware had snuck into the company’s central servers. There were indications that the intruder was not a kid somewhere, but the intelligence agency of another country. More troubling still: When the U.S. experts got a better look at the malware, they realized it was attack code, designed to cause damage.
As much as hacking has become a daily irritant, much more of it crosses watch-center monitors out of sight from the public. The Chinese, the French, the Israelis—and many less well known or understood players—all hack in one way or another. They steal missile plans, chemical formulas, power-plant pipeline schematics, and economic data. That’s espionage; attack code is a military strike. There are only a few recorded deployments, the most famous being the Stuxnet worm. Widely believed to be a joint project of the U.S. and Israel, Stuxnet temporarily disabled Iran’s uranium-processing facility at Natanz in 2010. It switched off safety mechanisms, causing the centrifuges at the heart of a refinery to spin out of control. Two years later, Iran destroyed two-thirds of Saudi Aramco’s computer network with a relatively unsophisticated but fast-spreading “wiper” virus. One veteran U.S. official says that when it came to a digital weapon planted in a critical system inside the U.S., he’s seen it only once—in Nasdaq.
The October alert prompted the involvement of the National Security Agency, and just into 2011, the NSA concluded there was a significant danger. A crisis action team convened via secure videoconference in a briefing room in an 11-story office building in the Washington suburbs. Besides a fondue restaurant and a CrossFit gym, the building is home to the National Cybersecurity and Communications Integration Center (NCCIC), whose mission is to spot and coordinate the government’s response to digital attacks on the U.S. They reviewed the FBI data and additional information from the NSA, and quickly concluded they needed to escalate.
Thus began a frenzied five-month investigation that would test the cyber-response capabilities of the U.S. and directly involve the president. Intelligence and law enforcement agencies, under pressure to decipher a complex hack, struggled to provide an even moderately clear picture to policymakers. After months of work, there were still basic disagreements in different parts of government over who was behind the incident and why. “We’ve seen a nation-state gain access to at least one of our stock exchanges, I’ll put it that way, and it’s not crystal clear what their final objective is,” says House Intelligence Committee Chairman Mike Rogers, a Republican from Michigan, who agreed to talk about the incident only in general terms because the details remain classified. “The bad news of that equation is, I’m not sure you will really know until that final trigger is pulled. And you never want to get to that.”
Bloomberg Businessweek spent several months interviewing more than two dozen people about the Nasdaq attack and its aftermath, which has never been fully reported. Nine of those people were directly involved in the investigation and national security deliberations; none were authorized to speak on the record. “The investigation into the Nasdaq intrusion is an ongoing matter,” says FBI New York Assistant Director in Charge George Venizelos. “Like all cyber cases, it’s complex and involves evidence and facts that evolve over time.”
While the hack was successfully disrupted, it revealed how vulnerable financial exchanges—as well as banks, chemical refineries, water plants, and electric utilities—are to digital assault. One official who experienced the event firsthand says he thought the attack would change everything, that it would force the U.S. to get serious about preparing for a new era of conflict by computer. He was wrong.
On the call at the NCCIC were experts from the Defense, Treasury, and Homeland Security departments and from the NSA and FBI. The initial assessment provided the incident team with a few sketchy details about the hackers’ identity, yet it only took them minutes to agree that the incursion was so serious that the White House should be informed.
When the FBI notified Nasdaq of the intrusion, it turned out the company had detected anomalies on its own but had yet to report the attack. After negotiations over privacy concerns, Nasdaq agreed to let U.S. officials into its networks. Investigation teams arrived at the company’s headquarters at One Liberty Plaza in New York City and its data center in Carteret, N.J., where they found multiple indications of an intelligence agency or military.
The hackers had used two zero-day vulnerabilities in combination. A zero day is a previously unknown flaw in computer code—developers have had “zero days” to address it—that allows hackers to easily take remote command of a computer. It’s a valuable commodity, sometimes selling for tens of thousands of dollars in underground markets. The use of one zero day indicates a sophisticated hacker; more than one suggests government. Stuxnet deployed four—a sign that the code’s authors had done advanced reconnaissance and knew precisely how various systems worked together.
Whoever hit Nasdaq had done similar prep work and had similar resources. The clincher was the hackers’ malware pulled from Nasdaq’s computer banks. The NSA had seen a version before, designed and built by the Federal Security Service of the Russian Federation (FSB), that country’s main spy agency. And it was more than spyware: Although the tool could be used to steal data, it also had a function designed to create widespread disruption within a computer network. The NSA believed it might be capable of wiping out the entire exchange.
The agencies left it to Nasdaq to characterize the attack for its customers, regulators, and the public, which it did in a brief company statement on Feb. 5 and again in a regulatory filing a few weeks later. The breach couldn’t have come at a worse time for Nasdaq. It was on the verge of trying to acquire the New York Stock Exchange (ICE) for $11 billion.
Nasdaq’s e-mailed statement gave no indication the attack was serious. The company said the malware had been discovered during “a routine scan” and that the incursion was limited to a system called Director’s Desk, which more than 230 companies used to share financial information among board members. “We have no information anything was taken,” the statement said. In an interview for this article, Nasdaq spokesman Joseph Christinat says: “Our own forensics review of the issue conducted in close cooperation with the U.S. government concluded no proof of exfiltration of data from our Director’s Desk systems. Importantly, 2010 was a watershed moment in our company’s commitment to cybersecurity resulting today in an enhanced ability to detect and protect the integrity of our systems, our technology, and market participants.”
Meanwhile, the investigation into who was behind the attack took a dramatic turn. Unlike a bomb or missile, malware can be reused. Left behind in networks, it can be grabbed by other hackers, reverse-engineered, and redeployed in the computer banks of subsequent victims to muddy the trail, like a killer using someone else’s gun. As investigators began examining data on other hacks of government and military computers, there was evidence that the Russians’ malware was being used by a sophisticated Chinese cyberspy also known to have a thriving criminal business on the side. This hacker could have been given the Russian malware or pinched it from inside another computer network and used it to disguise his identity. Some evidence inside Nasdaq supported that theory as well. Obama was briefed again as the probe turned toward Asia.
As investigators followed the new leads, more teams fanned out across the country. The Treasury Department’s Office of Critical Infrastructure Protection and Compliance Policy drew up a list of 10 major banks and U.S. stock exchanges that might be targets for a broader campaign. Not all the companies agreed to cooperate with the investigation. In those that did, agents began scouring computer logs and examining servers, aided by the companies’ security teams.
The agents found little evidence of a broader attack. What they did find were systematic security failures riddling some of the most important U.S. financial institutions. It turned out that many on the list were vulnerable to the same attack that struck Nasdaq. They were spared only because the hackers hadn’t bothered to try.
In a speech last January, amid the scandal over the NSA’s collection of data on millions of Americans, Obama obliquely referred to the NSA’s ability to “intercept malware that targets a stock exchange” as one reason he opposed stripping the agency of its ability to intercept digital communications.
For some U.S. officials, however, the lessons of the incident are far more chilling. The U.S. national security apparatus may be dominant in the physical world, but it’s far less prepared in the virtual one. The rules of cyberwarfare are still being written, and it may be that the deployment of attack code is an act of war as destructive as the disabling of any real infrastructure. And it’s an act of war that can be hard to trace: Almost four years after the initial Nasdaq intrusion, U.S. officials are still sorting out what happened. Although American military is an excellent deterrent, it doesn’t work if you don’t know whom to use it on.
“If anybody in the federal government tells you that they’ve got this figured out in terms of how to respond to an aggressive cyber attack, then tell me their names, because they shouldn’t be there,” says Rogers, the intelligence committee chairman. “The problem is that whatever we do, the response to it won’t come back at the government, it’ll come back at the 85 percent of networks in America that are in the private sector. And they are already having a difficult time keeping up.”
Full article: How Russian Hackers Stole the Nasdaq (BloombergBusinessweek)