Elite hackers used two zero-day exploits to penetrate world’s #2 stock market
by Dan Goodin
In 2010, elite hackers, most likely from Russia, used at least two zero-day vulnerabilities to penetrate the computer network operated by Nasdaq Stock Market, a hack that allowed them to roam unmolested for months and plant destructive malware designed to cause disruptions, according to a media report published Thursday.
The intrusion initially caught the attention of officials inside the National Security Agency, the Central Intelligence Agency, and departments of Defense, Treasury, and Homeland Security for two reasons, Bloomberg Businessweek journalist Michael Riley reported in an article headlined How Russian Hackers Stole the Nasdaq. One, it appeared to be the work of hackers sponsored by Russia or another powerful nation-state. Two, far from the typical espionage campaigns that merely siphon out secret data, the malware involved in the attack contained what early on appeared to be a digital bomb that could cause serious damage.
Riley’s 3,100-word cover article traces the resulting federal investigation, which also involved the FBI, the Secret Service, the National Cybersecurity and Communications Integration Center, and, on at least three occasions, briefings provided to President Barack Obama. Ultimately, analysis of the malware showed its capabilities were less destructive than earlier believed, but there was still cause for concern. As Ars reported last year, it came around the same time that five eastern European men allegedly breached networks belonging to Nasdaq and at least seven other financial institutions. According to federal prosecutors, one of the suspects, upon gaining persistent control over the world’s second biggest stock exchange, proclaimed “NASDAQ is owned.”
“While the hack was successfully disrupted, it revealed how vulnerable financial exchanges—as well as banks, chemical refineries, water plants, and electric utilities—are to digital assault,” Riley wrote of the 2010 campaign. “One official who experienced the event firsthand says he thought the attack would change everything, that it would force the US to get serious about preparing for a new era of conflict by computer. He was wrong.”
The article continued:
What the investigators found inside Nasdaq shocked them, according to both law enforcement officials and private contractors hired by the company to aid in the investigation. Agents found the tracks of several different groups operating freely, some of which may have been in the exchange’s networks for years, including criminal hackers and Chinese cyberspies. Basic records of the daily activity occurring on the company’s servers, which would have helped investigators trace the hackers’ movements, were almost nonexistent. Investigators also discovered that the website run by One Liberty Plaza’s building management company had been laced with a Russian-made exploit kit known as Blackhole, infecting tenants who visited the page to pay bills or do other maintenance.
What one investigator referred to as “the dirty swamp” of Nasdaq’s computer banks made following the trail of the Russian malware excruciatingly slow. The agents figured the hackers first broke into Nasdaq’s computers at least three months before they were detected, but that was just a guess. There were indications that a large cache of data was stolen, though proof was scarce, and it was hard to see what was spirited out. “If someone breaks into your house, trying to figure where they went and what they took is pretty difficult because, unlike a bank, you don’t have cameras in your house, you don’t have motion sensors,” says Jason Syversen, chief executive officer of Siege Technologies, a security firm in Manchester, N.H. “In terms of cybersecurity, most companies are more like a house than a bank.”
The agencies left it to Nasdaq to characterize the attack for its customers, regulators, and the public, which it did in a brief company statement on Feb. 5 and again in a regulatory filing a few weeks later. The breach couldn’t have come at a worse time for Nasdaq. It was on the verge of trying to acquire the New York Stock Exchange (ICE) for $11 billion.
Nasdaq’s e-mailed statement gave no indication the attack was serious. The company said the malware had been discovered during “a routine scan” and that the incursion was limited to a system called Director’s Desk, which more than 230 companies used to share financial information among board members. “We have no information anything was taken,” the statement said. In an interview for this article, Nasdaq spokesman Joseph Christinat says: “Our own forensics review of the issue conducted in close cooperation with the U.S. government concluded no proof of exfiltration of data from our Director’s Desk systems. Importantly, 2010 was a watershed moment in our company’s commitment to cybersecurity resulting today in an enhanced ability to detect and protect the integrity of our systems, our technology, and market participants.”
Meanwhile, the investigation into who was behind the attack took a dramatic turn. Unlike a bomb or missile, malware can be reused. Left behind in networks, it can be grabbed by other hackers, reverse-engineered, and redeployed in the computer banks of subsequent victims to muddy the trail, like a killer using someone else’s gun. As investigators began examining data on other hacks of government and military computers, there was evidence that the Russians’ malware was being used by a sophisticated Chinese cyberspy also known to have a thriving criminal business on the side. This hacker could have been given the Russian malware or pinched it from inside another computer network and used it to disguise his identity. Some evidence inside Nasdaq supported that theory as well. Obama was briefed again as the probe turned toward Asia.
The Asia connection ultimately didn’t pan out, and by the middle of 2011 investigators began to conclude the Russian hackers weren’t trying to sabotage the Nasdaq after all. Rather, a new theory emerged: they wanted to clone it, although House Intelligence Committee Chairman Mike Rogers conceded it still is not “crystal clear” what the hackers’ motive was. Thursday’s report underscores the difficulty of unraveling sophisticated computer intrusions and the alarming susceptibility of critical infrastructure to potentially highly disruptive hacks.