Two zero-day vulnerabilities were exploited by the attackers who hacked NASDAQ's systems in October 2010. A senior U.S. legislator claims the hackers had "nation-state" backing. That claim aside, security experts say it is still not clear who hacked NASDAQ or why, and there is no indication that the attackers accessed or altered the systems that actually run the NASDAQ stock exchange.
Bloomberg Businessweek reports that two different zero-day vulnerabilities - previously unknown code bugs - were used to compromise NASDAQ. The in-depth report on the breach is based on interviews with more than two dozen people who have knowledge of the attack details or the related digital forensic investigation. Despite their collective input, the motive and identity of the attackers remain unclear. Even the duration of the hack is unknown: investigators say it was under way by October 2010, but it may have started earlier. Nor is it clear exactly what the attackers accessed or stole.
State Sponsor Questions
House Intelligence Committee Chairman Mike Rogers, R-Mich., however, says the NASDAQ hack was state-sponsored. "We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is," he tells Bloomberg, saying the full details remain classified.
But Dublin-based independent information security consultant Brian Honan questions how that conclusion was reached. "Accusing or stating that a nation-state is behind an attack can be quite a leap, as the techniques and tools used by criminals can be the same as those used by agents of a state," he tells Information Security Media Group. "So without additional evidence, and as stated in this story that evidence is lacking, it is not possible to confidently state the attacks were the result of nation-state involvement, whether that be direct or state-sponsored."
Further complicating attribution, investigators did recover malware that had been developed by Russia's state-security organization, the Federal Security Service. But that FSB malware could have been sold to third parties, and some investigators believe that at least one China-based attacker has also used it.
QCF Link Unlikely
The timing of the NASDAQ attack places it before Operation Ababil, the long-running distributed-denial-of-service campaign run by the Qassam Cyber Fighters that targeted U.S. financial services firms, and which Rogers has blamed on the Iranian government. There is no evidence, however, that the NASDAQ hack was any kind of precursor to that campaign.
"My opinion - which is pure speculation - is that one, it wasn't QCF," Dan Holden, director of ASERT, the security engineering and response team at Arbor Networks, tells Information Security Media Group. "Two, I'd be surprised if it was any of the usual suspects - China, Russia, Iran. [It's] likely not nation-state-backed at all."
Notably, the NASDAQ investigators reached out to other exchanges, worried that the attacks might be more widespread. But they reportedly found no evidence of similar attacks. "In my opinion, if an attack like that was nation-state backed you would have seen a campaign against more than just NASDAQ," Holden says.
Missing Network Monitoring
The NASDAQ breach story was first reported in 2011 by The Wall Street Journal, which said the U.S. Secret Service had discovered the breach. NASDAQ soon issued a public statement saying the breach pertained only to its Director's Desk subsidiary, used by 230 companies' board members to exchange confidential information.
At the time, many information security experts saw the breach as a cautionary tale involving the risks of failing to closely monitor a high-risk financial services network (see NASDAQ Breach: Lesson for Banks). Since then, the latest reported details about the attack - including that NASDAQ failed to track daily usage details relating to its network, and that the breach was so extensive that President Obama received multiple briefings on the related investigation - only reinforce that view.
"The core of the problem here is the lack of logging and proactive monitoring of systems and networks. Without good logs it is very difficult to investigate an incident and confidently identify what happened and even as to who may be behind the attack," Honan says.
The lesson for other firms, Honan says, is that they must proactively monitor network traffic to better spot in-progress attacks. "For example, data being FTP'd to a server in a country you do not do business with could indicate that your data is being exfiltrated, or remote log-in attempts at time patterns outside that user's normal working hours could also be a potential flag," he says.
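The two heuristics Honan describes, written out as detection logic over sample logs. This is an added example, not part of the original article and not code from the NASDAQ investigation or any named vendor tool. All records (the flow and login tuples, the country code XZ, the set of countries the firm does business with, the 10-login minimum baseline and the 30-minute correlation window) are constructed assumptions chosen to exercise the checks.

```python
"""Baseline checks for exfiltration and off-hours remote logins.

Added example over constructed sample records; not data from the NASDAQ case.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Assumption: the firm only does business in these two countries.
BUSINESS_COUNTRIES = {"US", "GB"}

# Constructed outbound connection records:
# (timestamp, user, protocol, dst_host, dst_country, bytes_out).
# "XZ" is a user-assigned ISO 3166 code used here as a placeholder country.
FLOWS = [
    ("2010-10-04 10:12:03", "alice", "https", "203.0.113.10",  "US", 48_000),
    ("2010-10-04 11:40:51", "bob",   "ftp",   "198.51.100.20", "GB", 2_300_000),
    ("2010-10-05 02:47:19", "bob",   "ftp",   "192.0.2.77",    "XZ", 94_000_000),
    ("2010-10-05 03:01:02", "bob",   "ftp",   "192.0.2.77",    "XZ", 61_000_000),
]

# Constructed login history used to learn each user's normal hours:
# (timestamp, user, outcome). alice logs in at 09 and 17, bob at 08,
# carol has only three logins, too few to form a baseline.
HISTORY = [
    (f"2010-09-{d:02d} {h:02d}:15:00", u, "success")
    for d in range(20, 30)
    for u, h in (("alice", 9), ("alice", 17), ("bob", 8))
] + [("2010-09-28 10:00:00", "carol", "success")] * 3

# Constructed new remote-login attempts to evaluate against the baseline.
ATTEMPTS = [
    ("2010-10-05 09:30:00", "alice", "success"),   # inside alice's window
    ("2010-10-05 02:41:13", "bob",   "failure"),   # 02:xx, bob normally 08:xx
    ("2010-10-05 02:46:55", "bob",   "success"),   # off-hours, and it worked
    ("2010-10-05 23:10:00", "carol", "success"),   # no baseline for carol
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def flag_foreign_ftp(flows, business_countries):
    """FTP transfers to a country the firm has no business in, largest first."""
    hits = [f for f in flows if f[2] == "ftp" and f[4] not in business_countries]
    return sorted(hits, key=lambda f: f[5], reverse=True)


def learn_hours(history, min_samples=10):
    """Per-user (earliest, latest) hour of successful logins.

    Users with fewer than min_samples successful logins get no baseline,
    so a thin history cannot masquerade as a complete one.
    """
    seen = defaultdict(Counter)
    for ts, user, outcome in history:
        if outcome == "success":
            seen[user][parse_ts(ts).hour] += 1
    return {u: (min(c), max(c)) for u, c in seen.items() if sum(c.values()) >= min_samples}


def flag_off_hours(attempts, baseline):
    """Remote-login attempts, successful or not, outside the user's learned window."""
    flagged = []
    for ts, user, outcome in attempts:
        window = baseline.get(user)
        if window is None:
            continue  # nothing to compare against; report separately if desired
        lo, hi = window
        if not lo <= parse_ts(ts).hour <= hi:
            flagged.append((ts, user, outcome))
    return flagged


def correlate(off_hours_logins, foreign_transfers, window_min=30):
    """Pair each successful off-hours login with a foreign FTP transfer by the
    same user that starts within window_min minutes after it."""
    pairs = []
    for lts, user, outcome in off_hours_logins:
        if outcome != "success":
            continue
        login_at = parse_ts(lts)
        for fts, fuser, _proto, host, _country, nbytes in foreign_transfers:
            delta = (parse_ts(fts) - login_at).total_seconds() / 60
            if fuser == user and 0 <= delta <= window_min:
                pairs.append((lts, fts, user, host, nbytes))
    return pairs


if __name__ == "__main__":
    base = learn_hours(HISTORY)
    ftp_hits = flag_foreign_ftp(FLOWS, BUSINESS_COUNTRIES)
    logins = flag_off_hours(ATTEMPTS, base)
    for row in ftp_hits:
        print("foreign FTP:", row)
    for row in logins:
        print("off-hours login:", row)
    for row in correlate(logins, ftp_hits):
        print("login followed by transfer:", row)
```

The correlation step is the part that only works if both login and flow logs exist and carry a usable timestamp and user field, which is Honan's point about logging: neither check needs a signature for the attacker's malware, but both need records to run over. The [earliest, latest] hour window is deliberately crude; it does not handle shifts that wrap midnight or users whose hours legitimately change, so in practice the baseline should be re-learned on a rolling period and the minimum-sample rule kept so a newly created account cannot define its own "normal".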
The attackers' use of two zero-day vulnerabilities remains an unusual aspect of this case. Such bugs can command high prices on the black market, so they are rarely burned in tandem; the notable exception is Stuxnet, which targeted a record four zero-day vulnerabilities and was reportedly built by a joint U.S.-Israeli program.
But that doesn't necessarily mean the NASDAQ hack was state-sponsored. "Many criminals would have access to zero days, as would many government agencies," Honan says. Criminals typically exploit older vulnerabilities, which remain present on so many systems, unless they have a specific reason to do otherwise. "The use of zero days would indicate the attackers had a particular motivation that justified the use of such zero days," he adds. "Once a zero day is used, the value of it to the attacker is severely diminished as it becomes known and patched."
But the NASDAQ attackers' motive remains unknown. "Again, we are back to attribution and motive for the attack," Honan says. "Was it for financial gain? If so, then maybe those behind the attack were criminals. If it was for espionage or the ability to disrupt the markets then it could be more likely nation state involvement was in play."
(Executive Editor Tracy Kitten contributed to the story.)