Nasdaq Hack Attribution Questioned

Culprit and Motive Still Remain Unclear

By Mathew J. Schwartz, July 18, 2014.

Two zero-day vulnerabilities were exploited by the attackers who hacked NASDAQ's systems in October 2010. A senior U.S. legislator claims the hackers had "nation-state" backing. That claim aside, however, security experts say it's still not clear who hacked NASDAQ or why, although there's still no indication that attackers accessed or altered the systems running the NASDAQ stock exchange.


Bloomberg Businessweek reports that two different zero-day vulnerabilities - previously unknown code bugs - were used to compromise NASDAQ. The in-depth report on the breach is based on interviews with more than two dozen people who have knowledge of the attack details or related digital forensic investigation. Despite their collective input, however, the only thing that remains clear about the motive or identity of the attackers is how unclear they still remain. Indeed, even the duration of the hack remains unknown, with investigators saying it began by October 2010, but may have started earlier. Likewise, it's not clear exactly what the attackers accessed or stole.

State Sponsor Questions

House Intelligence Committee Chairman Mike Rogers, R-Mich., however, says the NASDAQ hack was state-sponsored. "We've seen a nation-state gain access to at least one of our stock exchanges, I'll put it that way, and it's not crystal clear what their final objective is," he tells Bloomberg, saying the full details remain classified.

But Dublin-based independent information security consultant Brian Honan questions how that conclusion was reached. "Accusing or stating that a nation-state is behind an attack can be quite a leap, as the techniques and tools used by criminals can be the same as those used by agents of a state," he tells Information Security Media Group. "So without additional evidence, and as stated in this story that evidence is lacking, it is not possible to confidently state the attacks were the result of nation-state involvement, whether that be direct or state-sponsored."

Further complicating the attribution question, investigators did recover malware that had been developed by Russia's state-security organization, the Federal Security Service. But the FSB malware could have been sold to third parties, and some investigators believe that at least one China-based attacker has also used that malware.

QCF Link Unlikely

The timing of the NASDAQ attack places it prior to Operation Ababil, the long-running distributed-denial-of-service attack run by Qassam Cyber Fighters that targeted U.S. financial services firms, and which Rogers has blamed on the Iranian government. There's no evidence, however, that the NASDAQ hack might have been some type of precursor effort.

"My opinion - which is pure speculation - is that one, it wasn't QCF," Dan Holden, director of ASERT, the security engineering and response team at Arbor Networks, tells Information Security Media Group. "Two, I'd be surprised if it was any of the usual suspects - China, Russia, Iran. [It's] likely not nation-state-backed at all."

Notably, the NASDAQ investigators reached out to other exchanges, worried that the attacks might be more widespread. But they reportedly found no evidence of similar attacks. "In my opinion, if an attack like that was nation-state backed you would have seen a campaign against more than just NASDAQ," Holden says.

Missing Network Monitoring

The NASDAQ breach story was first reported in 2011 by The Wall Street Journal, which said the U.S. Secret Service had discovered the breach. NASDAQ soon issued a public statement saying the breach pertained only to its Director's Desk subsidiary, used by 230 companies' board members to exchange confidential information.

Follow Mathew J. Schwartz on Twitter: @euroinfosec
