
New Russian Cyber Spying Campaign Bolsters Need for Continued NSA Use of Software Holes

Former NSA official says Windows vulnerability shows Russian cyber attack capabilities


The National Security Agency should not be restricted from using software holes in overseas spying following disclosure Tuesday that Russian hackers conducted a major cyber espionage campaign using a flaw in Microsoft Windows, a former NSA official says.

The security firm iSight Partners, in cooperation with Microsoft, revealed Tuesday that sophisticated Russian hackers working for the Moscow government conducted the cyber spying campaign against NATO, a U.S. government agency and European countries using a previously unknown "zero day" flaw in the widely used operating system.

The company named the Russian hacker group behind the cyber spying the "Sandworm Team," which has been active since 2009. The group’s use of the Windows flaw was detected last month, the company said in a statement on the flaw.

"We are actively monitoring multiple intrusion teams with differing missions, targets and attack capabilities," the statement said. "We are tracking active campaigns by at least five distinct intrusion teams."

Microsoft released software patches Tuesday afternoon in response to the flaw.

David Aitel, a former NSA cyber security specialist, said there are no indications NSA or allied governments knew about Sandworm prior to Tuesday.

"There’s been a lot of talk about limiting the U.S. intelligence community’s ability to use what we call 0-day against foreign countries to advance our national aims," Aitel said in an interview with the Free Beacon.

For the U.S. government to release everything it knows about foreign software vulnerabilities "is possibly the worst strategic option we have," said Aitel, now head of the security firm Immunity Inc.

Aitel disagrees with civil liberties and anti-secrecy advocates who favor curbing NSA spying through zero day flaws and said doing so would be tantamount to unilateral disarmament. American security would be undermined if spy agencies were forced to give up what they secretly know about foreign software gaps used in electronic spying, he added.

The Sandworm case shows that would be a mistake, he said. "That does not affect the Russians," he said. "The Russians still have this giant pile of stuff that we don’t, and they would be able to continue unhindered against us."

"And I think this is a key example of how other people know lots of stuff too and you have to be mindful of that before you unilaterally disarm," Aitel said of the Sandworm exploit.

Groups that oppose NSA’s use of zero day spying include the Electronic Freedom Foundation and the American Civil Liberties Union. They have argued that the government should make public any flaws it discovers.

Spokesmen for the ACLU and EFF did not return emails seeking comment.

Several groups have accused the U.S. government of having knowledge of, and by implication secretly exploiting, a similar software flaw called Heartbleed before it became public and could be patched. The government denied knowing of the bug in advance.

The groups have argued that a policy of not using zero day vulnerabilities and releasing information about them to the public would reduce hacking by improving the overall security of software code.

Aitel has worked with major U.S. financial companies to block state-sponsored cyber attacks. His company, Immunity Inc., has developed sophisticated hacking software, similar to the Stuxnet software used against Iran, that is used in securing U.S. networks from nation-state attacks.

Steve Ward, senior director at iSight, said the company has not proved conclusively the Russian government was behind Sandworm but all the signs indicate it was.

"We are convinced this was a cyber espionage campaign and have not seen any activity associated with cyber crime," another Russian specialty, Ward said in an interview.

Ward said that, due to a lapse in the hackers’ security, a command and control service was accessed and was found to contain a help file in Russian.

"The motives and methods and the targets of this group are all aligned with Russian national interests."

Among the known targets were the Ukrainian government, a U.S. government organization, the NATO military alliance, headquartered in Belgium, a western European government, a Polish energy firm and a French telecommunications company.

"Though we have not observed details on what data was exfiltrated in this campaign, the use of this zero day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree," the company said.

A zero day flaw is a previously unknown vulnerability in software that allows remote users to gain access to internal computers and networks to steal data or disrupt systems. The term is based on network administrators having zero days from the time the flaw is discovered to fix the problem before facing a cyber intrusion.

Aitel said the latest Russian cyber attacks highlight Moscow’s computer network penetration capabilities.

"There is really no target that the Russians want to get into, that they haven’t gotten into," he said.