In late April IDT Corporation was hit with two cyberweapons that were stolen from the National Security Agency. Golan Ben-Oni, the global chief information officer at IDT, fended them off, but the attack left him distraught.
He has been dealing with hackers for over 22 years, but had never seen anything like this. He didn’t know how they evaded his defenses or how many others had been attacked.
Ben-Oni has been in contact with anyone who will listen over this attack, including the White House, the Federal Bureau of Investigation, and top cybersecurity companies around the country to warn them about this invisible attack.
He is determined to find out who did it. Two weeks after the hit on IDT, the ransomware known as WannaCry struck hard around the world. It was undoubtedly destructive, but Ben-Oni had witnessed something much worse. Unfortunately, with WannaCry in the limelight, very few people noticed the attack on IDT’s systems.
The IDT attack was similar to WannaCry in that it shut down systems and demanded a ransom to unlock them. Unfortunately, this was only a cover for the hackers’ true intentions. The hackers stole employee credentials. With those credentials in hand, the hackers could have run free through the company’s computer network, taking confidential information or destroying machines.
Perhaps the worst part is that the attack went unnoticed by some of the nation’s leading cybersecurity products, top security engineers, government intelligence analysts and the FBI.
Luckily for researchers, the digital black box at IDT’s office had recorded the attack.
Scans for the two hacking tools used against IDT indicate that the company is not alone. In fact, tens of thousands of computers all over the world have been “backdoored” by the same NSA weapons.
An attack like this could put lives at risk, especially at a hospital or water treatment plant.
“The world is burning about WannaCry, but this is a nuclear bomb compared to WannaCry,” Ben-Oni said. “This is different. It’s a lot worse. It steals credentials. You can’t catch it, and it’s happening right under our noses.”
“The world isn’t ready for this.”
Targeting the Nerve Center
Nothing Ben-Oni has ever seen compares to the attack that struck in April. Like the WannaCry attack in May, the assault on IDT relied on cyberweapons developed by the NSA that were leaked online in April by a mysterious group of hackers calling themselves the Shadow Brokers — alternately believed to be Russia-backed cybercriminals, an NSA mole, or both.
The WannaCry attack used one NSA cyberweapon; the IDT assault employed two. Both used a hacking tool code-named EternalBlue, which takes advantage of unpatched Microsoft servers to spread malware automatically from one server to another.
The attack on IDT went a step further with another stolen weapon, called DoublePulsar. The NSA used this tool to penetrate computer systems without tripping security alarms. It allows spies to inject their tools into the nerve center of the target’s computer system, the part that manages communications between hardware and software.
In IDT’s case, attackers used DoublePulsar to steal an IDT contractor’s credentials. Then they deployed ransomware in what appears to be a cover for their real motive: broader access to IDT’s businesses.
Ben-Oni only learned of the attack when a contractor tried to open her computer and found a message saying all her data was encrypted and that she must pay a ransom to unlock it. At the time he assumed it was a simple case of ransomware.
But the attack struck Ben-Oni as unique. It was odd that the first attack came from a contractor’s home computer. The digital black box showed that the ransomware was installed only after the attackers had made off with the contractor’s credentials. Along the way they managed to bypass every major security detection mechanism. Finally, they covered up the larger attack with ransomware, and asked for only $130.
When Ben-Oni contacted major companies and corporations, only Amazon had seen the attack before Ben-Oni told them about it. Afterwards, many companies scanned their systems and found they had been hit.
‘No One Is Running Point’
Since the Shadow Brokers leaked dozens of coveted attack tools in April, hospitals, schools, cities, police departments and companies around the world have largely been left to fend for themselves against weapons developed by the world’s most sophisticated attacker: the NSA.
A month earlier, Microsoft had issued a software patch to defend against the NSA hacking tools — suggesting that the agency tipped the company off to what was coming. Microsoft regularly credits those who point out vulnerabilities in its products, but in this case the company made no mention of the tipster.
For his part, Mr. Ben-Oni said he had rolled out Microsoft’s patches as soon as they became available, but attackers still managed to get in through the IDT contractor’s home modem.
The Shadow Brokers resurfaced last month, promising a fresh load of NSA attack tools, even offering to supply them for monthly paying subscribers.
“Understand, this is really a war — with offense on one side, and institutions, organizations and schools on the other, defending against an unknown adversary,” said Ben-Oni.
In a hint that the industry is taking the group’s threats seriously, Microsoft issued a new set of patches to defend against such attacks. The company noted in an ominously worded message that the patches were critical, citing an “elevated risk for destructive cyberattacks.”
These attacks are getting more sophisticated and harder to spot by the day. It is important to take as many precautions as you can and to scan your computers regularly to make sure your company has not been hit. WannaCry may have looked bad, but this attack is much worse.
(Story via New York Times)