Leaked NSA Hacking Tools, Tactics, In Focus

Enterprises worry about NSA 'copycat' spying scenarios

Dark Reading logo in a gray background | Dark Reading

The NSA's catalog of custom hacking tools for popular networking and consumer products recently leaked by former contractor Edward Snowden provided a rare glimpse at the arsenal at the fingertips of the spy agency's hackers.

But the tools were not unlike many techniques and weapons employed by criminals or other espionage cyberattackers, experts say. Take DROPOUT JEEP, the NSA-built hacking tool included in its recently published catalog in 2008 that hacks iPhones. DROPOUT JEEP is technically a remote access Trojan or RAT, says Lucas Zaichkowsky, enterprise defense architect at incident response and forensics firm AccessData.

Zaichkowsky says based on the leaked information and diagrams, NSA hackers are operating the RAT backdoor for their intelligence-gathering operations. The RAT backdoor likely has a small footprint and can be updated with plugins for various functions, he says.

"They're just jailbreaking the iPhone," Zaichkowsky says. "It's a remote administrative tool ... it can take pictures, do keystroke recording," not unlike other RATs, he says.

The version leaked by Snowden is for attacks that require close proximity to the target, but the NSA's description of the tool says a remote installation capability was on the horizon. The documents were published late last month by Der Spiegel, exposing the NSA's elite hacking team, called the Tailored NSA's Tailored Access Operations (TAO) Group, and the agency's homegrown hacking tools.

Apple has reportedly denied providing the NSA with any backdoors to its products. "Apple has never worked with the NSA to create a backdoor in any of our products, including iPhone. Additionally, we have been unaware of this alleged NSA program targeting our products," the company said in statement. "We will continue to use our resources to stay ahead of malicious hackers and defend our customers from security attacks, regardless of who’s behind them.

"My initial thought was that Apple didn't give them [access]," Zaichkowsky says. "[The NSA] may have found some network-based exploits and sent specially crafted packets over the network," he says. "If there isn't proper input validation, then you end up jailbreaking the iPhone, exploiting it, and getting kernel-mode or root access" on the targeted iPhone, he says.

[Treasure trove of tools created and used by NSA hackers for planting backdoors via Cisco, Juniper, Apple products unveiled in latest document leaks. See NSA Elite Hacking Team Operations Exposed.]

The actual damage these NSA operations revelations have had -- and will have -- on security has been debated within the security community since the Snowden leaks began this past summer. While the scope of the NSA's operations is under scrutiny, the agency is basically doing its own bug-hunting not unlike an advanced attacker would do, experts say.

"Any attacker could be finding zero-days. It's less bad if we know our people know what those exploits are and are keeping an eye out, instead of having no clue those exploits exist," Zaichkowsky says. NSA needs more external checks and balances surrounding its operations, however, he says.

But the fallout has already been felt not only within the U.S. as vendors have expressed concerns about the NSA's operations, but also overseas.

Ron Gula, CEO and CTO of Tenable, says he has seen European and Asian markets going sour on U.S.-based cloud firms in the wake of the NSA revelations. That has actually boosted Tenable's business, he says. "Since our stuff is inside the network, we have been able to switch out with some of our competitors who are cloud-based," he says. But that's only a temporary trend, he says.

The bigger worry of most enterprises in the wake of the leaked NSA documents outlining some controversial and widespread spying operations, as well as backdoors in popular products, is copycat scenarios, Gula says. "More organizations are going to be interested in 'becoming' NSA," he says. "There are technologies out there that take a movie of your desktop and play it later. That has dramatic ramifications for HR and IT security, with competitive intel [at risk]."

Most enterprises are just as worried about their top researchers being hired away, and being attacked by APTs, he says.

Not much is likely to change at NSA until any legal proceedings occur, says privacy expert Mark Weinstein, CEO of Sgrouples. "It's business as usual right now," Weinstein says. "This really has to work through our court systems. The courts are going to have to redefine what the Fourth Amendment means ... and it's going to take a couple of years" to hash out, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights