Cisco Hack: Leaked NSA Tools Are Already Being Used by Bad Actors

It’s said that those who live by the sword, die by the sword. As for those who live by advanced malware? They’re probably also regretting some of their life choices.

As you’re probably already aware, the NSA was breached this summer by a group of nation-state attackers known only as “The Shadow Brokers.” Part of this breach included a large number of advanced hacking tools, which have been linked to a specialized NSA hacking team called “The Equation Group.” These tools were auctioned off for Bitcoin, and now it appears that attackers have hacked Cisco with tools stolen from the NSA’s own arsenal.

A Stolen Hoard of Weaponized Software

The Equation Group could be referred to, without hyperbole, as the Seal Team Six of hackers. Attacks have been pulled off by intercepting CDs, USB drives, and computer systems in the mail, installing malware on them, and returning them to the postal system. They’ve been linked to breaches that seem nearly impossible.

For instance, the Equation Group is closely linked to Stuxnet, which mapped and breached an air-gapped system. Stuxnet’s inheritor, Regin, was used to breach internet service providers and spy on the governing body of the European Union. If their tools are out in the hands of unfriendly attackers, security professionals have a lot to worry about.

What Are the Consequences of the Cisco Hack?

The tools stolen from the Equation Group won’t necessarily allow hackers to steal large amounts of data over a short amount of time. Rather, the aim was to strategically breach and intercept secure communications over a long period. As an example, one hacking tool allowed a security researcher to obtain passwords to a VPN (also a Cisco appliance, albeit an outdated one).

On the other hand, this newest breach allowed attackers to hack Cisco infrastructure by sending just a single malicious packet. Not only does this represent instant gratification for hackers, it signals a more ominous potential ramification. Cisco equipment—especially VPN systems—are often used to secure the industrial control systems that govern critical infrastructure. The ability to hack Cisco VPNs might come in handy for any attacker looking to cause their own version of Stuxnet, or the Blackenergy hack.

Is There a Silver Lining to the Hack?

Just about the only thing that administrators can breathe easy about is the fact that Cisco has a huge and competent team of security professionals working to detect and patch intrusions by state-level actors. The fact that they were able to detect the use of an NSA-level hacking tool is a testament to their abilities. This should be encouraging.

On the other hand, many administrators still might not know that they’re running systems that are vulnerable to breaches. Other administrators might know that there’s a patch available to mitigate the Cisco hack, but could find themselves unable to apply the patch due to compatibility or dependency issues. This is a problem, because patching is one of the only good defenses available against this kind of breach. For one thing, these tools were designed to break firewalls, and signature or math-based endpoint protection won’t detect this kind of malware—because it won’t have been seen before in the wild.

In order to beat advanced malware, administrators need to choose a tool it can’t hide from. SentinelOne combines cloud-based detection, dynamic behavioral analysis, and automatic mitigation in order to create a solution that small to large businesses can use to protect themselves. Since our solution recognizes malware based on its suspicious behavior, it’s much harder for it to hide—even if it happens to be classified spyware designed by super-scientists and purchased on the black market with crypto-currency.

For more information on SentinelOne, and how our endpoint and server protection products can help defend your enterprise, check out our white paper on The Democratization of Nation-State Attacks.