US investigators are still struggling to agree on the motive behind a 2011 cyber attack on Nasdaq which featured two pieces of zero-day malware and had been attributed to state-sponsored Russian hackers.
A Bloomberg Businessweek report revealed how both the NSA and CIA were brought in to investigate who carried out the attack, why and how – a task made much more difficult by the lack of logs and forensic information available from Nasdaq's systems at the time.
One of the few bits of evidence on which all sides seem to agree is that two pieces of zero-day malware were used in the attack. The malware was designed not only to exfiltrate sensitive data but also to cause widespread network disruption – the latter perhaps intended to hamper investigators if the attackers were discovered.
Investigators apparently claimed that this level of preparation and sophistication indicated state-sponsored operatives at work. The code in question was similar to that found in malware known to have been designed by spy agency the Federal Security Service of the Russian Federation (FSB) – leading them to believe Moscow was behind the attack.
However, the question of motive has not been answered convincingly. Evidence does not point to the attackers attempting to steal sensitive corporate information from the web-based Director’s Desk comms system, for example.
Another theory put forward by investigators is that the attackers wanted to steal information not from Nasdaq clients but proprietary data about the stock exchange itself, which could then be used to develop a similar platform in Russia.
Perhaps the most worrying element of the case for Nasdaq and its customers is that when investigators did get access to the stock exchange’s systems they apparently discovered not only evidence of this attack but of several distinct groups who had previously infiltrated the network.
F-Secure director of security response, Antti Tikkanen, argued that there is not enough publicly available information to conclude that Moscow had a hand in the attack.
“Zero-days are one indication that the attacker has more resources than on average, but it’s not always the case that zero-days indicate a nation-state actor,” he told Infosecurity.
“I think Nasdaq, along with other high-value targets, are now better equipped than they were in 2010. Are they well-enough equipped to be safe from skilled attackers? Probably not.”