How Snowden Breached the NSA from the Inside

Photo credit: Rena Schild/
Photo credit: Rena Schild/

In fact, suggests Venafi, Snowden used a methodology that is widely used by cybercriminals and effectively used by the NSA itself in its Stuxnet attack on Iran: attacking the keys and certificates that provide trust. Back in July, Forrester Research produced a report (itself commissioned by Venafi) titled Attacks On Trust: The Cybercriminal's New Weapon. It says, "Yet, your average enterprise is unlikely to have an incident response plan for an attack on keys and certificates."

This is the crux of the attack: as an administrator Snowden was able to fabricate digital certificates and cryptographic keys; but the NSA had no ability to detect the forgeries. "The NSA had no awareness of the keys and certificates in use, no ability to detect anomalies, and no ability to respond to an attack," writes Venafi CEO Jeff Hudson.

Snowden, suggests Venafi, followed the classic steps described by Lockheed Martin in the paper titled Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. But Snowden didn't need to employ all of the steps: 'delivery' wasn't necessary because he was already inside the network. What was left was reconnaissance, intrusion and exfiltration.

Using the SSH keys issued to an administrator he was able to locate, although not access, the files he wanted to steal; and determine methods to obtain them. Venafi suggests that this process also gave him access to other SSH keys that he would use later.

The next step was to gain access to the classified servers while simultaneously covering his tracks: the intrusion stage. For this he used stolen SSH credentials, probably obtained during the reconnaissance stage, to both get in and subsequently leave a secure backdoor on those target systems ready for stage 2.

For exfiltration Snowden transferred the data over encrypted channels to his own external file share using self-signed certificates that he created himself. So as far as the NSA was concerned, these signed transmissions were safe and authorized, and merely allowed to pass unquestioned. Since security systems cannot inspect encrypted data without the keys to decrypt it, there was no way to recognize and prevent the exfiltration.

This is the basic problem: key and certificate populations are rarely known and monitored for anomalous behavior by the companies concerned. And this is the weakness Snowden knew and exploited.

Venafi is challenging the NSA to prove its analysis wrong. "If we’re wrong," writes Hudson, "we invite the NSA and Edward Snowden to correct us. NSA Director General Keith Alexander wants to promote information sharing, and now is the perfect opportunity."

But this is more than an academic exercise. The Forrester study shows just how many companies are vulnerable to attacks against their own keys and certificates. "As a leading organization responsible for contributing to US national and global cyber defense, the NSA has a responsibility to disclose the truth behind the breach,” says Hudson. “Until the agency openly admits what happened along with all of the steps it’s taken to correct the problem, all organizations that rely on keys and certificates to ensure trust will remain vulnerable to this attack vector.”

What’s Hot on Infosecurity Magazine?