
Don’t Be Taken Hostage Part 1: Even the NSA Gets Hacked


In this article, Sollensys Corp tells the story of the hijacked NSA ANT toolbox and discusses the current trends contributing to a rise in ransomware attacks.

No One Is Safe.

The average cost of a malware attack on a company is $3.86 million, according to IBM’s Cost of a Data Breach Report. And if you think your business is too small to be a desirable target, think again. According to a Verizon Data Breach Investigations Report, 43% of data breach victims are small businesses.

Never underestimate the value of your data. Every business should have a thorough cybersecurity contingency plan that addresses how to recover IT services and data backups in the event of a security breach or disaster.

No one is safe.  

On December 29th, 2013, Jacob Appelbaum, journalist and security expert, published on the Der Spiegel website a Top Secret 50-page catalog leaked from the world’s most elite cybersecurity organization: the NSA. The catalog consists of hardware devices and software implants used by the NSA’s top operative unit for everything from counterterrorism to cyber attacks to basic espionage.

This cyber arsenal of exploits was hijacked from an elite NSA hacking division known as Advanced Network Technology (ANT), which is tasked with finding backdoors into everything from corporate servers, firewalls and workstations to home routers and personal cell phones.

ANT builds toolboxes, like the one leaked by Der Spiegel, for the Office of Tailored Access Operations, or TAO (since renamed Computer Network Operations), a cyberwarfare intelligence-gathering unit of the NSA. TAO is often tasked with getting the “ungettable”.

“In cases where TAO’s usual hacking and data-skimming methods don’t suffice, ANT workers step in with their special tools, penetrating networking equipment, monitoring mobile phones and computers and diverting or even modifying data.”

(“Catalog Advertises NSA Toolbox”, Der Spiegel)

TAO is focused on computer and network exploitation, but it often collaborates with other intelligence agencies. For example, CIA agents will intercept deliveries of devices or networking equipment and divert the electronics to one of TAO’s clandestine workshops. TAO agents then install malware and/or malicious hardware to give agents remote access, or at least the ability to eavesdrop.

The ANT catalog published by Der Spiegel reads like a Top Secret, high-end department store catalog for cyberspies, the contents of which would make even James Bond’s eyes dilate. For example:

  • SWAP exploits the motherboard BIOS and the hard drive’s Host Protected Area to enable remote control of a variety of operating systems including FreeBSD, Linux, Solaris and Windows.
  • DROPOUTJEEP grants remote access to first-generation iPhones and control through SMS or data service, allowing for upload and download of files, activating the phone’s camera and microphone, browsing the address book, diverting text messages, intercepting voicemails and determining the user’s location.
  • FEEDTROUGH burrows into Juniper firewalls to give the NSA remote access and a foothold for installing other tools; it provides persistent access even after reboots and software upgrades, so that spy tools wiped from a system during those processes can be restored.

If these exploits unnerve you, imagine how these technologies have evolved. The toolbox referenced here was leaked in 2013, but it was originally cataloged in 2008, over a decade ago. It would be fascinating to find out what’s in the latest and greatest toolbox, albeit also a bit terrifying. Because the reality is that if the good guys have it, the other guys can get it.

To add fuel to the fire of this ever-expanding threat landscape, we’re in the midst of a pandemic. And while the pandemic has been a historic disruption to most businesses, it’s been a boon for cybercriminals. With so many individuals working remotely without the level of security afforded by office networks, bad actors have a much broader attack surface from which to prey on companies.

The biggest malware threat today to most businesses is ransomware.  

“Ransomware thrives during COVID-19 pandemic, with new samples increasing by 72%.”

(Skybox Security, Mid-Year 2020 Vulnerability and Threat Trends Report)

Ransomware is an especially malicious type of malware that encrypts your data, making it inaccessible until a ransom fee is paid. It can be as simple as locking an individual out of their personal computer with a pop-up message that instructs the victim to pay. Or it can be a highly sophisticated attack that spreads throughout a network, completely infiltrating the virtual infrastructure of a company before showing itself and deploying the ransom demand.

Ransomware uses asymmetric encryption. The attacker generates a unique key pair: a public key used to encrypt the data and a private key used to decrypt it. The private key stays on the attacker’s server until the ransom is paid, and then it goes to the victim to recover their data… in theory. It’s not unheard of for these cybercriminals not to live up to their end of the bargain.
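Because the data is encrypted with a key the victim never holds, the practical defensive question raised by the two paragraphs above is how to notice the encryption while it is happening, not how to undo it afterwards. Encrypted output is statistically close to random (near 8 bits of entropy per byte), and ransomware writes a lot of it in a short time, so a burst of high-entropy file writes is a common detection heuristic. The following is an added example written for this article, not code from Sollensys or from any product it describes; the file-write events, paths and “ciphertext” are constructed inline, and a real deployment would read such events from an EDR, auditd or ETW feed instead.

```python
"""Entropy-based heuristic for spotting a ransomware-style mass-encryption burst.

Added example (not from the original post). Assumes a feed of file-write
events as (timestamp_seconds, path, bytes_written) tuples sorted by time.
"""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or uniform input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.2, min_size: int = 256) -> bool:
    """Encrypted (and compressed) output sits close to 8 bits/byte.
    Small writes are ignored because the entropy estimate is noisy on them."""
    return len(data) >= min_size and shannon_entropy(data) >= threshold


def detect_encryption_burst(events, window_seconds: int = 60, max_suspicious: int = 3):
    """Return (timestamp, path) for every high-entropy write that lands once more
    than `max_suspicious` such writes already fall inside the sliding window.
    A single high-entropy write (a zip, a JPEG) is normal; a burst is not."""
    suspicious = [(ts, path) for ts, path, data in events if looks_encrypted(data)]
    alerts = []
    start = 0
    for i, (ts, path) in enumerate(suspicious):
        while ts - suspicious[start][0] > window_seconds:
            start += 1                      # slide the window forward
        if i - start + 1 > max_suspicious:  # writes currently inside the window
            alerts.append((ts, path))
    return alerts


def _pseudo_random_bytes(seed: str, n: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed)."""
    out, block = bytearray(), seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed sample data: ordinary office text versus ciphertext-like bytes.
PLAINTEXT = b"Quarterly revenue report: Q1 revenue grew 4% over Q4; see attached tables.\n"
SAMPLE_EVENTS = [
    (0,   "/srv/share/q1-report.docx",        PLAINTEXT * 40),
    (5,   "/srv/share/notes.txt",             PLAINTEXT * 20),
    (30,  "/srv/share/q1-report.docx.locked", _pseudo_random_bytes("a", 2048)),
    (31,  "/srv/share/notes.txt.locked",      _pseudo_random_bytes("b", 2048)),
    (33,  "/srv/share/budget.xlsx.locked",    _pseudo_random_bytes("c", 2048)),
    (34,  "/srv/share/contracts.pdf.locked",  _pseudo_random_bytes("d", 2048)),
    (40,  "/srv/share/photo.jpg.locked",      _pseudo_random_bytes("e", 2048)),
    (500, "/home/alice/archive.zip",          _pseudo_random_bytes("z", 2048)),  # lone, benign
]

if __name__ == "__main__":
    for ts, path, data in SAMPLE_EVENTS:
        print(f"{ts:4d}s  {shannon_entropy(data):.2f} bits/byte  {path}")
    for ts, path in detect_encryption_burst(SAMPLE_EVENTS):
        print(f"ALERT at {ts}s: high-entropy write burst, latest file {path}")
```

The threshold and window are tuning knobs, not magic numbers: compressed archives, images and already-encrypted backups all score near 8 bits/byte, which is why the alert keys on a burst of such writes within a short window rather than on any single file. The archive write at 500 seconds in the sample is deliberately left unflagged for that reason.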

Ransomware attacks can bring companies to their knees. Not only do you have malicious actors crawling into the deepest recesses of your network looking for any and every scrap of data they can use to exploit you; your business cannot operate.

In fact, the attack itself is only part of the cost incurred by a ransomware attack. According to that same 2020 IBM report, the average time to identify and contain a breach was 280 days, while lost business averaged $1.52 million, nearly 40% of the total cost of a breach.

And while paying the ransom to get back to business may seem like the lesser of two evils, it’s not. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory on October 1st warning that “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”

Even if there were no possible legal ramifications, paying the ransom is throwing good money after bad and compounding the hit to the bottom line. According to the Sophos report The State of Ransomware 2020, paying the ransom doubles the cost of dealing with a ransomware attack, and it doesn’t guarantee you will get your data decrypted.

So what can you do? Understand the threat landscape and create a thorough cybersecurity contingency plan that includes multiple data backups, so that business continuity is ensured if your data is taken hostage.
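A backup only ensures continuity if the copy you restore from is intact, and ransomware that reaches a network share will happily encrypt or delete the backups stored on it. A cheap control is to record a cryptographic hash of every file at backup time and verify a restored tree against that manifest before trusting it. The following is an added example written for this article, not Sollensys code and not a description of any Sollensys product; it uses only the Python standard library, and the file tree, the simulated damage and the ransom-note filename are all constructed for the demonstration.

```python
"""Backup manifest: hash every file at backup time, verify the restored copy later.

Added example (not from the original post). Assumes plain directory trees.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX separators) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, root: Path) -> dict:
    """Compare a restored tree against the manifest captured at backup time.
    'modified' covers files overwritten or encrypted in place, 'missing' covers
    deletions, and 'extra' surfaces files that were never backed up (ransom notes)."""
    current = build_manifest(root)
    return {
        "ok": sorted(k for k in manifest if current.get(k) == manifest[k]),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "extra": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: back up three files, then damage the backup copy
    the way a ransomware incident would, and verify it against the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "share"
        (src / "contracts").mkdir(parents=True)
        (src / "ledger.csv").write_text("date,amount\n2020-10-01,120.00\n")
        (src / "contracts" / "acme.txt").write_text("Master services agreement\n")
        (src / "notes.txt").write_text("remember to rotate keys\n")

        # Backup step: copy the tree and store the manifest *separately* from it.
        manifest = build_manifest(src)
        backup = Path(tmp) / "backup"
        shutil.copytree(src, backup)
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))

        # Simulated damage to the backup copy (constructed, not a real sample):
        # one file overwritten with junk, one deleted, one ransom note dropped.
        (backup / "ledger.csv").write_bytes(b"\x8f\x13\x42\x00junk\xff\xfe")
        (backup / "notes.txt").unlink()
        (backup / "README_DECRYPT.txt").write_text("your files are encrypted\n")

        # Restore step: reload the stored manifest and verify before trusting the copy.
        stored = json.loads(manifest_path.read_text())
        return verify_restore(stored, backup)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:9s} {files}")
```

The manifest must live somewhere the attacker cannot reach from the compromised host (an offline or write-once location), otherwise whoever can rewrite the backups can rewrite the hashes too. The same verification run against a clean copy returns every file under "ok" and empty lists elsewhere, which is the condition a restore runbook should require before the copy is promoted back into production.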

This is the first part of a series; each article will dive further into ransomware while also providing insight into how best to protect your business from a malware disruption.  

Join us next time for the story of the largest cyberattack in history, with an estimated $4 billion in financial losses worldwide, and learn about the different types of ransomware attacks.


Cybersecurity is a growing threat ☠️ & Ransomware Attacks are impacting businesses worldwide… Learn how the Sollensys Blockchain Archive Server™ (BAS) eliminates ransomware disruptions and improves business continuity.

About Sollensys:

Sollensys Corp™ is a Distributive Data company, specializing in Blockchain solutions that help organizations recover quickly from Ransomware attacks.



© Copyright 2020 – Sollensys Corp.