Yesterday, the Shadow Brokers released the password for the encrypted zip file they seeded last year.
This release gives threat intelligence teams unprecedented insight into the capabilities of the Equation Group hackers. The dump appears to contain only Linux and Unix tools and exploits, so organizations running only Windows don't need to react to the tools in this release (though they should still check their available netflow and firewall logs for evidence that they have communicated with the redirection hosts posted here). For organizations running Linux and/or Unix, it should be noted that most of the exploits target older software versions.
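One way to run the netflow/firewall log check described above, as an added example that is not part of the original post: the indicator list and flow records below are constructed placeholders (the real redirection hosts are in the linked post), and the five-field flow format is an assumption; swap in your exporter's format.

```python
import ipaddress

# Placeholder indicators, constructed for this example; replace with the
# published redirection hosts. Single IPs and CIDR ranges are both accepted.
REDIRECTION_HOSTS = {
    "203.0.113.10",        # single host (placeholder)
    "198.51.100.0/24",     # whole range (placeholder)
}

# Pre-parse indicators so each flow is matched against ip_network objects.
INDICATOR_NETS = [ipaddress.ip_network(h, strict=False) for h in REDIRECTION_HOSTS]

# Constructed flow records: "timestamp src dst dport bytes", one per line.
SAMPLE_FLOWS = """\
2017-04-15T10:00:01Z 10.0.0.5 203.0.113.10 443 5120
2017-04-15T10:00:02Z 10.0.0.7 93.184.216.34 443 8800
2017-04-15T10:01:10Z 10.0.0.9 198.51.100.77 22 910
2017-04-15T10:02:00Z 10.0.0.5 10.0.0.1 53 120
this line is malformed on purpose
"""


def find_redirection_contacts(flow_text, nets=INDICATOR_NETS):
    """Return every flow whose destination falls inside an indicator network.

    Malformed lines and non-IP destinations are skipped rather than raising,
    so one bad export line does not abort a full-log sweep.
    """
    hits = []
    for lineno, line in enumerate(flow_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, src, dst, dport, _nbytes = fields
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue
        for net in nets:
            if dst_ip in net:
                hits.append({"line": lineno, "ts": ts, "src": src,
                             "dst": dst, "dport": int(dport), "matched": str(net)})
                break  # one indicator match per flow is enough to flag it
    return hits


if __name__ == "__main__":
    for hit in find_redirection_contacts(SAMPLE_FLOWS):
        print(hit)
```

Every hit records which indicator matched, so an analyst can tell a single-host match from a range match when triaging.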
However, the dump is still significant for threat intelligence professionals. Because Equation Group is likely typical of other nation state hacking groups, the dump offers unprecedented insight into the capabilities and targets of an Advanced Persistent Threat (APT) actor.
Is there a lesson here for businesses?
Absolutely. Many businesses hold data that, if stolen and released, could influence foreign policy. At Rendition Infosec, we are advising clients to critically analyze the data in their possession and red team how attackers might use that data in unconventional ways. If an organization assesses that it holds this type of data, it should update its threat model to include the possibility that APT groups will go after it.
Some examples of data that might take control of the news cycle and/or influence foreign policy might be:
- Data from NGOs that might embarrass a government
- Data that can be framed to show “evidence” of collusion or corruption
- Budget information that can be framed to show “evidence” of ethically questionable allocations
- Purchase orders for “dual use” technology that might be framed to appear illegal/immoral
There are countless other examples of data that attackers might use to take control of the news cycle and possibly even influence foreign policy. When evaluating the likelihood that attackers might target a particular data element, remember that the truth of the issue is less important than how an attacker might frame it.
If your organization has never been through a threat modeling exercise, now is the time to start. A good threat model will help you find intelligence gaps in your detection and monitoring strategies from a target-centric view.
If your threat model is up to date, consider how your organization would respond to an attacker releasing some of your data and framing it as if your organization is doing something illegal or unethical. This type of tabletop exercise involves far more people than your traditional “someone hacked us” scenario. Think of including business operations leadership, public relations, legal, marketing, social media engagement, and call center management (in addition to all the regular players).
When constructing a tabletop exercise using this type of scenario, remember that the truth is less important than the framing. The attacker is likely to release just enough data to seed an idea and control the narrative. How would your organization respond?
If you need assistance with a tabletop exercise or threat modeling, don't hesitate to contact Rendition Infosec, and one of our world-class information security consultants will customize a solution to meet your needs.