IDT Corporation (International Discount Telecommunications), an American public telecommunications company, was attacked by hackers using cyber weapons stockpiled by the NSA (National Security Agency). The stolen tools are code-named EternalBlue and DoublePulsar.
EternalBlue, used by the hacker group Shadow Brokers, exploited "unpatched Microsoft servers to spread malware from one server to another", reported Nicole Perlroth of The New York Times. The other tool, DoublePulsar, was used "to steal an IDT contractor's credentials", wrote Perlroth. The aim was to gain broader access to IDT's employee credentials and to IDT's other businesses.
The unusual aspect of the attack was that the ransomware was only used as a 'smokescreen' to hide the real attempt, which was to gain network-wide access to IDT's employee credentials, according to Ben-Oni.
When Did IDT Become Aware?
The cyber attack took place two hours prior to the end of the Sabbath, a day set aside for rest and worship in the Abrahamic religions. Golan Ben-Oni, Global Chief Information Officer of IDT, was the first to spot the unusual intrusion into the company's networks. The hackers first compromised an IDT contractor's computer through the contractor's home modem. Afterward, the hackers installed ransomware on the contractor's computer to encrypt its data.
Mr. Ben-Oni further shared that the hackers were able to intrude into the network, bypassing every security mechanism the company had put in place to detect such intrusions.
Who Was Behind The Attack?
It is believed that the attack was mounted by Shadow Brokers, allegedly Russia-backed cybercriminals. Part of the evidence points towards a personal Android device in Russia that the hackers used. The company has informed Europol of the incident.
Rep. Jackie Speier: "In my mind, this was—this cyberattack on our country was an act of war." pic.twitter.com/l8u5OXMQnZ
— Kyle Griffin (@kylegriffin1) June 21, 2017
The Motivation Behind The Cyberattack
It was not clear what the motivation was behind selectively targeting IDT. However, Ben-Oni believes his employer is not the only company attacked by the hackers; he has simply been vigilant enough to spot the attack.
He might be right to assume this. An analyst from a Mexican security research company found thousands of host computers infected by DoublePulsar.
Was This Unusual?
The cyber attack did not attract wide media attention. However, the forensic and circumstantial evidence shared with The New York Times and other stakeholders within the corporate industry points towards the non-traditional and clever approach of the hackers.
DoublePulsar allows intrusion tools to be injected into the kernel, the computer program at the core of a computer's operating system, which has complete control over everything in the system. The image below shows that the kernel sits between software and the hardware, handling virtually everything, including system calls, memory, and peripherals (monitors, keyboards, printers, and speakers). All the instructions to the CPU pass through the kernel.
The attack was sophisticated enough to bypass the threat detection of 99 percent of the antivirus software it came across.
The consequences of an IDT-like cyber attack would be massive. Not every organization has threat detection and mitigation infrastructure as sophisticated as IDT's. The company uses "128 publicly available threat intelligence feeds" to detect unusual network traffic or events. It further spends half a million dollars on 10 commercial threat intelligence feeds.
Still, DoublePulsar and EternalBlue did bypass every ring of IDT's security. We might not know how many 'zero-day' vulnerabilities (a software or computer vulnerability that is not publicly reported or announced before it is exploited) are out there as a disaster waiting to happen.
Can a sophisticated attack such as this one on IDT serve as a wake-up call for other companies? Only time will tell.