The agency’s precise role in the investigation hasn’t been disclosed, but its involvement suggests the October 2010 attacks may have been more severe than Nasdaq OMX Group has admitted, or it could have involved a nation-state, according to sources that spoke with Businessweek.
“By bringing in the NSA, that means they think they’re either dealing with a state-sponsored attack or it’s an extraordinarily capable criminal organization,” Joel Brenner, former head of U.S. counterintelligence in the Bush and Obama administrations, told the publication. He added that the agency rarely gets involved in investigations of company breaches.
Last year, the NSA was called in by Google to help the company secure its network after it was targeted in a sophisticated attack.
Regarding the Nasdaq breach, in addition to the Secret Service, the FBI and the NSA, unidentified foreign intelligence agencies are also reportedly assisting in the probe.
In February, the Wall Street Journal reported that Nasdaq OMX Group had been repeatedly breached last year.
Nasdaq later confirmed the report but insisted that computers involved in its trading platform were not compromised in the attacks. The company said the attacks were limited to a web application known as Directors Desk that allows board members of Nasdaq companies to hold online meetings and exchange confidential information — data that attackers would conceivably find useful to trade on.
The system also includes “a useful contacts section that includes detailed information about all board members and key company executives” and their relevant contact information – a wealth of information for an attacker aiming to conduct a spear-phishing attack against company executives in order to gain login credentials to their networks.
The Directors Desk, however, may not have been the target but simply an entry point for the hackers to gain further penetration into Nasdaq OMX’s network. According to Businessweek, investigators have acknowledged they still have no idea how far into the network the attack reached or what data the attackers may have stolen.
The attack prompted the House Financial Services Committee to launch a review in February into the security of the nation’s financial infrastructure.
The NSA’s involvement in the investigation is bound to raise concerns among civil libertarians, since the agency has been accused of trying to strong-arm its way into monitoring critical infrastructure networks. In 2009, National Cyber Security Center (NCSC) Director Rod Beckstrom raised a ruckus when he told the House intelligence committee that the NSA, rather than the Department of Homeland Security which currently oversees cybersecurity for the government, should be in charge of securing cyberspace for government and privately-owned critical infrastructure networks.
“The National Security Agency has the greatest repository of cybertalent,” Blair said. “[T]here are some wizards out there at Fort Meade who can do stuff.”
Blair, commenting on the Google hack in 2010, said that cyberspace could not be secured without a “collaborative effort that incorporates both the U.S. private sector and our international partners.”
The NSA, however, has been embroiled since 2005 in allegations that the agency violated federal laws in conducting illegal surveillance of Americans’ phone and internet communications with the help of telecommunications companies. Giving the agency an entree into an investigation of Nasdaq could help the government make a case for allowing the NSA to monitor financial networks to ensure their security.
The NSA referred all questions about the Nasdaq investigation to the FBI, which did not immediately respond to a call for comment from Threat Level.