NEWARK, NEW JERSEY
There have been times over the past two months when Golan Ben-Oni has felt like a voice in the wilderness.
On April 29, someone hit his employer, IDT Corp, with two cyberweapons that had been stolen from the National Security Agency. Ben-Oni, the global chief information officer at IDT, was able to fend them off, but the attack left him distraught.
In 22 years of dealing with hackers of every sort, he had never seen anything like it. Who was behind it? How did they evade all of his defences? How many others had been attacked but did not know it?
Since then, Ben-Oni has been sounding alarm bells, calling anyone who will listen at the White House, the FBI, the New Jersey attorney general’s office and the top cybersecurity companies in the country to warn them about an attack that may still be invisibly striking victims undetected around the world.
And he is determined to track down whoever did it.
“I don’t pursue every attacker, just the ones that [expletive] me off,” Ben-Oni said recently over lentils in his office, which was strewn with empty Red Bull cans. “This [expletive] me off and, more importantly, it [expletive] my wife off, which is the real litmus test.”
Two weeks after IDT was hit, the cyberattack known as WannaCry ravaged computers at hospitals in England, universities in China, rail systems in Germany, even auto plants in Japan. No doubt it was destructive. But what Ben-Oni had witnessed was much worse, and with all eyes on the WannaCry destruction, few seemed to be paying attention to the attack on IDT’s systems — and most likely others around the world.
The strike on IDT, a conglomerate with headquarters in a nondescript grey building here with views of the Manhattan skyline 15 miles away, was similar to WannaCry in one way: Hackers locked up IDT data and demanded a ransom to unlock it.
But the ransom demand was just a smoke screen for a far more invasive attack that stole employee credentials. With those credentials in hand, hackers could have run free through the company’s computer network, taking confidential information or destroying machines.
Worse, the assault, which has never been reported before, was not spotted by some of the nation’s leading cybersecurity products, the top security engineers at its biggest tech companies, government intelligence analysts or the FBI, which remains consumed with the WannaCry attack.
Were it not for a digital black box that recorded everything on IDT’s network, along with Ben-Oni’s tenacity, the attack might have gone unnoticed.
Scans for the two hacking tools used against IDT indicate that the company is not alone. In fact, tens of thousands of computer systems all over the world have been “backdoored” by the same NSA weapons. Ben-Oni and other security researchers worry that many of those other infected computers are connected to transportation networks, hospitals, water treatment plants and other utilities.
An attack on those systems, they warn, could put lives at risk. And Ben-Oni, fortified with adrenalin, Red Bull and the house beats of Deadmau5, the Canadian record producer, said he would not stop until the attacks had been shut down and those responsible were behind bars.
“The world is burning about WannaCry, but this is a nuclear bomb compared to WannaCry,” Ben-Oni said. “This is different. It’s a lot worse. It steals credentials. You can’t catch it, and it’s happening right under our noses.”
And, he added, “The world isn’t ready for this.”
As IDT started acquiring and spinning off an eclectic list of ventures, Ben-Oni found himself responsible for securing shale oil projects in Mongolia and the Golan Heights, a “Star Trek” comic books company, a project to cure cancer, a yeshiva university that trains underprivileged students in cybersecurity, and a small mobile company that Verizon recently acquired for $3.1 billion.
Which is to say he has encountered hundreds of thousands of hackers of every stripe, motivation and skill level. He eventually started a security business, IOSecurity, under IDT, to share some of the technical tools he had developed to keep IDT’s many businesses secure. By Ben-Oni’s estimate, IDT experiences hundreds of attacks a day on its businesses, but perhaps only four each year that give him pause.
Nothing compared to the attack that struck in April. Like the WannaCry attack in May, the assault on IDT relied on cyberweapons developed by the NSA that were leaked online in April by a mysterious group of hackers calling themselves the Shadow Brokers — believed to be Russia-backed cybercriminals, an NSA mole, or both.
The WannaCry attack — which the NSA and security researchers have tied to North Korea — employed one NSA cyberweapon; the IDT assault used two.
Both WannaCry and the IDT attack used a hacking tool the agency had code-named EternalBlue. The tool took advantage of unpatched Microsoft servers to automatically spread malware from one server to another, so that within 24 hours North Korea’s hackers had spread their ransomware to more than 200,000 servers around the globe.
The attack on IDT went a step further with another stolen NSA cyberweapon, called DoublePulsar. The NSA used DoublePulsar to penetrate computer systems without tripping security alarms. It allowed NSA spies to inject their tools into the nerve centre of a target’s computer system, called the kernel, which manages communications between a computer’s hardware and its software.
In the pecking order of a computer system, the kernel is at the very top, allowing anyone with secret access to it to take full control of a machine. It is also a dangerous blind spot for most security software, allowing attackers to do what they want and go unnoticed. In IDT’s case, attackers used DoublePulsar to steal an IDT contractor’s credentials. Then they deployed ransomware in what appears to be a cover for their real motive: broader access to IDT’s businesses.
Ben-Oni learnt of the attack only when a contractor, working from home, switched on her computer to find that all her data had been encrypted and that attackers were demanding a ransom to unlock it. He might have assumed that this was a simple case of ransomware.
But the attack struck Ben-Oni as unique. For one thing, it was timed perfectly to the Sabbath. Attackers entered IDT’s network at 6pm. Saturday on the dot, 2 1/2 hours before the Sabbath would end and when most of IDT’s employees — 40 per cent of whom identify as Orthodox Jews — would be off the clock. For another, the attackers compromised the contractor’s computer through her home modem — strange.
The black box of sorts, a network recording device made by the Israeli security company Secdo, shows that the ransomware was installed after the attackers had made off with the contractor’s credentials. And they managed to bypass every major security detection mechanism along the way. Finally, before they left, they encrypted her computer with ransomware, demanding $130 to unlock it, to cover up the more invasive attack on her computer.
Ben-Oni estimates that he has spoken to 107 security experts and researchers about the attack, including the chief executives of nearly every major security company and the heads of threat intelligence at Google, Microsoft and Amazon.
With the exception of Amazon, which found that some of its customers’ computers had been scanned by the same computer that hit IDT, no one had seen any trace of the attack before Ben-Oni notified them. The New York Times confirmed Ben-Oni’s account via written summaries provided by Palo Alto Networks, Intel’s McAfee and other security firms he used and asked to investigate the attack.
“I started to get the sense that we were the canary,” he said. “But we recorded it.”
Since IDT was hit, Ben-Oni has contacted everyone in his Rolodex to warn them of an attack that could still be worming its way, undetected, through victims’ systems.
“Time is burning,” Ben-Oni said. “Understand, this is really a war — with offence on one side, and institutions, organisations and schools on the other, defending against an unknown adversary.”
Since the Shadow Brokers leaked dozens of coveted attack tools in April, hospitals, schools, cities, police departments and companies around the world have largely been left to fend for themselves against weapons developed by the world’s most sophisticated attacker: the NSA.
A month earlier, Microsoft had issued a software patch to defend against the NSA hacking tools — suggesting that the agency tipped the company off to what was coming. Microsoft regularly credits those who point out vulnerabilities in its products, but in this case the company made no mention of the tipster. Later, when the WannaCry attack hit hundreds of thousands of Microsoft customers, Microsoft’s president, Brad Smith, slammed the government in a blog post for hoarding and stockpiling security vulnerabilities.
For his part, Ben-Oni said he had rolled out Microsoft’s patches as soon as they became available, but attackers still managed to get in through the IDT contractor’s home modem.
Six years ago, Ben-Oni had a chance meeting with an NSA employee at a conference and asked him how to defend against modern-day cyberthreats. The NSA employee advised him to “run three of everything”: three firewalls, three anti-virus solutions, three intrusion detection systems. And so he did.
But in this case, modern-day detection systems created by Cylance, McAfee and Microsoft and patching systems by Tanium did not catch the attack on IDT. Nor did any of the 128 publicly available threat intelligence feeds that IDT subscribes to. Even the 10 threat intelligence feeds that his organisation spends a half-million dollars on annually for urgent information failed to report it. He has since threatened to return their products.
“Our industry likes to work on known problems,” Ben-Oni said. “This is an unknown problem. We’re not ready for this.”
No one he has spoken to knows whether they have been hit, but just this month, restaurants across the United States reported being hit with similar attacks that were undetected by anti-virus systems. There are now YouTube videos showing criminals how to attack systems using the very same NSA tools used against IDT, and Metasploit, an automated hacking tool, now allows anyone to carry out these attacks with the click of a button.
Worse still, Ben-Oni said, “No one is running point on this.”
Last month, he personally briefed the FBI analyst in charge of investigating the WannaCry attack. He was told that the agency had been specifically tasked with WannaCry and that even though the attack on his company was more invasive and sophisticated, it was still technically something else, and therefore the FBI could not take on his case.
The FBI did not respond to requests for comment.
So Ben-Oni has largely pursued the case himself. His team at IDT was able to trace part of the attack to a personal Android phone in Russia and has been feeding its findings to Europol, the European law enforcement agency based in The Hague.
The chances that IDT was the only victim of this attack are slim. Sean Dillon, a senior analyst at RiskSense, a New Mexico security company, was among the first security researchers to scan the internet for the NSA’s DoublePulsar tool. He found tens of thousands of host computers were infected with the tool, which attackers could use at will.
“Once DoublePulsar is on the machine, there’s nothing stopping anyone else from coming along and using the back door,” Dillon said.
More distressing, Dillon tested all the major anti-virus products against the DoublePulsar infection and a demoralising 99 per cent failed to detect it.
“We’ve seen the same computers infected with DoublePulsar for two months, and there is no telling how much malware is on those systems,” Dillon said. “Right now we have no idea what’s gotten into these organisations.”
In the worst case, Dillon said, attackers could use those back doors to unleash destructive malware into critical infrastructure, tying up rail systems, shutting down hospitals or even paralysing electrical utilities.
Could that attack be coming? The Shadow Brokers resurfaced last month, promising a fresh load of NSA attack tools, even offering to supply them for monthly paying subscribers — like a wine-of-the-month club for cyberweapon enthusiasts.
In a hint that the industry is taking the group’s threats seriously, Microsoft issued a new set of patches to defend against such attacks. The company noted in an ominously worded message that the patches were critical, citing an “elevated risk for destructive cyberattacks.”
Ben-Oni is convinced that IDT is not the only victim and that these tools can and will be used to do far worse.
“I look at this as a life-and-death situation,” he said. “Today it’s us, but tomorrow it might be someone else.”