
How Russian hackers robbed the Nasdaq



Translator’s note: Not long ago, an outage on the New York Stock Exchange was widely discussed, and some observers attributed it to an attack by Anonymous or by Chinese hackers. That case is far from the only one in which stock exchanges have come under attack. Today we present an adapted translation of the story of how another American exchange, Nasdaq, became the target of an attack.

In October 2010, an FBI Internet monitoring system raised an alarm. The source of the signal was the Nasdaq exchange. It looked as if malware had penetrated the exchange’s central servers unnoticed. The attacker, apparently, was not some teenager but the intelligence service of another country. More disturbing still, after a thorough study of the malware, American experts concluded that it was designed not merely to spy on the system but to damage it.
Hacking incidents occur almost every day, and nearly all of them appear on the monitors of tracking centers while remaining unnoticed by the general public. The Chinese, the French, the Israelis, and many other less well-known or less studied players are all, one way or another, engaged in hacking. They steal missile defense plans, chemical formulas, piping diagrams for power plants, and economic information. That is genuine espionage, but military strikes are also delivered with the help of malicious programs. There are only a few known cases of such malware being deployed, the most famous being the Stuxnet worm. Believed by most to be a joint American and Israeli project, Stuxnet temporarily disabled the Iranian uranium enrichment plant at Natanz in 2010. It switched off the safety devices, so that the centrifuges at the very heart of the installation spun out of control. Two years later, Iran damaged two-thirds of Saudi Aramco’s computer systems using the relatively easy-to-develop but rapidly spreading Wiper virus. A senior American official said that he had only once encountered a digital weapon aimed at damaging a particularly important US system, and that was at the Nasdaq exchange.

The October alarm brought the National Security Agency into the investigation, and in 2011 the NSA concluded that there was a potential threat. In the conference room of an 11-story office building in the Washington suburbs, a classified videoconference was held for members of the crisis response team. Alongside a fondue bar and a CrossFit gym, the building housed the National Cybersecurity and Communications Integration Center (NCCIC), whose main task is to detect hacker attacks and coordinate the US government’s response. After reviewing the FBI data and additional information from the NSA, the NCCIC staff quickly agreed that the situation should be reported to senior leadership.

So began an active investigation, which for five months tested the ability of the United States to repel cyber attacks and required the direct involvement of the president. Intelligence and law enforcement agencies, forced to analyze the hackers’ actions under pressure, could barely give senior officials a clear picture. Even after several months of painstaking work, the various government bodies still disagreed about who had organized the incident and for what purpose. “Let me just say that we discovered how representatives of another state managed to gain access to at least one of our stock exchanges, and it’s not quite clear to us what their ultimate goal is,” said Mike Rogers, chairman of the Intelligence Committee in the US House of Representatives and a Michigan Republican. He agreed to discuss what happened only in general terms, since the details are strictly classified. “The problem of the current situation is that no one, it seems to me, can understand it until we feel all the consequences of what happened. And no one would want it to come to that.”

For several months, Bloomberg Businessweek journalists interviewed twenty experts about the attack on the Nasdaq and its consequences, which have never been reported in detail. Nine of them were directly involved in the investigation and took part in security discussions; none would speak publicly. “The investigation into the unauthorized entry into the Nasdaq is still ongoing,” said George Venizelos, deputy director of the FBI office in New York. “As with all cases of cybercrime, the current situation is somewhat confusing, and the evidence and facts about this case will emerge over time.”

Although the attack was successfully repelled, the case showed how vulnerable exchanges, as well as banks, chemical plants, water treatment plants, and power grids, are to hackers. One official who dealt with the aftermath said that the attack, as he thought at the time, would radically change the state of affairs and force the US to take serious measures to prepare for a new era of conflict waged with computer technology. He was wrong.

Experts from the US Departments of Defense, the Treasury, and Homeland Security, as well as representatives of the NSA and the FBI, took part in the meeting convened by the NCCIC. After a preliminary review, the incident response team was presented with a set of scattered data about the hackers’ identity, and within a few minutes everyone agreed on the seriousness of the intrusion and the need to inform the White House.

The participants in the videoconference were convened at the White House the next day, joined by representatives of the Department of Justice, the State Department, and the Central Intelligence Agency. They compiled a list of decisions to be submitted to the leadership of the White House, the Justice Department, the Pentagon, and other agencies. The leadership, in turn, set out a number of questions the investigators had to answer: Could the hackers gain access to the trading platform and manipulate or disrupt it? Was the intrusion part of a larger attack on the US financial infrastructure?

The US Secret Service decided to lead the investigation. Its agents added that several months before the incident they had visited Nasdaq, and that they had evidence that a group of alleged Russian criminals, led by St. Petersburg resident Alexander Kalinin, had hacked the exchange’s servers and connected to them. However, the Secret Service lost the thread and the investigation stalled.



“If someone in the government tells you that he found out everything ... give us their names”

When the FBI notified Nasdaq of the intrusion, it turned out that the exchange had itself detected system failures and had been about to report an attack. After discussing confidentiality issues, Nasdaq allowed US intelligence officials to log into its systems. Investigation teams visited Nasdaq’s headquarters at One Liberty Plaza in New York and the exchange’s data center in Carteret, New Jersey, where they found several traces pointing to intelligence officers or military personnel.

The hackers used a combination of two zero-day vulnerabilities. A zero-day vulnerability is a previously undisclosed “hole” in a system, one the developers have had “zero days” to fix, which lets an attacker take control of a computer remotely with little effort. It is a very valuable commodity, for which the underground market pays up to several tens of thousands of dollars. Use of a single zero-day points to an experienced hacker; more than one points to a government team. Stuxnet used four: a sign that the authors of the code drew on modern intelligence techniques and knew exactly how the different systems interacted with each other.

Whoever organized the attack on the Nasdaq did similar preparatory work and used similar tools. Special attention was paid to malware found in Nasdaq’s storage systems. The NSA had already encountered a similar program: it had been developed by the Federal Security Service of the Russian Federation (FSB), the country’s main intelligence service. And the program was not just spyware: it could not only steal information but also completely destroy a computer network. According to the NSA, it was capable of taking down an entire stock exchange.

In early January of this year, the NSA presented its findings to the leadership of the intelligence services: elite Russian hackers had broken into the stock exchange’s systems and planted a “digital bomb” under it. In the best case, the hackers had installed their malware together with a self-destruct mechanism that, if they were noticed, would wipe out the Nasdaq system to cover their tracks. In the worst case, destroying the system was their only aim. US President Barack Obama was briefed on the results of the investigation.

Later in the investigation, some US officials wondered whether the NSA had gone too far in spreading that conclusion. Malware often moves from one owner to another: it is sold, stolen, and shared. And from a technical point of view, destructive code may differ little from a far less destructive program. At the time, NSA Director Keith Alexander and his staff were actively arguing with the authorities over what powers the NSA should have to protect private companies from this new form of aggression. An intrusion like this would certainly only intensify that dispute.

As the investigation went deeper and deeper into Nasdaq’s headquarters and its data center, the investigators had to reconstruct the actions of first-class hackers whose craft leaves no traces. The investigation team was amazed at how vulnerable a sophisticated organization like Nasdaq could be.

“To be honest, we assumed that the financial sector would act more harmoniously,” said Christopher Finan, a former cybersecurity expert at the White House. “I’m not saying that such companies are perfect, but they are among the best of the rest.”

According to law enforcement officials and the private contractors hired by the exchange to assist in the investigation, what investigators found inside Nasdaq simply shocked them. They found traces of several groups independent of each other, including cybercriminals and Chinese cyber spies. Some of them may have entered the exchange’s systems years earlier. No master records of daily activity on the exchange’s servers, which could have helped track down the hackers, were found. In addition, investigators discovered that the website run by the owner of One Liberty Plaza hosted malware of Russian origin known as Blackhole: it infected the computers of tenants who visited the page to pay bills or other expenses.

Because of this so-called “dirty swamp” inside Nasdaq’s systems, the search for traces of the Russian malware was painfully slow. The security services established that the hackers had first penetrated Nasdaq’s computers at least three months before they were noticed, but that is only an estimate. Some indications suggest that a large cache of data was stolen, but the evidence is thin and it is hard to say which data was taken. “If someone broke into your house, it’s quite difficult to find out where the robbers were and what they stole because, unlike the bank, there are no cameras or motion sensors in your house,” explains Jason Syversen, chief executive of Siege Technologies, a security firm in Manchester, New Hampshire. “From a cybersecurity point of view, most companies are more houses than banks.”

Intelligence agencies left it to Nasdaq to report the attack to its customers, regulators, and the public. The exchange did so on February 5 in a brief message and a few weeks later recorded it in its regulatory filings. The breach came at a bad time for the exchange: it was close to acquiring the New York Stock Exchange (ICE) for $11 billion.

In its e-mail, Nasdaq did not say how serious the attack was. The exchange reported that the malware had been discovered during a “routine check” and had not penetrated Director’s Desk, through which more than 230 companies shared financial information with their board members. “We have no information that any information was stolen,” the message said. In an interview for this article, Nasdaq spokesman Joseph Christinat stated: “Our experts on this issue, working in close cooperation with the US Government, concluded that no evidence of data leakage from our Director’s Desk systems was found. More importantly, in 2010, the exchange dramatically changed its attitude towards cybersecurity. As a result, today we have much more opportunities to detect attacks and protect the integrity of our systems, our technologies and market participants.”



Photo by Mario Tama / Getty Images

“I’ll say that we discovered how representatives of one civil service managed to gain access to at least one of our stock exchanges ... and it’s not quite clear to us what their final goal is”

Meanwhile, the search for the organizers of the cyber attack took an unexpected turn. Unlike bombs and missiles, malware can be reused. If it is left in a system, other hackers can appropriate it, reverse-engineer it, and plant it on their own next victims to cover their tracks, like a killer who uses someone else’s gun. While examining data on other intrusions into government and military computers, investigators found that the Russians’ malware had been used by an experienced Chinese cyber spy who, by some accounts, was also successfully engaged in criminal business. This hacker could have obtained the malicious code from the Russians or stolen it from another compromised system and used it to hide his identity. Some of the Nasdaq evidence also supported this theory. Barack Obama was informed once again that the investigation had turned toward Asia.

After the investigators changed course, the number of groups involved in the investigation grew. The Treasury Department’s Office of Critical Infrastructure Protection and Compliance Policy compiled a list of 10 major US banks and stock exchanges that could be targets of a larger operation. Not all of the companies agreed to cooperate with the investigation. At those that did, investigators examined the computers’ log files and checked the servers, and the companies’ own security teams helped speed up the process.

The security services did not find much evidence of a larger attack. However, they found systematic security failures in several of the most important US financial institutions. It turned out that many of the institutions on the list could have been hit by the same attack that Nasdaq suffered. They had been spared only because the hackers had not made the effort.

The Asian lead did not produce the hoped-for results. Investigators turned their attention back to Russia as the main suspect but could not establish a motive. The hackers had been able to roam Nasdaq’s network freely for several months. Moreover, the trading system itself is segregated from the other components of the network. It is not easy to reach, but there were no signs that the hackers had tried to do so.

For answers, the White House turned to the CIA. Unlike the NSA, which collects intelligence exclusively by electronic means, the CIA draws on “all sources” and relies on the judgment of real people. The CIA began to search for links between the Russian special services and organized crime. An FSB officer might, among other things, be running a side venture or passing malware to a group of hackers. Further analysis of the malware showed that it was less destructive than first thought. It could not wipe computers the way Wiper could, for example, but it could take control of certain components and cause a network outage.

If the hackers’ motive was money, then Director’s Desk, the web-based communication service they penetrated at the very start, offered a wide range of possibilities. It was used by thousands of corporate directors to share confidential information about their companies. Anyone who got hold of that data could become a millionaire overnight.

In Washington, the FBI and securities regulators analyzed thousands of trades with the help of algorithms to determine whether information from Director’s Desk could be linked to suspicious transactions. According to two officials briefed on the results, no evidence was found.

Security officials once again revised their assumptions about the intrusion. Based on the CIA’s findings, White House officials concluded that this had been a carefully planned cybercrime. According to one expert, the probability of this was only about 70%, but there was no alternative to the assumption. The NSA was operating under a special authorization known as a Request for Technical Assistance (RTA), and its time was running out. According to two intelligence officers, after Barack Obama had been briefed on the incident for the third time, the agency was taken off the case, and by the end of March the investigation had been handed over entirely to the FBI.

Bureau agents noted that the hackers appeared to have taken special interest in 13 servers running Nasdaq’s proprietary technology. That technology is sophisticated enough that the exchange runs a separate business licensing it to other stock exchanges around the world.

And yet the timing of the attack did not fit. In 2008, Dmitry Medvedev had succeeded Vladimir Putin as president, and Putin had taken the somewhat less influential post of prime minister. Relations with the West were, one might say, fairly friendly, and aggression against the global financial system was out of the question.

Russia could have been interested in Nasdaq for other reasons. In January 2011, Medvedev attended the World Economic Forum in Davos, Switzerland, to present the grand idea of turning Moscow into an international financial center. A month later, two underperforming stock exchanges, MICEX and RTS, announced their merger into what their owners saw as a single world-class trading platform. That platform would be the jewel in the crown of a new global financial capital.

According to senior Russian executives, the country’s national security and the success of the exchange are closely linked. Today, most large Russian companies are listed on major Western exchanges, which exposes them to serious economic pressure from the United States and Europe. In 2012, when Putin returned to the presidency, he forced Russian companies to list exclusively on the new exchange. At the same time, he invested billions of rubles in building a financial center in Moscow, including the construction of the tallest building in Europe.

By mid-2011, investigators had concluded that the Russians had not been trying to undermine Nasdaq’s operations. They wanted to clone it, either to transplant its technology directly into their own exchange or to use it as a model to study. To that end, they sent an elite team of cyber spies.

Without a clear picture of exactly which data was taken from Nasdaq and where it went, which cannot be reconstructed given the missing log files and other forensic data, neither the government as a whole nor even the FBI can be certain that this conclusion is correct. However, one investigator directly involved in the case said that this version is the most convincing. There were also other pieces of the puzzle that did not fit. Did the hackers intend to use the destructive capability of the malicious code as a weapon, or as something else? Had they not been stopped, what else could they have done? Yevgeny Khorishko, spokesman for the Russian embassy in Washington, when asked to comment on the Nasdaq incident, said: “This is so ridiculous that there is nothing to comment on.”

In January of last year, amid the scandal over the NSA’s collection of data on several million American citizens, Barack Obama gave a speech in which he obliquely cited the NSA’s ability to “intercept malware aimed at a stock exchange” as one of the reasons he did not criticize the agency’s ability to intercept digital communications.

For some US officials, however, the lessons of the incident are far more sobering. The US national security apparatus may dominate the physical world, but it is not as well prepared to fight in cyberspace. The rules of cyberwar have not yet been fully written, and planting malicious code can be a weapon no less destructive than knocking out physical infrastructure. And that weapon is hard to trace: almost four years after the first intrusion into Nasdaq, US intelligence officials are still trying to work out what happened. The US military is a good deterrent, but a deterrent does not work if you do not know how to use it.

“If someone in the government tells you that he knows how to respond to an aggressive cyber attack, give us their names. There shouldn’t be such people there,” said Rogers, who heads the intelligence committee. “The problem is that regardless of our actions, it’s not the government that will suffer: 85% of the American networks in the private sector will suffer. And they are going through hard times.”


Failures periodically occur not only on American exchanges but also on trading floors in other countries, for example on the Moscow Exchange. Such errors often do not halt trading but instead, for example, cause trade data to be displayed incorrectly or the collateral required to hold a position to be miscalculated (an error can even lead to a position being closed prematurely).

To minimize the possible damage, brokerage companies develop various systems to protect their customers. We will describe how such protection is implemented in the ITinvest MatriX trading system in one of our next posts (a brief overview is available here).

Source: https://habr.com/ru/post/264471/
