For years, attackers may have unmasked and read sensitive digital communications between users and corporate entities around the world. Last week, their efforts were finally detected in the form of recently discovered backdoors, raising troubling new questions about state efforts to break network security.
Last week, Juniper Networks issued an out-of-cycle security advisory for thousands of its devices, based on two vulnerabilities in its ScreenOS product. The vulnerabilities would allow an attacker to gain access to devices or monitor and decrypt protected VPN traffic. And unlike most vulnerabilities, this weakness appears to have been deliberately inserted in the code, designed to be overlooked and kept secret for as long as possible.
Juniper only became aware of its existence recently
Why would someone want to plant a backdoor in corporate VPN software? While it's not a household name, Juniper VPNs protect hundreds of corporate networks, exactly the kind of capability sought by intelligence agencies around the world. Compromising these connections would yield access to highly sensitive information and communications, said HD Moore, chief research officer at Rapid7, in an interview with The Verge. Some estimates put the number of devices vulnerable to Juniper's backdoors at around 26,000, smaller than most vulnerabilities but more lucrative for spies with specific targets.
While the FBI looks into Juniper's unauthorized code, plenty of people are investigating on their own, and in their minds, state-sponsored adversaries are likely to blame for the backdoors. It’s easy to see why. The NSA, GCHQ, China, Russia, Iran, and plenty of other countries routinely conduct cyber-espionage. The US and China, for instance, just reached an agreement about corporate cyber-espionage, without addressing state spying. It isn't hard to imagine that at least one, if not multiple countries are behind Juniper's backdoors. Researchers have provided compelling evidence for each case.
One early suspect is the NSA, thanks to a quirk of the backdoor itself. The mysterious code worked through a faulty random number generator, a modified version of an NSA-linked generator called Dual_EC_DRBG. The NSA is thought to have built a backdoor into Dual_EC_DRBG in 2006, ultimately paying security company RSA $10 million to build it into products. But while Juniper's backdoors resemble Dual_EC's, the tactics have been public for years and it's more likely that a malicious attacker or group copied them, Mitchel Sahertian, a senior security expert at Fox-IT, told The Verge. Others have also expressed skepticism, like respected cryptologist Matt Blaze.
The published docs seem to point *away* from this being NSA, but it's unclear.— matt blaze (@mattblaze) December 21, 2015
Other aspects of the attack point to Britain's surveillance agency, the GCHQ. In 2010, the agency broke into the computer systems of Belgium's largest telecommunications provider, Belgacom, breaking through a number of Juniper VPN gates along the way. Despite extensive documents leaked by Edward Snowden, it's never been entirely clear how the GCHQ broke through, but a tool like the ScreenOS backdoor would have given them easy access to the company's internal networks. There's still no firm evidence linking the GCHQ to the hack, but the coincidence has raised a number of eyebrows in the security world.
I'll leave this here. Belgacom VPN gates hacked by GCHQ were Juniper. https://t.co/CMMPLui2G5— Frederic Jacobs (@FredericJacobs) December 19, 2015
At the same time, others are pointing at China. The Register cited a tip from a former Juniper staffer to make the case for Chinese actors. In 2004, Juniper acquired NetScreen, which was founded by Chinese nationals, and it's reasonable to believe that some ScreenOS code could have originated in the country, too. Juniper wouldn’t say whether any of its code came from its Beijing offices, and The Register didn’t draw further connections beyond pointing out a possible Chinese link.
Juniper wouldn’t say whether any of its code came from its Beijing offices
But while researchers are still looking for clues as to who planted the backdoor, it's already clear they were sophisticated actors, and knew exactly what they were up to. The code stayed secret for three years because it was well hidden. According to Moore, its password was designed to look like the rest of the OS's. One remote access vulnerability is difficult to keep hidden, he says, but add in another backdoor and it's "hard to pull off." He says Juniper needs to "document how the [VPN] backdoor went undetected for so long," although it is doing at least a decent job at transparency already. As the company continues to release information on the apparent attack and researchers scrutinize Juniper's products, Moore warns more vulnerabilities will likely be discovered.
"The only thing I can say is patch," he says.