In an appearance earlier this week at the Usenix Enigma security conference in San Francisco, the National Security Agency’s top hacker, Rob Joyce, downplayed the significance of zero-day exploits, noting that there are “many more vectors” that are not only easier to exploit but “less risky” and “often more productive” than the zero-days the NSA has attracted considerable attention for employing in recent years.
I think a lot of people think the nation states are running on this engine of zero-days. You go out with your skeleton key and unlock the door and you’re in. It’s not that […] I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero-days […] There’s so many more vectors that are easier, less risky and quite often more productive than going down that route.
Joyce, who heads the NSA’s top hacking outfit, known as Tailored Access Operations (TAO), suggested at the conference that it is the agency’s abundance of resources and patience, more than its arsenal of zero-days, that allows it to compromise the networks and systems targeted by its missions.
If the documents leaked by former CIA employee and NSA contractor Edward Snowden, who is scheduled to appear via video link at a convention in New Hampshire next month, hold any weight, one zero-day alternative employed by the NSA is paying communications companies such as AT&T to install surveillance equipment on its behalf. Such equipment, allegedly installed at 17 internet hubs across the U.S. in AT&T’s case, would let the agency monitor internet traffic without using zero-days, or hacking at all.
Hardware pre-infected with sophisticated spyware is perhaps another technique employed by the secretive agency: analysts at the Russia-based cybersecurity firm Kaspersky published a report last February implicating a shadowy group of NSA-linked hackers dubbed the “Equation group” in a series of sophisticated spying programs, among them one in which hard drives made by top manufacturers such as Western Digital, IBM, Samsung and Seagate were pre-infected with malware.
In the case of the pre-infected hard drives, the malware, known only as nls_933w.dll, was a breakthrough in itself: it infected a part of the hardware that hackers have long sought to control, the firmware. Because the firmware runs beneath the operating system, infecting it, a feat Kaspersky says would require access to the manufacturers’ closely guarded source code, lets the malware persist through disk formatting and operating system reinstallations.
All notions of the techniques employed by the agency and its U.S. government-sanctioned hackers aside, Joyce reiterated the simple truth behind hacking their targets: it’s a waiting game.
There’s a reason it’s called Advanced Persistent Threats, ’cause we’ll poke and we’ll poke and we’ll wait and we’ll wait […] We’re looking for that opening and that opportunity to finish the mission.
Over the years, zero-day exploits have entered the mainstream. Hackers of all shapes and sizes can now sell their zero-days through various marketplaces, both legitimate and illegitimate, for cold hard cash or, in the case of the United Airlines hackers, in exchange for free frequent flyer miles.