In October 2010, a Federal Bureau of Investigation system monitoring U.S. Internet traffic picked up an alert. The signal was coming from Nasdaq (NDAQ). It looked like malware had snuck into the company’s central servers. There were indications that the intruder was not a kid somewhere, but the intelligence agency of another country. More troubling still: When the U.S. experts got a better look at the malware, they realized it was attack code, designed to cause damage.
As much as hacking has become a daily irritant, much more of it crosses watch-center monitors out of sight from the public. The Chinese, the French, the Israelis—and many less well known or understood players—all hack in one way or another. They steal missile plans, chemical formulas, power-plant pipeline schematics, and economic data. That’s espionage; attack code is a military strike. There are only a few recorded deployments, the most famous being the Stuxnet worm. Widely believed to be a joint project of the U.S. and Israel, Stuxnet temporarily disabled Iran’s uranium-processing facility at Natanz in 2010. It switched off safety mechanisms, causing the centrifuges at the heart of a refinery to spin out of control. Two years later, Iran destroyed two-thirds of Saudi Aramco’s computer network with a relatively unsophisticated but fast-spreading “wiper” virus. One veteran U.S. official says that when it came to a digital weapon planted in a critical system inside the U.S., he’s seen it only once—in Nasdaq.
The October alert prompted the involvement of the National Security Agency, and just into 2011, the NSA concluded there was a significant danger. A crisis action team convened via secure videoconference in a briefing room in an 11-story office building in the Washington suburbs. Besides a fondue restaurant and a CrossFit gym, the building is home to the National Cybersecurity and Communications Integration Center (NCCIC), whose mission is to spot and coordinate the government’s response to digital attacks on the U.S. They reviewed the FBI data and additional information from the NSA, and quickly concluded they needed to escalate.
Thus began a frenzied five-month investigation that would test the cyber-response capabilities of the U.S. and directly involve the president. Intelligence and law enforcement agencies, under pressure to decipher a complex hack, struggled to provide an even moderately clear picture to policymakers. After months of work, there were still basic disagreements in different parts of government over who was behind the incident and why. “We’ve seen a nation-state gain access to at least one of our stock exchanges, I’ll put it that way, and it’s not crystal clear what their final objective is,” says House Intelligence Committee Chairman Mike Rogers, a Republican from Michigan, who agreed to talk about the incident only in general terms because the details remain classified. “The bad news of that equation is, I’m not sure you will really know until that final trigger is pulled. And you never want to get to that.”
Bloomberg Businessweek spent several months interviewing more than two dozen people about the Nasdaq attack and its aftermath, which has never been fully reported. Nine of those people were directly involved in the investigation and national security deliberations; none were authorized to speak on the record. “The investigation into the Nasdaq intrusion is an ongoing matter,” says FBI New York Assistant Director in Charge George Venizelos. “Like all cyber cases, it’s complex and involves evidence and facts that evolve over time.”
While the hack was successfully disrupted, it revealed how vulnerable financial exchanges—as well as banks, chemical refineries, water plants, and electric utilities—are to digital assault. One official who experienced the event firsthand says he thought the attack would change everything, that it would force the U.S. to get serious about preparing for a new era of conflict by computer. He was wrong.
On the call at the NCCIC were experts from the Defense, Treasury, and Homeland Security departments and from the NSA and FBI. The initial assessment provided the incident team with a few sketchy details about the hackers’ identity, yet it only took them minutes to agree that the incursion was so serious that the White House should be informed.
The conference call participants reconvened at the White House the next day, joined by officials from the Justice and State departments and the Central Intelligence Agency. The group drew up a set of options to be presented to senior national security officials from the White House, the Justice Department, the Pentagon, and others. Those officials determined the questions that investigators would have to answer: Were the hackers able to access and manipulate or destabilize the trading platform? Was the incursion part of a broader attack on the U.S. financial infrastructure?
The U.S. Secret Service pushed to be the lead investigative agency. Its representatives noted that they had already gone to Nasdaq months earlier with evidence that a group of alleged Russian cybercriminals, led by a St. Petersburg man named Aleksandr Kalinin, had hacked the company and that the two events might be related. The Secret Service lost the argument and sat the investigation out.
When the FBI notified Nasdaq of the intrusion, it turned out the company had detected anomalies on its own but had yet to report the attack. After negotiations over privacy concerns, Nasdaq agreed to let U.S. officials into its networks. Investigation teams arrived at the company’s headquarters at One Liberty Plaza in New York City and its data center in Carteret, N.J., where they found multiple indications of an intelligence agency or military.
The hackers had used two zero-day vulnerabilities in combination. A zero day is a previously unknown flaw in computer code—developers have had “zero days” to address it—that allows hackers to easily take remote command of a computer. It’s a valuable commodity, sometimes selling for tens of thousands of dollars in underground markets. The use of one zero day indicates a sophisticated hacker; more than one suggests government. Stuxnet deployed four—a sign that the code’s authors had done advanced reconnaissance and knew precisely how various systems worked together.
Whoever hit Nasdaq had done similar prep work and had similar resources. The clincher was the hackers’ malware pulled from Nasdaq’s computer banks. The NSA had seen a version before, designed and built by the Federal Security Service of the Russian Federation (FSB), that country’s main spy agency. And it was more than spyware: Although the tool could be used to steal data, it also had a function designed to create widespread disruption within a computer network. The NSA believed it might be capable of wiping out the entire exchange.
In early January, the NSA presented its conclusions to top national security officials: Elite Russian hackers had breached the stock exchange and inserted a digital bomb. The best case was that the hackers had packed their malware with a destruction module in case they were detected and needed to create havoc in Nasdaq computer banks to throw off their pursuers. The worst case was that creating havoc was their intention. President Obama was briefed on the findings.
Later in the investigation, some U.S. officials questioned whether the NSA had pushed the evidence too far. Malware often changes hands—it’s sold, stolen, or shared. And the technical differences between attack code and something less destructive can be surprisingly small. At the time, NSA Director Keith Alexander and his agency were locked in a fight with government branches over how much power the NSA should have to protect private companies from this new form of aggression. Such a brazen attack would certainly bolster its case.
As the probe deepened inside Nasdaq’s headquarters and its data center, investigators had to reconstruct the path of world-class hackers whose job depended on being untraceable. The team was surprised at how vulnerable a sophisticated operation such as Nasdaq could be. “Our assumption was that, generally speaking, the financial sector had its act together much more,” says Christopher Finan, a former cybersecurity expert in the Obama White House. “It doesn’t mean that they’re perfect, but on a spectrum they’re near the top.”
What the investigators found inside Nasdaq shocked them, according to both law enforcement officials and private contractors hired by the company to aid in the investigation. Agents found the tracks of several different groups operating freely, some of which may have been in the exchange’s networks for years, including criminal hackers and Chinese cyberspies. Basic records of the daily activity occurring on the company’s servers, which would have helped investigators trace the hackers’ movements, were almost nonexistent. Investigators also discovered that the website run by One Liberty Plaza’s building management company had been laced with a Russian-made exploit kit known as Blackhole, infecting tenants who visited the page to pay bills or do other maintenance.
What one investigator referred to as “the dirty swamp” of Nasdaq’s computer banks made following the trail of the Russian malware excruciatingly slow. The agents figured the hackers first broke into Nasdaq’s computers at least three months before they were detected, but that was just a guess. There were indications that a large cache of data was stolen, though proof was scarce, and it was hard to see what was spirited out. “If someone breaks into your house, trying to figure where they went and what they took is pretty difficult because, unlike a bank, you don’t have cameras in your house, you don’t have motion sensors,” says Jason Syversen, chief executive officer of Siege Technologies, a security firm in Manchester, N.H. “In terms of cybersecurity, most companies are more like a house than a bank.”
The agencies left it to Nasdaq to characterize the attack for its customers, regulators, and the public, which it did in a brief company statement on Feb. 5 and again in a regulatory filing a few weeks later. The breach couldn’t have come at a worse time for Nasdaq. It was on the verge of trying to acquire the New York Stock Exchange (ICE) for $11 billion.
Nasdaq’s e-mailed statement gave no indication the attack was serious. The company said the malware had been discovered during “a routine scan” and that the incursion was limited to a system called Director’s Desk, which more than 230 companies used to share financial information among board members. “We have no information anything was taken,” the statement said. In an interview for this article, Nasdaq spokesman Joseph Christinat says: “Our own forensics review of the issue conducted in close cooperation with the U.S. government concluded no proof of exfiltration of data from our Director’s Desk systems. Importantly, 2010 was a watershed moment in our company’s commitment to cybersecurity resulting today in an enhanced ability to detect and protect the integrity of our systems, our technology, and market participants.”
Meanwhile, the investigation into who was behind the attack took a dramatic turn. Unlike a bomb or missile, malware can be reused. Left behind in networks, it can be grabbed by other hackers, reverse-engineered, and redeployed in the computer banks of subsequent victims to muddy the trail, like a killer using someone else’s gun. As investigators began examining data on other hacks of government and military computers, there was evidence that the Russians’ malware was being used by a sophisticated Chinese cyberspy also known to have a thriving criminal business on the side. This hacker could have been given the Russian malware or pinched it from inside another computer network and used it to disguise his identity. Some evidence inside Nasdaq supported that theory as well. Obama was briefed again as the probe turned toward Asia.
As investigators followed the new leads, more teams fanned out across the country. The Treasury Department’s Office of Critical Infrastructure Protection and Compliance Policy drew up a list of 10 major banks and U.S. stock exchanges that might be targets for a broader campaign. Not all the companies agreed to cooperate with the investigation. In those that did, agents began scouring computer logs and examining servers, aided by the companies’ security teams.
The agents found little evidence of a broader attack. What they did find were systematic security failures riddling some of the most important U.S. financial institutions. It turned out that many on the list were vulnerable to the same attack that struck Nasdaq. They were spared only because the hackers hadn’t bothered to try.
The Asia connection didn’t pan out. Investigators turned back to Russia as the most likely suspect but kept stumbling over questions of motive. The hackers had been free to move around the Nasdaq network unmolested for several months. The exchange itself is isolated from other parts of the company’s network. It’s hard to access, but there’s no evidence that the hackers made the attempt.
Pushing for answers, the White House turned to the CIA. Unlike the NSA, which gathers intelligence solely by electronic means, the CIA is an “all source” intelligence unit and relies heavily on people. The CIA began to focus on the relationships between Russia’s intelligence agencies and organized crime. Someone in the FSB could have been running a for-profit operation on the side, or perhaps sold or gave the malware to a criminal hacking group. More analysis on the malware showed that its capabilities were less destructive than earlier believed. It couldn’t destroy computers like a wiper virus, but it could take over certain functions in order to cause a network disruption.
If the hackers’ motive was profit, Nasdaq’s Director’s Desk, the Web-based communication system where they first entered the network, offered amazing possibilities. It’s used by thousands of corporate board directors to exchange confidential information about their companies. Whoever got their hands on those could accumulate an instant fortune.
In Washington, an FBI team and market regulators analyzed thousands of trades using algorithms to determine if information in Director’s Desk could be traced to suspicious transactions. They found no evidence that had happened, according to two people briefed on the results.
National security officials revised the theory of the break-in once again. With encouragement from the CIA, White House officials began to conclude it was an elaborate act of cybercrime. The conclusion represented a certainty of only about 70 percent, according to one official, but there was little choice. The NSA was operating under a special authority known as a Request for Technical Assistance, or RTA, and the clock on the RTA was running out. After Obama was briefed for a third time, two people say, the intelligence establishment stood down, and by early March, the case was left in the hands of the FBI.
The bureau’s agents noticed that the hackers appeared to focus their attention on 13 servers containing Nasdaq’s most critical technology. That technology is sophisticated enough that the company has a side business licensing it to other stock exchanges around the world.
The timing of the attack had always been one of the pieces that didn’t fit. In 2008, Dmitry Medvedev had succeeded Vladimir Putin as Russia’s president, and Putin stepped into the less powerful role of prime minister. If anything, relations with the West were warming, and aggression against the global financial system didn’t make sense.
Russia might have been interested in Nasdaq for other reasons. In January 2011, Medvedev traveled to the World Economic Forum in Davos, Switzerland, to roll out a grand Russian vision for transforming Moscow into a global financial hub. The next month, Moscow’s two underperforming stock exchanges, the Micex and RTS, announced they would merge into what operators dreamed would be a world-class platform, the jewel in the crown of the globe’s newest financial capital.
To Russia’s senior leaders, the country’s national security and the success of the exchange were linked. Russian companies now mostly list on major Western exchanges, making them more vulnerable to U.S. and European economic leverage. When Putin returned to the presidency in 2012, he pressured Russian companies to list solely on the new exchange. At the same time, he poured billions of rubles into a financial hub in central Moscow that included Europe’s tallest building.
By mid-2011, investigators began to conclude that the Russians weren’t trying to sabotage Nasdaq. They wanted to clone it, either to incorporate its technology directly into their exchange or as a model to learn from. And they dispatched an elite team of cyberspies to get it.
Without a clear picture of exactly what data was taken from Nasdaq and where it went—impossible given the lack of logs and other vital forensics information—not everyone in the government or even the FBI agreed with the finding, but one investigator directly involved in the case says it was the most convincing conclusion. There were other pieces of the puzzle that didn’t fit. Were the malware’s disruptive capabilities meant to be used as a weapon or something else? If they hadn’t been interrupted, what else would they have done? Asked to comment on the Nasdaq incident, Russian Embassy spokesman Yevgeniy Khorishko says, “It is pure nonsense that it is not even worth commenting on.”
In a speech last January, amid the scandal over the NSA’s collection of data on millions of Americans, Obama obliquely referred to the NSA’s ability to “intercept malware that targets a stock exchange” as one reason he opposed stripping the agency of its ability to intercept digital communications.
For some U.S. officials, however, the lessons of the incident are far more chilling. The U.S. national security apparatus may be dominant in the physical world, but it’s far less prepared in the virtual one. The rules of cyberwarfare are still being written, and it may be that the deployment of attack code is an act of war as destructive as the disabling of any real infrastructure. And it’s an act of war that can be hard to trace: Almost four years after the initial Nasdaq intrusion, U.S. officials are still sorting out what happened. Although American military is an excellent deterrent, it doesn’t work if you don’t know whom to use it on.
“If anybody in the federal government tells you that they’ve got this figured out in terms of how to respond to an aggressive cyber attack, then tell me their names, because they shouldn’t be there,” says Rogers, the intelligence committee chairman. “The problem is that whatever we do, the response to it won’t come back at the government, it’ll come back at the 85 percent of networks in America that are in the private sector. And they are already having a difficult time keeping up.”