Was the NY Stock Exchange attacked by super-hackers?

Israeli start-up speculates that powerful cyber-weapons could have shut down the stock market; Israel, global institutions on alert

Traders work on the floor at the New York Stock Exchange in New York, Wednesday, July 8, 2015. (AP Photo/Seth Wenig)

A virtual Pandora’s box of top cyberweapons was opened over the weekend, and it is very possible that those tools were used to shut down the New York Stock Exchange for over three hours Wednesday, said Lior Div, CEO of Israeli cybersecurity firm Cybereason.

Those tools may be used to attack other high-profile targets, such as cyber assets of Israel’s government and security establishments, Div added.

“I want to be very careful here,” Div told The Times of Israel in an interview. “Only the people at the NYSE know how their systems were compromised, and whether or not, in fact, it was a hack that shut down trading Wednesday. But we have already seen tools from Hacking Team, which was invaded by hackers over the weekend, in use on the servers of enterprise clients we work with.

“The Hacking Team tools,” he continued, “are of a much higher quality and are much more effective than anything hackers have had access to, and now that anybody can download them and use them in cyberattacks, don’t be surprised to see many more well-protected sites and servers being compromised.”

Indeed, institutions, corporations, and governments – including the government of Israel – are on high alert over the possibility that sophisticated tools that were stolen by hackers off the servers of Italy’s Hacking Team may be used to beat firewalls and security systems that in the past have been impenetrable using “ordinary” hacking tools.

According to reports Thursday, the National Cyber Council has issued an alert to all Israeli government institutions, warning them to be on extra alert for the possibility that they could fall victim to the latest uptick in the cyberbattle.

After halting trade at 11 a.m. Wednesday morning, the NYSE was quick to deny rumors that the shutdown was caused by a cyberattack. The NYSE Twitter feed said the outage was due to “an internal technical issue and is not the result of a cyber breach.”

Traders at the NYSE informed the New York Times that they were told the problem stemmed from a software update rolled out before Wednesday’s business day. A trader told the paper that the NYSE said the new software caused problems shortly after trading began, and the whole system was shut down to fix the problem.

Div hopes they are right, although, he added, it seems strange that the NYSE would choose a working day to install new software. But while nothing can be established without specific facts, he said, it seems “coincidental” that a system that hackers have tried for years to attack was rendered inoperative for hours, just days after hackers stole gigabytes of top-secret data from the servers of Hacking Team.

Although the NYSE has been closed several times in the past for extended periods, most recently in 2012 because of the effects of Hurricane Sandy, it has never been shut down for more than a few minutes because of computer problems.

It was all too possible, said Div, that tools made by Hacking Team, an Italian company of “white hat” hackers, were used to shut down the stock market. The Hacking Team tools are used by governments and institutions for a variety of purposes. The tools can be used, for example, to read e-mails, listen to Skype conversations, decipher encrypted files and serve other advanced purposes.

Lior Div (courtesy)

To allow the tools to fulfill their purpose, they need to be stronger than the sophisticated protective systems in place to protect against hacking. Generally, said Div, the tools have been bought by responsible organizations, like governments and corporations, to monitor communications, although many have accused the organization of supporting repressive organizations, like spy agencies and armies in developing countries.

According to Hacking Team, it can remotely disable tools that it finds out are used for unethical purposes.

Over the weekend, hackers apparently managed to hijack names and passwords associated with Hacking Team’s Twitter account, and used that information to get access to company servers, from which they stole 400 GB of data. Most of that was in the form of e-mails, internal memos and company documents (according to that data, the Israeli government was not a customer of Hacking Team, but Ra’anana-based Nice Systems developed some joint projects with the company).

While the e-mails have gotten most of the attention in the media, several hundred megabytes’ worth of super-secret tools were stolen as well. It’s these tools, Div believes, that may have been used in the NYSE hack.

“To say that this is exactly what happened would be speculation, but we do know several facts – one, that the NYSE halted trading; two, that Hacking Team’s tools are now out in the wild; and three, just a day or two after the hack, hacker group Anonymous announced that they were going to hack Wall Street.”

Of course, that’s the kind of thing Anonymous would – and has – said on many occasions, but now the tools were available to actually pull that off.

Fortunately, said Div, servers in many government institutions in Israel, as well as in the US, along with most of the top Fortune 100 companies, will be able to mitigate Hacking Team tool attacks because they are customers of his firm, Cybereason, which Div claims has the only solution that will prevent sophisticated attacks.

“If the Hacking Team tools are more powerful than the firewalls and other mitigation tools available – and they have to be in order to be effective – that means there is nothing to prevent a hacker from raiding a server like they would a candy store,” he said.

Once an organization accepts the premise that an attack will take place, it’s ready for the Cybereason solution.

“We keep track of everything that happens on an endpoint, a server, or a network,” Div said. “If there is even the slightest anomaly – a log-in with a name/password that hasn’t been used in a while, a connection from an ‘unusual’ IP address where the company does not have workers — we send out an immediate alert and analyze what that user or agent, if malware is involved, is doing, in real time. That way, the system can be protected – cutting it off from the Internet or shutting it down altogether – in order to let security teams stop the attack.”

According to Div, the analytics that fuel his company’s decision engine – which immediately decides whether a situation engenders a threat or not – are unique to Cybereason.

Cybereason is a partner of Lockheed-Martin, the defense systems company that is also in charge of cybersecurity for the US federal government, among other organizations. Recently, Lockheed-Martin invested $25 million in Cybereason.

“The Cybereason platform is an outstanding complement to the tradecraft and technologies Lockheed Martin uses every day to defend our network and our clients,” said Rich Mahler, director of commercial cyber services at Lockheed Martin, announcing the investment. “Its real-time detection and attack tracing capabilities enable us to effectively leverage threat intelligence and provide our government and commercial customers with a calculated, strategic approach to cyber defense.”

Div fears that he has a lot of long days ahead of him. “We have already downloaded the stolen tools and we see how sophisticated they really are,” he said. “Right now, officials in the US are able to claim that the NYSE hack was just a computer glitch, and I hope they are right. But if more attacks against ‘impenetrable’ servers and systems take place, we may have a major problem on our hands.”
