Intruders penetrated the stock exchange's systems in 2010 and planted malware

Jul 20, 2014 18:33 GMT  ·  By

In 2010, monitoring systems of the Federal Bureau of Investigation flagged unusual activity on the systems of the Nasdaq Stock Market that was consistent with the behaviour of malware.

The incident was reported in the media in February 2011, and according to some sources the attack may have originated in Russia.

A recent report reveals that the attack was carried out by leveraging two zero-day vulnerabilities, which allowed the intruders to insert malicious code into Nasdaq's systems and retain access to them for at least three months before the attack was detected.

The malware was known to the NSA, which pointed out that the code had previously been used by Russia's FSB espionage agency. The malware's capabilities reportedly went beyond simply spying on financial activity: it could also have been used to disrupt the operation of the entire Nasdaq system.

According to Bloomberg, the malware could have belonged to other operators as well, since malicious code often changes hands and is repurposed for different kinds of activity.

It was also discovered that the same malware had been used by a Chinese cyber-espionage actor, and attention turned to China, but the investigation failed to establish a connection.

Forensic examination of the incident revealed that the stock exchange's systems were poorly protected and therefore highly exposed to intrusion. Investigators found evidence that several outside groups had had access to Nasdaq information, although it was not clear who they were.

Evidence of data theft was found, but it was incomplete, and the investigation could not determine what kind of information had been extracted.

In fact, Bloomberg reports that one of the forensic investigators referred to Nasdaq's systems as "the dirty swamp," because very few records of daily activity on the servers were available, records that would have made it possible to retrace the intruders' steps.

During the investigation, the systems of other financial businesses connected to the exchange were also examined in order to determine how far the attack had spread. It appears the attackers were not interested in other information, as they limited the intrusion to Nasdaq.

However, had they chosen to change target, they would have met no resistance, because the same vulnerabilities could have been leveraged elsewhere.

It has been four years since the intrusion was detected, and the investigators' conclusions still fall far short of a clear picture. They do not know for certain who was behind the attack or what its exact intentions were, given the destructive capabilities of the malware.