Snowden Borrowed from APT Playbook In NSA Hack

We know for sure that Edward Snowden made short work of the protections that the National Security Agency used to segregate classified data. Snowden’s revelations about government spying on foreign governments, domestic and foreign firms and…well…just about everyone else first appeared in print in May. Since that time, a looming question is “how?” In other words: how did a single contractor gain access to such a massive trove of classified intelligence while working for the most security conscious organization in the world?

Snowden used tricks common to APT-style attacks including forged and stolen SSH certificates to steal classified information from the NSA.
Snowden used tricks common to APT-style attacks including forged and stolen SSH certificates to steal classified information from the NSA. (Image courtesy of The Guardian)


While the exact methods used by Snowden are still not known, there are many theories. Now the security firm Venafi thinks that it has an answer, and is challenging the NSA to prove it wrong. In a blog post on Wednesday, the company laid much of the blame on poor management of digital certificates and user credentials, which allowed Snowden to move laterally within the NSA’s classified network, gaining access to systems that he should not have been able to access.

Venafi based its conclusion on open source research, including interviews with Snowden, investigative reports and the public statements by the NSA and the testimony of NSA chief General Keith Alexander before the House Permanent Select Committee on Intelligence. The company concluded that Snowden made heavy use of techniques that are common in other “advanced persistent threat” (or APT) style hacks to penetrate the NSA’s network.

Specifically, Snowden took advantage of his existing (legitimate) network access to conduct reconnaissance on the NSA’s classified network: determining where sensitive data resided. He then used self-signed digital certificates and pilfered other, legitimate SSH keys to gain access to the systems containing the data he sought. Finally, as has been reported, Snowden conducted social engineering attacks against colleagues to obtain their usernames and passwords to access sensitive systems, allowing him to steal more encryption keys, as well as add his own, self-signed certificates as trusted to those systems, Venafi said.



To get data out of the NSA, Snowden used another common trick of APT-style attackers: using self-signed certificates again to encrypt the sensitive data and sending it out to command and control (C&C) servers that received and stored the encrypted data sessions. 

Venafi’s analysis hasn’t been corroborated by the NSA or anyone with knowledge of the actual hack. However, the company feels confident that it has the recipe right, noting subtle references to Snowden’s techniques by NSA officials. General Alexander, for example, told a Congressional committee that the former Booz Allen Hamilton contractor “fabricated digital keys” as part of his attack.

That’s not an unusual method that outside attackers or malicious insiders use to elevate their level of access on a protected network, Jeff Hudson, the CEO of Venafi, told The Security Ledger.

“This is a problem within every enterprise,” he said. “Most of the focus is on external defenses. The internal defenses are weaker.”

And government networks, populated and even managed by legions of private contractors are prone to abuse. “When you have so many people, it can be hard to manage access.”

Loosely managed SSH keys are another common source of network compromises, Hudson said. Often, system administrators, rather than IT security staff, are responsible for managing credentials. That can put the emphasis on expediency at the expense of security. Often large and complex firms have no idea how many SSH encryption keys they have generated or where they are stored. Nor do organizations do a good job documenting and understanding the trust relationships between different systems on their network. When anomalous behavior crops up, it often goes unnoticed. Too few firms set up alerts to notify them when new SSH keys are generated or when unusual activity between systems on a network is detected. 

The failure of the NSA to properly manage such issues is a wake up call for other organizations that are storing and managing sensitive data,  Hudson said. “The NSA are big boys. They can take care of themselves,” Hudson said. “But in the Global 2000, that’s not so.” 

The NSA has already taken steps to respond to the Snowden breach. In August, the Agency said it was reducing the number of system administrators on its networks by 90% and relying much more on automation to detect threats and possible malicious or suspicious activity.

Venafi believes that organizations need to do the same, and also devote resources to identifying and protecting encryption keys and other tools that might be used as part of a sophisticated attack.


  1. Journalist got it right: long term rogues and
    sophisticated external attackers are alike in many ways from context,
    tools, and methods.

  2. Pingback: Amphion Forum: Spotlight on Security and Internet of Things | The Security Ledger