What Did NSA Do to Help Prevent Supply Chain Attacks?Lawmakers Probe Why Juniper Breach Didn’t Lead to Actions to Help Prevent SolarWinds Hack
In light of the recent SolarWinds supply chain hack on government agencies and others, 10 Democratic lawmakers are asking the National Security Agency to explain why it apparently did not take action after the 2012 Juniper Networks supply chain hack to help prevent similar attacks.
In a recent letter to NSA, the lawmakers state: “The American people have a right to know why NSA did not act after the Juniper hack to protect the government from the serious threat posed by supply chain hacks. A similar supply chain hack was used in the recent SolarWinds breach, in which several government agencies were compromised with malware snuck into the company’s software updates.”
The letter to NSA, signed by Sens. Ron Wyden, D-Ore., and Cory Booker, D-N.J. and eight Democratic representatives, follows a similar request for information made in June 2020 to Juniper Networks executives by many of the same elected officials (see: Lawmakers Demand Details on 2015 Juniper Data Incident).
In the letter, the lawmakers pose a series of questions, including: "After Juniper's 2015 public disclosure that it inadvertently delivered software updates and products to customers containing malicious code, what actions did NSA take to protect itself, the Department of Defense, and the U.S. government from future software supply chain hacks? For each action, please identify why it was not successful in preventing the compromise of numerous government agencies in 2020 by a malware-laden update delivered by SolarWinds."
The NSA did not immediately reply to Information Security Media Group’s request for comment.
The Juniper Networks Hack
In 2015, Juniper Networks revealed its Netscreen firewalls contained an algorithm created by the NSA and approved by the U.S. National Institute of Standards and Technology that may have also included a backdoor. This algorithm would have allowed VPN traffic to be decrypted at a time when the firewalls were widely used by federal government agencies (see: 4 Juniper Questions Congress Should Be Asking).
When Juniper acknowledged the attack in 2015, the company revealed that an internal investigation pointed to a hack conducted by a foreign government. The hackers made a minor change to the NSA-created backdoor that resided in an algorithm used in Juniper's ScreenOS firmware - which runs its NetScreen firewalls and VPN devices - giving the attackers control of the backdoor.
The malware was spread when updates were pushed out to Juniper Networks customers - much as users of SolarWinds Orion network monitoring software were infected.
The letter requests information from the NSA on:
- Whether NSA knew its algorithm had a backdoor, and if so, why the NSA attempting to place a backdoor into software used by the federal government;
- Whether NIST was correct when it reported the NSA algorithm contained a backdoor;
- What legal authority, if any, would permit the NSA to introduce vulnerabilities into U.S. government-approved algorithms certified by NIST and to keep them hidden from NIST;
- Whether the effort to introduce such backdoors into government software requires the permission of the NSA's director after consulting with other federal agencies and departments.
The algorithm at the center of Juniper incident, which is called the Dual Elliptic Curve Deterministic Random Bit Generator, has a cloudy history.
Security researchers claimed that as far back as 2005, the algorithm contained a backdoor that could be exploited. Despite these complaints, NIST standardized the algorithm in 2006, but then withdrew that approval in 2013 after disclosures by Edward Snowden that the NSA put a backdoor in the algorithm.
The story grew more complicated in 2015 when Juniper Networks reported a data breach saying it had discovered "unauthorized code" in the firmware that runs the NetScreen firewalls. The code, which was somehow added to the firmware in 2012, could enable an attacker to remotely gain access to any vulnerable device as well as decrypt VPN traffic flowing across the device, potentially without leaving any trace (see: Who Backdoored Juniper's Code?).
At the time, Juniper CIO Bob Worrall said the code would enable a knowledgeable attacker to gain administrative access to NetScreen devices and allow them to decrypt VPN connections "without leaving a trace."