Hacktivist group Anonymous recently breached NASA, stealing somewhere between 100 and 276 GB of data, the Institute for Critical Infrastructure Technology says. The data was taken from NASA’s servers and drones, and includes drone video and radar footage, flight logs and employee information.
Anonymous claims NASA is not telling the truth about global warming – it wants the agency to disclose the ‘actual’ amount of radioactive chemicals in the upper atmosphere, and threatens to release the data unless NASA complies within a month.
The group targeted specific data – drone footage in particular, as it contains records of chemical samples from the upper atmosphere. The stolen data was allegedly already given to WikiLeaks and The Guardian. No word from NASA or the FBI at this point.
No one really knows how Anonymous managed to find its way inside NASA. There has been speculation that the group bought its way in, purchasing a foothold from someone within the agency. It might also have brute-forced its way in: the group claims to have used a sniffing program to steal a system administrator password.
The group split in two, with one part targeting NASA’s systems and stealing data while the other sifted through it. Anonymous says it spent months inside the system and deleted all indicators of ever having been present on the network.
James Scott, Co-Founder of the Institute for Critical Infrastructure Technology, finds it hard to believe that NASA couldn’t have defended against this attack.
“First, it’s hard to believe that NASA hasn’t made use of a virtually unlimited budget to allocate funds to create the most technologically sophisticated cyber-barricade around their techno-infrastructure,” he says.
“If this breach claim is indeed accurate, a few things that could have thwarted or substantially slowed down the breach would be:
- User behavioural analytics: an early warning mechanism to detect abnormalities in user behaviour
- User behavioural biometrics: another early warning mechanism, most valuable when used with UBA to detect physical abnormalities in users’ technical behaviour
- Multi-layered field encryption of data in transit and stationary: name, email, phone etc. should each possess individual and unique encryption algorithms so that if the adversary breaches the network and goes undetected and is able to exfiltrate information, they have to literally decrypt each field.
- Ongoing penetration testing: red team penetration testing by highly skilled hired hackers to uncover vulnerabilities in the organization’s network and IoT-attached devices.
- Insider threat analysis: people who work at federal agencies with access to highly classified material must undergo ongoing direct and indirect psychological and lifestyle assessments to see if they are a current threat or could become a future threat. Credit profile, marital and familial relationships, financial stress, and professional satisfaction etc. all play a role in assessing the potential threat that comes from inside an organization. A certain level of privacy will need to be interrupted for federal employees with high-level clearances as the IoT attack surface expands.
- Consider each network, device, drone and NASA location vulnerable and breached until proven otherwise by penetration testing and vulnerability assessment/risk analysis. These simulations should take into consideration all known threat actors, vulnerabilities and exploits.
- Change administration credentials from ‘default’ to a creative combination of 16 randomized numbers, letters, upper and lower case (it is claimed that the adversary was able to brute force admin credentials in 0.32 seconds because the credentials were set as “default”).”