A recognized authority on cyber security says the hacking activity against NASDAQ OMX’s Directors Desk board portal, used by 10,000 directors and many Fortune 500 companies, has hallmarks of state-sponsored corporate espionage.
NASDAQ OMX confirmed in a statement on Saturday that it had discovered “suspicious files” on the US servers of its Directors Desk board portal, used by directors and management to share sensitive company documents online. The exchange said that “at this stage” there was no evidence that the hackers had obtained any of its clients’ information.
The exchange company was forced to issue the statement and begin informing clients about the security breach after the Wall Street Journal reported late Friday night that the case had been reported to White House officials and was being investigated by the FBI, the Secret Service, the US Department of Justice, the US Securities and Exchange Commission, the Department of Homeland Security and leading cyber security experts.
Investigation began “more than a year ago”
Initial media reports portrayed the threat as a potential attack on the exchange’s trading systems and therefore a matter of national security, but Directors Desk is an altogether separate product from the exchange’s trading engine.
However, the nature of the information stored on Directors Desk – confidential corporate financial and strategy information shared with board directors – makes the incident potentially extremely serious and helps explain the high-level interest in the case and the large number of agencies involved in the investigation.
It also emerged last night that investigations into the hacking have been ongoing for longer than first disclosed. The Wall Street Journal reported that the Secret Service began its investigation more than a year ago, but the investigation ramped up after NASDAQ OMX reported finding malware on its servers in October or November.
It’s not clear if NASDAQ OMX has ever notified Directors Desk clients of potential security threats prior to doing so on Saturday. It’s likely that the current revelations will undermine companies’ confidence in using board portals.
State-Sponsorship, Advanced Persistent Threat
Jeffrey Carr, CEO of cyber security firm Taia Global and author of the 2009 book Inside Cyber Warfare, said in a post on Forbes.com that the length of time involved in the hacking activity “strongly suggests State-sponsorship because it takes skill to continually persist within a network for that long and skill costs money.”
He says the nature of the threat falls within the scope of an Advanced Persistent Threat (APT) attack, a term often used to describe deliberate and sustained attacks by paid state-sponsored operatives who have advanced skills. And he says the Directors Desk security measures are inadequate against such an attack.
“The security measures advertised on the Directors Desk website like compliance with ISO27001, firewalls, IDS, and strong passwords are useless against APT because attacks are specifically designed to bypass everything that the target has put in place; even encryption,” Carr writes, adding that an “entirely different security posture is needed” considering the rich pool of business intelligence available on Directors Desk.
“If it hasn’t already done so, NASDAQ needs to consult with security experts who understand and work APT attacks as soon as possible. If you’re a Directors Desk LLC customer, you should probably do the same,” writes Carr, who also revealed that Directors Desk LLC settled a deceptive practices case brought by the Federal Trade Commission in 2009, after it was acquired by NASDAQ OMX in 2007.
However, that seems unlikely since the NYSE’s service is not a board portal and is used by companies primarily to file corporate governance information with the exchange and to compare their governance practices with those of peers.
In a press release last August, NASDAQ OMX said Directors Desk serves “more than 10,000 directors representing more than 230 organizations worldwide, including many Fortune 500 companies.”