New Investigations Shed Light on the Juniper Attacks

It was nearly Christmas 2015 when Juniper released a statement warning customers that it had discovered unauthorized code in a popular product developed by the company. The code allowed hackers to decipher encrypted communications and gain high-level access to customers’ machines that used the product. Juniper’s statement read:

“During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections. Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS…At this time, we have not received any reports of these vulnerabilities being exploited; however, we strongly recommend that customers update their systems and apply the patched releases with the highest priority.”

For some time, that was all the information the public had to go on, and for five years the incident has remained a mystery.

It is easy to compare the incident to a campfire horror story, with the ghosts taking the form of the NSA, rumored to have had a hand in events, and foreign advanced persistent threat groups making use of a backdoor created by said spooks.

A recent report published by Bloomberg uncovers more details surrounding the attack nearly six years later, but questions will remain as to whether we learned anything in the years that passed. Bloomberg summarised the state of affairs by saying,

“More than five years later, the breach of Juniper’s network remains an enduring mystery in computer security, an attack on America’s software supply chain that potentially exposed highly sensitive customers including telecommunications companies and U.S. military agencies to years of spying before the company issued a patch.”

At the time, concerns were raised about government agencies, in particular US intelligence agencies, making use of backdoors to gather intelligence. Others raised the concern that such backdoors are begging to become an own goal when foreign adversaries exploit the backdoor themselves.

While the attackers in the Juniper incident remain largely unknown, one of the facts about the incident was that Juniper’s popular NetScreen included an algorithm developed by the National Security Agency (NSA), called Dual Elliptic Curve Deterministic Random Bit Generator. It is believed that this algorithm was purposefully coded with a backdoor that the NSA or other intelligence agencies could exploit when they needed to, allowing them to tap encrypted communications.

The incident remains important because the US Congress is still trying to investigate the matter, and questions about the dangers of developing deliberate backdoors remain relevant to this day and into the foreseeable future. One of the US senators who has kept the incident in the public view to find answers is Senator Ron Wyden, a Democrat from Oregon, who demanded answers from the NSA.

The senator published press releases that indicated his intent and the need for the public to have access to information as to what happened.

New Details Emerge

According to the Bloomberg investigation, new details have emerged, including the revelation that Juniper installed the algorithm in its NetScreen product in 2008. This was despite company engineers raising concerns that there was a flaw in the algorithm which experts thought could be exploited as a backdoor. As to the reason the backdoor was installed in the first place, the Bloomberg article notes,

“The reason was that the Department of Defense, a major customer and NSA’s parent agency, insisted on its inclusion despite the availability of other, more trusted alternatives, according to the official and the three employees.

The algorithm had just become a federal standard at NSA’s behest, alongside three similar ones that weren’t mired in controversy, and the Pentagon tied some future contracts for Juniper specifically to the use of Dual Elliptic Curve, the employees said. The request prompted concern among some Juniper engineers, but ultimately the code was added to appease a large customer, the employees said. The Department of Defense declined to discuss its relationship with Juniper.”

It was also revealed that a Chinese state-sponsored group, APT5, exploited the backdoor of the algorithm. This was done in 2012, according to leaked documents Bloomberg has about Juniper’s review of the incident. Further, these documents detail how the hackers altered the algorithm so they could decipher encrypted data flowing through the virtual private network connections created by NetScreen devices.

To make matters worse, the same group attacked again in 2014, this time using the backdoor to install their own backdoor. This backdoor allowed the group to independently access NetScreen products.

Bloomberg investigators believe that Juniper failed to understand the significance of the two intrusions or recognize that they were related, according to the two people involved with Juniper’s investigation and the internal document.

At the time, the company found that hackers had accessed its e-mail system and stolen data from infected computers, but investigators mistakenly believed the intrusions were separate and limited to theft of corporate intellectual property, according to the people and the document. In July 2020, Juniper did respond to some of Senator Wyden’s questions. However, the NSA declined to do so.

The abuse of deliberately created backdoors has cast a long shadow on the interactions between intelligence agencies and private enterprises. As investigators noted,

“Because of their central role in telecommunications systems, Juniper products have been a longtime target for intelligence agencies, according to a 2011 document leaked by Snowden. It revealed that GCHQ — the British signals intelligence agency — developed secret exploits against at least 13 different models of NetScreen firewalls, with the knowledge of the NSA. Other classified NSA memos support cybersecurity experts’ suspicions about Dual Elliptic Curve, indicating the NSA created a backdoor and pushed the algorithm on NIST and other standards bodies. One NSA memo, cited in news articles based on the documents, called the effort a ‘challenge in finesse.’”

The new revelations have certainly shown the perils of creating deliberate backdoors for intelligence gathering. Whether lessons are learned from this is another question entirely.


About the author:

Karolis Liucveikis
