It was nearly Christmas 2015 when Juniper released a statement warning customers that it had discovered unauthorized code that allowed hackers to decipher encrypted communications and gain high-level access to customers’ machines that used a popular product developed by the company. The exact wording issued by Juniper stated,
“During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections. Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS…At this time, we have not received any reports of these vulnerabilities being exploited; however, we strongly recommend that customers update their systems and apply the patched releases with the highest priority.”
For some time that was all the information, the public had to go on and for five years the incident has remained a mystery.
It is easy to compare the incident to a campfire horror story with ghosts in the form of the NSA being rumored to have a hand in events and foreign advanced persistent threat groups making use of a backdoor created by said spooks.
A recent report published by Bloomberg uncovers more details surrounding the attack nearly six years later but questions will remain if we learned anything in the years that passed. Bloomberg summarised the state affairs by saying,
“More than five years later, the breach of Juniper’s network remains an enduring mystery in computer security, an attack on America’s software supply chain that potentially exposed highly sensitive customers including telecommunications companies and U.S. military agencies to years of spying before the company issued a patch.”
At the time concerns about government agencies, in particular, US intelligence agencies making use of backdoors to gather intelligence. Others raised the concern that such backdoors are begging to be an own goal incident when foreign adversaries exploit the backdoor themselves.
While the attackers in the Juniper incident remain largely unknown, one of the facts about the incident was that Juniper’s popular NetScreen included an algorithm developed by the National Security Agency (NSA), called Dual Elliptic Curve Deterministic Random Bit Generator. It is believed that this algorithm was purposefully coded with a backdoor to be exploited when the NSA or other intelligence agencies needed to, allowing them to tap encrypted communications.
As to why the incident remains important is because US Congress is still trying to investigate the matter and questions about the dangers of developing deliberate backdoors remain relevant to this day and into the foreseeable future. One of the US senators who has kept the incident in the public view to find answers is Senator Ron Wyden, a Democrat from Oregon who demanded answers from the NSA.
New Details Emerge
According to the Bloomberg investigation, new details have emerged including the revelation that Juniper installed the algorithm on the product NetScreen in 2008. This was despite company engineers raising concerns that there was a flaw in the algorithm which experts thought could be exploited as a backdoor. As to the reason the backdoor was installed in the first place, the Bloomberg article notes,
“The reason was that the Department of Defense, a major customer and NSA’s parent agency, insisted on its inclusion despite the availability of other, more trusted alternatives, according to the official and the three employees.
The algorithm had just become a federal standard at NSA’s behest, alongside three similar ones that weren’t mired in controversy, and the Pentagon tied some future contracts for Juniper specifically to the use of Dual Elliptic Curve, the employees said. The request prompted concern among some Juniper engineers, but ultimately the code was added to appease a large customer, the employees said. The Department of Defense declined to discuss its relationship with Juniper.”
It was also revealed that a Chinese state-sponsored group APT5 exploited the backdoor of the algorithm. This was done in 2012 according to leaked documents Bloomberg has about Juniper’s review of the incident. Further, these documents detail how the hackers altered the algorithm so they could decipher encrypted data flowing through the virtual private network connections created by NetScreen devices.
To make matters worse the same group attacked again in 2014, this time using the backdoor to install their own backdoor. This backdoor allowed the group to independently access NetScreen products.
Bloomberg investigators believe that Juniper failed to understand their significance or recognize that they were related, according to the two people involved with Juniper’s investigation and the internal document.
At the time, the company found that hackers had accessed its e-mail system and stolen data from infected computers, but investigators mistakenly believed the intrusions were separate and limited to theft of corporate intellectual property, according to the people and the document. In July 2020, Juniper did respond to some of Senator Wyden’s questions. However, the NSA declined to do so.
The abuse of deliberately created backdoors has cast a long shadow on the interactions between intelligence agencies and private enterprises. As investigators noted,
“Because of their central role in telecommunications systems, Juniper products have been a longtime target for intelligence agencies, according to a 2011 document leaked by Snowden. It revealed that GCHQ — the British signals intelligence agency — developed secret exploits against at least 13 different models of NetScreen firewalls, with the knowledge of the NSA. Other classified NSA memos support cybersecurity experts’ suspicions about Dual Elliptic Curve, indicating the NSA created a backdoor and pushed the algorithm on NIST and other standards bodies. One NSA memo, cited in news articles based on the documents, called the effort a ‘challenge in finesse.’”
The new revelations have certainly shown the perils of creating deliberate backdoors for intelligence gathering. Whether lessons are learned from this is another question entirely.