Written by Sean Lyngaas
As the U.S. investigation into the SolarWinds hacking campaign grinds on, lawmakers are demanding answers from the National Security Agency about another troubling supply chain breach that was disclosed five years ago.
A group of lawmakers led by Sen. Ron Wyden, D-Ore., is asking the NSA what steps it took to secure defense networks following a years-old breach of software made by Juniper Networks, a major provider of firewall devices for the federal government.
Juniper revealed its incident in December 2015, saying that hackers had slipped unauthorized code into the firm’s software that could allow access to firewalls and the ability to decrypt virtual private network connections. Despite repeated inquiries from Capitol Hill — and concern in the Pentagon about the potential exposure of its contractors to the hack — there has been no public U.S. government assessment of who carried out the hack, and what data was accessed.
Lawmakers are now hoping that, by cracking open the Juniper cold case, the government can learn from that incident before another big breach of a government vendor provides attackers with a foothold into U.S. networks.
Members of Congress also are examining any role that the NSA may have unwittingly played in the Juniper incident by allegedly advocating for a weak encryption algorithm that Juniper and other firms used in their software. Lawmakers want to know if, more than a decade ago, the NSA pushed for a data protection scheme it could crack, only for another state-sponsored group to exploit that security weakness to gather data about the U.S.
“Congress has a responsibility to determine the root cause of this supply chain compromise and the NSA’s role in the design and promotion of the flawed encryption algorithm that played such a central role,” Wyden and other lawmakers wrote to Gen. Paul Nakasone, head of the NSA and U.S. Cyber Command, in a letter made public Friday.
Other signatories of the letter are: Sen. Cory Booker, D-N.J.; and Democratic Reps. Yvette Clarke, Anna Eshoo and Ted Lieu of California; Bill Foster of Illinois; Stephen Lynch of Massachusetts; Tom Malinowski of New Jersey; and Suzan DelBene and Pramila Jayapal of Washington.
A years-long search continues
The letter comes amid a broader search for answers in Washington as to why foreign hackers have been able to exploit the software supply chain to access sensitive government networks.
The lawmakers, for example, are asking the NSA why any security overhaul after the Juniper breach apparently did not lead the federal government to adopt defensive measures capable of detecting the SolarWinds campaign, in which suspected Russian spies infiltrated multiple federal agencies in 2020.
It’s a complicated question, as there are key differences between the two incidents.
Experts regard the alleged Russian hacking spree — in which attackers breached the departments of Treasury, Justice and others — as one of the most advanced efforts in recent memory. The operation focused on multiple vendors, along with the Texas-based contractor SolarWinds, meaning that detection was no easy task.
The Juniper hack, by contrast, does not appear to have relied on so many attack vectors.
Moreover, the NSA has jurisdiction over Department of Defense networks, but not, typically, the multiple civilian agencies that have been compromised in the SolarWinds campaign. The NSA, though, is still a key player in the federal government’s response to severe hacking threats.
And the parallels between the two supply chain compromises are instructive.
SolarWinds and Silicon Valley’s Juniper hold similar positions in the federal contracting ecosystem. Both make software that is widely used at U.S. agencies — code that, if exploited, offers hackers a valuable entry point from which to root around in networks for sensitive data. A clear accounting of what happened in both breaches is key to improving the government’s supply chain security measures, experts say.
“Whether talking about Juniper, SolarWinds or another compromise, the methods used, the weaknesses exploited and the potential scope of the ramifications need to be shared” to improve network defenses, said Ben Johnson, a former NSA official who is now chief technology officer of Obsidian Security. (Johnson left the government in 2007 and says he has no firsthand knowledge of the Juniper incident.)
A Juniper spokesperson did not respond to phone calls or emails requesting comment for this article. The NSA did not respond to a request for comment. The FBI, which Juniper has previously said was investigating the incident, did not respond to a request for comment.
Information about how still-unidentified hackers altered code on Juniper’s NetScreen firmware, which runs on its firewalls, has only trickled into the public eye over the last five years.
In 2016, security researchers documented how attackers made changes to the firmware in 2012 and 2014. The 2012 change, the researchers said, was enabled by Juniper’s use of a then-popular encryption algorithm known as Dual EC.
Documents leaked by former NSA contractor Edward Snowden reveal how the NSA allegedly pushed the National Institute of Standards and Technology to adopt a standard using the flawed Dual EC algorithm. The NSA reportedly knew how to break the encryption scheme to aid its overseas spying efforts.
NIST later withdrew the algorithm because of security concerns, and Juniper followed suit by removing it from its operating system in 2016. Exactly who was responsible for breaking into Juniper systems has never been publicly confirmed.
In a July 2020 letter to Wyden, Brian Martin, Juniper’s general counsel, said the breach appeared to be the work of an unnamed “sophisticated nation-state hacking unit.” Investigators suspected that Chinese government-backed hackers were responsible for at least one of the alterations of Juniper’s code, Reuters reported in October. The attackers’ tactics, techniques and procedures pointed toward Chinese-sponsored hackers, a person familiar with the investigation reiterated to CyberScoop this week.
For critics of U.S. law enforcement agencies’ longstanding push for technology companies to grant access to their encrypted software products, it’s a cautionary tale of unintended consequences. A foreign government had reportedly exploited a “backdoor” in encryption technology that the NSA may have helped introduce into the technology. Juniper has told congressional investigators that it added support for the Dual EC algorithm “at the request of a customer,” but has refused to identify that customer, according to the lawmakers.
“What we learned here is that just a few bytes of code can be the difference between a secure system and a surveillance bonanza for our foreign adversaries,” said Matthew Green, an associate professor of computer science at Johns Hopkins University and one of the authors of the 2016 research paper on the Juniper breach.
“The only solution we have to this problem is transparency, to make sure nothing like this can ever happen again,” Green added.
Juniper’s Martin also said in his letter to Wyden that the firm believed it had “successfully remediated the attack,” while asserting that the “intrusion was neither caused nor aided by the use of” the Dual EC algorithm.
That is technically true, Green said, in that the attackers didn’t break into Juniper using the Dual EC algorithm, but it obscures the broader point: The hackers apparently used their access to Juniper firmware to modify the algorithm and enable their spying.
A clear post-mortem report on the Juniper breach remains elusive. NSA officials told Wyden’s office in a 2018 briefing that the agency had written a “lessons learned” report about the Dual EC incident, according to Keith Chu, a Wyden spokesman. But the NSA now asserts that it cannot locate the document, Chu said. The NSA did not respond to questions on the matter from CyberScoop.
Wyden and the other legislators asked the NSA about the status of that report again on Friday.
You can read the full letter online.