In the two weeks after the so-called “Heartbleed” Internet security bug was made public on April 7, 2014, there were more than 42,000 attempts to exploit the vulnerability to gain access to Department of Defense (DoD) information, The Crime Report has learned.
A National Security Agency (NSA) memo circulated on April 22, 2014, and obtained recently by The Crime Report, details steps the agency took to secure military and intelligence networks from cyber-attack.
The number of attempts—in the memo the NSA identified 42,834 that occurred between April 11 and April 22, 2014—was actually far fewer than many industry experts expected. It is not clear where the attempted exploits originated, what portion specifically targeted the DoD, or how many were bots scanning a wider swath of the Internet,
The revelation of Heartbleed, a major flaw in the popular encryption technology OpenSSL, left many of the Internet's most trafficked websites vulnerable to attack. But the bug's limited impact on the U.S. military was an indication, experts said, of just how routine attacks on our cybersecurity infrastructure have become.
For the Department of Defense it was “probably the typical day at work,” according to Ed Goings, National Principal in Charge of Forensic Technology Cyber Services at KPMG
“Cyber Command is constantly probing all websites — and that’s not just U.S. — that’s worldwide,” said Goings, who formerly investigated computer crime for the Air Force Office of Special Investigations, a predecessor of the U.S. Cyber Command, the military's primary Internet security agency. “There are exploits that the public doesn’t even know about yet, that Cyber Command knows about.”
He added: “They have software that allows them to basically call to every website; how that website answers allows them to see if they’re vulnerable.”
Still, despite reports last year that the NSA was previously aware of the Heartbleed vulnerability, the agency claims it found out the same day the general public did. According to the NSA, it reacted quickly.
“When NSA learned of the presence of the Heartbleed vulnerability on April 7, 2014, it triggered an immediate response by Information Assurance and Cyber Defense experts at NSA and the United States Cyber Command,” the agency wrote in the memo.
The memo was released in a partial response to a 2014 Freedom of Information Act request submitted by The Crime Report to the NSA, asking for documents “that reference the Transport Layer Security (TLS) heartbeat extension in OpenSSL” — the area of security vulnerability.
The request asked for documents composed between Jan. 1, 2012 and April 10, 2014. In a letter to The Crime Report, an NSA representative said the agency was continuing to review documents related the query. However it was releasing the memo, which “although outside the parameters of your request, we hope you will find useful.”
OpenSSL is used by about two-thirds of all websites to encrypt private data such as passwords, usernames and more sensitive information like credit card numbers. The coding flaw, which was present for at least two years, was undetected by security experts until it was discovered in late March 2014.
The discovery set off a global flurry of warnings for companies and networks to install a patch meant to plug the vulnerability.
All but five of the largest 100 sites in the world installed patches within the first 24 hours. A study by researchers at the Universities of Michigan, Illinois and California at Berkeley, as well as Purdue University, found the first large-scale malicious vulnerability scans — bots that searched for unpatched sites — were detected just over 21 hours after the bug was first made public.
“What the department did immediately was block the exploitation of this vulnerability at the boundary between the department's network and the Internet,” Richard Hale, Chief Information Officer for the Department of Defense, said during an interview with the American Foreign Press Service.
That meant targeting at least 100 different products and networks protected by OpenSSL, according to David Gewirtz, a cyber-warfare advisor with the International Association of Counterterrorism and Security Professionals.
While it's unclear how quickly the NSA was able to patch all the DoD's systems, its “Heartbleed Team” was recognized by the DoD's 2014 Chief Information Officer Award, the highest cybersecurity honor given by the department.
And in Congressional testimony on March 4, Admiral Michael Rogers, Commander of the U.S. Cyber Command, said, “it was not long before we detected new probes checking our websites and systems for open locks, as it were, at the relevant doors and windows.”
Rogers' statement to Congress was largely celebratory, but left unanswered is whether anyone found open locks before the DoD first found out about Heartbleed.
The researchers who wrote the study analyzing the Heartbleed response found no evidence that the bug was exploited prior to its being made public, but the likelihood is that it was, said Gewirtz.
“People don't realize (that) it existed for years in this chunk of code (and) undoubtedly throughout the period of time before there were people exploiting it,” Gewirtz said.
“You know any time there's an open door people are going to go through it.”
Graham Kates is deputy managing editor of The Crime Report. He welcomes readers' comments. He can be found on Twitter, @GrahamKates.