CNN: New hack discovered that breached gov't encrypted communications -- for three years

If the OPM hack seemed like a catastrophe, the Juniper hack revealed for the first time by CNN sounds like Game Over. The OPM hack went on for more than a year without being detected, but the Juniper breach went on for three years, and cracked open encrypted communications within both the federal government and the private sector:

A major breach at computer network company Juniper Networks has U.S. officials worried that hackers working for a foreign government were able to spy on the encrypted communications of the U.S. government and private companies for the past three years.

The FBI is investigating the breach, which involved hackers installing a back door on computer equipment, U.S. officials told CNN. Juniper disclosed the issue Thursday along with an emergency security patch that it urged customers to use to update their systems “with the highest priority.”

The concern, U.S. officials said, is that sophisticated hackers who compromised the equipment could use their access to get into any company or government agency that used it.

One U.S. official described it as akin to “stealing a master key to get into any government building.”

The back door created by hackers in Juniper’s hardware allowed access to VPN networks that carry the government’s most sensitive communications — including those of the Departments of Homeland Security, Justice, and Treasury. Juniper’s networking equipment is in use by the same agency that will now investigate its breach — the FBI. And while the CNN report does not specify that the CIA or NSA use Juniper equipment, the company indirectly brags that intelligence agencies do.

As Friday afternoon document dumps go, this one’s pretty dramatic, needless to say. Perhaps these hacks were committed by just anarchic hobbyists, but this looks very, very sophisticated — and expensive in both time and risk. One has to assume that the people who pulled it off (a) had a lot of resources available for the task, and (b) definitely had something in mind for the information they could glean through the hack. China would certainly fit that bill, but so would Iran, Russia, or even North Korea, which has had success at this kind of venture in the past. The perps may not be working for another state, though; they could be working on their own to find information to sell to the highest bidder, or a group with its own purposes.

The question will be how this hack made it into Juniper’s firmware, and how it went unnoticed for so long. No one thought to reverse-engineer the equipment to check the security for that long? The FBI has to be hoping it was an inside job, because that will make it a lot easier to answer some of these questions. Otherwise, the people who did this will know how to cover their tracks well enough to keep people guessing for a long, long time.