Golan Ben-Oni, the global chief information officer at IDT Corporation, is preoccupied with two cyberweapons that hit his employer over the last two months. Both weapons had been stolen from the National Security Agency.
The attacks left Mr. Ben-Oni determined to track down whoever was behind them. Shortly after IDT was hit, WannaCry plagued computers in China, plants in Japan and even rail systems in Germany.
The IDT strike was similar to WannaCry in that hackers locked up IDT data and demanded a ransom to unlock it. However, the ransom demand was just a smoke screen for a far more invasive attack that stole employee credentials.
Surprisingly, the attack was not detected by some of the nation’s leading cybersecurity products, by government intelligence analysts or by the F.B.I., which remains consumed with the WannaCry attack. It was noticed only because a digital black box had recorded everything on IDT’s network. The two hacking tools have since been used to backdoor tens of thousands of computer systems all over the world.
Mr. Ben-Oni has encountered hundreds of thousands of hackers of every stripe, motivation and skill level. He eventually started a security business under IDT, IOSecurity, to share some of the technical tools he had developed to keep IDT’s many businesses secure.
The assault on IDT relied on cyberweapons developed by the N.S.A. that were leaked online in April by a mysterious group of hackers calling themselves the Shadow Brokers. The WannaCry attack employed one N.S.A. cyberweapon while the IDT assault used two.
Both WannaCry and the IDT attack used a hacking tool the agency had code-named EternalBlue. The tool took advantage of unpatched Microsoft servers to spread malware automatically from one server to the next, which is how, within 24 hours, North Korea’s hackers had spread their ransomware to more than 200,000 servers around the globe.
The IDT attack went a step further with another stolen N.S.A. cyberweapon, called DoublePulsar. The N.S.A. used DoublePulsar to penetrate computer systems without tripping security alarms. It allowed N.S.A. spies to inject their tools into the nerve center of a target’s computer system, called the kernel, which manages communications between a computer’s hardware and its software.
In the pecking order of a computer system, the kernel is at the very top, allowing anyone with secret access to it to take full control of a machine. It is also a dangerous blind spot for most security software, allowing attackers to do what they want and go unnoticed.
In IDT’s case, attackers deployed DoublePulsar to steal an IDT contractor’s credentials. Then they deployed ransomware in what appears to be a cover for their real motive: broader access to IDT’s businesses. Since IDT was hit, Mr. Ben-Oni has contacted everyone in his Rolodex to warn them of an attack that could still be working its way, undetected, through victims’ systems.