When the mysterious Shadow Brokers dumped a cache of hacking tools used by an NSA-linked group last week, researchers quickly identified a number of the spy agency's targets, including American security companies like Cisco, Juniper, and Fortinet.
But until now, no one noticed that the leaked files suggest the NSA has also been targeting—and was likely able to hack—firewalls made by Huawei, a Chinese manufacturer of network infrastructure often seen as a threat to American companies given suspicions that the Chinese government might have a backdoor in its products and could use it to spy. The revelation is contained in an instruction file that is part of the leak.
Within one of the leaked files (TURBO_install-new.txt), there are references to VRP 3.30, a version of Huawei's proprietary operating system. While 3.30 is an older version, it still appears to be popular, according to a search on Shodan, which returns more than 1,600 devices running that version, mostly in China.
While the Shadow Brokers dump contained workable, reproducible exploits for Cisco devices, it doesn't look like there are any exploits for Huawei firewalls. The script contained in the leak, which mentions Huawei's VRP operating system, seems to be designed to delete logs from the firewall, presumably to cover the tracks of the NSA operators hacking into the device, according to Matt Suiche, a security researcher and CEO of UAE-based company Comae, who reviewed the files for Motherboard.
The script is part of a larger set of tools called TURBO in the leaks, presumably the same set of tools revealed in late 2013 by the German magazine Der Spiegel. Documents published at the time showed the NSA targeted Huawei's devices with backdoors codenamed HALLUXWATER, and a tool codenamed TURBOPANDA. Huawei has, of course, also been known to be a target of US spying thanks to documents leaked by Edward Snowden.
A Huawei spokesperson declined to comment specifically on these attacks, sending a statement instead.
"We're certainly aware of allegations - recent and more dated - of past government attempts to exploit commercial networking gear. And, of course, we know that networks and related ICT products are under regular and widespread attack and we make significant investments in innovative technologies, processes and security assurance procedures to better secure them, as well as the networks and data of our customers," the statement read.
The NSA's codename for the log-cleaning program is, funnily enough, POLARCALGON, in reference to the washing powder product. Hilariously, Calgon once made a TV ad in which two laundry store employees joked that Calgon was their "ancient Chinese secret" for their perfectly clean shirts.
In real life, it appears, what the NSA's POLARCALGON did was wash away any sign of the NSA's presence from hacked Huawei firewalls.
"No logs. No Crime. Use Calgon," Suiche joked.
This story has been updated to include Huawei's comment.