On Monday, the security world was rocked by a sensational claim: A mysterious new group calling itself “Shadow Brokers” claimed they had hacked into an elite NSA-linked hacking group, and were auctioning off cyberweapons.
After poring over files — including alleged software exploits — provided by Shadow Brokers, some experts increasingly think that this is the real deal.
Some speculate that the auction is a sham, and that Russia is likely responsible — though there is little hard evidence on the origins of the data at this stage.
Shadow Brokers asserts that it managed to hack “Equation Group” — a highly sophisticated cyber-attack group that is believed to be Tailored Access Operations (TAO), a hacking group within the NSA. Equation Group, security firm Kaspersky said in 2015, is “a threat actor [hacker or hacking group, essentially] that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades.”
Many are inclined to believe that the data Shadow Brokers has is legitimate.
Kaspersky researchers said in a blog post that “while we cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group.”
Security researcher Nicholas Weaver wrote on Tuesday that “because of the sheer volume and quality, it is overwhelmingly likely this data is authentic. And it does not appear to be information taken from compromised systems. Instead the exploits, binaries with help strings, server configuration scripts, 5 separate versions of one implant framework, and all sorts of other features indicate that this is analyst-side code — the kind that probably never leaves the NSA.”
If true, where did it come from? It’s important to stress that the NSA itself didn’t get hacked. No-one, as best we know, managed to break into its Fort Meade headquarters (either physically or digitally).
Instead, it’s possible that the data was retrieved from a server used by Equation Group, or TAO, in one of their operations. Exiled NSA contractor-turned-whistleblower Edward Snowden explored this possibility on Twitter on Tuesday, guessing that the data may have been stolen from a command-and-control server used by the cyber-attack group.
“NSA malware staging servers getting hacked by a rival is not new,” he wrote. “A rival publicly demonstrating they have done so is.”
Dave Aitel, a former NSA employee who works in the cybersecurity industry, has a different theory as to the origin of the files. “First off, it’s not a ‘hack’ of a command and control box that resulted in this leak,” he writes. “Assuming it’s real (I cannot confirm or deny anything here – largely because I don’t know), it’s almost certainly human intelligence – someone walked out of a secure area with a USB key.”
An unnamed former NSA employee suggested to The Washington Post that the files may have accidentally been left on a “redirector” server used to mask the origins of the TAO hackers during one of their operations. “What’s unprecedented is to not realise you made a mistake … You would recognise, ‘Oops, I uploaded that set’ and delete it.”
However the files were obtained, many are pointing the finger at Russia. Russia has previously been accused by security experts of hacking into the Democratic National Party (DNC) and leaking confidential internal documents; this may be the latest salvo in an ongoing dispute between the United States and Russia as the US considers whether to publicly blame Russia for the DNC hack.
There is currently no concrete evidence tying Russia to Shadow Brokers, but the timing and the nature of the incident suggest Russian involvement, some security experts say.
“High level US political officials seemed quite upset about the DNC hacks, which no doubt resulted in a covert response, which this is then likely a counter-response to,” Aitel argues. Additionally, “no team of ‘hackers’ would want to piss off Equation Group this much. That’s the kind of cojones that only come from having a nation state protecting you.”
“The list of suspects is short: Russia or China,” Nicholas Weaver writes. “And in the context of the recent conflict between the US and Russia over election interference, safe money is on the former.”
Snowden suggests that this may be a “warning” to the US against publicly accusing Russia of hacking the DNC, and that if the US does, Russia will retaliate by leaking potentially damaging information about US cyber-intelligence operations to the world.
“This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server [that the hacked files originated on]. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies,” Snowden wrote.