A group calling itself the “Shadow Brokers” claimed earlier this week that it hacked into the National Security Agency and stole an apparent treasure trove of exploits and hacking tools that it is now trying to auction off.
But experts say this is all a smokescreen for a not-so-subtle message from Moscow to Washington: Don’t mess with us.
“It’s a smokescreen, there’s nothing real about this,” John Schindler, a former NSA analyst and counterintelligence officer, told Business Insider. “This is Moscow’s way of upping the ante in the spy war, and sending a message no one can miss [which is] ‘we have you penetrated, we’ve got you by the balls, don’t push us.’”
He added: “The Russians are making a power play because they think they can right now.”
The previously unknown “Shadow Brokers” group created a number of social media accounts earlier this month on Reddit, Github, Twitter, and Imgur, before announcing on Aug. 13 its “cyber weapon auction” that promised bidders a “full state sponsor tool set” from a hacking unit believed to be within the NSA, known only as “The Equation Group.”
It released a 234-megabyte archive on various file-sharing sites, one half of which was free to view and use — and which numerous experts say is legitimate — while the other half was encrypted. The winner of the auction, the group said, would get the decryption key.
But an auction for hacking tools and exploits is not something that ever happens, experts say. Instead, exploits are bought and sold on the black market for hundreds of thousands and sometimes millions of dollars, in private.
There’s something else going on here, and it seems like it has nothing to do with a hacking group looking for cash.
‘Auction files better than Stuxnet’
In the announcement of its auction, “Shadow Brokers” seemed to ensure that no one would seriously consider bidding on the other half of their treasure trove, which they claim has within it software that is better than “Stuxnet” — the US-Israeli malware that destroyed Iranian nuclear centrifuges.
Its FAQ tells bidders that they are going to lose their Bitcoin, no matter what they do. If you win the auction, you’ll get the files, but if you lose the auction, you don’t get the files — and you don’t get your Bitcoin back. “Sorry lose bidding war lose bitcoin and files,” the group wrote.
That’s probably why the so-called auction hasn’t moved anywhere close to the group’s goal of 1 million Bitcoin, or roughly $575 million. The high bid is currently 1.629 Bitcoin, a surprisingly low figure for a software package that, if it were “better than Stuxnet,” would contain a number of unknown software exploits called “zero days,” each of which can be sold for $100,000 or more on the black market.
“This auction is one of the more bizarre things that I’ve ever seen in this space. People who buy and sell exploits would not just dump money into an auction,” a source who used to work for NSA’s elite hacker unit, Tailored Access Operations, told Business Insider on condition of anonymity in order to discuss sensitive matters. “It kind of makes no sense.”
“The low Bitcoin offers are pretty amusing though,” Dr. Peter Singer, a strategist at the think tank New America and coauthor of “Ghost Fleet,” told Business Insider in an email.
Further, the website WikiLeaks apparently has the full archive and says it will release its own “pristine copy in due course.” WikiLeaks did not respond to an email from Business Insider asking when that release would be.
“[This just] shows the fraud of the whole Bitcoin angle,” Schindler said.
‘Conventional wisdom indicates Russian responsibility’
Former NSA contractor Edward Snowden offered his opinion on the underlying message behind the “auction” in a series of tweets on Tuesday, notably pointing the finger at Russia as being behind it.
After cybersecurity firm Crowdstrike said it uncovered two different state-sponsored Russian hacking groups inside the servers of the Democratic National Committee in June, Snowden wrote, “if Russia hacked the DNC, they should be condemned for it,” and then chided the US for not releasing evidence he believed the NSA had that would prove it.
That “smoking gun” evidence never came, though a number of US political and intelligence officials have said the DNC hack was at the Kremlin’s direction.
“Circumstantial evidence and conventional wisdom indicates Russian responsibility,” wrote Snowden of this latest breach, adding: “This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast.”
How messy? According to Snowden, the fully leaked toolkit — which dates from 2013 — could offer insight into previous hacks carried out by the NSA, or it could be reverse-engineered to help adversaries detect them in the future. Even Schindler, the former NSA analyst who is an outspoken critic of Snowden, agrees with Snowden’s reading of the overt message, though he doesn’t think the leaked tools will have any significant effect on future NSA operations.
“This stuff has all been changed,” Schindler said. “Three years is a long time in cyber ops, because that’s not the point. The point is to show NSA that we’ve got you by the balls.”