A group calling itself the “Shadow Brokers” claims it hacked into the National Security Agency and stole an apparent treasure trove of exploits and hacking tools that it now wants to auction off, which some ex-NSA insiders say is both extremely bizarre and very serious.
“It’s a big deal,” Dave Aitel, an ex-NSA research scientist and CEO of penetration testing firm Immunity, Inc., told Business Insider. “We’d be panicking.”
Though he added: “But then it is rather old stuff. So the question is, is it so old that it’s essentially irrelevant but looks very relevant? Or is some of this stuff still in use every day. I don’t know.”
Earlier this week, “Shadow Brokers” announced it was selling a number of cyber weapons claiming to be stolen from “The Equation Group” — a hacking unit uncovered last year by Kaspersky Labs that many believe are within NSA. In its data dump of proof, the brokers offer files dating back to 2013 to allegedly exploit Fortigate and Cisco firewalls, among others.
Aitel doesn’t think the NSA was actually hacked, though he does think the files look legitimate. Instead, he told us, the much more likely scenario is that an insider walked out of a secure area with this data on a USB key, which could have been sold or stolen.
“No one puts their exploits on a [command-and-control] server,” Aitel said. “That’s not a thing.”
That assessment was echoed by another former NSA employee who worked in Tailored Access Operations — the government’s top hacking unit.
“Knowing how the NSA setup is, it’s so unlikely that someone would hack it,” the source told Business Insider on condition of anonymity. “It’s just ridiculous. That’s not to say they are so perfect, or so impenetrable. … The fact that this is consolidated around one specific toolkit, I would totally agree with Dave that someone just left with an infrastructure ops disk.”
‘There’s then a lot of panic’
On one hand, people inside the NSA are likely carrying on with “business as usual,” the source said. Networks, operating systems, and platforms constantly evolve, and security research firms are often finding tools and exploits they use, so they have to find other ways to continue hacking into foreign targets.
“I’ve worked operations where tools were discovered and there was a lot of scrutiny on it, and I think you have to have a practical nature to it, which is, that’s kind of the name of the game,” the source said. “If you implant a computer, you’re leaving something behind.”
But on the other hand, the more pressing concern is in trying to understand how that data was taken, and what else could be sitting in the cache. Until NSA knows that, then ongoing operations are likely threatened.
“If you don’t know how it was lost, there’s then a lot of panic in terms of what else is out there, particularly from a counterintelligence perspective,” the source said. “Now you have to really worry, are all of my operations exposed? I think that’s very concerning to people because they want to be covert and stealth.”
The source added: “That’s probably the most chilling effect that you can have is to kind of have everyone second guessing themselves.”
So what’s next? Security researchers will no doubt continue poking through the files to get an understanding of what is inside, and the companies named will start developing patches that fix their vulnerabilities.
But a larger narrative seems to be emerging that a so-called “cyber cold war” is turning hot, especially when this exploit auction — which Aitel believes is “almost certainly Russia” — comes just two months after two different Russian hacker groups were found inside the network of the Democratic National Committee.
“The Russians are professionals,” Aitel said. “They have been trying to operate against the United States for a long time. They have a lot of irons in that fire. And vice versa. We catch them and attribute to them as well.”
So much for that cyber COLD war we were warned about.
— Jeremiah Grossman (@jeremiahg) August 16, 2016
“When you have someone messing with your presidential election, when you have somebody releasing this kind of capability, when you have the attention of policymakers,” he added. “It gets less cold day by day.”