Earlier this week, a group calling itself “The Shadow Brokers” announced it was selling a number of cyber weapons — auction-style — that it claimed were hacked and stolen from an alleged NSA hacking group dubbed “The Equation Group.”
Beside the fact that NSA getting hacked is eyebrow-raising in itself, the leak of the data and the claim from this mystery group that it’s just trying to make money doesn’t seem to add up.
Their claim to have “hacked” a server belonging to the NSA is fishy.
According to ex-NSA insiders who spoke with Business Insider, the agency’s hackers don’t just put their exploits and toolkits online where they can potentially be pilfered. The more likely scenario for where the data came from, says ex-NSA research scientist Dave Aitel, is an insider who downloaded it onto a USB stick. Instead of a “hack,” Aitel believes, it’s much more likely that this was a more classic spy operation that involved human intelligence.
“This idea that a group of unknown hackers are going to take on the NSA seems unlikely as well,” Aitel told BI. “There’s a long arm and a long memory to the US intelligence community and I don’t think anyone wants to be on the other end of that without good reason. I don’t necessarily think a million bitcoin is a good enough reason.”
When hackers gain access to a server, they keep quiet about it so they can stay there.
One of the many strange things about this incident is the very public nature of what transpired. When a hacker takes over your computer, they don’t start activating your webcam or running weird programs, because you’d figure out pretty quickly that something was up and you’d try to get rid of them.
The same is true for NSA.
If the “Shadow Brokers” owned the NSA’s command and control server, it would probably be a much better approach to just sit back, watch, and try to pivot to other interesting things they might be able to find. Instead, the group wrote on Pastebin, “we follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons,” which immediately signals to this alleged NSA hacker group that they have a big problem.
Though this seems problematic, it’s probable the group no longer has access to the server, so it no longer cares about getting back on it. Since the files are years old, this could be the case. However, it’s still out of the ordinary since any claim like this can be later investigated by the victim, which will be going through everything trying to figure out who they are.
If this was some random hacking group, it would have been better to keep their mouth shut, especially when their victim is NSA.
People sell exploits all the time, but they hardly ever talk about it.
Software exploits are digital gold for hackers, since they often give a key inside a system or network that no one has ever noticed before, and thus, hasn’t fixed. Which is why the marketplace for these “zero-day” exploits is so lucrative. We’re talking hundreds of thousands to millions of dollars for this kind of code.
Most of the time, an exploit is either found by a security research firm which then writes about it and reports it to the company, so they can fix the problem. Or a hacker looking for cash will take that found exploit and sell it on the black market.
So it would make sense for a group like “Shadow Brokers” to want to sell their treasure trove, but going public with it is beyond strange.
“From my perspective, its extremely bizarre behaviour,” an ex-NSA hacker who spoke on condition of anonymity told Business Insider. “Most groups who either identify or trade in exploits do one of two things. If you identify, like a security research firm [does] … they will typically publish their findings. They’re really in the best interest of the companies and users who use these products.”
The source added: “In the other scenarios, folks who sort of deal in the exploit markets. They quietly sell these things. To come out with this public auction is the more bizarre variance of that that I’ve ever seen. So it’s not clear what the intent here is.”
So what is the intent?
If you ask ex-NSA contractor Edward Snowden, the public leak and claims of the “Shadow Brokers” seem to have Russian fingerprints all over them, and it serves as a warning from Moscow to Washington. The message: If your policymakers keep blaming us for the DNC hack, we can use this hack to implicate you in much more.
“That could have significant foreign policy consequences,” Snowden wrote on Twitter. “Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections.”
Aitel seems to agree, though he criticised Snowden as being, at some level, a “voice piece” for Russian intelligence now, since he lives in asylum in Moscow.
“He has the same theory — the DNC hack happened. The US political people got upset. They probably made the NSA do a covert response,” Aitel speculated. “This is another response to the NSA’s covert response. There’s a lot of sort of very public messages here going back and forth, which is interesting to look at.”
Aitel also doesn’t think anyone is going to actually pony up the money required to win the auction. And that prediction is probably going to be right, since WikiLeaks claims it already has the archive.
“We had already obtained the archive of NSA cyber weapons released earlier today,” its official Twitter account wrote, “and will release our own pristine copy in due course.”
The “Shadow Brokers” did not respond to an emailed request for comment.