Cybersecurity experts are searching for answers after an unidentified group claimed on Monday to have hacked into “Equation Group” — an elite cyber-attack group associated with the NSA.
The “Shadow Brokers” claimed in a post on blogging service Tumblr to have hacked Equation Group, and say they are holding an “auction” to sell off the “cyber weapons” they were able to steal. Shadow Brokers have also provided a sample of files, free to access, to “prove” their legitimacy.
Equation Group, widely believed to be part of the NSA spy agency, was described by security firm Kaspersky in 2015 as “a threat actor that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades.”
If it was successfully hacked, it would be a highly significant cybersecurity incident. But the facts are still far from clear, and some believe Shadow Brokers’ claims may be politically motivated — and are pointing at Russia as a potential culprit.
For context: Cybersecurity experts have accused Russia of hacking into the Democratic National Committee, and being behind the “hacker” calling itself Guccifer 2.0 that has leaked numerous internal documents from the political party.
This “hack,” whether valid or a false propaganda claim, could be the latest volley in an escalating cybersecurity conflict between the two nations, the theory goes.
Dmitri Alperovitch, CTO of security firm CrowdStrike, subscribes to this idea. In a series of tweets, he wrote (emphasis ours):
“The question everyone should be asking about #DNCHack and #ShadowBrokers is what is going to happen next? No doubt that further leaks will continue and contribute to the chaos of this already way too weird election. I think there is plenty of reasons to be concerned that the election itself would be manipulated. Results potentially only need to be changed in a dozen or so counties if it’s not a landslide election to have an impact. Even without direct manipulation of the vote. The claim from a credible hacking source of such manipulation could be enough to cast shadow on the legitimacy of elected president. And weaken them, which ultimately plays into the hands of a certain leader of a large country in Europe. [The United States Government] needs to come up with a response and soon. Continued inaction is inexcusable.”
Someone should make a US election season edition of attribution dice where every face is just “Russia trying to influence US election”
— MalwareTech (@MalwareTechBlog) August 15, 2016
Are the files themselves legitimate? “I think it’s hard to say at this stage whether the files are genuine, but they are an elaborate hoax if not, by someone who has spent a lot of time going through Snowden documents to sprinkle codenames into the files,” a security researcher who goes by the name Pwn All The Things told Business Insider.
“In terms of whether it is Russia – it’s hard to say. All of this is very early speculation. But it would certainly fit in with the current US-Russian DNCleaks dispute between the two countries’ intelligence agencies.”
Matt Suiche, CEO of cybersecurity startup Comae Technologies, has also been looking through the sample files since their publication. “I haven’t tested the exploits but they def look like legitimate exploits, using third party libraries like scapy etc – at least for the Cisco ASA we can also see several shellcodes,” he said. “Some of those codenames def belongs to the NSA as we can see from the TAO Catalogue (which I reference at the end for JETPLOW).”
Claudio Guarnieri, a technologist for Amnesty International, said on Twitter that “the most recent File Modification Date is June 2013” — suggesting that whoever is behind Shadow Brokers has been sitting on the files for years. He also claims that there is “nothing directly related to what Kaspersky cals Equation” — raising the possibility of false attribution from Shadow Brokers.
Shadow Brokers dresses up the leak in a message directed at “wealthy elites.” This may well be an attempt at obfuscation, damaging attempts at accurate attribution — in much the same way “Guccifer 2.0” has made highly dubious claims about being a lone wolf Romanian hacker. The message reads (emphasis ours):
“We know what is wealthy but what is Elites? Elites is making laws protect self and friends, lie and fuck other peoples. Elites is breaking laws, regular peoples go to jail, life ruin, family ruin, but not Elites. Elites is breaking laws, many peoples know Elites guilty, Elites call top friends at law enforcement and government agencies, offer bribes, make promise future handjobs, (but no blowjobs). Elites top friends announce, no law broken, no crime commit. Reporters (not call journalist) make living say write only nice things about Elites, convince dumb cattle, is just politics, everything is awesome, check out our ads and our prostitutes. Then Elites runs for president. Why run for president when already control country like dictatorship? What this have do with fun Cyber Weapons Auction? We want make sure Wealthy Elite recognises the danger cyber weapons, this message, our auction, poses to their wealth and control.”
If Equation Group was hacked, that doesn’t mean the NSA proper has been compromised.
“If the Shadow Brokers actually hacked something, it wasn’t ‘the NSA’. At least not in the sense that some group is now in the NSA’s many various networks reading through documents and emails and such,” said Sean Sullivan, a security advisor at F-Secure. “If something was hacked, it was a resource directly related to the Equation Group … A server of some sort was hacked.”
Sullivan believes it could be retaliatory, or politically motivated. “If this is legit, it could well be an example of ‘hacking back’. As in a previous target of the Equation Group did some forensics and discovered a resource to go after. This “auction” seems an awful good way to publicly embarrass a political rival in a way that can’t be positively attributed. (What country does that sounds like?)”
But he adds: “Or: it could be a total scam.”
This story is developing. Check back for updates.