A mysterious group called the Shadow Brokers have released 300 megabytes of code that they claim contains spy tools and exploits stolen from a group linked to the US National Security Agency.
The August 13 leak set the security world buzzing, as it purportedly contained tools stolen from the Equation Group, a sophisticated group of cyber attackers uncovered by Kaspersky researchers that is suspected of being tied to the NSA.
The tools in the Shadow Brokers dump were stolen up to three years ago and included exploits of firewalls made by popular vendors as well as scripts that were believed to be used to exfiltrate or change data on internal systems.
Firewall makers like Cisco have since confirmed that the exploits are legitimate, lending credence to the leaks being genuine.
In addition, an analysis by Kaspersky concluded that “several hundred tools from the leak share a strong connection with [its] previous findings” about the Equation Group, strengthening assertions that the code is indeed from or linked to the NSA.
“While the Shadow Brokers claimed the data [they had possession of] was related to the Equation group, they did not provide any technical evidence of these claims,” Kaspersky said.
The Shadow Brokers claimed they had obtained other “cyber weapons” that they would release if they received one million Bitcoin ($752 million) from an online auction.
The file that purportedly contains these additional tools remains encrypted, and Kaspersky believed the chances of the ransom amount being achieved were “optimistic at best”.
However, much damage has already been done.
First, the apparent compromise of infrastructure used by sophisticated hackers points to a hitherto unknown group of attackers with even greater capability.
“Any hackers capable of compromising the Equation Group or another NSA hacker team would likely have to be extremely sophisticated; the Equation Group, after all, went not only uncompromised, but undetected for 14 years, a remarkable track record of stealth and operational security for a team believed to have attacked targets from Russia to Belgium to Lebanon,” Wired reported.
“Anyone capable of finding NSA hackers’ infrastructure, not to mention penetrating it, would likely have to possess government-level resources and talent.”
A series of tweets by Edward Snowden shows his attempt to unpick the attack.
“The hack of an NSA malware staging server is not unprecedented, but the publication of the take is,” Snowden said.
“NSA's hackers (TAO) are told not to leave their hack tools ("binaries") on the server after an op. But people get lazy.”
A former NSA hacker told the Washington Post that “accidentally uploading a large file of tools” to a proxy server used in an operation “is not unprecedented”.
“What’s unprecedented is to not realise you made a mistake,” he said. “You would recognise, ‘Oops, I uploaded that set’ and delete it.”
Claudio Guarnieri, a researcher at the University of Toronto’s Citizen Lab, questioned whether NSA or its affiliates had even noticed the tools had been stolen.
“If TAO lost the 0days 3 years ago as it appears, means that #ShadowBrokers might have been exploiting Cisco routers all this time,” he tweeted.
“And if they were not reported before, did both sides just pwn each other like there's no tomorrow, or did TAO just not notice the hack?”
Though the motives for the leak were still unclear, Snowden believed it was “likely a warning that someone can prove US responsibility for any attacks that originated from this malware server.”
“That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies,” Snowden said.