‘Shadow Brokers’ Claim to be Selling NSA Malware, in What Could Be Historic Hack




‘Shadow Brokers’ Claim to be Selling NSA Malware, in What Could Be Historic Hack

By Elias Groll
Foreign Policy

A mysterious online group calling itself “The Shadow Brokers” is claiming to have penetrated the National Security Agency, stolen some of its malware, and is auctioning off the files to the highest bidder.

The authenticity of the files cannot be confirmed but appear to be legitimate, according to security researchers who have studied their content. Their release comes on the heels of a series of disclosures of emails and documents belonging mostly to Democratic officials, but also to Republicans. Security researchers believe those breaches were perpetrated by agents thought to be acting on behalf of Moscow.

The NSA did not answer Foreign Policy’s questions about the alleged breach on Monday. But if someone has managed to penetrate the American signals intelligence agency and post its code online for the world to see — and purchase — it would constitute a historic black eye for the agency.

“It’s at minimum very interesting; at maximum, hugely damaging,” said Dave Aitel, a former NSA research scientist and now the CEO of the security firm Immunity. “It’ll blow some operations if those haven’t already been blown.”

The files posted over the weekend include two sets of files. The hackers have made one set available for free. The other remains encrypted and is the subject of an online auction, payable in bitcoin, the cryptocurrency. That set includes, according to the so-called Shadow Brokers, “the best files.” If they receive at least 1 million bitcoin — the equivalent of at least $550 million — they will post more documents and make them available for free.

The set of files available for free contains a series of tools for penetrating network gear made by Cisco, Juniper, and other major firms. Targeting such gear, which includes things like routers and firewalls, is a known tactic of Western intelligence agencies like the NSA, and was documented in the Edward Snowden files. Some code words referenced in the material Monday — BANANAGLEE and JETPLOW — match those that have appeared in documents leaked by Snowden. Security researchers analyzing the code posted Monday say it is functional and includes computer codes for carrying out espionage.

The Equation Group is a collection of hackers whose activities were first documented by Kaspersky Lab, a Russian cybersecurity firm, last year. Kaspersky connected the activities of the Equation Group, which it called “a threat actor that surpasses anything known in terms of complexity and sophistication of techniques,” to operations carried out by U.S. intelligence. While Kaspersky did not outright attribute the Equation Group to the NSA, security researchers say in private that they believe it is a project of the American signals intelligence unit.

If the leak is a genuine sample of NSA code — which, so far, researchers say is the case — then this month’s season of information warfare has taken yet another bizarre turn. In the span of several weeks, Russian hackers have posted hacked emails and other documents on a mysterious site known as DCLeaks.com. Those same hackers have infiltrated the Democratic National Committee, and then likely fed documents exfiltrated from its servers to WikiLeaks. Those documents ignited a major political firestorm within the DNC on the eve of the party’s presidential nominating convention, led to the resignation of party chief Debbie Wasserman Schultz, and prompted the Clinton campaign to argue that Moscow was intervening in the election in favor of Moscow-friendly Republican nominee Donald Trump.

To muddy the waters, a persona calling itself Guccifer 2.0 — and which intelligence agencies and security researchers say is a Russian invention — has surfaced to take credit for the attack on the DNC and other political institutions. On Monday, he posted his latest set of pilfered documents: internal assessments of Florida congressional races obtained from the Democratic Congressional Campaign Committee.

In a Twitter message to Foreign Policy, Guccifer 2.0 called the Shadow Broker dump “bullshit” but wouldn’t elaborate on what he meant. “The hacking world operates differently,” he said.

So is Russia also responsible for this alleged penetration of the NSA? Aitel believes that it is, and that we are witnessing a small part of the shadow war playing out between Washington and Moscow.

On the heels of the DNC breach, a chorus of American politicians has called for the United States to respond, and Aitel believes that the posting of NSA may be an escalating conflict in cyberspace between the two powers.

In a note along with the files, the Shadow Brokers come across as merry pranksters with a distinctly populist set of political ideas. “We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.”

The group delivered a message to what it called “wealthy elites” and assailed the integrity of elections. “Elites is making laws protect self and friends, lie and fuck other peoples,” they wrote in idiosyncratic English. “Then Elites runs for president. Why run for president when already control country like dictatorship?”

“We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for Elites,” the group added. “Your wealth and control depends on electronic data.”

A penetration of an NSA tool of this kind, which Aitel said is similar to what an NSA agent would see when carrying out cyber operations, would probably require the tools of hackers working on behalf of nation-state because the agency is typically careful in hiding its tools and using computer defenses.

The goal of the operation remains something of a mystery. The files appear to be from late 2013 — after the Snowden revelations — in which case whoever burned this NSA operation has been sitting on explosive government files for some three years. Why post these documents now? And to what end?

Those questions are probably being debated in the White House, where a spokesman declined to answer questions on what may go down in history as a landmark day in the history of cyberwarfare.