Saturday morning the news broke that a mysterious group of hackers calling themselves "The Shadow Brokers" claimed it hacked an NSA-linked group and released some NSA hacking tools with a promise to sell more private "cyber weapons" to the highest bidder.
The group dumped a bunch of private hacking tools from "Equation Group" – an elite cyber attack unit linked to the NSA – on GitHub and Tumblr.
The Shadow Brokers hacking group has published the leaked data in two parts; one includes many hacking tools designed to inject malware into various servers and another encrypted file containing the "best files" that they made available for sale for 1 Million Bitcoins.
However, GitHub deleted the files from its page, not due to any government pressure, but because the hackers were demanding cash to release more data and the company's policy don't allow the auction or sale of stolen property on its source code management platform.
NSA Hack Raises a Few Important Question? The leak of advanced hacking tools allegedly stolen from the Equation Group has raised few questions in everyone's mind:
- Is Equation Group an elite cyber attack unit linked to the NSA?
- Are the Equation Group Hack and leaked exploits legitimate?
- If Legit, Do the advanced hacking tools actually belong to Equation Group?
- Who is behind the hack? Russia?
Kaspersky Confirmed: Leaked Hacking Tools Belong to NSA-tied Group
According to a technical report published Tuesday by security firm Kaspersky Lab, the leaked advanced hacking tools contains digital signatures that are identical to those in hacking software and malware previously used by the Equation Group.
"While we cannot surmise the attacker's identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group," Kaspersky researchers said in a blog post.Over 300 computer files found in the Shadow Brokers archive have a common implementation of RC5 and RC6 encryption algorithms – which has been used extensively by the Equation Group.
Also, the implementation of encryption algorithms is identical to the RC5 and RC6 code in the Equation Group malware.
"There are more than 300 files in the Shadow Brokers' archive which implement this specific variation of RC6 in 24 other forms," the researcher wrote. "The chances of all these being fakes or engineered is highly unlikely."
"The code similarity makes us believe with a high degree of confidence that the tools from the Shadow Brokers' leak are related to the malware from the Equation group."Here's the comparison of the older Equation RC6 code and the code from the new leak, which shows that they have identical functionally and share rare specific traits in their implementation:
The security firm also claimed Equation Group to be behind a variety of malware types, including Stuxnet and Flame, which are associated with cyber attacks launched by the United States.
Former NSA Personnel also Confirms the Authenticity of Leaked Data
Now, adding more proofs to the possibility and making the speculations stronger, some ex-NSA insiders say the leaked hacking tools are legitimate and linked to the NSA.
One former NSA employee who worked in its special hacking division, Tailored Access Operations (TAO), told the Washington Post that "without a doubt, they're the keys to the kingdom."
"The stuff you are talking about would undermine the security of a lot of major government and corporate networks both here and abroad," said the former TAO employee, who asked Post to remain anonymous.
Moreover, another former TAO employee who also saw the leaked file said, "From what I saw, there was no doubt in my mind that it was legitimate."
So, after Kaspersky Labs analysis and former-TAO employees statements, it is clear that the leaked NSA hacking tools are legitimate.
Hack Or An Inside Job?
Moreover, it has also been speculated that the NSA hack could be an insider's job, as concluded by Matt Suiche, founder of UAE-based security startup after he discussed this incident with a former NSA TAO employee.
"The repository containing the NSA TAO Toolkit is stored on a physically segregated network which does not touch the internet and has no reason to (remember it's a toolkit repository)," Suiche wrote in a blog post.
"There is no reason for those files to have ever been on a staging server in the first place unless someone did it on purpose. The file hierarchy and the unchanged file naming convention tends to say that the files were directly copied from its source."
Experts and Snowden suggest Russia is behind the NSA Hack
In past few weeks, WikiLeaks and an unknown hacker using an alias Guccifer 2.0 have published a large number of documents came from the breach of the Democratic National Committee (DNC) and another separate hack of the Democratic Congressional Campaign Committee (DCCC).
Several officials from US intelligence agencies and security companies have pointed fingers towards Russia for the recent Democratic hacks, though Russia has denied any involvement.
"The Federal Bureau of Investigation and U.S. intelligence agencies have been studying the Democratic hacks, and several officials have signaled it was almost certainly carried out by Russian-affiliated hackers," the WSJ reports. "Russia has denied any involvement, but several cybersecurity companies have also released reports tying the breach to Russian hackers."
Now, both Snowden and Dave Aitel, a security expert who spent 6 years as an NSA security scientist, are speculating that the latest leak by the Shadow Brokers is in response to growing tensions between the United States and Russia over the Democratic groups' hacks.
In a stream of tweets yesterday, Snowden said the hack is likely of Russian origin, tweeting "No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack."
Here's the combined statement by Snowden:
"Circumstantial evidence and conventional wisdom indicate Russian responsibility. Here's why that is significant:
This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections. Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks. TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast."
Following Snowden tweets, Aitel also published a blog post, saying Russia is the most likely suspect behind the Democratic hacks as well as the latest leak of the NSA spying tools.
Apart from speculation, Wikileaks, which previously made it clear to harm Hillary Clinton's chances from becoming US President, also said it already own the "auction" files from the Shadow Brokers and will publish them in "due course," though the tweet has since been deleted.
Still, many questions remain unanswered — who is the Shadow Brokers, how the group broke into Equation Group and stole their private hacking tools and malware, and is the group really willing to bid the auction files for 1 Million Bitcoins or is it just a distraction?
