NAT SEC

Hackers Release Alleged NSA Programs

Is this a new hacktivist group, or part of a larger operation?

Aug 15, 2016 at 6:23 PM ET

A mysterious group has acquired and released code for programs that some experts believe appear to have been secretly created by the NSA. 

The group, calling itself Shadow Brokers, released several programs Saturday, as well as screengrabs of other programs, that it says came from a longstanding, top-tier group of likely government hackers known as Equation Group. Cybersecurity analysts at Kaspersky Labs dubbed the hackers “Equation Group” in a 2015 study in which they described the group as “a threat actor that surpasses anything known in terms of complexity and sophistication of techniques.” Other studies of that well-established group, believed by Kaspersky Labs to have been operating for nearly two decades, lead many in the cybersecurity industry to believe it’s the U.S. National Security Agency.

But the leaked programs, which are all dated 2013 and earlier, seem to be real and functional hacking tools.

“It appears to be a toolkit for router and firewall exploitation,” Nicholas Weaver, a researcher at the University of California at Berkeley’s International Computer Science Institute, told Vocativ. An advanced government signals intelligence agency like the NSA would certainly have a cache like this at its disposal, though what surfaced Saturday is by no means a treasure trove of all the most advanced exploits the agency is believed to possess.

The major questions of who acquired this information and why, however, remain wide open. Shadow Brokers did leave a manifesto on a Tumblr page that indicates it’s a group of hacktivists for hire. In shoddy English, it rails against “government sponsors of cyber warfare and those who profit from it !!!!” and “Wealthy Elites.”

“Elites is breaking laws, regular peoples go to jail, life ruin, family ruin, but not Elites,” the manifesto reads.

But the idea that Shadow Brokers did successfully hack the NSA is tenuous, according to cybersecurity experts who spoke to Vocativ on background because they were not ready to make pronouncements before conducting a comprehensive analysis. In part, that’s because the files appear to have been taken directly from someone within the NSA rather than obtained through a breach of NSA servers—though how that might have occurred is a mystery.

The NSA did not return a request for comment.

It is clear, however, that Shadow Brokers is motivated by more than sheer activism. The group is collecting bitcoins—an auction, it says, for the best programs that it has not yet released to the public. Though two people have so far given a tiny amount of money—a total of 0.0424 bitcoin, or $23.95—that auction is strange to say the least. The group offers this garbled explanation, which seems to be a promise to release its remaining files if it receives an absurdly large sum:

Q: What if bid and no win, get bitcoins back? A: Sorry lose bidding war lose bitcoin and files. Lose Lose. Bid to win! But maybe not total loss. Instead to losers we give consolation prize. If our auction raises 1,000,000 (million) btc total, then we dump more Equation Group files, same quality, unencrypted, for free, to everyone.

Besides, as Weaver said, the nature of bitcoin, where all transactions are permanently recorded on a digital ledger, means Shadow Brokers would likely expose itself and hopeful purchasers if it tried to use them. “Using bitcoin for this is like asking for a ransom in sequential, new, marked bills,” he said. 

If Shadow Brokers were in fact a character created by another government’s hackers, it wouldn’t be surprising in 2016. As cybersecurity entrepreneur Matt Suiche speculated, “Given the timeframe (Post-DNC hack), this could possibly be orchestrated by the Russian government.”

In June, after cybersecurity analysts concluded that it was the Russian government that hacked the Democratic National Convention, a character calling himself Guccifer 2.0 appeared online, sharing DNC documents and emails and promising to send them to WikiLeaks, which then disseminated them on its site. Like Shadow Brokers, Guccifer 2.0 claimed to be a non-native English speaker who railed against the global elite—“the Illuminati,” in his words—but clearly wasn’t telling his full story. While Guccifer 2.0’s identity is unknown, a body of evidence indicates he’s Russian, and not Romanian, as he had claimed, casting suspicion on where he got those DNC files, and why.

It’s unclear what Shadow Brokers’ next move is. Their Twitter account is still live, though inactive since their initial posts. The programs themselves, hosted on Dropbox and GitHub, have since been deleted, as has their Tumblr page.