A mysterious group that calls itself the Shadow Brokers claims to have hacked into the National Security Agency, stolen powerful cyber weapons and surveillance tools, and put them up for auction.
If true, the claim would indicate that one of the U.S. government’s key agencies for cyber warfare is itself vulnerable and has fallen into a pitched and escalating battle with a powerful unknown cyber foe, perhaps Russia.
News of the apparent breach came over the weekend when the Shadow Brokers released a limited number of files, claiming they were part of an arsenal “made by creators of stuxnet,” and other notorious NSA malware that helped cripple Iran’s nuclear program in 2009 and 2010 by shattering many of its centrifuges.
Neither the NSA nor the Office of the Director of National Intelligence responded to queries about whether the NSA had been penetrated. But several cyber security experts took the claims seriously and suggested that the penetration of the NSA marks a watershed moment and is part of rising tensions between the United States and Russia.
Among those backing that view was Edward Snowden, the former CIA employee and NSA subcontractor who in 2013 leaked a trove of secret NSA documents before seeking refuge in Russia.
Snowden tweeted Tuesday that “circumstantial evidence and conventional wisdom indicates Russian responsibility” for the apparent NSA hack, and that the public revelation of the theft is a message that a series of tit-for-tats between Washington and Moscow “could get messy fast.”
Snowden said he believed news of the apparent breach “is more diplomacy than intelligence, related to the escalation around the DNC hack.”
Last month, WikiLeaks published tens of thousands of hacked emails from the Democratic National Committee (DNC), days before the Democratic convention in Philadelphia. U.S. intelligence officials later told top members of Congress that two Russian intelligence agencies or their proxies were behind the hack, according to Reuters and other media outlets, though there has been no official determination.
The attempt at public shaming of Russia over election interference preceded this week’s developments, in which both nations appear to be “outing” the other side.
The stolen cyber surveillance tools might help foreign governments do forensics on their own computer systems to determine whether they have been targets of U.S. surveillance efforts, a potentially embarrassing development for Washington.
Someone who posted under the Shadow Brokers Twitter account wrote in imperfect English that the cyber weapons it had obtained were from the Equation Group, a moniker given by Kaspersky Lab, a respected global software security group headquartered in Moscow, to software widely believed to have been created by the NSA.
“We find many many Equation Group cyber weapons,” the message said. “You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions.”
The files made public revealed tools to get past firewalls and embed in network equipment or software made by Fortinet, Cisco Systems and Juniper Networks in the United States, as well as TopSec, China’s largest information security vendor.
“It’s definitely significant to hack the NSA but if you look at the metadata, you would know that those files that have been provided date back to 2013. Some of the directories are very old,” said Vitali Kremez, a cybercrime intelligence analyst at Flashpoint, a New York security firm.
“One of the exploits was targeting a specific Cisco device, and it was only targeting versions that have actually been outdated and replaced with new ones,” Kremez said.
The Shadow Broker name comes from a video game, Mass Effect, released in 2007, in which a central broker trades in secrets, preventing any player from gaining a significant advantage.
The group said it had released to the public 60 percent of the stolen files but retained the rest, and would offer them to the highest bidder in a Bitcoin auction. If the auction reaches one million Bitcoins (about $580 million), the group said it would release all the files.
The messages from the Shadow Brokers were cheeky in tone, messy in syntax, and brazen in their thrust.
“We want (to) make sure Wealthy Elite recognizes the danger (of) cyber weapons,” one message said. “Let us spell out for Elites. Your wealth and control depends on electronic data. . . . If Equation Group lose control of cyber weapons, who else lose or find cyber weapons? If electronic data go bye bye where leave Wealthy Elites? Maybe with dumb cattle?”
The hackers suggested that those opposed to U.S. government policies would join the auction, bidding up the price of the hacked files and maybe drawing the U.S. government into the auction to retrieve the cyber tools.
“Equation Group not know what (was) lost,” one Shadow Brokers message said. “We want Equation Group to bid so we keep secret. You bid against Equation Group, win and find out or bid pump price up, piss them off, everyone wins.”
One high-profile cyber entrepreneur, Matt Suiche, a French hacker who was cofounder of CloudVolumes, a high-tech California company, suggested a political motive for the attack.
“This could possibly be orchestrated by the Russian government so America will be stuck with Donald Trump as a President,” Suiche wrote on medium.com, a publishing platform.
But Kremez cautioned that it is too early to attribute the hack to Russia.
“It could look like Russia . . . but it could also not be Russia,” he said. “Somebody is trying to mess with all of that, to create false flags and to make the NSA and the U.S. look bad.”
Tim Johnson: 202-383-6028, @timjohnson4