National Security

Mysterious group posts more alleged NSA hacking tools; Russia link suspected

A hacker group calling itself the Shadow Brokers has released new cyber surveillance tools it said were stolen from the National Security Agency. AP

In the latest in a drumbeat of intelligence leaks, a hacking group known as the Shadow Brokers has released another set of tools it said were designed by the top-secret National Security Agency to penetrate computer systems worldwide.

In a rambling, rant-filled statement over the weekend, Shadow Brokers also released a list of servers it said the tools had infected.

One document appeared to show that NSA spyware had been placed on servers in South Korea, Russia, Japan, China, Mexico, Taiwan, Spain, Venezuela and Thailand, among other countries. The dump included details of how the NSA purportedly had gained access to Pakistan’s main mobile network.

The release marked the most recent in a steady stream of disclosures of purported hacking tools developed by the NSA and the CIA. Shadow Brokers made a similar release in August, and in March the anti-secrecy group WikiLeaks released several batches of files that purported to show how the CIA spies on its targets. WikiLeaks has dubbed those leaks Vault7.

Cybersecurity experts differed in their assessment of the leaked material but several agreed that it would give global foes crucial information about American hacking abilities and plans.

In its statement, Shadow Brokers said the latest leak, following one eight months ago, “is our form of protest” to goad President Donald Trump into staying loyal to his followers and promoting anti-globalism. The screed included profanity, some white supremacist commentary and a password to the cache of tools.

The specific spyware was less dramatic, experts said.

“The dump appears to contain only Linux and Unix tools and exploits, so organizations running only Windows don’t need to react to tools in this release,” an Augusta, Georgia, firm, Rendition Infosec, said in a blog posting.

The NSA, which has its headquarters at Fort Meade, Maryland, did not respond to a request for comment.

Rendition Infosec said there was little doubt that Russia and the Shadow Brokers group were connected and that foreign hacking groups, some sponsored by governments, had entered an era of dribbling out leaks to influence global affairs.

“In the future, we believe that other groups are highly likely to attack organizations, steal their data and release it at timed intervals in an attempt to control the news cycle. This is classic information warfare, updated for digital espionage,” the posting said.

In its statement, Shadow Brokers denied, in broken English, that the group is linked to the Russian government.

Those who have worked in the U.S. intelligence community voiced dismay at the constant leak of alleged NSA and CIA techniques and tools.

“What is devastating is not just the loss of one exploit but the loss of your entire tool chain, particular targets you’re residing on, your methodologies, your research thrusts,” said Dave Aitel, a former computer scientist at the NSA who now is chief executive at Immunity Inc., a cybersecurity firm in Miami.

Aitel, who spoke on the sidelines of the Infiltrate 2017 conference in Miami Beach late last week, before the Shadow Brokers release, said the impact of leaks of cyberespionage tools “can be real hard to estimate or contain.”

He said such leaks could open a window on research trends that could derail entire units within the intelligence community.

“Every group has a particular set of specialties that they are good at researching. If you start exposing those capabilities, you also expose your future capabilities,” Aitel said. “It can spread across a lot of pieces of your organization. . . . That’s when you start seeing entire networks get destroyed based on leaks.”

The Shadow Brokers group burst into the news in mid-August when it claimed to possess stolen NSA cyber weapons and surveillance tools intended to bypass firewalls and embed in network equipment or software made by Cisco Systems, Fortinet, Juniper Networks and TopSec, a Chinese security vendor.

In a bizarre twist, the group demanded an astronomical sum – 1 million bitcoins, or $1.2 trillion – for the release of additional NSA tools. When the group found no takers, it issued a petulant statement in October saying the auction was off. In January, the group said it was “going dark,” only to reappear over the weekend.

Tim Johnson: 202-383-6028, @timjohnson4