Hacker group that leaked NSA spy tools likely includes a U.S. insider, experts say

Patients waited near a queue number dispenser affected by the “WannaCry” attack at Dharmais Cancer Hospital in Jakarta, Indonesia on Monday. Global cyber chaos followed a weekend ransomware attack. AP

Cybersecurity experts believe the hacker who leaked the potent software tool that powered last week’s global ransomware attacks is an American – perhaps a disgruntled insider in the U.S. intelligence community.

Such a finding would raise the stakes for halting The Shadow Brokers group, which has bedeviled the National Security Agency with releases of its hacked weaponized cyber exploits for months.

One of those leaked NSA tools allowed extortionists to spark havoc last Friday by encrypting the hard drives of more than 200,000 computers in 150 countries, the largest such cyberattack ever to hit the globe. The attackers demanded $300 or more to unlock each computer.

The NSA did not respond to a request for comment.

The Shadow Brokers group first surfaced last August, claiming to have breached the NSA and stolen sophisticated cyber tools. It sought to auction off the NSA exploits but failed to find many buyers, releasing some for free. It periodically has resurfaced with statements.

The latest statement came at 2:16 a.m. Tuesday, a long, rambling screed that used broken syntax to make it seem as if it were written by a foreigner with poor English. But the message was filled with U.S. cultural references that experts said were likely to have come only from someone with a native’s familiarity.

“I think they are Americans, and I think they are inside somewhere,” said Dave Aitel, chief executive at Immunity, a Miami cybersecurity company, who formerly was a chief scientist at the NSA. “Some of the idioms they use are straight up native. You have to be a native to use them.”

Domestic cultural and political references fill the 1,100-word statement, which carries the headline: “OH LORDY! Comey Wanna Cry Edition.”

In addition to references to James Comey, the ousted FBI director, and the WannaCry ransomware that the extortionists deployed last Friday, the statement made liberal use of idioms like “BFF” – or “best friends forever” – and a vulgar expression that “Late Show” host Stephen Colbert employed May 1 in talking about President Donald Trump.

“I always thought there had to be an insider somewhere on the chain for The Shadow Brokers,” said John Bambenek, a threat intelligence manager at Fidelis Cybersecurity, a company in Bethesda, Maryland.

Bambenek said he had been struck by the language in the statement.

“The homophobic slurs kind of thing is common in American hacker culture,” he said.

If The Shadow Brokers group is simply a one-person show by an insider, or an American in a larger group, he or she would join a long list of insiders who’ve divulged some of the U.S. government’s most classified secrets in recent years, Bambenek said.

“How much s--t is walking out the front door of our frigging intelligence agencies? And why is nobody getting fired for it?” he asked. “There have been a lot of large bulk leaks.”

A widely known French hacker who founded Comae Technologies in the United Arab Emirates, Matthieu Suiche, also tweeted his belief that The Shadow Brokers may be an insider.

“Did the @NSAGOV have a disagreement with a contractor?” he asked.

In its online statement, The Shadow Brokers said it had many more stolen NSA tools to reveal, including ones that would allow hacking of mobile phones and newer Microsoft Windows software. It said it intended to create a “dump of the month” club, like a monthly book or wine delivery service, that would allow subscribers to hack computers and cellular phones and to taint late-model browser software with malicious code, including Microsoft’s Windows 10.

It assailed Microsoft, the Redmond, Washington, software giant, accusing it and other U.S. high-tech companies of taking money from the NSA in order to leave vulnerabilities its hacking team had discovered unresolved so that U.S. government hackers could continue to operate. It paid homage to the NSA’s Tailored Access Operations unit, which has been dubbed The Equation Group because of its use of sophisticated algorithms.

Last Friday’s extortion wave used malware that exploited a vulnerability in Microsoft’s Windows XP programming.

“Despite what scumbag Microsoft Lawyer is wanting the peoples to be believing Microsoft is being BFF with theequationgroup,” it said, adding a string of colorful insults that included “douche bag, dumbass (and) libtard.”

It hinted at enjoyment at last week’s massive global ransomware attack, saying it passed time “eating popcorn and watching ‘Your Fired’ and WannaCry.”

The statement toggled between mangled English and standard English.

In noting a certain respect for the NSA’s elite Tailored Access Operations unit, which infiltrates networks around the world, including those of U.S. adversaries like Iran and Russia, the statement said, “TheShadowBrokers is taking pride in picking adversary equal to or better than selves, a worthy opponent. Is always being about theshadowbrokers vs theequationgroup.”

But in listing the kinds of leaked tools it could offer in its “data dump of the month” service, it resorted to standard English, saying the deliveries might include “web browser, router, handset exploits and tools” and “newer exploits for Windows 10.”

It also promised “compromised network data” to attack central banks around the world and to make use of the SWIFT banking transfer system, and information related to “Russian, Chinese, Iranian or North Korean nukes and missile programs.”

If The Shadow Brokers does include an American, it would not be the first time a disgruntled intelligence agency contractor had vexed the U.S. government by spilling secret documents.

In March, the anti-secrecy group WikiLeaks began publishing what it claimed were cyber tools belonging to a special unit of the CIA. The group dubbed the release Vault 7. Experts said the likeliest explanation for the leak was a contractor or employee working for the unit, although no arrests have been made.

Two former contractors for the NSA also are accused of pilfering secrets.

Edward Snowden splashed into the headlines in 2013 after revealing the gamut of spying activities of the agency, then taking refuge in Moscow.

Harold T. Martin III was indicted in February on charges of stealing more than a half-billion pages of classified material and storing them at his Glen Burnie, Maryland, home.

One of the most notorious insiders was Army Pvt. Chelsea Manning, who swept up 750,000 military and diplomatic cables and documents and provided them to WikiLeaks in 2010. Manning, who once was known as Bradley Manning, is to walk out of prison Wednesday. In January, then-President Barack Obama commuted Manning’s 35-year prison term to the nearly seven years she’s served.

Tim Johnson: 202-383-6028, @timjohnson4