WHO ARE THE SHADOW BROKERS?! The Shadow Brokers hack is starting to look like Russia vs. NSA

!!! Attention government sponsors of cyber warfare and those who profit from it !!!! (From Shadow Brokers Manifesto Page)

On Saturday, someone started leaking the NSA’s secrets. A pop-up Twitter account called “theshadowbrokers” posted a link to a pastebin, which in turn led to more than 300 MB of exploits and scripts. According to the Shadow Brokers, the data came from the Equation Group, an advanced malware threat long linked to the NSA. Alongside the data, the attackers posted a manifesto in broken English.

“We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control,” the message read. The data has since been removed from nearly every site that hosted it — Pastebin, Github, and Twitter itself — but as with most leaks, the take-downs arrived too late to make a difference.

After poring over files — including purported software exploits — provided by Shadow Brokers, some experts increasingly think this is the real deal.

Shadow Brokers asserts that it managed to hack “Equation Group,” a highly sophisticated cyberattack group that experts believe is Tailored Access Operations, or TAO, a hacking group within the NSA. Equation Group, the security firm Kaspersky said in 2015, is “a threat actor that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades.”

Many are very much inclined to believe that the data Shadow Brokers has is legitimate.

Kaspersky researchers said in a blog post that “while we cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group.”

It’s possible that the data was retrieved from a server used by Equation Group, or TAO, in one of its operations. NSA contractor turned exiled whistleblower Edward Snowden explored this possibility on Twitter on Tuesday, guessing that the data may have been stolen from a command-and-control server used by the cyberattack group.

Snowden suggests that this may be a “warning” to the US against publicly accusing Russia of hacking the DNC and that if the US does, Russia will retaliate by leaking potentially damaging information about US cyberintelligence operations.


Here’s what Edward Snowden tweeted, in full:

The hack of an NSA malware staging server is not unprecedented, but the publication of the take is. Here’s what you need to know: (1/x)

1) NSA traces and targets malware C2 servers in a practice called Counter Computer Network Exploitation, or CCNE. So do our rivals.

2) NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations.

3) This is how we steal their rivals’ hacking tools and reverse-engineer them to create “fingerprints” to help us detect them in the future.

4) Here’s where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us — and occasionally succeed.

5) Knowing this, NSA’s hackers (TAO) are told not to leave their hack tools (“binaries”) on the server after an op. But people get lazy.

6) What’s new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is.

7) Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.

8) Circumstantial evidence and conventional wisdom indicate Russian responsibility. Here’s why that is significant:

9) This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server.

10) That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies.

11) Particularly if any of those operations targeted elections.

12) Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.

13) TL;DR: This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast.

And a bonus take:

Bonus: When I came forward, NSA would have migrated offensive operations to new servers as a precaution – it’s cheap and easy. So? So…

The undetected hacker squatting on this NSA server lost access in June 2013. Rare public data point on the positive results of the leak.

You’re welcome, @NSAGov. Lots of love.


 
