A group is attempting to auction off cyberweapons allegedly used by the NSA-linked Equation Group, and Edward Snowden said this may be only the beginning of the fallout.
The group, calling itself the Shadow Brokers, claimed it hacked one of the most advanced and longstanding cyberespionage actors, the Equation Group. There has been speculation that the Equation Group is part of the National Security Agency (NSA).
The Shadow Brokers posted images of the stolen files and some of the code -- the GitHub repository has since been disabled -- and experts have matched the code samples against tools listed in the NSA's Advanced Network Technology (ANT) catalog, part of the material leaked by Edward Snowden in 2013.
Claudio Guarnieri, a researcher at the University of Toronto's Citizen Lab, said on Twitter, "Some of those programs in the dump are parts related to network appliance implants from the ANT catalog." Guarnieri was careful to note he hadn't seen any evidence in the code of the source of the data, but the latest file modification date in the code was from June 2013 -- before the ANT catalog was published.
This #EquationGroup free dump seems mostly binary builds, installation scripts, and general configuration for a C&C. Seems credible. — Nex ~ Claudio (@botherder) August 15, 2016
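Guarnieri's credibility check rests on one observation: the newest file in the dump was last modified in June 2013, before the ANT catalog was published (December 2013), so the material could not simply have been assembled from the public catalog afterwards. The script below, added here as an illustration rather than code from the article or from Citizen Lab, does that check over a tar archive: it reports the newest member, tallies files per modification year, and tests whether everything predates a cutoff. The archive, its file names and its timestamps are constructed for the example, and the December 2013 cutoff is the assumption being tested, not a date taken from the dump itself.

```python
"""Date a leaked archive by its members' modification times.

Added example (not the article's or Citizen Lab's code). The archive below is
constructed for this demonstration: three members with made-up names and mtimes.
"""
import io
import tarfile
from datetime import datetime, timezone


def parse_utc(stamp):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_sample_archive():
    """Build an in-memory tar with constructed file names and mtimes."""
    members = [
        ("dump/README.txt", "2013-03-11T09:15:00Z"),
        ("dump/bin/implant.elf", "2013-06-20T17:42:00Z"),
        ("dump/scripts/install.sh", "2012-11-02T08:00:00Z"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, stamp in members:
            data = b"placeholder content\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = int(parse_utc(stamp).timestamp())
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_mtimes(archive_bytes):
    """Yield (name, aware UTC datetime) for each regular file in the tar."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for m in tar.getmembers():
            if m.isfile():
                yield m.name, datetime.fromtimestamp(m.mtime, tz=timezone.utc)


def newest_member(archive_bytes):
    """Return (name, ISO-8601 mtime) of the most recently modified file."""
    name, ts = max(member_mtimes(archive_bytes), key=lambda item: item[1])
    return name, ts.isoformat()


def mtime_histogram(archive_bytes):
    """Count files per modification year. A genuine old backup tends to show
    one tight cluster; freshly assembled material shows recent outliers."""
    counts = {}
    for _, ts in member_mtimes(archive_bytes):
        counts[ts.year] = counts.get(ts.year, 0) + 1
    return counts


def predates(archive_bytes, cutoff_stamp):
    """True if every regular file was last modified strictly before the cutoff."""
    cutoff = parse_utc(cutoff_stamp)
    return all(ts < cutoff for _, ts in member_mtimes(archive_bytes))


if __name__ == "__main__":
    archive = build_sample_archive()
    print("newest:", newest_member(archive))
    print("per-year:", mtime_histogram(archive))
    # Cutoff is an assumption for the example: the publication date of the
    # public reference (here, the ANT catalog) the dump is compared against.
    print("all before cutoff:", predates(archive, "2013-12-30T00:00:00Z"))
```

The caveat Guarnieri attached applies to this check as well: tar and filesystem mtimes are attacker-controlled metadata that a single `touch` rewrites, so a consistent 2013 cluster supports the "old backup" reading but proves nothing about where the files came from.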
The Shadow Brokers set up an auction for the data, asking bidders to send bitcoin and promising to release the code to the highest bidder, with no refunds for losing bids. And, if the bidding reached 1 million bitcoin -- approximately $581 million -- the Shadow Brokers would "dump more Equation Group files, same quality, unencrypted, for free, to everyone." As of this publication, however, the auction address had received only 1.6 bitcoin.
Rick Holland, vice president of strategy for cybersecurity firm Digital Shadows Ltd., jointly based in London and San Francisco, said even "if the data is false, the notoriety surrounding the ad alone could be enough for Shadow Brokers to generate some profit."
"From what we have observed previously, this is a common tactic amongst cyberactors who want to profit from what they often claim is stolen information," Holland told SearchSecurity via email. "The highest bidder might be able to collect whatever data is for sale and either release it to the public or create their own sale in an attempt to generate a return on their investment -- while also maintaining the illusion that the data is legitimate."
The original announcement by the Shadow Brokers has disappeared from Tumblr, though the Google cache of the page is still available. In suspicious timing that may just be coincidence, the NSA website has been down for most of the day, and WikiLeaks claimed to have the Equation Group data.
We had already obtained the archive of NSA cyber weapons released earlier today and will release our own pristine copy in due course. — WikiLeaks (@wikileaks) August 16, 2016
Edward Snowden himself commented on the happenings on Twitter, while being careful to not specifically confirm the claims made by the Shadow Brokers. Snowden described how the NSA hacks others and claimed the NSA itself is not immune to being hacked.
6) What's new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is. — Edward Snowden (@Snowden) August 16, 2016
Snowden went on to conjecture, as others have, who might be behind such an attack on the NSA, but Guarnieri said any claims of attribution are nothing more than speculation.
Everybody who's calling out Russia/China on this #ShadowBrokers dump has no evidence. Can we stop this trend of freestyle attribution? — Nex ~ Claudio (@botherder) August 15, 2016
Igor Baikalov, chief scientist for Securonix Inc., the Los Angeles-based security analytics firm, told SearchSecurity "too many things around this announcement don't make sense."
"There's no proof whatsoever that the code is in any way connected to [Equation Group] or NSA," Baikalov said. "Researchers who've seen it say it's good, but there's a lot more analysis [that] has to be done before any definitive conclusions, specifically on the lineage with any known code base. The most I'd give to the Shadow Brokers is that they've stumbled upon an old backup from 2013 -- that'd explain the most recent file date and names unchanged since the leak."
However, Snowden suggested whoever may be behind this release might be sending a "warning that someone can prove U.S. responsibility for any attacks that originated from this malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted U.S. allies."
13) TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast. — Edward Snowden (@Snowden) August 16, 2016