NSA, the Shadow Brokers and Snowden: Inside the NSA hacking tools hack
Getty Images / Paul J. Richards
Some of secretive, and somewhat controversial, tools used by the National Security Agency in the US are believed to have been exposed by a group calling itself the Shadow Brokers.
In August 2016, the mysterious online group claimed to have stolen US "cyber weapons" from a hacking team called Equation Group.
The Equation Group is said to be operated by the National Security Agency and the breach of its systems led the Shadow Brokers to claim it has access to some of the agency's secretive tools.
Over an eight-month period, the mysterious group has leaked more than one gigabyte of software exploits alleged to be from the NSA.
The most recent data dump came on April 14 2017. Within the 300 megabytes of newly published exploits were a number of vulnerabilities that alleged to work against Microsoft products. However, the firm has said the problems have already been fixed.
Before this, the group unsuccessfully tried to sell the source code from the NSA online. "We want to make sure Wealthy Elite recognises the danger cyber weapons, this message, our auction, poses to their wealth and control," the group has said in an online post. "Let us spell out for Elites. Your wealth and control depends on electronic data."
Here's everything you need to know about the case so far:
The most significant dump so far
After the failed Shadow Brokers' auction, the organisation's most significant data release came in April 2017. The group published details of hacking tools, alleged to be from the CIA, that are said to allow spying on money transfers.
It was said the vulnerabilities published could create problems in the Microsoft Windows version of the SWIFT banking system. The system is used by multiple banks around the world. It was believed the exploits could still be used against Microsoft problems.
However, contrary to initial reports, Microsoft says it had already fixed the vulnerabilities before the Shadow Brokers published them. "Customers have expressed concerns around the risk this disclosure potentially creates," Microsoft's security team wrote.
"Our engineers have investigated the disclosed exploits, and most of the exploits are already patched".
As noted by Ars Technica, the firm did not say how it found out about and fixed the vulnerabilities a month before they were released by the Shadow Brokers. In most cases, Microsoft states the source of the vulnerability. The publication notes the lack of disclosure could hint the NSA told Microsoft about the upcoming publication of the security flaws.
What was on offer?
"We give you some Equation Group files free," those behind the Shadow Brokers wrote in online posts, when they first came to prominence, that provide downloads to some of the obtained files. These include malware and hacking tools. The reason for this, it says, is to prove the data it has is genuine before it sells off the rest of the tools it has accessed. The Shadow Brokers also said the Equation Group "not know what lost" [sic] and it wants the group to bid, so it won't make the details public.
[twitter id="764367732745928704"]
"The first archive contained close to 300MBs of firewall exploits, tools, and scripts under cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION," Kaspersky said in a detailed blog post. Although, it continued to say file logs it had seen dated the files as being from October 2013.
It's not fully known what the group has access to but it posted a number of images of files (and their structures) to social media. These are believed to have come from the Equation Group and are claimed to be a small part of what the Brokers have accessed. Although posts on PasteBin, Tumblr, and Github have been removed, those by the group still exist on Twitter and Imgur.
One other hacker has claimed to have stolen more of the NSA's hacking tools.
Is it real?
As The Intercept reported, using unseen documents from former NSA contractor Edward Snowden, the leak of the hacking tools appears to be genuine. "The malware is covered with the NSA's virtual fingerprints and clearly originates from the agency," the publication wrote.
Included in the malware offered by the Shadow Brokers is an identical 16-character identification code used in the NSA's own documents.
Kaspersky said similarities in code "makes us believe with a high degree of confidence" that the offerings from the Shadow Brokers are "related to the malware from the Equation group".
Meanwhile, RiskBased Security, which conducted the most comprehensive technical analysis of the incident, said it was unlikely the NSA has been hacked. Instead, it says, tools used by the agency are what have been made available.
A further level of verification has come from Cisco in August. The firm has confirmed that two of the exploits listed in the archive of exploits are real. Omar Santos, part of the company's security response team said "we are deeply concerned with anything that may impact the integrity of our products or our customers' networks".
The auction
The group ran a Bitcoin auction for some of the hacking tools it has acquired. It invited "wealthy elites" with large amounts of the cryptocurrency to bid on the unknown files. Once the auction was over, the Shadow Brokers said it would provide the winner with the information to decrypt the rest of the files.
"You bid against Equation Group, win and find out or bid pump price up, piss them off, everyone wins," the Shadow Brokers say in a removed, but cached PasteBin post.
[twitter id="768003754192932864"]
However, the auction didn't go to plan. The Shadow Brokers were unable to raise the one million Bitcoin they had originally demanded. In January 2017, The Register reported the group gave up its attempt to sell the files it had taken and provided them to hacking groups inline.
Who are the Shadow Brokers?
Since the names of the initial hacking files were published there's been a number of different actors who may have had a hand in the exposures.
What we know for sure is the Shadow Brokers was the original source promoting the disclosure. On August 15, the group announced an auction for the "cyber weapons" it had taken from the NSA. Its Tumblr account has since disappeared from the web and so have some posts on GitHub.
The identity of those working for the group has, unsurprisingly, not been revealed. Snowden, in a flurry of Tweets, said the hack of an NSA malware staging server isn't "unprecedented". But went on to say: "Circumstantial evidence and conventional wisdom indicates Russian responsibility."
Commentary from Reuters has suggested Russia wouldn't have publicised the theft of the data, if it was behind it. The analysis by James Bamford, a leading author and journalist in the US, said a "logical explanation" would put the incident at the hands of an insider.
Documents release by Edward Snowden revealed that the initial malware and exploits made public did originate from the NSA.
The files, released by Snowden in 2013, contained some of the same code that was initially publicised by the Shadowbrokers group. A string of numbers in malware called SecondDate-3021.exe appeared in both the Snowden documents and those released by the Shadow Brokers.
What could it have meant?
If there had been a successful bidder in the initial auction, there could have been a serious outcome. If an organisation connected to the NSA or other security body had bit it could have retained the data; if a malicious group had won it could have taken a more sinister turn.
Want to know more about the cyber threats of the future? WIRED Security 2017 returns to London in on September 28 to discuss the latest innovations, trends and threats in enterprise cyber defence, security intelligence and cybersecurity. Join us at King’s Place by booking your tickets today.
Gloss