The teaser data dump appears to contain legitimate attack code, some experts say.
The United States government can’t seem to catch a break in cyberspace.
Hackers claim to have stolen attack code from a team of sophisticated cyber spies known as “the Equation Group,” widely believed to be associated with the U.S. National Security Agency, one of the world’s top intelligence outfits. The hackers have offered to sell their purloined exploits to the highest bidder in an online auction conducted in the cryptocurrency Bitcoin.
Although the alleged breach could just be an extravagant hoax, experts who reviewed a preliminary data dump teased alongside the hackers’ garbled sales pitch said that the files, amazingly, looked authentic. “This appears to be legitimate code,” Matt Suiche, a French cybersecurity entrepreneur, wrote in a Medium blog post, echoing what others had posted on Twitter.
“We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see,” the hackers wrote Saturday on the code-sharing site Github, as well as on Yahoo-owned Tumblr (both later taken down). “This is good proof no? You enjoy!!!”
The lifted goods include exploits allegedly designed to target firewalls and equipment produced by Cisco, Juniper Networks, Fortinet, and Topsec, a Chinese firm. The latest file modifications appear to date back to 2013, and names are consistent with NSA programs leaked by whistleblower Edward Snowden that year, such as “BANANAGLEE,” “EPICBANANA,” and “JETPLOW.”
Details are still sparse, but here’s what the security community is saying. Rather than directly hacking a team within the NSA, the hackers, operating under the nom de guerre “the Shadow Brokers,” likely got their hands on the software tools from some compromised computer system, according to some experts, including a computer security researcher who goes by the alias “the grugq.”
“It might be the compromise of a [listening post] or a trampoline for attacking network appliances and routers of different types,” Claudio Guarnieri, a security researcher familiar with nation state intelligence operations, said in a post on Twitter.
Kaspersky Lab, a Russian antivirus software firm, outed the so-called Equation Group in a report last year. The company tied the NSA-linked group to operations such as “Stuxnet,” a digital attack that struck Iranian nuclear infrastructure a decade ago, and “Flame,” malicious code that targeted Middle Eastern states around the same time.
Some onlookers have suggested that the alleged thieves could be linked to Russian intelligence agencies, citing a recent flare-up of activity by “Guccifer 2.0,” believed to be a Russia-sponsored puppet account, and the country’s well-known penchant for “false flag” operations, intended to deceive or confuse people.
Others have urged caution, warning against casually proposing attributions before thorough investigations can be conducted.
At the time of writing, the Bitcoin address associated with the so-called Shadow Brokers had received a handful of Bitcoin transfers totaling about $24 (the exchange rate was $568.22 per Bitcoin at press time)—nowhere near the crowdsourced half a billion dollars requested to publicly leak an unencrypted version of the remaining 40% of the data.
The hackers said they would end the bidding “when we feel it is time to end,” and would not return money to losers. (Most people agree the auction was a clever—and successful—ploy to attract attention.)
Meanwhile, whistleblowing website WikiLeaks also said that it had acquired and would publish a copy of the “cyber weapons” cache shortly.
The hackers’ post, written in poor English, ends in a rant against “wealthy elites,” noting that they “run for president.”
“We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control,” they wrote. “If Equation Group lose control of cyber weapons, who else lose or find cyber weapons?”
The NSA, the hackers, and the companies did not immediately respond to Fortune’s request for comment.