Russia emerges as prime suspect in apparent NSA hack
Hacking tools apparently purloined from the National Security Agency's cache of cyberweapons and dumped online this week raises troubling questions about the motives and means behind the attack.
While some experts say more information and analysis is necessary to determine the origin or incentives of the leak by an anonymous group, many cybersecurity experts and former NSA employees are drawing a direct line back to Moscow.
In fact, some say that exposing the agency's stockpile of custom-made malware is an effort to deter the US government from retaliating against Russia over the recent Democratic National Committee hack, which US officials and many technical experts have blamed on Kremlin operatives.
"We talk a lot about cyberdeterrence," says Dave Aitel, chief technology officer at security firm Immunity and a former NSA research scientist. “This is what it looks like.”
A previously unknown group calling themselves the Shadow Brokers released the stockpile of top secret computer hacking tools and exploits that it claimed to have obtained from the Equation Group, the moniker for a group that many believe is actually the NSA.
Security researchers who have examined the leaked hacking tools believe they are authentic. They say the tools are likely for use by the NSA to penetrate the network firewalls that many corporations or government agencies use to protect their servers from external attacks. The cyberweapons are apparently designed to target products from several large vendors of networking equipment including Cisco and Juniper.
Kaspersky Lab, one of several security firms that have analyzed the leaked tools, said code from the Shadow Brokers leak shares a strong connection with code from the Equation Group. The leaked malware reveals encryption techniques that are identical to those employed by the Equation Group, which indicates they probably came from the same source, according to Kaspersky.
Other researchers who tested the malware said the software appeared to work as intended and would give attackers a way to bypass firewalls and to spy on network traffic at target organizations.
In releasing the cyberweapons, the Shadow Brokers claimed it had in its possession a much larger – and presumably more damaging – cache of stolen data from the Equation Group that it would auction off to the highest bidder or release for free if the auction raised the equivalent of about $550 million.
The antisecrecy website WikiLeaks meanwhile announced that it obtained the full cache of code and would release it publicly soon.
It is unclear how the Shadow Brokers obtained the data, but it is highly unlikely that they managed to actually break into the NSA’s networks, Mr. Aitel says. What is more likely to have happened is that someone within the NSA transferred a file containing the tool kits to an external and less protected computer system, which was subsequently hacked.
Another possibility is that an insider with access to the data swiped it in much the same way that Edward Snowden stole vast amounts of the NSA's secret documents. In fact, most of the leaked tools date back to 2013, around the time the NSA began tightening its security protocols after Mr. Snowden's leaks.
It's likely that whoever is behind the theft, accessed and removed the data from NSA servers before the agency tightened security, Aitel said.
Either way, whoever is behind the attack wants to send the message, "We hacked the NSA," said Nicholas Weaver, a security researcher at the International Computer Science Institute at the University of California, Berkeley.
There's also an important blackmail component to the Shadow Brokers operation, he said. The group distributed two encrypted bundles this week, one with the decryption key as the "proof" files and the other missing that key.
"This latter one is basically a explicit threat," Mr. Weaver said. "There are now thousands of copies of this file all over the world and the actor behind Shadow Brokers can, with just a single tweet, ensure that the world knows what is in those files."
