Has the NSA just been hacked? Security experts speaking with FORBES think it’s possible, after a group published malware and attack code allegedly belonging to the Equation Group, a crew linked to the US intelligence agency. But while many believe the leak looks legitimate, the hackers could have pulled off a very clever ruse.
In 2015, researchers at Russian security company Kaspersky Lab revealed a highly-advanced arsenal of hacking tools used by the Equation campaign. They were believed to have been the work of the NSA as the code was linked with previous, allegedly US-sponsored hacks, including the infamous Regin and Stuxnet attacks. That link, however, was never definitively proven nor admitted by the signals intelligence body.
Two days ago, on August 13, a group calling themselves The Shadow Brokers released files on Github, claiming they came from the Equation Group. The files included code allegedly designed to exploit firewalls from American manufacturers Cisco, Juniper and Fortinet. One Chinese company, Topsec, was also an Equation target, according to the leaks. None of the manufacturers had responded to requests for comment at the time of publication.
The hackers released 60 per cent of the files they claimed to have taken from the Equation Group. The Shadow Brokers said they would release the remaining data to the highest bidder in a Bitcoin auction (they’ve received two bids so far). If they received an extraordinary 1,000,000 Bitcoins, worth roughly $560 million, they would release all the files.
“We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons,” the hacker collective wrote (grammar errors theirs). “We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.
“If you want know your networks hacked, you send bitcoin. If you want hack networks as like equation group, you send bitcoin. If you want reverse, write many words, make big name for self, get many customers, you send bitcoin. If want to know what we take, you send bitcoin.”
A legitimate NSA hack?
Sources who’ve been delving into the leak believe it to be either legitimate or a very well-researched hoax, and labelled the Bitcoin auction a distraction, an attempt to gain media attention (the first tweets from the Shadow Brokers were sent to various publications). The former, a genuine leak, is the more likely according to current thinking, however.
“The code in the dump seems legitimate, especially the Cisco exploits … and those exploits were not public before,” said Matt Suiche, founder of UAE-based cybersecurity start-up Comae Technologies. “The content seems legit.”
Suiche noted, however, that attribution to the Equation Group could be faked. And one malware analyst who asked to remain anonymous said the hackers could have looked through all documents leaked by Edward Snowden, taken previously-unused information and created an elaborate ruse. But the source was close to convinced the files were real, having analysed them.
Claudio Guarnieri, a malware researcher who has worked on some of the Snowden files, said the leaks seemed credible. He hypothesized the group may have hacked a “listening post” (LP), a part of surveillance infrastructure through which malware sends back information and is sent commands.
This #EquationGroup free dump seems mostly binary builds, installation scripts, and general configuration for a C&C. Seems credible.
— Nex ~ Claudio (@botherder) August 15, 2016
A review of the files revealed what appear to be vulnerabilities and exploits for some widely-used firewalls — network security technologies that aim to block digital snoops from entering. Suiche posted a handy rundown of the products affected. He said at the very least the exploits for the Cisco products included “real code” designed specifically to take control of the firewalls. “It’s not automatically generated or something like that.”
Alongside those alleged exploits were implants — malware that is covertly dropped on the network once the firewall and other security mechanisms have been bypassed. There were also some scripts and basic instructions for the malware’s usage.
Most of the exploits dated from 2013, making it an old leak, FORBES understands. As Guarnieri told me in his summation of the leak: “I think it’s credible, it seems legit, but old and very delimited.” The harm to any NSA operation will, therefore, be limited.
The NSA had not responded to a request for comment at the time of publication. Neither had the Shadow Brokers.
Who might have leaked such information? There’s some speculation Russia may be on a hacking spree, following claims in the last month that the Putin government hacked the Democratic National Committee and the Democratic Congressional Campaign Committee. But, if the Equation Group compromise is real, there’s no evidence pointing to any one player at the current time. Russia has repeatedly denied its spies hacked the Democrats.
Whatever the alleged hack’s origins, the NSA does have something to worry about: Someone is out to embarrass the agency and might have the tools to do just that at a particularly heated time in US politics. The agency should, of course, have a response plan. Snowden managed what the Shadow Brokers are shooting for on a far greater scale.
By Thomas Fox-Brewster