The Shadow Brokers hack is starting to look like Russia vs. NSA

The new leak is more sophisticated than your average data dump

On Saturday, someone started leaking the NSA’s secrets. A pop-up Twitter account called "theshadowbrokers" posted a link to a pastebin, which in turn led to more than 300 MB of exploits and scripts. According to the Shadow Brokers, the data came from the Equation Group, an advanced malware threat long linked to the NSA. Alongside the data, the attackers posted a manifesto in broken English. "We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control," the message read. The data has since been removed from nearly every site that hosted it — Pastebin, Github, and Twitter itself — but as with most leaks, the takedowns arrived too late to make a difference.

It was a startling dump, made even more complicated by the bizarre manifesto — but the data made it impossible to ignore. The link led to a large and sophisticated implant framework, including software to exploit previously undiscovered flaws in popular security tools. As researchers have looked more closely at that data, the seemingly haphazard leak now looks more like an international conflict. All evidence suggests the leaked data came from the NSA, and the timing strongly suggests Russia as the leaker. What’s less clear is how and why.

The strongest evidence comes from the leaked data itself. The dump contains uncompiled binaries for a sophisticated malware delivery system, the product of months if not years of sustained offensive security work. Security researchers poring through the dump have found novel methods for breaking through firewalls and other security tools — discoveries that would be very difficult to fake. Kaspersky Lab strengthened the connection even further, confirming that the leaked tools have "a strong connection" with the Equation Group, which the lab has been tracking for years and has long connected to the NSA. Attribution is never a sure thing, but all evidence points to the Shadow Brokers material coming directly from the NSA.

The timing of the dump is even more specific. Most of the files were most recently copied in 2013, suggesting the attackers have been sitting on the data for more than three years.

It’s unclear how the Shadow Brokers got their hands on those exploits, but the combination of broad data and specific exploits suggests it came from some third-party infrastructure targeted by the NSA but not properly sanitized. On Twitter yesterday, Edward Snowden offered an even more concrete theory, suggesting the materials came from a proxy server used by an NSA-targeted group, compromised by the NSA, and then counter-compromised by the Shadow Brokers. Of course, best practice would be to delete that material from the server after the compromise took place, but it’s exactly the kind of housekeeping that might slip through the cracks. Others are less convinced, arguing the dump is so comprehensive that it suggests a more direct attack: "someone walked out of a secure area with a USB key."

There are only a few groups capable of pulling off that scale of attack — and given the timing and method of the dump, all eyes (including Snowden’s) have turned to Russia as the most likely culprit. That attribution is far less certain and there’s far less evidence to base it on. We still don’t know when or how the Equation Group infrastructure was compromised, making traditional attribution all but impossible. Still, many foreign policy analysts see Russia as by far the most likely culprit, with James A. Lewis of the Center for Strategic and International Studies describing the dump as "probably some Russian mind game" in a New York Times article this morning.

If true, the result would be unlike anything we’ve seen before. This surely wouldn’t be the first time a group has compromised an NSA-compromised server, but it’s the first time the resulting data has been released to the public. It suggests a new stance for signals intelligence agencies, one that wouldn’t have been possible even five years ago. The Snowden leaks made it impossible to deny the existence of NSA operations of this kind, and also gave us a powerful way to publicly confirm the docs’ authenticity. The fact that the Shadow Brokers’ exploits match code names and descriptions found in the Snowden-leaked TAO catalog is still among the best evidence we have that the dump is genuine. What would have been a conspiracy theory in 2012 is now far easier to prove. That makes the NSA far more public than it’s ever been, and far more vulnerable to the same sort of strategic leaks that Guccifer 2.0 used against the Clinton campaign.

That strategy has its risks. The operational damage caused by the dump appears to be minimal, burning a few three-year-old exploits but no major tactical tricks. It’s more of a provocation than an attack, maybe timed to coincide with Guccifer 2.0’s ongoing Russia-linked leak campaign against the Democratic Party. It’s an alarming trend, but one that’s already hardening sentiments in and out of government against Russia and making it harder for actors like Guccifer 2.0 to claim independence. Even before the Shadow Brokers dump, support was growing for stronger action against Russia in response to the DNC hack. It’s too early to say if that push will amount to anything, but it suggests the Shadow Brokers are playing a very dangerous game.