The “Shadow Brokers” are in the spotlight.
The mysterious group has seized the attention of the cybersecurity world with its claim to have stolen code from the Equation Group — a team of hackers who have been tied to the National Security Agency.
On a website written in broken English, the Shadow Brokers revealed some files and promised “better” ones available, for sale to the highest bidder. One caveat: By “bidding,” they mean sending bitcoins, and losing bidders don’t get them back. (“Sorry lose bidding war lose bitcoin and files. Lose Lose. Bid to win!”)
The group also said it would make a new batch of files public if it received 1 million bitcoins to a specified address. That’s more than half a billion dollars, and nearly 1/15th of all the bitcoins in circulation.
As of Wednesday afternoon, the Shadow Brokers appear to have received 1.6 bitcoins, or less than $1,000, based on the public ledger showing funds sent to that bitcoin address.
The auction is “absurd” and “weird,” as Wired puts it, but the magazine notes that there’s a “growing consensus” that the files themselves — at least the ones released so far — are legitimate.
Matt Suiche, a security researcher who analyzed the code that has been publicly released by the Shadow Brokers, tells NPR’s Aarti Shahani that it does appear to be a compilation of tools used by the NSA.
But the “teaser” files don’t include any very valuable information, he says — and the question now is whether the hackers actually have more files.
“The sample files … are complete, but they are not extremely significant enough to shut down the Internet,” Suiche told Aarti. “If that would be the best of what they had, it would be disappointing. It’s like Pokémon Go. You hear the hype, it’s interesting. Then you pay for more — but you get bored.”
Other experts say they, too, believe the files contain actual NSA code.
The Washington Post reports that the hacking tools released in the teaser file — with names such as Epicbanana, Buzzdirection and Egregiousblunder — are highly sophisticated.
“The file contained 300 megabytes of information, including several ‘exploits,’ or tools for taking control of firewalls in order to control a network, and a number of implants that might, for instance, exfiltrate or modify information.
“The exploits are not run-of-the-mill tools to target everyday individuals. They are expensive software used to take over firewalls, such as Cisco and Fortinet, that are used ‘in the largest and most critical commercial, educational and government agencies around the world,’ said Blake Darche, another former TAO operator and now head of security research at Area 1 Security.”
(TAO stands for Tailored Access Operations, the NSA’s hacking division, the newspaper explains.)
The New York Times writes that the NSA could have used the code to “get inside the computer systems of competitors like Russia, China and Iran,” with the exploits, and “lurk unseen for years” with the implants.
“Whoever obtained the source code apparently broke into either the top-secret, highly compartmentalized computer servers of the N.S.A. or other servers around the world that the agency would have used to store the files,” the Times writes.
The code released by the Shadow Brokers dates most recently to 2013, the same year Edward Snowden leaked classified information about the NSA’s surveillance programs.
Via Twitter, Snowden commented on the apparent hack, saying the most notable thing wasn’t that NSA servers were breached but that the hack has now been publicized.
“Why did they do it?” Snowden asked. “No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.”
The hackers could be advertising that they have the ability to identify actions the NSA took on the compromised server, Snowden suggests — a warning of sorts.
Snowden also noted that the released files end in 2013. “When I came forward, NSA would have migrated offensive operations to new servers as a precaution,” he suggested — a move that would have cut off the hackers’ access to the server.
“You’re welcome,” he tweeted.
As for who is responsible for acquiring and leaking the code on the Shadow Brokers’ site, Snowden says “circumstantial evidence and conventional wisdom” suggest Russia.
King’s College London cybersecurity expert Thomas Rid tells NPR’s Mary Louise Kelly the same thing.
There’s no hard proof, he says, but the capabilities required and the timing of the release suggest Russia. That’s all circumstantial, but “more than speculation,” as he puts it.
U.S. Rep. Adam Schiff, the ranking Democrat on the House Intelligence Committee, also spoke with Mary Louise. He said he couldn’t comment on the accuracy of any reports about the leak.
But he said, “If these allegations were true, I’d be very concerned about the impact on the intelligence community. I’d also obviously want to know who the responsible parties were. … If this were a Russian actor — and again, this is multiple ‘ifs’ here — we’d have to ask what is causing this escalation.”
Meanwhile, WikiLeaks has also stepped into the cyberdrama.
“We had already obtained the archive of NSA cyber weapons released earlier today and will release our own pristine copy in due course,” the leak-publishing website tweeted two days ago, without any further explanation.