The NSA has been hacked— or at least that’s what an anonymous hacker group is claiming.
The news made headlines this week, but not without sparking massive controversy in the #InfoSec world. Here’s the who, what, and why of what went down:
On August 15th, an anonymous hacker group calling itself ShadowBrokers posted a cache of so-called “cyberweapons” that it claims to have obtained by hacking an NSA-linked cyber-espionage team known as the Equation Group. In a statement posted on a Tumblr page, which has since been removed, ShadowBrokers offered to sell off those “cyberweapons” in a bitcoin auction to the highest bidder. As proof, the ShadowBrokers released an unencrypted sample with 300 megabytes worth of exploits designed to target various networking appliances from companies like Cisco and Fortinet.
Though some experts and pundits initially doubted the validity of the ShadowBrokers’ claims, The Intercept has reported that previously unpublished documents leaked by NSA-whistleblower Edward Snowden confirm that “the malware is covered with the NSA’s virtual fingerprints and clearly originates from the agency.”
So far it’s not fully known what the ShadowBrokers group has access to, but cybersecurity firm Kaspersky has tackled the known quantities with a detailed breakdown of the “Equation Giveaway.”
Who are The Equation Group?
The Equation Group is a hacking team that many believe to be a part of the NSA’s Tailored Access Operations (TAO) unit, a cyber-warfare intelligence-gathering unit.
Equation Group was first discovered in 2015 by researchers at Kaspersky Labs, who claim to have found evidence that the group has been active since at least 2001, with more than 60 different actors involved. Kaspersky Labs disclosed their discovery at the 2015 Kaspersky Security Analysts Summit, calling the Equation Group “one of the most sophisticated cyber attack groups in the world.”
Who are The ShadowBrokers?
Nobody knows for sure who the ShadowBrokers are, but there are a few educated guesses being thrown out there, with most fingers firmly pointed at Russia, as usual.
For his part, Edward Snowden sent out a barrage of tweets stating that he believes the stolen files are genuinely NSA tools, and that “circumstantial evidence and conventional wisdom indicates Russian responsibility.”
However, other experts have claimed that the leak more likely points to a “second Snowden” at the NSA, i.e., an insider who leaked the exploits, possibly for personal profit.
In an article for Reuters posted Monday, long-time NSA reporter James Bamford wrote that “Rather than the NSA hacking tools being snatched as a result of a sophisticated cyber operation by Russia or some other nation, it seems more likely that an employee stole them.” Bamford argues that Russia would not have exposed the vulnerabilities, because doing so makes them worthless as affected companies scramble to patch their products.
In an article that appears to give some credence to Bamford’s claims, linguistics expert Shlomo Argamon has claimed that the ShadowBrokers author is a native English speaker masquerading as a non-English speaker.
“The texts contain a variety of different grammatical errors that are not usual in the English of US native speakers,” Argamon says in his analysis, suggesting that the ShadowBrokers used these mistakes to cast suspicion on foreign nationals such as the Chinese or Russians.
“While no one of these factors is dispositive, the cumulative effect of these multiple lines of evidence leads to the conclusion that the author is most likely a native speaker of US English who is attempting to sound like a non-native speaker by inserting a variety of random grammatical errors.”
So who exactly is affected by the NSA tools exposed in the ShadowBrokers’ data dump? So far, it seems that mostly networking appliances from companies such as Cisco and Fortinet were targeted by the NSA’s exploits.
Both Cisco and Fortinet immediately issued warnings about vulnerabilities revealed in the data dump, and both companies quickly moved to patch the vulnerabilities, but some experts are now saying that the exploits affect more machines than previously thought.
Many pundits have used the hack as damning evidence against the NSA. In a blog post published on Vox.com, cyber security expert and cryptographer Bruce Schneier writes: “The National Security Agency is lying to us. We know that because data stolen from an NSA server was dumped on the internet. The agency is hoarding information about security vulnerabilities in the products you use, because it wants to use it to hack others’ computers. Those vulnerabilities aren’t being reported, and aren’t getting fixed, making your computers and networks unsafe.”
Damning indeed. But as others have pointed out, the NSA was just doing its job—stealing and making sense of other people’s information. Pentesting for Cisco is not the mission.
Where to from here?
In many ways, the outcome of these events depends on two things: the veracity of the ShadowBrokers’ claims, and who wins the auction.
Any auction or leak of further data could have serious consequences for the security world, not least of all for many major corporate and government networks dependent on compromised systems. If a malicious actor wins the auction, the results could be disastrous. If the NSA or another government entity is able to win the auction and retain the data, we could return to status quo, though the genie is out of the bottle. In any case, it’s unlikely that the hackers would disclose the winners of such an auction.
One thing is certain: we’ll be hearing a lot more about this breach—from politicians and security pundits alike.
Latest posts by Jeff Edwards (see all)