Alleged stolen NSA cyberweapons being auctioned by hackers

17 Aug 2016

NSA HQ image via Wikimedia Commons

A group of hackers going under the name Shadow Brokers has claimed it has infiltrated the NSA and obtained a number of its ‘cyberweapons’, which are now being put up for auction.

Deep within the digital vaults of the NSA is an entity referred to as the Equation Group, which was responsible for some of the US government’s most damaging cyberattacks against nations and groups, including Stuxnet and Flame.

On 13 August, however, a group of hackers of unknown origin calling itself the Shadow Brokers – named after a group found in the video game Mass Effect – claimed in a now-deleted Tumblr post that it had hacked into the Equation Group.

Coined by Kaspersky Lab in 2015, the Equation Group described it as the most organised and advanced hacking group it had ever come across.

‘We find many, many Equation Group cyberweapons’

While the Tumblr page is gone, the group’s message and demands were also posted across the software-sharing site GitHub and Pastebin.

In broken English, the group said of its latest claimed breach: “We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many, many Equation Group cyberweapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no?”

What followed was a series of screenshots, as well as links to a number of the alleged NSA files, many of which were included among the leaked files obtained by whistleblower Edward Snowden.

These file names included “BANANAGLEE”, “JETPLOW” and “EPICBANANA”, as well as some other scripts and tools that would be used to hack another system.

Shadow Brokers files

A screenshot of the file sample released by the Shadow Brokers.

The Shadow Brokers team is now putting up the entire set of files online for auction with a starting price of 1m bitcoins – which in today’s price comes in at more than €500m.

Despite it being difficult to determine whether these files are 100pc legitimate, a number of security researchers have said that this certainly looks like it could be genuine.

Speaking to Motherboard, a security researcher known as The Grugq said: “If this is a hoax, the perpetrators put a huge amount of effort in.

“The proof files look pretty legit, and they are exactly the sorts of exploits you would expect a group that targets communications infrastructure to deploy and use.”

Kaspersky Lab thinks it’s legit

The original discoverers of the so-called Equation Group, Kaspersky Lab, has also weighed in on the legitimisation debate by saying it could be genuine.

In a blog post, it said: “While we cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation Group.”

Kaspersky Lab went on to analyse the code from the sample files with those it found from the Equation Group in 2015 and has described with a “high degree of confidence” as being “functionally identical” to each other.

Snowden has also weighed in to offer his thoughts on the hack and – based on the assumption it is true – suggested on Twitter that this was a shot across the bow for the NSA.

Colm Gorey was a senior journalist with Silicon Republic

editorial@siliconrepublic.com