Within the NSA, the group that does the sort of offensive hacking many people now most associate with the agency is called TAO: Tailored Access Operations. TAO is the team that uses the sorts of programs Edward Snowden revealed in 2013, the ones that get foreign leaders’ cell phone records or infect terrorists’ communications networks. It’s the group that, arguably, has given the NSA a bad name in recent years. But it’s also the group that gives the NSA the majority of its real, target-specific power to advance and protect American interests. These are the best offensive hackers money and nationalism can buy — and it’s very likely that somebody just published some of TAO’s most powerful cyber-attacks.
The leak comes from a group calling itself “The Shadow Brokers,” which released an enormous trove of material via Pastebin: more than 300 megabytes of attack tooling in the form of compiled binaries and scripts. The release claims to contain part of the arsenal of a hacking group called Equation Group, which was identified by Kaspersky Lab in 2015 and which is widely believed to be working out of NSA or even TAO itself. The leaked data has been repeatedly taken down by the authorities, but as usual this whack-a-mole approach to containment will do nothing to keep it out of the hands of professional hackers and security professionals.
Unlike the Snowden leak, these binaries actually are offensive hacks. While the scope of each program is smaller (no sprawling XKEYSCORE-type stuff here), the potential damage is much greater. It’s one thing to alert the enemy to the fact that you have a weapon, and quite another to hand them that weapon so they can use it against you, or anyone else for that matter. Everyone from Wired to The Washington Post is reporting that this leaked code is from the NSA — one anonymous NSA source said the data was “without a doubt, the keys to the kingdom.”
This is surely no frivolous hacker feud, but an incredibly sophisticated attack on the US cyber-security infrastructure — even though it was dressed up, at least a bit, to look like the work of Guy-Fawkes-mask-wearing ideological warriors. It even features a quasi-illiterate intro/rant railing against “the elites.” It’s a familiar refrain in an American political season dominated by anti-establishment politicians, and it fits the stereotype of the libertarian hacker — but it also seems designed to convince those elites not to support the sort of offensive hacking on display in the leak. From the manifesto, with its broken English preserved:
We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for Elites. Your wealth and control depends on electronic data. You see what “Equation Group” can do. You see what cryptolockers and stuxnet can do. You see free files we give for free. You see attacks on banks and SWIFT in news. Maybe there is Equation Group version of cryptolocker+stuxnet for banks and financial systems? If Equation Group lose control of cyber weapons, who else lose or find cyber weapons? If electronic data go bye bye where leave Wealthy Elites? Maybe with dumb cattle?
Wait, what was that about an auction? Yes, these Shadow Broker fellows have quite an ambition: to collect 1 million bitcoins (well over half a billion USD at current prices) in exchange for publicly releasing… something. They claim that this something will make the code they’ve already released look like nothing, but the absurdly high price makes it seem unlikely it exists at all. Notice the structure of the sale: the files go to the highest bidder, period, but if the bidding reaches the 1 million mark they are released to everyone. So if your goal as a bidder is exclusive access to these tools for your own selfish ends, you’d be well advised to stop at 999,999 bitcoins — beyond that, even a win won’t get you the exclusive advantage you’re looking for. It’s a stupid enough set-up that it implies there was never any expectation of a legitimate sale.
But leaving these unlikely future leaks aside, what has been verifiably released thus far?
The attacks released are wide-ranging and powerful, but since the release was of code, and not of descriptions of code as with the Snowden leaks, the precise nature of each leaked piece of software is taking some time to ascertain. One researcher has identified a number of exploits aimed at getting access to computers and remotely executing code — directly controlling another person’s machine from afar. These are programs aimed not so much at hacking individuals as at getting past the firewalls and other network security appliances that protect our banks, our cell phone towers, and our power plants. They target products from Cisco, Fortinet, Juniper, and others.
The extreme importance of the systems targeted by these attacks is part of the government’s problem here. If these attacks do originate from NSA, and of course the agency is not admitting that, then it is guilty of the same sort of negligence revealed in the Snowden leaks. These tools exploit a number of “zero day” vulnerabilities that were unknown to the larger world of hackers and security researchers until this very release. It is inherently dangerous to knowingly allow such vulnerabilities to persist, knowing that others could stumble upon them — but it becomes particularly egregious when you consider the possibility that NSA might have known about this code theft and still kept the zero days secret.
Which leads to the million bitcoin question: how was this heist achieved, and by whom?
Both questions require speculation. Edward Snowden and others think that this theft is the result of hacking the hacked: Equation Group used these tools to compromise a number of systems, and when they were done, they did an imperfect job of erasing the attack code they had employed. The Shadow Brokers, or whoever they are, then hacked those machines again to slurp up the residual code. This would make the leak almost certainly a mosaic of many successful counter-hacks, and thus a much longer-lasting and more organized campaign than most criminal gangs could manage.
Others argue that the sheer scale of the haul requires a human defector to have smuggled out the material — which again implies a level of competence and chutzpah that most criminals can’t manage without a militarized state to back them up. At the end of the day, your feeling on this will come down to whether you think it’s more likely that the (probably) NSA was incompetent by forgetting to wipe an attack from a target before leaving it, or by allowing someone to walk out with a USB stick full of America’s most treasured secrets. Either way, it’s just speculation at this point.
As to who the Shadow Brokers really are, well, most are blaming the Russians. Partly there’s the timing, coinciding with another likely Russian hack, the theft of emails from the DNC, and there’s the classically anti-establishment message that came with the release. The leak also came some three years after the tools were last used, which indicates quite a bit of restraint on the part of the infiltrator. The style of release, and the absurd asking price for public release of further code, also imply that there might not be a real intention to sell.
One expert told the New York Times that “this is probably a Russian mind-game, right down to the bogus accent.” That’s probably the thing people find most compelling, and lacking any real information to go on, most experts are saying that this simply feels like a Russian job. The broken-English manifesto that accompanies the release also dwells on ideas that make little sense even for crypto-anarchists, like selling government-made weapons as part of your apparent protest against the danger that people might sell government-made cyber-weapons.
Note that the code released was already several years old when it was stolen, and it was stolen several years ago — as always, even the most bleeding-edge understanding of the NSA’s capabilities is at least a half-decade behind the times. But first the proliferation of Stuxnet-derived attacks, and now an auction of Equation Group cyber weapons, ought to show the US government just how careful it needs to be with weapons that can be smuggled out with a simple Ctrl-C, Ctrl-V.