Hacker Group Claims to Be Selling NSA Files


UPDATED Tuesday morning with Edward Snowden's comments, Tuesday afternoon with a comprehensive list of purported NSA tools referenced in the data dump and Friday morning with a statement from WatchGuard Technologies.

It's either a very elaborate hoax, or it's evidence that someone has hacked into the U.S. National Security Agency.

On Saturday (Aug. 13), tweets and other online postings from a new group calling itself "Shadow Brokers" said that it was auctioning off files stolen from the "Equation Group." Equation Group is Kaspersky Lab's name for an extremely sophisticated cyberespionage group with ties to the Stuxnet computer worm, which was discovered in 2010 after it damaged uranium-enrichment centrifuges at Iran's Natanz facility. The widely shared, if unspoken, assumption is that the Equation Group is part of the NSA.

"We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no?" read an entertaining message posted on Pastebin by Shadow Brokers. "You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files."


As proof, Shadow Brokers posted links to various file-sharing services, from which a 235MB Zip file could be downloaded. Shadow Brokers said that the Zip file was just a sample of the Equation Group files it had. Security experts who have looked at the files say they bear names like EGREGIOUSBLUNDER, ELIGIBLEBACHELOR and ESCALATEPLOWMAN, and detail ways to get through commercial firewall appliances.

Documents leaked in 2013 by former NSA contractor Edward Snowden, along with other evidence, indicated the existence of NSA tools with similarly silly-sounding names, such as IRATEMONK, STELLARWIND and EGOTISTICALGIRAFFE.

A screenshot of files provided by Shadow Brokers.

Hoax or not, some of the files in the Shadow Brokers data dump appear to be genuine malware, said researchers.

"There are actual exploits in the dump, with a 2013 timestamp on files," wrote Matt Suiche, a well-known French security researcher, in a Medium post Monday (Aug. 15). "We do not know if they are working as nobody has tried them, but they are actual exploits and not only references."

"Equation Group's ELIGIBLECANDIDATE exploits an RCE [remote code execution] vulnerability in HTTP cookies in a TOPSEC firewall CGI script," tweeted Mustafa Al-Bassam, a British researcher who was once a member of the Lulzsec hacking crew. (TOPSEC is a Chinese network-security vendor.) "ESCALATEPLOWMAN is actually a privilege escalation exploit against WatchGuard firewalls."

In more (deliberately?) broken English, the Shadow Brokers missive instructed interested parties to bid for the files using Bitcoin. The document didn't say how many files in total Shadow Brokers had.

"If you like free files (proof), you send bitcoin," says the message. "If you want know your networks hacked, you send bitcoin. If you want hack networks as like equation group, you send bitcoin. If you want reverse, write many words, make big name for self, get many customers, you send bitcoin. If want to know what we take, you send bitcoin."

If the documents really are from the NSA, how did Shadow Brokers get their hands on them? Who's crafty enough to hack the NSA? The Grugq, a pseudonymous South African bug broker — i.e., he sells newly found "zero-day" software exploits to intelligence agencies such as the NSA — put forward a theory on Twitter earlier Monday.

"This dump does not support the assertion that NSA was hacked. That sort of access is too valuable to waste for (almost) any reason," the Grugq tweeted. "I would guess: the dump is the take from a counter hack against a pivot/C2 [malware command-and-control server] that was mistakenly loaded with too much data. [Stuff] happens."

UPDATE: Edward Snowden himself weighed in on Twitter Tuesday (Aug. 16) about the purported NSA files, agreeing with the Grugq that they came from a malware command-and-control server. Snowden blamed Russian state-sponsored hackers trying to do damage control in the wake of the theft, and subsequent release, of embarrassing documents from the Democratic National Committee's email servers.

"NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is," Snowden wrote. "I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.

"Circumstantial evidence and conventional wisdom indicates Russian responsibility," he continued. "Here's why that is significant: This leak is likely a warning that someone can prove U.S. responsibility for any attacks that originated from this malware server."

"That could have significant foreign policy consequences. Particularly if any of those operations targeted U.S. allies. Particularly if any of those operations targeted elections," Snowden wrote. "Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks."

UPDATE: Mustafa Al-Bassam has posted a list of the purported Equation Group tools and exploits referenced in the "free" documents released by Shadow Brokers. Our favorite is EPICBANANA, which Al-Bassam describes as "a privilege escalation exploit against Cisco Adaptive Security Appliance (ASA) and Cisco Private Internet eXchange (PIX) devices."

UPDATE: In a statement provided to Tom's Guide, WatchGuard Technologies responded to the Shadow Brokers data dump:

"WatchGuard takes all reported vulnerabilities seriously and values the effort that security researchers put into the responsible disclosure of potential exploits. We investigated the reported exploit and found that it cannot be used against any of our currently supported appliances. The referenced vulnerability was actually targeting RapidStream appliances, a company WatchGuard acquired in 2002. This RapidStream exploit did not carry over into any WatchGuard appliances and is not a vulnerability for our current customers."