Yesterday we reported that in a historic first, an unknown group of hackers, the "Shadow Brokers" had hacked the NSA's cuberattack hacking division, "The Equation Group." Many were wondering what are the strategic implications of this dramatic escalation, which took place just as the US was accusing Russia of virtually every other recent prominent hacking, and whether it suggested something bigger was taking place behind the scenes.

Today, the most famous NSA (ex) employee, Edward Snowden, chimed in on this topic in a tweetstorm in which he tries to explain who did it:

Circumstantial evidence and conventional wisdom indicates Russian responsibility. I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack

... why they did it:

This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server.

... and the consequences:

That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections. Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.

and concludes as follows:

this leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast.

In effect, Snowden suggest that Russia has either had enough of being accused for every hack in the US, or of being hacked itself, and is now retaliating. If he is correct, this is a far greater transgression by the Kremlin, and one which would absolutely necessitate a proportional US response to something which very well may have originated in Russia. The question is whether the administration, which has so far lobbed softballs as Putin for DNC hacks which may well have been done by 16 year old American hacker, will have the guts to retaliate to what is the first real act of global cyberagression.

Here is his full series of tweets on the topic (it can be found here in its original).

The hack of an NSA malware staging server is not unprecedented, but the publication of the take is. Here's what you need to know: 1) NSA traces and targets malware C2 servers in a practice called Counter Computer Network Exploitation, or CCNE. So do our rivals.

2) NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations.

3) This is how we steal their rivals' hacking tools and reverse-engineer them to create "fingerprints" to help us detect them in the future.

4) Here's where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us -- and occasionally succeed.

5) Knowing this, NSA's hackers (TAO) are told not to leave their hack tools ("binaries") on the server after an op. But people get lazy.

6) What's new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is.

7) Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.

8) Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here's why that is significant:

9) This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server.

10) That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies.

11) Particularly if any of those operations targeted elections.

12) Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.

A convenient summary:

13) TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast.

And a bonus take:

Bonus: When I came forward, NSA would have migrated offensive operations to new servers as a precaution - it's cheap and easy. So? So... The undetected hacker squatting on this NSA server lost access in June 2013. Rare public data point on the positive results of the leak. You're welcome, @NSAGov. Lots of love.

The ball is now in the NSA's court.