National Security Agency (NSA) leaker Edward Snowden is backing a theory that Russia — not money-seeking hackers — is behind the release of possible NSA source code.

The Shadow Brokers, a previously unknown hacking entity, and WikiLeaks have both announced they have copies of the source code used by a vaunted cyber espionage operation called the Equation Group. The Equation Group is widely believed to be connected to the NSA.

ADVERTISEMENT

The Shadow Brokers are auctioning off the code, and WikLeaks says it will release it for free.

In a series of tweets on Tuesday, Snowden said he believed the effort to expose the source code was a shot from Russian intelligence operatives meant to warn the NSA against publicly attributing recent cyberattacks on the Democratic Party to President Vladimir Putin.

“This leak is likely a warning that someone can prove US responsibility for any attacks that originated from [a specific] malware server,” Snowden tweeted.

The code was not necessarily taken from NSA headquarters. It could have been taken from an external command and control server running the Equation Group’s software. Being able to identify that server could implicate the NSA in a variety of other attacks around the world.

“That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies,” Snowden tweeted.

He is not the first person to bring forward this idea, which has become a popular theory in the information security community.

Many security experts agree that Russia was behind hacks targeting the Democratic National Committee and Democratic Congressional Campaign Committee, and that the Obama administration is holding off from publicly blaming the country while officials contemplate the U.S.'s next move.

Russia’s role the military campaign against the Islamic State in Iraq and Syria also makes it risky for the U.S. to shake the already fragile relationship between the countries.

The hack of an NSA malware staging server is not unprecedented, but the publication of the take is. Here's what you need to know: (1/x) — Edward Snowden (@Snowden) August 16, 2016

1) NSA traces and targets malware C2 servers in a practice called Counter Computer Network Exploitation, or CCNE. So do our rivals. — Edward Snowden (@Snowden) August 16, 2016

2) NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations. — Edward Snowden (@Snowden) August 16, 2016

3) This is how we steal their rivals' hacking tools and reverse-engineer them to create "fingerprints" to help us detect them in the future. — Edward Snowden (@Snowden) August 16, 2016

4) Here's where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us -- and occasionally succeed. — Edward Snowden (@Snowden) August 16, 2016

5) Knowing this, NSA's hackers (TAO) are told not to leave their hack tools ("binaries") on the server after an op. But people get lazy. — Edward Snowden (@Snowden) August 16, 2016

6) What's new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is. — Edward Snowden (@Snowden) August 16, 2016

7) Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack. — Edward Snowden (@Snowden) August 16, 2016

8) Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here's why that is significant: — Edward Snowden (@Snowden) August 16, 2016

9) This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server. — Edward Snowden (@Snowden) August 16, 2016

10) That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies. — Edward Snowden (@Snowden) August 16, 2016

11) Particularly if any of those operations targeted elections. — Edward Snowden (@Snowden) August 16, 2016

12) Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks. — Edward Snowden (@Snowden) August 16, 2016

13) TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast. — Edward Snowden (@Snowden) August 16, 2016

Bonus: When I came forward, NSA would have migrated offensive operations to new servers as a precaution - it's cheap and easy. So? So... — Edward Snowden (@Snowden) August 16, 2016