In what security experts say is either a one-of-a-kind breach or an elaborate hoax, an anonymous group has published what it claims are sophisticated software tools belonging to an elite team of hackers tied to the US National Security Agency.







Not fully fake

In a recently published blog post, the group calling itself Shadow Brokers claims the leaked set of exploits were obtained after members hacked Equation Group (the post has since been removed from Tumblr, but a cached version here was still available as this post was going live). Last year, Kaspersky Lab researchers described Equation Group as one of the world's most advanced hacking groups , with ties to both the Stuxnet and Flame espionage malware platforms. The compressed data accompanying the Shadow Broker post is slightly bigger than 256 megabytes and purports to contain a series of hacking tools dating back to 2010. While it wasn't immediately possible for outsiders to prove the posted data—mostly batch scripts and poorly coded python scripts—belonged to Equation Group, there was little doubt the data has origins with some advanced hacking group.

"These files are not fully fake for sure," Bencsáth Boldizsár, a researcher with Hungary-based CrySyS who is widely credited with discovering Flame, told Ars in an e-mail. "Most likely they are part of the NSA toolset, judging just by the volume and peeps into the samples. At first glance it is sound that these are important attack related files, and yes, the first guess would be Equation Group."

The Shadow Broker post came the same day that Guccifer 2.0, the online persona behind high-profile hacks of the Democratic National Committee and the Democratic Congressional Campaign Committee, posted a new batch of private material purportedly taken during the breach of the latter Democratic group. Monday's Guccifer post came on the heels of Friday's separate document dump that leaked a massive amount of personal data belonging to every Democratic member of the US House of Representatives.

Taken together, the three posts, and several earlier Guccifer 2.0 dispatches, represent a major broadside against US interests, although it’s impossible to directly connect the people behind the two online personas. Shadow Brokers’ post also differed in that it was offering to auction off the stolen data in exchange for a payment reaching one million Bitcoins (current value is more than $500 million). (The 256 MB of data included in Monday’s post was offered as a small sample of what Shadow Brokers had acquired.) Many researchers doubt the group has any hope of selling the data. As international tensions over hacking remain high, those experts speculate the true aim of Shadow Brokers is to discredit and embarrass the US government and its intelligence apparatus.

Many researchers similarly doubt the data was acquired during a direct hack of Equation Group networks. Instead, researchers speculate the data came after breaching a command-and-control channel server used by a hacking group.

Samples of the stolen files are dated most recently to 2013 and contain implants, exploits, and other tools for controlling routers and firewalls, including those from Cisco Systems, Juniper, Fortigate, and China-based Topsec, according to this analysis from Matt Suiche, cofounder and CEO of security firm Comae Technologies. A separate analysis from firm Risk Based Security noted that an IP address in an exploit labeled "ESPL: ESCALATEPLOWMAN" contained an IP address belonging to the US Department of Defense.

Using broken English, Shadow Brokers posted the following:

We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.

At the same time, the Risk Based Security post cautioned that so-called false-flag operations—in which attackers manufacture evidence that falsely implicates others—is a regular occurrence in hacking campaigns, particularly those sponsored by nations. If the claims in the Shadow Brokers’ post are true, this may be one of the only publicly known times the NSA has been compromised. But even if the claims turn out to be exaggerated, the Shadow Brokers’ post is significant, if only for the amount of work and planning that went into fabricating evidence to provoke one of the world’s most advanced hacking operations.