The scary fallout from the recent NSA hack

Jay Leiderman
By: Jay Leiderman
October 04 2016

The Recent NSA Hack

You might have heard about the recent ongoing drama circling around the NSA hack that sparked a larger debate on the internet with regard to capabilities of US intelligence agencies, as well as stoked their own safety.

One Saturday in August came breaking news that a mysterious group of hackers calling themselves “The Shadow Brokers” claimed to have hacked an NSA-linked group and stole several NSA hacking tools with a promise to sell more private “cyber weapons” to the highest bidder.  This mysterious online group claimed to have stolen US “cyber weapons” of a hacking team named Comparison Group.  The claims have proven true.

The stolen hacking tools are used by the National Security Agency and the violation of its systems and tools led to a boast by the Shadow Brokers that it has access to a number of secret tools of the agency.  In the latest twist, the group is now selling copies of these tools online.

In a bizarre post written in broken English, the hackers said they had released 60 percent of the material they had and would release the additional 40 percent if they were paid 1 million bitcoin (currently worth more than $500 million). Forbes reported that its sources were saying the bitcoin auction was likely just an attempt to gain media attention.

“We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for Elites,” the group added. “Your wealth and control depends on electronic data.”

Here is what the hacking group said in its release of the files:

Q: Why I want auction files, why send bitcoin? A: If you like free files (proof), you send bitcoin. If you want know your networks hacked, you send bitcoin. If you want hack networks as like equation group, you send bitcoin. If you want reverse, write many words, make big name for self, get many customers, you send bitcoin. If want to know what we take, you send bitcoin.

Q: What if bid and no win, get bitcoins back? A: Sorry lose bidding war lose bitcoin and files. Lose Lose. Bid to win! But maybe not total loss. Instead to losers we give consolation prize. If our auction raises 1,000,000 (million) btc total, then we dump more Equation Group files, same quality, unencrypted, for free, to everyone.

Q: Why I trust you? A: No trust, risk. You like reward, you take risk, maybe win, maybe not, no guarantees. There could be hack, steal, jail, dead, or war tomorrow. You worry more, protect self from other bidders, trolls, and haters.

“Elites is making laws protect self and friends, lie and fuck other peoples,” the group continued in describing its apparent motivations for the hack. “Then Elites runs for president. Why run for president when already control country like dictatorship?”

“We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for Elites,” the group added. “Your wealth and control depends on electronic data.”

Foreign Policy laid out the evidence for why the release is being considered potentially legitimate and what exactly was taken:

The set of files available for free contains a series of tools for penetrating network gear made by Cisco, Juniper, and other major firms. Targeting such gear, which includes things like routers and firewalls, is a known tactic of Western intelligence agencies like the NSA, and was documented in the Edward Snowden files. Some code words referenced in the material Monday—BANANAGLEE and JETPLOW—match those that have appeared in documents leaked by Snowden. Security researchers analyzing the code posted Monday say it is functional and includes computer codes for carrying out espionage.

“Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack,” Snowden wrote. “This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server.”

For more on this part of the story, see Slate’s piece on this hack.

The EFF have been strong critics of the NSA policies on spying upon Americans. Rise up against the surveillance state. Demand your right to privacy!

Here are the things you need to know about the fallout

“We will give you some free Equation Group Files,” the Shadow Brokers proclaimed in messages online that offer downloads for the code of the pilfered files. These include malware and hacking tools that are terrifying out in the open for anyone to use.  Gone are the days of security thanks to a lack of proper security by the NSA and it’s contractors.  Again (read: Edward Snowden).  The reason for this, the Shadow Brokers say, is to prove that the information was real and devastating before they sell out the rest of the NSA hacking instruments gathered in the hack. The Shadow Brokers also said the Equation Group “do not know what is lost” and would offer the group the hacking tools for a price, so it will not disclose the data.

“The first file contains close to 300MBs firewall exploits, tools and scripts under cryptonyms as BANANAUSURPER, BLATSTING, and BUZZ DIRECTION,” Kaspersky said in a detailed blog post. However, that post made clear that Kapersky saw file logs dated as far back as October 2013.

It is not quite known exactly what the group has access to, but it has a number of images of the files (and their structures) posted on social media. These are believed to come from the comparison group and is claimed to be a small part of what the Brokers have opened. Although messages on Pastebin, Tumblr, and Github have been removed, that still exists by the group on Twitter and Imgur.

Another hacker has claimed to have more of hacking tools stolen from the NSA.  According to another technical report published again by security firm Kaspersky Labs, the leaked sophisticated hacking tools include digital signatures that are identical to those in the hacking software and malware that have been previously used by the Equation Group.

“Although we have neither the identity or motivation of the attacker, nor where or how they came to be stolen treasure, we can say that a few hundred tools from the leak share a strong bond with our earlier findings from the Equation Group,” said Kaspersky researchers in a blog post. More than 300 computer files found in the online Shadow Brokers archive have a common implementation of RC5 and RC6 encryption algorithms – which are known to have been used extensively by the Equation Group.

There are more than 300 files in the archives of the Shadow Brokers

Also, the implementation of encryption algorithms is identical to the RC5 and RC6 code in the Equation Group malware. “There are more than 300 files in the archives of the Shadow Brokers,” who carry out this specific variant of RC6 in 24 different forms, wrote by the Kapersky researchers.  “The chance that these are fakes or manipulated is highly unlikely.”

The group ran a Bitcoin auction for some of the hacking tools it acquired. It is inviting “elites” with large amounts of cryptocurrency to bid on the unknown files. Once the auction is over, the Shadow Brokers says it will be decoded to provide the winner of the information to the rest of the files. “You bid against Equation Group, to win and to find out whether quotation pump price up, they piss off, everyone wins,” the shadow Brokers say in a deleted but cached Pastebin post.

The group ran a Bitcoin auction for some of the hacking tools it acquired

However, the Shadow Brokers group claims to be offering an additional inducement for those who offer and losses. “If our auction offers 1,000,000 (one million) BTC total, we dump more Equation Group files the same quality, unencrypted, free, for everyone,” it says. The million figure is unlikely to be achieved, however, in that the total number of Bitcoin presently in circulation is only 15m. It is made even more unlikely in that the Block Chain registers only the total so far 1.76139345 BTC. Presently, there are no facts divulged by the Shadow Brokers as to when the auction is due to the end.

The names of the hacking files were published, and it became clear that there have been a number of different actors who may have had a hand in the hacking tool leak.  What we know for sure is the Shadow Brokers were promoting the original source of the disclosure. On August 15, the group announced it had acquired an auction for the “cyber weapons” to the NSA.  It’s Tumblr account has since disappeared from the web, likewise have a number of messages on GitHub.

The identity of those working for the group, not surprisingly, has not been revealed. Snowden, in a flurry of Tweets, said the hacking of an NSA malware staging server is “unmatched.” He went on to say: “Circumstantial evidence and conventional wisdom gives Russian responsibility.”

Comments by Reuters suggested Russia would not be behind the theft of the hacking tools.  Analysis by James Bamford, a leading computer security writer, and journalist in the US said a “logical explanation” would put the incident in the hands of an insider.

If and when the auction comes to an end, there can be serious consequences. Whichever person or group wins the auction would present wide variables in terms of the disposition of the tools.  The outcome would be wildly different if an organization is connected to the NSA or any other cyber security institution bids could save the data; as an evil group wins it would take a more sinister turn.

“Without a doubt, they’re the keys to the kingdom,” said one former TAO employee to the Washington Post, who spoke on the condition of anonymity to discuss sensitive internal operations. “The stuff you’re talking about would undermine the security of a lot of major government and corporate networks both here and abroad.”

Said a second former TAO hacker who saw the file: “From what I saw, there was no doubt in my mind that it was legitimate.”

“From what I saw, there was no doubt in my mind that it was legitimate.”

But wait, there’s more …

As of yesterday (3 October 2016) there were widespread reports like this: “No-one wants to buy the Shadow Brokers’ stolen NSA tools”

The Shadow Brokers have not had any significant offers to buy their trove of NSA hacking tools.  On Saturday, the group put up yet another Borat-esque rant, this one about its conclusion that “peoples is not thinking auction is being real” because “TheShadowBrokers is thinking this is information communication problem.” They went on: “Peoples is having interest in free files … But people is no interest in #EQGRP_Auction”  This is, no doubt, due to the fact that: “Equation Group is pwning you everyday, because you are giant fucking pussies.”  The Shadow Brokers also complained that “media no make big story” about them. At the time that Motherboard covered the auction’s lackluster progress – on Saturday, at 4 p.m. EST – the Shadow Brokers had received bids totaling only 1.76 bitcoins, or about $1,082.


3 thoughts on “The scary fallout from the recent NSA hack

  1. This blog is really cool. I have bookmarked it.
    Do you allow guest posting on your blog ? I can provide high quality articles for you.

    Let me know.

Leave a Reply

Your email address will not be published. Required fields are marked *