Hackers Auction Stolen NSA Cyber Weapons to Highest Bidder


A group of hackers called the “Shadow Brokers” claim to have stolen the National Security Agency’s “omnipotent” cyber-weapons and are auctioning them off to the highest bidder.

Time notes the Shadow Brokers are demanding non-refundable bids be submitted in advance, with the auction to end at an unspecified time, so interested parties should “keep bidding until we announce winner.”

“We follow Equation Group traffic,” they exclaimed on their website, referring to the NSA’s hacker unit. “We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.”

While the Daily Dot notes widespread skepticism about these claims, based in part on the broken English of the sales pitch, it also reports that on closer examination, “cybersecurity experts are now opening up to the idea that this could actually be the real deal.”

Some of those experts suggest that the exploits crucial to these purported NSA cyber-weapons are a decade old, but they might still be legitimate. The age of the data in the free samples provided by the Shadow Brokers leads some analysts to think they might have penetrated the NSA years ago and have been waiting for the right time to reveal the breach.

Security and hardware providers, such as Cisco, have been slow to comment on whether these weaknesses in their products are real, as has the National Security Agency. The White House reportedly doesn’t want to comment, either.

The Shadow Brokers came out of nowhere with a big social media rollout over the weekend, possibly taking their name from a character in the popular Mass Effect videogame series. Serious cybersecurity players appear to have started paying attention to the samples posted on the Shadow Brokers website on Sunday, and by Monday morning some of them had begun quietly conceding that the Brokers might really have the goods, or else are very good at faking it.

The Daily Dot mentions one theory about the identity of the Shadow Brokers:

The timing of this Shadow Brokers–NSA revelation quickly following the DNC hack has many people wondering if and how the Shadow Brokers fit into the increasingly tense Washington–Moscow geopolitical game being played out as America’s 2016 election approaches, while Russia acts to push back against what many in the Kremlin reportedly see as decades-old American and NATO arrogance and aggression.

Foreign Policy couldn’t get a comment from the NSA, either, but it spoke with former NSA research scientist and current security-firm CEO Dave Aitel, who said the Shadow Brokers hack was “at a minimum, very interesting; at maximum, hugely damaging… it’ll blow some operations, if those haven’t already been blown.”

A deeper dive into what the Shadow Brokers are offering is provided by Foreign Policy:

The files posted over the weekend include two sets of files. The hackers have made one set available for free. The other remains encrypted and is the subject of an online auction, payable in bitcoin, the cryptocurrency. That set includes, according to the so-called Shadow Brokers, “the best files.” If they receive at least 1 million bitcoin — the equivalent of at least $550 million — they will post more documents and make them available for free.

The set of files available for free contains a series of tools for penetrating network gear made by Cisco, Juniper, and other major firms. Targeting such gear, which includes things like routers and firewalls, is a known tactic of Western intelligence agencies like the NSA, and was documented in the Edward Snowden files. Some code words referenced in the material Monday — BANANAGLEE and JETPLOW — match those that have appeared in documents leaked by Snowden. Security researchers analyzing the code posted Monday say it is functional and includes computer codes for carrying out espionage.

Adding to the intrigue, Foreign Policy received a tweet from the hacker behind the DNC raid, Guccifer 2.0, who described the Shadow Brokers offering as “bullshit,” saying “the hacking world operates differently.” That’s an interesting assessment, if both Guccifer 2.0 and the Shadow Brokers are agents, or allies, of the Kremlin.

Speaking of Edward Snowden, he commented on the Shadow Brokers in a string of tweets summarized by Business Insider:

First, he reaffirmed what other experts have been saying — that if the hack is legitimate, the NSA itself wasn’t hacked, but rather a particular server used by Equation Group for an operation was. This kind of successful attack on an NSA server isn’t unheard of, Snowden says. “A rival publicly demonstrating they have done so is.”

“Why did they do it?” the outspoken privacy advocate asks. “No one knows, but I suspect this is more diplomacy than intelligence, related to escalation around the DNC hack … This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server [that the hacked files originated on]. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies.”

In other words, Snowden thinks Russia is sending a warning that if the US decides to publicly blame it for the DNC, it will retaliate by leaking potentially damaging information about US cyber-intelligence operations to the world.

One theory of the current cyber-Cold War holds that the DNC hack was actually the work of the NSA, or disgruntled members of its cyberwar unit, angry that Hillary Clinton appears to be getting away with compromising national security in her email scandal. In this scenario, the Shadow Brokers might be either pushback against the NSA, a warning shot fired across its bow by Moscow, or preparation for a longer and more elaborate game of hacking and finger-pointing in the years to come.