NSA Hack Appears Real – Sort Of
Last week a group of hackers called Shadow Brokers claimed to have a group of NSA hacker tools available for sale on the dark web. The tools were supposedly stolen from the Equation Group which has been loosely linked to the NSA.
If all of this is true, then the reality is that the NSA wasn’t hacked but rather a possible NSA vendor was hacked.
The newest files that were made available by the sellers to validate their claim were dated in 2013, around the time of the Snowden breach.
Some of the exploits targeted routers and firewalls from every major vendor – Cisco, Fortinet, Juniper and Topsec (Chinese). The initial request said that if they got 1 million bitcoins (or around a half billion dollars), they would release all the code publicly. The hackers, in broken English, said “If electronic data go bye bye where leave Wealthy Elites?” . Certainly if all of this true, they could wreak some havoc.
Snowden Tweeted that the hack may have been of a staging server that was abandoned, possibly after his release of documents, and someone either forgot about it or got sloppy and did not wipe it. That seems a whole lot more plausible than hacking the NSA itself. Still, the tools would be very interesting.
Snowden suggests that whoever released these tools (Russia) did so as a warning to the U.S. that if they tried to tie the DNC hack to the Russians, they would fight back and expose U.S. hacks of other countries, likely countries friendly to the U.S., causing diplomatic problems.
This winds up being a chess game as everyone hacks everyone else, whether they are friends or not.
The Intercept (Glen Greenwald who broke the original Snowden story), says that the tools are genuine NSA. That does not mean, however, that the release is the result of a hack of the NSA, only a hack of someone who had a copy of the tools for whatever reason – possibly because they developed them for the NSA.
A manual that had not been previously released by Snowden refers to tagging the NSA’s use of a particular malware program with the string “ace02468bdf13579” . Guess what – that string appears in the released code of one tool called SECONDDATE. Since the manual was not public until now, there would be no way for copycats to inject that string if it was not put there by NSA operatives.
If these tools were really in the possession of Russia, how long have they had them (years, possibly) and have they used them against Western organizations. Tools don’t know who the good guys and the bad guys are – they just work if they are coded right.
This could mean that the sellers may have used them and, possibly, some of the holes may have been coincidentally patched making the tools less useful (since not everyone applies patches).
Apparently, according to documentation released, SECONDDATE intercepts web requests and redirects them to an NSA controlled server, where the server replies with malware, infecting the requestor. Believe it or not, this is definitely possible, no question about it. In fact, some known attacks have used this technique. Again according to documents, this tool was used to spy on Pakistan and Lebanon. According to this manual, agents had to use the string above to avoid reinfection of target systems. That string appears 14 times in the files that Shadow Broker released.
The Intercept article goes into detail on a number of other tools that were released.
What we think we know is that these tools were likely connected to NSA activities, but we have no idea how they were gotten. We know that they are years old and date to the time of the Snowden leaks. We also know that, based on the limited set of tools that were released, the NSA has some neat stuff.
If the attackers do eventually release all of the code, it will likely identify more zero day exploits that the vendors can close, but as far as I can tell, there are way more where those came from, so don’t worry that the NSA is going to go out of business. I guess that is good news/bad news. Good news that the NSA will continue to have tools, even though they obviously don’t like it when their tools are exposed. Bad news in that the we don’t know who had access to these tools, for how long, and whether or not other agents from non-friendly countries used them against us.
This story just gets wilder.
Information for this post came from Network World, The Intercept and Network World again.