Did NSA Get Hacked?

A group calling itself the “Shadow Broker” posted a trove of files online Monday, claiming it contains cyberweapons stolen from hackers called the Equation Group—allegedly the elite hacking arm of the National Security Agency.

The announcement appeared in broken English on a Tumblr account—now inactive but preserved in Google’s caches—along with two encrypted file archives available for download. “Shadow Broker” provided the password for one of the archives to prove the files’ authenticity, but demanded payment in Bitcoin for the password to the second archive.

We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.

The Equation Group, so named by Russian cybersecurity company Kaspersky Labs for consistently using advanced encryption, is said to have been behind Stuxnet, the state-sponsored virus that attacked Iranian nuclear centrifuges in 2009.

Security researchers examined the “Shadow Broker” files found actual hacking tools that exploit vulnerabilities in common pieces of internet infrastructure. They have catchy names like EPICBANANA, EXTRABACON, ELIGIBLEBACHERLOR, and EGREGIOUSBLUNDER.

Nicholas Weaver, a computer-science professor and researcher at the University of California, Berkeley, wrote Tuesday the data dump seems real—and that it was probably snagged from an NSA server.

Because of the sheer volume and quality, it is overwhelmingly likely this data is authentic. And it does not appear to be information taken from compromised targets. Instead the exploits, binaries with help strings, server configuration scripts, five separate versions of one implant framework, and all sort of other features indicate that this is analyst-side code—the kind that probably never leaves the NSA.

Nearly all the files, however, appear to be newer than June 2013, suggesting “Shadow Broker” may have lost access to NSA files around then. Snowden commented on Twitter about the timing: That’s the same month he began leaking valuable government documents. He predicted the agency may have migrated its offensive capabilities to new servers as a precautionary measure, thereby kicking out any intruders.

(A handful of files, however, have timestamps from later in 2013. It’s not yet clear what that means, but it might undermine Snowden’s claim.)

Since the leaked cyberweapons—at least those immediately made available—are a few years out of date, their release isn’t a huge threat to internet users. Most of the malware isn’t as useful anymore as it would’ve been in 2013, and some may not have been that useful in the first place.

Instead, like the recent cyberattacks that targeted the Democratic National Committee and the Democratic Congressional Campaign Committee, the release has a political tinge to it. Snowden speculated the attack could be Russian in origin, a digital warning shot to remind the U.S. of the Kremlin’s reach and to discourage it from publicly attributing the hacks that affected the Democratic organizations. But that’s just a guess—there’s not yet any clear proof of the data dump’s origin, security researchers caution.

The rules of the auction for the remainder of the cyberweapons trove are vague. “Shadow Broker” wrote the auction will end “when we feel is time to end.” But the files may come to light whether or not the group follows through with its promise to hand over the weapons to the highest bidder—the WikiLeaks Twitter account tweeted it plans to make them available in the future: