- First Look/Trevor Paglen
In the wake of an unprecedented breach of hacking tools and exploits apparently stolen from the US National Security Agency’s elite hacking unit, experts are offering two competing theories on how it happened – and they’re equally disturbing.
Some former agency employees believe that the alleged group behind the leak, the “Shadow Brokers,” may have hacked an NSA server that had a top-secret hacker toolkit left there by mistake.
Others believe that the Brokers may be just a smokescreen for another possibility: an agency mole.
“The key thing I think people are missing is that [most are talking] about how someone hacked a command-and-control box somewhere on the internet,” Dave Aitel, an ex-NSA research scientist who now leads penetration-testing firm Immunity, told Business Insider. “If you actually look at the files, it really doesn’t seem like that is the case.”
His remarks about looking at the files are interesting, especially in light of a post on Medium by Matt Suiche, the founder of Comae Technologies. He claimed that he was contacted by a former NSA analyst who offered a somewhat-redacted image of an award citation received while working inside the agency for the US Army to prove his bona fides.
In the post about this “insider theory,” Suiche’s source said that the supposed NSA toolkit usually sits on a physically segregated network that never goes near the internet. And even more interesting, the source says, is that when an NSA hacker – an operator working in what is called Tailored Access Operations (TAO) – is going to carry out a cyberattack on a target, he or she would grab the files from this offline repository and then change many of their file names before they start.
“The file hierarchy and the unchanged file naming convention tends to say that the files were directly copied from its source,” Suiche writes.
Aitel, the ex-NSA research scientist, agreed with that assessment as a valid possibility. Further, Aitel argued that putting those types of files up on a computer that an adversary could find is not a common practice.
“It’s not from a [command-and-control] server,” he said. “It’s just not C2 server stuff. It’s operational machine stuff. No one puts their exploits on a C2 server. That’s not a thing.”
- Thomson Reuters
‘There’s all kinds of ugly here’
If the leaked files didn’t actually get hacked from a server on the internet, then it’s possible that the NSA has another “insider threat” problem – an especially embarrassing prospect for a spy agency still reeling from the fallout surrounding documents taken by Edward Snowden.
The former Booz Allen Hamilton employee who was contracted to work for the NSA leaked an alleged 1.7 million documents to journalists in 2013 before eventually seeking asylum in Moscow, where he remains.
“There’s all kinds of ugly here,” John Schindler, a former NSA analyst and counterintelligence officer, told Business Insider, speculating that “there’s fear now that this will bring on a serious mole hunt – which, by the way, is completely necessary – but never fun for the workforce. This isn’t an entertaining thing to have to worry about, ‘Is the guy or girl in the next cubicle a Russian spy?'”
The previously-unknown Shadow Brokers created a number of social-media accounts earlier this month on Reddit, Github, Twitter, and Imgur, before announcing on August 13 that its “cyber weapon auction,” which promised bidders a “full state sponsor tool set” from a hacking unit believed to be within the NSA known only as “The Equation Group.”
It released a 234-megabyte archive on various file-sharing sites with half being free to view and use – which numerous experts say is legitimate – while the other half was encrypted. The winner of the auction, the group said, would get the decryption key.
- Paul Szoldra/Business Insider
But an auction for hacking tools and exploits is not something that ever happens, experts say. Instead, exploits are bought and sold on the black market for hundreds of thousands and sometimes millions of dollars in private.
Also interesting is a newly released linguistic analysis of the group’s announcement on Pastebin, a text-sharing site, in which it used broken English.
“He is a native English speaker who tried to pass himself off as a foreigner,” Jeffrey Carr, a cybersecurity expert and CEO of Taia Global, told Business Insider.
The cybersecurity firm analyzed the text of the Shadow Brokers auction announcement and found evidence seeming to indicate that the author, or authors, purposely tried to mislead readers in the way they wrote, which included inconsistent errors in the text.
“The cumulative effect of these multiple lines of evidence leads to the conclusion that the author is most likely a native speaker of US English who is attempting to sound like a non-native speaker by inserting a variety of random grammatical errors,” wrote Dr. Shlomo Argamon, an expert on linguistics and the company’s chief scientist.
So what does this all mean? As ex-NSA employees and computer-security professionals analyze the files leaked by Shadow Brokers, it’s becoming increasingly likely that they are legitimate tools, exploits, and implants that were used by NSA hackers.
But at this point, the way they ended up getting out of the NSA’s grasp is not clear, and that’s a big problem.
“If you don’t know how it was lost, there’s then a lot of panic in terms of what else is out there, particularly from a counterintelligence perspective,” a source who previously worked as a hacker with NSA’s Tailored Access Operations unit told Business Insider, on condition of anonymity in order to discuss sensitive matters. “Now you have to really worry – are all of my operations exposed? I think that’s very concerning to people because they want to be covert and stealth.”
The NSA did not immediately respond to a request for comment.