‘Auction’ of NSA tools spooks security firms
The whistleblower Edward Snowden believes the Russian Federation is behind a leak of malware allegedly belonging to the US National Security Agency (NSA). Experts say this sort of collection wouldn’t just be sitting around for some random hacker group, state-run or otherwise.
PARIS (AP) - The leak of what purports to be a National Security Agency hacking tool kit has set the information security world atwitter and sent major companies rushing to update their defenses. Most of the code was created to break through network firewalls and get inside the computer systems of competitors like Russia, China and Iran. As numerous leaked files were dated mid-2013, the hackers have been sitting on the data for at least three years. Three of them, JETPLOW, FEEDTROUGH and BANANAGLEE, have previously appeared in an NSA compendium of top secret cyber surveillance tools. Kaspersky Lab, the cyber security firm that first exposed Equation Group’s cyber-espionage activities in 2015, released a blog post detailing a “strong connection” between the leaked files and their previous findings about Equation.
Cisco says the threat level of one of the vulnerabilities – Cisco Adaptive Security Appliance SNMP Remote Code Execution Vulnerability – is high. They are expensive software used to take over firewalls, such as Cisco and Fortinet, that are used “in the largest and most critical commercial, educational and government agencies around the world,” said Blake Darche, another former TAO operator and now head of security research at Area 1 Security.
Nicholas Weaver, a researcher with the International Computer Science Institute who also has examined the files, said they appear to be legitimate NSA attack code that was copied in mid-2013.
In a series of messages posted to Twitter, Snowden suggested the leak was the fruit of a Russian attack on an NSA malware server and could be aimed at heading off US retaliation over allegations that the Kremlin was trying to interfere in America’s electoral process. The agency used it to redirect users who think they’re browsing safe websites to NSA-run servers that infect their computers with malware, and then back to their destination before they know what happened.
The online news site’s editors include journalists that worked with Snowden to publicise his notorious 2013 NSA leak revealing the extent of government snooping on private data.
“This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast”, he said.
The Intercept and Matt Suiche, founder of United Arab Emirates-based cybersecurity start-up Comae Technologies and a leading analyst of the Shadow Brokers’ code, have tied that code to an NSA hacking program mentioned in the Snowden leaks. He speculated that perhaps an NSA outside “staging server” – essentially a holding pen for malware – had been hacked and that, after he went public, the NSA migrated the malware to a different server as a security precaution, inadvertently but fortuitously cutting off the hackers’ access.
He said it was likely to be a diplomatic strategy, related to the blame being placed on the Russian Federation for a recently revealed hack of computers belonging to the Democratic party in the US.
Publication of the actual exploits occurred on Saturday, though the story only gained traction Monday when various news outlets began investigating the legitimacy of claims made by the Shadow Brokers. Although the NSA claims to release 91 percent of the vulnerabilities it finds, there’s still no public data to verify that figure, said Jason Healey, a researcher at Columbia University. The stolen “weapons” were said to belong to Equation Group, a hacking unit believed to be backed by the NSA. So too is the length of the auction, which it said would end, in its signature broken English, “when we feel is time to end”.