Breach, Threat Management, Data Security

Snowden says Shadow Broker leak is likely a warning from Russia

Edward Snowden has shared some insight on the recent public auction of what are purported to be NSA cyber-weapons.

The infamous whistleblower let off a 13-tweet salvo explaining how the recent exposure of NSA-linked software could be an attempt by Russia to highlight the hypocrisy of the United States.

While Snowden has not worked for the US government for several years, the American exile exposed some interesting new revelations about how the NSA goes about its business.

NSA, as do its foreign counterparts, hunts malware C2 servers with something called Counter Computer Network Exploitation.

While the NSA lurks on these servers, often for years, it collects intelligence on their activities, stealing hacking tools and ‘fingerprinting' them to better detect threat actors.

Because enemies do the same thing, said Snowden, NSA hackers told not to get their tools off an enemy system after an operation. But, added the whistleblower, “people get lazy”.

What's new here, said Snowden, is the public exposure of someone hacking an NSA server. The evidence points towards Russia, although no one can know for sure.

The final tweet was perhaps the most pregnant with meaning:

The famously inscrutable leadership of the Russian state has drawn fire in recent weeks for its alleged attempts to affect the outcome of the US presidential election. The exposure of embarrassing documents from inside the democratic party laid the party low by showing that the party's executive body had heavily favoured the establishment candidate, Hillary Clinton, over her rival, Bernie Sanders.

It was not long until leading cyber-security companies and the intelligence community pointed the finger eastwards, towards Russia. Russian Foreign Minister, Sergei Lavrov, brushed off those claims soon afterwards.

This new public auction of NSA hacking tools could be a warning to US statesmen not to press this line of public attack too hard.

Snowden added that this leak is “likely a warning that someone can prove US responsibility for any attacks that originated from this malware server”. This could be profoundly damaging for US diplomacy, particularly if US cyber-weapons were found messing with the democratic processes of their allies.

A group called the Shadow Brokers published just a taste of the spoils on Pastebin several days ago, purported to be taken from the Equation Group, a hacker group associated with the NSA and linked to large campaigns like Stuxnet and Flame.

The Shadow Brokers are not so much putting out the stolen files to auction as they are crowdfunding their release. The group say its wants a million bitcoin (£441,590,000) to make the files public with the ‘best' files going to the highest bidder. Lower bidders will be provided with ‘consolation prizes'.

The leak came in the form of a small compressed archive, containing around 4000 files, including exploits, some functioning some not, against routers and firewall appliances.

Upon further investigation, Symantec found the files to to be between three and six years old. While some of the files are certainly legitimate, it is not known if the whole tranche is.

Ed Geraghty, technologist at Privacy International told that “this dump highlights how vulnerable critical government and corporate networks all over the world are, due to the stockpiling of vulnerabilities by government agencies. By holding on to vulnerabilities, rather than advising vendors who would fix them, governments act adversely to the security of their own citizens and businesses, whilst fueling a lucrative commercial market for such vulnerabilities.”

The reason to hold on to these things “is to enable offensive capabilities, rather than defensive - in other words, surveillance agencies want to harvest information about system vulnerabilities so they can hack those systems whenever they want to.

The dates highlighted in the dump show that these vulnerabilities have been around for a while. One of the problems with this, said Geraghty, “is that this stockpile is itself not just vulnerable but an active target. Now all these vulnerabilities, which may well relate to online banking services you use, or confidential medical databases, are up for grabs by criminals and foreign intelligence agencies to take advantage of”.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.