Threat Management, Vulnerability Management

The Shadow Brokers’ NSA hack claim unlikely, say experts


The claim by the hacking group the Shadow Brokers that it has pilfered surveillance tools from another group, allegedly associated with the National Security Agency (NSA), is being called bogus by security experts.

Over the weekend the Shadow Brokers posted a message on Github, since removed, stating it would auction off a variety of “cyber weapons” obtained by hacking another shadowy organization called Equation Group. Kaspersky Lab has linked Equation Group to a variety of malware types, including Stuxnet and Flame, which are associated with attacks supposedly launched by the United States. However, the company will not directly confirm or deny if Equation Group is associated with any U.S. government agency saying to in an email that "With threat actor groups as skilled as the Equation Group accurate attribution is extremely difficult."

Gizmodo posted a portion of the Shadow Broker statement before it was removed.

“How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons.”

In an August 16 SecureList blog post Kaspersky Lab's Global Research and Analysis Team wrote, "While we cannot surmise the attacker's identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group."

Igor Baikalov, chief scientist at Securonix, told in an emailed statement that there are too many problems with both what the Shadow Brokers said and the data the group has so far revealed.

“It stinks. Too many things around this announcement don't make sense,” Baikalov said.

While the group did post a sampling of its wares, Jerome Segura, senior security researcher at Malwarebytes, told SCMagazine in an email that it's too early to make a connection between the data and any group.

“The data dump form the Shadow Broker group is interesting in that it contains many different scripts and tools but claiming a direct link to the NSA via a hack or a leak is too early at this point. It will take painstaking analysis of each file to get a better idea of where this came from,” Segura said.

However, Kaspersky Lab, which first reported on Equation Group in 2015 said it sees in the available data some evidence that confirms the Shadow Brokers claims. Kaspersky said it sees in the Shadow Broker's data dump the use of RC5 and RC6 encryption algorithms, which are also used by Equation Group.

"In case you're wondering, this specific RC6 implementation has only been seen before with Equation group malware. There are more than 300 files in the Shadowbrokers' archive which implement this specific variation of RC6 in 24 different forms. The chances of all these being faked or engineered is highly unlikely. This code similarity makes us believe with a high degree of confidence that the tools from the ShadowBrokers leak are related to the malware from the Equation group," the Kaspersky team wrote.

Baikalov refuted the Shadow Broker's claim in even stronger terms saying Shadow Broker may well have simply done an internet search to come up with its information.

“Let's start with the attribution: there's no proof whatsoever that the code is in any way connected to EQ or NSA. The names look like the ones in the documents released (publicly) by Snowden or Der Spiegel? Well, that would take the whole 10 minutes to research and reproduce,” he said, adding, “The most I'd give to The Shadow Brokers is that they've stumbled upon an old backup from 2013 - that'd explain the most recent file date and names unchanged since the leak.”

However, even if the data is not from a government agency some useful nuggets could still be gleaned, Segura noted, saying he is certain cybercriminals are now sifting through whatever is found online for something useful.

“Cyber criminals are analyzing them as well and will use anything they can find to add firepower to their current toolset. We saw this for example last year with the HackingTeam leak, which was a treasure trove that included zero-days quickly weaponized in the wild,” he said.

"The only we thing we can be certain of is that there are bits of code that appear to be related to firmware tampering in the dump. Beyond that everything else surrounding this event is suspect. As usual, attribution is difficult, if not impossible," said John Shier, senior security advisor for Sophos, told in an email.

Kaspersky and other analysts did find the Shadow Broker's method of selling off the data troubling.

"The passphrase is being ‘auctioned', but having set the price at 1 million BTC (or 1/15th of the total amount of bitcoin in circulation), we consider this to be optimistic at best, if not ridiculous at face value," Kaspersky wrote.

"And now the auction. Reminds me a lot of the changing demands around Sony breach - same glaring mismatch between supposed skills needed to execute the breach and dopey ramblings after all. No catalog, no escrow account, no inspection clause? Just gimme half a billion dollars," Baikalov said.

Gizmodo reported the Shadow Group saying if 1 million Bitcoins were received by bidders it would make all the files public. However, if that mark was not reached the data would go to the highest bidder, but those submitting losing bids would not get their money back.

Updated Tuesday to include this Kaspersky Lab's quote threat actor groups as skilled as the Equation Group accurate attribution is extremely difficult.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.