The FBI probe into the leaked NSA cyberweapons has revealed that a former NSA employee's "mistake" during an active operation three years ago may have resulted in the eventual discovery and leak. Investigators have ruled out the theory of Russian hackers having stolen the NSA hacking tools by breaking into the spy agency's headquarters in Fort Meade.
However, the FBI is yet to rule out the possibility of the Shadow Brokers, the hacker group behind the cyberweapons dump and sales on the dark web, being affiliated with Russia. Officials have also discounted the theory of the leak being similar to the work of yet another Edward Snowden-like whistleblower.
The FBI is now investigating a theory that one of NSA's former operatives' carelessness in leaving the hacking tools available on a remote computer may have allowed Russian hackers to get their hands on them, according to four unnamed sources with knowledge of the investigation, Reuters reported. NSA officials have also admitted to the FBI about the former operative's mistake during an operation, in which the hacking tools were used.
Briefly after the Shadow Brokers dumped the NSA cyberweapons, firewall providers Cisco and Fortinet confirmed that the leaked vulnerabilities were legitimate and issued out patches to fix the exploits.
NSA did not immediately warn companies about exposure of the hacking tools
NSA officials also confirmed that the operative acknowledged the error afterward. However, the spy agency refrained from informing the companies about the potential dangers upon first discovering the exposure of the cyberweapons. According to two other unspecified sources, the investigators are also exploring the possibility that the leak was caused by more than one mistake made by NSA operatives at its headquarters or a remote location, which may in turn have compounded the situation.
Upon discovering the exposure of the hacking tools, the NSA used its sensors to detect if any of the exposed cyberweapons were being used, either by any hackers/hacker groups or by foreign adversaries like China and Russia, both of which are considered to have been involved in cyber-espionage operations in the past. However, since the sensors did not pick up any activity among cybercriminals or foreign spies using the hacking tools, the spy agency did not feel obligated to immediately report the matter to the concerned companies.
Was the NSA cyberweapon leak the work of state-sponsored hackers?
According to sources, investigators are working on the presumption that the Shadow Brokers may indeed be a hacker group affiliated with Russia. Additionally, according to officials, the probe into suspicions over a foreign government involvement instead of just another criminal element is because the hackers leaked the cyberweapons instead of choosing to sell them immediately.
Security experts believe that the NSA cyberweapons leak, on the heels of the DNC hack and the recent Colin Powell email leaks, could all be part of a disturbing pattern. The cyberattacks could also be part of targeted efforts to propagate harmful information and further Russian agenda, according to Jim Lewis, a cybersecurity expert at the Center for Strategic and International Studies.
"The dumping is a tactic they've been developing for the last five years or so," Lewis said. "They try it, and if we don't respond they go a little further next time."
More to come?
Since the NSA hacking tools were first leaked by the Shadow Group in August and following confirmation of the leaked vulnerabilities being legitimate by Cisco and Fortinet, the intelligence and security community has been speculating about how the cyber-tools can be exploited and if more unknown tools are in the wild.
Cisco recently revealed that a new vulnerability from the leaked NSA hacking tools had been used by hackers to target some of its clients. This may indicate that while investigators continue to look into how the leak was perpetrated, hackers will likely continue to leverage the now-exposed cyber-tools to conduct attacks.