Earlier this week, a mysterious hacker group calling itself the Shadow Brokers claimed it was auctioning off a trove of cyberweapons allegedly stolen from the Equation Group, an elite cyberattack unit linked to the National Security Agency. Newly released documents from the cache leaked by NSA whistleblower Edward Snowden now appear to confirm that the 301MB archive of NSA hacking tools, exploits and data is indeed authentic.
The Intercept reports that the smoking gun is a previously unreported, top-secret draft NSA manual, dating no earlier than 2010, which instructs operators to track their malware deployments using a 16-character string. The exact same string, "ace02468bdf13579," appears in 14 places throughout the code of a program called "SECONDDATE" that was included in the archive published by the Shadow Brokers.
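The check described above is, at bottom, a byte-string search over every file in the archive, counting hits per file. The script below is an added example of that check; it is not code from the original page or from the leaked material. The directory layout, file names and file contents it builds are constructed for the illustration (only the marker string itself comes from the article), and the function names are assumptions made here.

```python
"""Search a directory tree for a fixed byte-string marker and count hits per file.

Added example: a constructed illustration of the kind of check run against the
leaked archive. The sample files, directory layout and function names are
assumptions for this example, not artifacts from the leak.
"""
import os
import tempfile

MARKER = b"ace02468bdf13579"  # the 16-character tracking string cited in the NSA manual


def find_marker(data: bytes, marker: bytes) -> list[int]:
    """Return the byte offsets of every non-overlapping occurrence of marker in data."""
    offsets = []
    start = 0
    while True:
        idx = data.find(marker, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + len(marker)


def scan_tree(root: str, marker: bytes = MARKER) -> dict[str, list[int]]:
    """Walk root and return {relative path (with '/' separators): [offsets]} for files containing marker.

    Files are read as raw bytes so compiled binaries and blobs match as well as source text.
    """
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                offsets = find_marker(fh.read(), marker)
            if offsets:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits[rel] = offsets
    return hits


def total_hits(hits: dict[str, list[int]]) -> int:
    """Total number of marker occurrences across all matching files."""
    return sum(len(v) for v in hits.values())


def build_sample_archive() -> str:
    """Create a constructed directory that mimics a leaked toolkit (not real leak content)."""
    root = tempfile.mkdtemp(prefix="sample_archive_")
    os.makedirs(os.path.join(root, "seconddate"))
    files = {
        # two source-like files carrying the marker (constructed content)
        "seconddate/config.py": b"KEY = 'ace02468bdf13579'\nBACKUP = 'ace02468bdf13579'\n",
        "seconddate/inject.c": b"/* tag */ static const char TAG[] = \"ace02468bdf13579\";\n",
        # a binary blob with the marker embedded between non-text bytes
        "seconddate/stage.bin": b"\x00\x01\x02ace02468bdf13579\xff\xfe",
        # an unrelated file with a near miss (last character differs) that must not match
        "readme.txt": b"tool ace02468bdf13578 is unrelated\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_archive()
    result = scan_tree(sample_root)
    for rel_path, found in sorted(result.items()):
        print(f"{rel_path}: {len(found)} hit(s) at byte offsets {found}")
    print(f"total occurrences: {total_hits(result)}")
```

Reading files as bytes rather than text matters: a marker embedded in a compiled tool or an obfuscated blob would be missed by a text-mode search that chokes on non-UTF-8 input, and a near-miss string (one character off) is correctly ignored.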
According to an internal NSA presentation from the Snowden trove, the tool allows the NSA to carry out "man-in-the-middle" attacks against targeted computers to intercept traffic on a network and reroute web requests to the NSA.
The agency's own example: a targeted user trying to visit a legitimate website such as CNN.com is silently redirected to an NSA-controlled server called FOXACID, which scans the user's computer and deploys malicious code.
The documents released by The Intercept also note that the program was successfully used to spy on systems in both Pakistan and Lebanon.
Although it is still unclear how such sensitive information was taken from the NSA and who is responsible for the breach, the leak marks the first time the intelligence agency's cyberattack tools have become publicly available.
Following the Shadow Brokers leak, multiple cybersecurity experts and firms have trawled the sample file, provided by the hacker group as proof of legitimacy, to determine whether the included code was actually developed by the NSA. The group also provided a second encrypted file, selling its decryption key for a massive 1m bitcoin (over $550m).
Russian cybersecurity firm Kaspersky Lab, which previously described the Equation Group as one of the most advanced hacking groups in the world, found that several hundred tools from the leak do "share a strong connection" to malware from the Equation Group. Former NSA personnel also confirmed that the leak does appear to be legitimate, saying, "without a doubt, they're the keys to the kingdom."
Firewall makers Cisco and Fortinet also issued security advisories and fixes addressing the exploits mentioned in the leak, further adding to the growing evidence that the data exposed in the leak is authentic.
"The danger of these exploits is that they can be used to target anyone who is using a vulnerable router," Johns Hopkins University cryptographer Matthew Green told The Intercept. "This is the equivalent of leaving lockpicking tools lying around a high school cafeteria.
"It's worse, in fact, because many of these exploits are not available through any other means, so they're just now coming to the attention of the firewall and router manufacturers that need to fix them, as well as the customers that are vulnerable."
Many experts believe Russia could be behind the high-profile breach. Earlier this week, Snowden speculated that the leak could be a warning from Russia, saying "the hack of an NSA malware staging server is not unprecedented, but the publication of the take is."
"Circumstantial evidence and conventional wisdom indicates Russian responsibility," Snowden wrote in a series of tweets on 16 August. "This leak is likely a warning that someone can prove US responsibility for any attacks that originated from the malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections."
Wikileaks also announced that it will soon publish its own "pristine copy" of the cyber-espionage toolset.