The recent leak of advanced hacking tools allegedly stolen from the Equation Group, an elite cyberattack unit linked to the National Security Agency (NSA), does appear to be legitimate, former NSA personnel have told the Washington Post.
One former employee who worked in the agency's hacking division, Tailored Access Operations (TAO), and who spoke to the Post on the condition of anonymity, said that "without a doubt, they're the keys to the kingdom."
"The stuff you're talking about would undermine the security of a lot of major government and corporate networks both here and abroad," the former TAO employee said.
Another former TAO employee who saw the file as well said, "From what I saw, there was no doubt in my mind that it was legitimate."
Cybersecurity firm Kaspersky Lab has also found that "several hundred tools" from the leak do "share a strong connection" with their previous findings from the Equation Group.
"While we cannot surmise the attacker's identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group," Kaspersky Lab's Global Research and Analysis Team wrote in a blog post published on 16 August.
According to Kaspersky's researchers, the data published by the Shadow Brokers contains an implementation of the RC5 and RC6 encryption algorithms that the Equation Group has used extensively across its tools, and that implementation is identical to the RC5 and RC6 code found in known Equation Group malware.
"Comparing the older, known Equation RC6 code and the code used in most of the binaries from the new leak we observe that they are functionally identical and share rare specific traits in their implementation," the researchers wrote. "This specific RC6 implementation has only been seen before with Equation group malware."
"There are more than 300 files in the Shadowbrokers' archive which implement this specific variation of RC6 in 24 other forms. The chances of all these being fakes or engineered is highly unlikely."
The file also reportedly included a number of valuable exploits targeting equipment from Cisco, Fortinet and other vendors that is used by "the largest and most critical commercial, educational and government agencies around the world," according to Blake Darche, a former TAO operator who now heads security research at Area 1 Security.
The anonymous group calling itself the Shadow Brokers announced on 13 August that it had breached the Equation Group's computer systems and stolen some of the group's advanced cyberweapons. The Shadow Brokers said they would "auction" the tools to the highest bidder, releasing a sample of the stolen data to support their claims alongside a second, encrypted file whose decryption key was up for sale for 1m bitcoin (more than $550m).
"The code similarity makes us believe with a high degree of confidence that the tools from the Shadow Brokers leak are related to the malware from the Equation group," Kaspersky researchers wrote. "While the Shadow Brokers claimed the data was related to the Equation group, they did not provide any technical evidence of these claims. The highly specific crypto implementation...confirms these allegations."
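The attribution described in the RC6 paragraphs above, and restated in the quote just given, rests on an implementation quirk rather than on the algorithm itself: RC6 is public, so merely finding RC6 proves nothing, but a non-standard way of writing it does. One of the traits Kaspersky's analysis singled out (a detail from its published post, not quoted on this page) is that the Equation key schedule subtracts the constant 0x61C88647 where textbook RC6 adds 0x9E3779B9; the two are equal modulo 2^32, so the cipher is functionally identical while the compiled immediate differs. The following is an added example, not code from the article or from Kaspersky: a complete RC6-32/20 in Python with both key-schedule variants, checked against the published all-zero test vector, plus a hypothetical `find_constants` helper that scans a constructed byte blob for either immediate the way a quick triage of an unknown binary might.

```python
"""RC6-32/20 with the standard and the subtract-variant key schedule.

Added example; not code from the article, the Shadow Brokers archive or
Kaspersky. find_constants and SAMPLE_BLOB are hypothetical triage aids.
"""
import struct

W = 32                    # word size in bits
MASK = (1 << W) - 1
ROUNDS = 20               # RC6-32/20/16 as in the AES submission
LOG_W = 5                 # log2(W), the fixed rotation in the quadratic step
P32 = 0xB7E15163          # RC6 magic constant P
Q32 = 0x9E3779B9          # RC6 magic constant Q (standard: added each step)
NEG_Q32 = (-Q32) & MASK   # 0x61C88647: Q32 + NEG_Q32 == 2^32, so subtracting
                          # it is the same operation modulo 2^32


def rotl(x, n):
    n &= W - 1
    return ((x << n) | (x >> (W - n))) & MASK


def rotr(x, n):
    n &= W - 1
    return ((x >> n) | (x << (W - n))) & MASK


def expand_key(key, subtract_variant=False):
    """RC6 key schedule. With subtract_variant=True the initial round-key
    array is built as S[i] = S[i-1] - 0x61C88647 instead of S[i-1] + Q32;
    the resulting schedule is bit-for-bit identical."""
    c = max(1, (len(key) + 3) // 4)
    padded = key + b"\x00" * (4 * c - len(key))
    L = list(struct.unpack("<%dI" % c, padded))      # key bytes, little-endian words
    n = 2 * ROUNDS + 4                               # 44 round keys
    S = [P32]
    for _ in range(1, n):
        step = (S[-1] - NEG_Q32) if subtract_variant else (S[-1] + Q32)
        S.append(step & MASK)
    A = B = i = j = 0
    for _ in range(3 * max(c, n)):                   # mix key material into S
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i = (i + 1) % n
        j = (j + 1) % c
    return S


def encrypt_block(S, block):
    A, B, C, D = struct.unpack("<4I", block)
    B = (B + S[0]) & MASK
    D = (D + S[1]) & MASK
    for i in range(1, ROUNDS + 1):
        t = rotl((B * (2 * B + 1)) & MASK, LOG_W)
        u = rotl((D * (2 * D + 1)) & MASK, LOG_W)
        A = (rotl(A ^ t, u) + S[2 * i]) & MASK
        C = (rotl(C ^ u, t) + S[2 * i + 1]) & MASK
        A, B, C, D = B, C, D, A
    A = (A + S[2 * ROUNDS + 2]) & MASK
    C = (C + S[2 * ROUNDS + 3]) & MASK
    return struct.pack("<4I", A, B, C, D)


def decrypt_block(S, block):
    A, B, C, D = struct.unpack("<4I", block)
    C = (C - S[2 * ROUNDS + 3]) & MASK
    A = (A - S[2 * ROUNDS + 2]) & MASK
    for i in range(ROUNDS, 0, -1):
        A, B, C, D = D, A, B, C
        u = rotl((D * (2 * D + 1)) & MASK, LOG_W)
        t = rotl((B * (2 * B + 1)) & MASK, LOG_W)
        C = rotr((C - S[2 * i + 1]) & MASK, t) ^ u
        A = rotr((A - S[2 * i]) & MASK, u) ^ t
    D = (D - S[1]) & MASK
    B = (B - S[0]) & MASK
    return struct.pack("<4I", A, B, C, D)


def find_constants(blob):
    """Hypothetical triage helper: report offsets of the little-endian
    immediate for either constant, as an x86 compiler would emit it."""
    hits = {}
    for name, const in (("Q32", Q32), ("NEG_Q32", NEG_Q32)):
        needle = struct.pack("<I", const)
        offsets, pos = [], blob.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = blob.find(needle, pos + 1)
        hits[name] = offsets
    return hits


# Constructed sample, not bytes from any real binary: NOPs around
# "sub eax, 0x61C88647" (2D imm32) and "add eax, 0x9E3779B9" (05 imm32).
SAMPLE_BLOB = (b"\x90" * 8 + b"\x2d" + struct.pack("<I", NEG_Q32)
               + b"\x90" * 8 + b"\x05" + struct.pack("<I", Q32) + b"\x90" * 8)

if __name__ == "__main__":
    S = expand_key(b"\x00" * 16)
    print(encrypt_block(S, b"\x00" * 16).hex())
    print(find_constants(SAMPLE_BLOB))
```

The scan is deliberately crude: a 32-bit constant can appear by chance, and `find_constants` flags both the textbook and the negated form. The point the Kaspersky quote makes is the opposite direction, that the same unusual choice recurring across hundreds of files is hard to explain as coincidence or forgery; a single hit in one binary would be a lead, not an attribution.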
Kaspersky previously described the Equation Group as one of the world's most advanced hacking groups and a "threat actor that surpasses anything known in terms of complexity and sophistication of techniques."
Since the leak, numerous security researchers have examined the sample files to assess whether the alleged NSA material is genuine. Some were sceptical of any link to the Equation Group or other NSA-linked teams; others concluded the files were either genuine or a well-researched, elaborate hoax.
"Faking this information would be monumentally difficult, there is just such a sheer volume of meaningful stuff," said Nicholas Weaver, a computer security researcher at the University of California at Berkeley. "Much of this code should never leave the NSA."