On 13 August, a mysterious hacking collective called the Shadow Brokers announced it had stolen and leaked a trove of computer exploits from a National Security Agency (NSA)-linked unit known as the Equation Group.
This secretive group of hackers, branded as "one of the most sophisticated cyberattack groups in the world" by security experts at Kaspersky Lab, then released one file as proof of legitimacy and another that would be 'auctioned' off for a massive 1m bitcoin – equivalent to over $550m.
In a series of posts online – on websites including Tumblr, GitHub and PasteBin – the hackers revealed convincing evidence that Equation Group had been breached. As a result, numerous cybersecurity experts are now trawling the 301MB leak for more information.
What are the cyberweapons?
Based on initial analysis, the main aim of the suspected NSA exploits was penetrating network gear made by Cisco, Juniper, and other major firms, said cybersecurity researcher Matt Suiche in a blog post on Medium.
"Most of the code appears to be batch scripts and poorly coded python scripts, and seems to be a toolkit against firewalls. Nonetheless, this appears to be legitimate code," he wrote. "For clarification, yes there are actual exploits in the dump, with a 2013 timestamp on files. We do not know if they are working as nobody has tried them, but they are actual exploits and not only references."
The leak included a number of 'codenames' that were first disclosed in files leaked by former NSA whistleblower Edward Snowden three years ago. These included 'BANANAGLEE' and 'JETPLOW', alongside others dubbed 'EPIC BANANA', 'EGREGIOUS BLUNDER' and 'EXTRA BACON'.
Each codename corresponds to an exploit with specific targets, though not all have been identified at this stage. EPICBANANA, for example, has been linked with several models of Cisco firewalls and Cisco Adaptive Security Appliance (ASA) devices. Another, titled ELIGIBLEBOMBSHEL, is a web-based exploit that reportedly targets Chinese-made Topsec firewalls.
According to US-based Risk Based Security (RBS), the timestamps on the encrypted files are 25 July this year. Meanwhile, the one file released as proof of legitimacy is dated 2013. Additionally, a number of directories have dates as far back as 2010.
In one test of the sample file, RBS revealed the code of at least one exploit contained an IP address registered to the US Department of Defense (DoD).
"In the coming days and weeks, we expect to see a variety of blogs further analysing the exploits as well as the affected vendors scrambling to evaluate the information to provide patches," RBS said in its analysis. "While this leak seems extremely damaging to the NSA on the surface, we caution readers to remember that false flag operations are a critical part of high-level hacking activity."
Of course, a degree of scepticism remains about the legitimacy of the alleged NSA data. Some critics believe the so-called Shadow Brokers may have simply compromised a computer system storing the exploits – meaning the NSA itself was not technically breached in this instance.
Well-known information-security researcher 'The Grugq' wrote on Twitter that the data dump does "not support the assertion" that the US intelligence agency was compromised.
"That sort of access is too valuable to waste for (almost) any reason," the researcher said. "I would guess: the dump is the take from a counter hack against a pivot/C2 that was mistakenly loaded with too much data. Sh*t happens."
Furthermore, it could be an elaborate ruse. To date, the NSA has not released any statements regarding the potential leak or its suspected Equation Group hacking unit. However, whistleblowing organisation WikiLeaks recently indicated the data is real – claiming it would be releasing the same data "in due course."
Nicholas Weaver, senior researcher at the International Computer Science Institute in Berkeley, California, believes the data to be genuine.
"Because of the sheer volume and quality, it is overwhelmingly likely that this data is authentic," he wrote in a blog post. "It does not appear to be information taken from compromised targets. Instead, the exploits, binaries with help strings, server configuration scripts, 5 separate versions of one implant framework, and all sort of other features indicate that this is analyst-side code—the kind that probably never leaves the NSA.
"It is also unlikely that this data is from the Snowden cache. Those documents focused on PowerPoint slides and shared data, not detailed exploits. Besides NSA, the only plausible candidate for ownership is GCHQ—and the implications of stealing Top Secret data from GCHQ and modifying it to frame the NSA would themselves be startling.
"All this is to say that there is relatively high confidence that these files contain genuine NSA material."
Who is responsible?
While attribution remains far from certain, some experts believe that Russian state hackers may be involved in the leak – much like the ongoing hacks targeting the US Democratic Party, which have been blamed on politically charged, state-sponsored actors.
Dave Aitel, a former NSA research scientist who now runs security firm Immunity, told Foreign Policy he believes Putin's nation is responsible. "[The leak is] at minimum very interesting; at maximum, hugely damaging. It'll blow some operations if those haven't already been blown," he said.
Edward Snowden, former NSA analyst-turned-whistleblower, has said he believes the leak may have been a warning from Russia. In a series of tweets published on 16 August, he said: "The hack of an NSA malware staging server is not unprecedented, but the publication of the take is."
He elaborated: "Circumstantial evidence and conventional wisdom indicates Russian responsibility [...] This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections."
Snowden continued: "This may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks. This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast."
What will happen next?
Dmitri Alperovitch, co-founder of US security firm CrowdStrike, has speculated the latest Shadow Brokers disclosure may be linked to the ongoing incident at the DNC and DCCC. He has serious concerns about how the situation could now escalate.
"The question everyone should be asking about #DNCHack and #ShadowBrokers is what is going to happen next?" he wrote in a series of Twitter posts. "No doubt that further leaks will continue and contribute to the chaos of this already way too weird election. USG [United States Government] needs to come up with a response and soon. Continued inaction is inexcusable."
Since news of the leak broke, the Shadow Brokers hacking team has remained silent and some of its postings – including on GitHub – have been removed. Yet the data will continue to spread regardless and, if it proves to be legitimate, could still prove to be a major embarrassment for the NSA, state-sponsored hack or not.