Should the NSA Reveal Leaked Exploits?
Once attack tools are leaked, they are adopted rapidly by many attackers. Will the leaked NSA exploits quickly be used in an attack, and what is being done?
On Aug. 13, a group known as the "Shadow Brokers" announced on Twitter that they would auction off a set of cyber-espionage tools taken from the server of the Equation Group, widely considered part of the United States' intelligence services and likely to be operating as part of the National Security Agency. The announcement was met first with disbelief, then chagrin, as it became apparent that the compromise and post-exploitation framework were genuine.
Questions remain, James Clapper, director of national intelligence, said at an Aug. 24 event. "It's still under investigation," he said, according to the Associated Press. "We don't know exactly the full extent—or the understanding—of exactly what happened."
What is known is that the leak involved an encrypted set of files weighing in at more than 250MB of data, which included the encryption key for a folder of teaser files labeled "Firewall." The key to unlock the encrypted main body of data will only be released, the group said, if they receive 1 million bitcoin, about $580 million. The Shadow Brokers are thought to be linked to Russia.
While the NSA is most known for its offensive capabilities—its ability to spy on other nations' and groups' communications—the leak of a significant collection of vulnerabilities known to only a few should signal that the agency should be considering its defensive role more heavily, according to security experts.
"If there is an attributable group in a foreign country that is going to use this against people, it is in everyone's interest for the [government behind the Equation Group] to notify the vendors so that other nations are not using Equation's IP against citizens," Logan Brown, president of threat intelligence and vulnerability acquisition firm Exodus Intelligence, told eWEEK.