The public release by a previously unknown group called the Shadow Brokers of information purportedly stolen from a server run by the National Security Agency’s hacking team is providing a lot of fodder for conspiracy theorists, but hard facts are in short supply.
Shadow Brokers announced in a tweet that the group was auctioning the results of a hack of a server operated by an NSA team known outside of the U.S. spying agency as the Equation Group.
The Equation Group is the name given to a team of U.S. state-sponsored hackers by researchers at Kaspersky Lab, who have collected a great deal of information indicating that the NSA has created an office of extremely talented developers who appear to have unlimited resources. This is the group generally credited with creating the Stuxnet worm that wreaked havoc on Iranian nuclear labs.
When Kaspersky Lab revealed the existence of the Equation Group, one thing the security researchers didn't do was specifically name the NSA. However, their description of the group made it clear that there was only one likely sponsor: the NSA.
Shadow Brokers claim to be offering for sale the contents of a computer containing exploits for a variety of operating systems, along with software designed to implant those exploits and to clean up evidence of the penetration. It all looks very official, with file names that echo code words revealed by former NSA contractor Edward Snowden.
It all looks very real, but is it?
And if it is real, does it really matter at this point? The revelation (assuming it's real) will be of great interest to security researchers and to cyber-warriors generally. But it's probably not a big deal to the average CISO, who is trying to keep employees from writing their passwords on their monitors or trying to keep up with the reports from the network intrusion detection system.
The fact is that even if the information allegedly revealed by Shadow Brokers is both real and current, it won't really change the threat landscape for your business. If your organization is going to be the focus of state-sponsored hackers with an unlimited budget and a global reach, your problems are going to extend far beyond password management and software upgrades.
On the other hand, if the information released by Shadow Brokers is real, it could be a useful argument when asking for a rational security budget. There's nothing like a mysterious threat with shadowy figures and maybe even some black helicopters to free up some security funding.
Hard Facts Scarce in Purported Theft of Hacking Tools From NSA Server
But even if your CFO isn't asking for details, it's important to know whether the information revealed about those alleged leaks is real. Right now, nobody really knows. The leak uses code-word references that sound real.
The files contained in the public directory look real, and it's likely that some of them are in fact bona fide exploits for software flaws. But this could also be a carefully assembled collection of suspicious code, arranged to help Shadow Brokers make some easy money.
I asked the current experts on the Equation Group what they thought. “Kaspersky Lab doesn’t have any information on this at this time,” a spokesperson said in an email, “but our research team is investigating it.”
That research is already yielding some preliminary results, including shared encryption routines and common characteristics in the binaries. "Comparing the older, known Equation RC6 code and the code used in most of the binaries from the new leak we observe that they are functionally identical and share rare specific traits in their implementation," Kaspersky Lab said in a new blog post analyzing the Shadow Brokers data.
“This code similarity makes us believe with a high degree of confidence that the tools from the Shadow Brokers leak are related to the malware from the Equation group.”
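The article does not say which implementation traits Kaspersky matched. The following added example (not code from the article, Kaspersky, or the leak) shows the kind of evidence such a comparison rests on: two RC6 key schedules that produce identical output, one written with the spec's additive constant 0x9E3779B9 and one with the equivalent subtraction of 0x61C88647, plus a check that tells the two forms apart when scanning a binary. The sample blob is constructed here and the choice of trait is illustrative.

```python
import struct

MASK = 0xFFFFFFFF
P32 = 0xB7E15163                 # RC6 key-schedule constants from the published spec
Q32 = 0x9E3779B9
NEG_Q32 = (-Q32) & MASK          # 0x61C88647: adding Q32 mod 2^32 == subtracting this

def _rotl(x, n):
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK

def _rc6_schedule(key, rounds, step):
    """RC6 key schedule; `step` builds S[i] from S[i-1] (the trait that varies)."""
    r = 2 * rounds + 4
    c = max(1, (len(key) + 3) // 4)
    L = list(struct.unpack("<%dI" % c, key.ljust(4 * c, b"\0")))
    S = [P32]
    for _ in range(1, r):
        S.append(step(S[-1]))
    A = B = i = j = 0
    for _ in range(3 * max(r, c)):
        A = S[i] = _rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK, A + B)
        i, j = (i + 1) % r, (j + 1) % c
    return S

def schedule_add(key, rounds=20):
    """Textbook form: S[i] = S[i-1] + Q32."""
    return _rc6_schedule(key, rounds, lambda s: (s + Q32) & MASK)

def schedule_sub(key, rounds=20):
    """Same arithmetic written as a subtraction of 0x61C88647."""
    return _rc6_schedule(key, rounds, lambda s: (s - NEG_Q32) & MASK)

def rc6_constant_traits(blob):
    """Count little-endian immediates of each form in a code/data blob."""
    return {"add_form": blob.count(struct.pack("<I", Q32)),
            "sub_form": blob.count(struct.pack("<I", NEG_Q32))}

# Constructed sample blob (not real malware): filler, the subtractive constant, filler, P32.
SAMPLE_BLOB = b"\x90" * 8 + struct.pack("<I", NEG_Q32) + b"\xcc" * 8 + struct.pack("<I", P32)

if __name__ == "__main__":
    k = b"sixteen byte key"
    print(schedule_add(k) == schedule_sub(k))   # True: functionally identical
    print(rc6_constant_traits(SAMPLE_BLOB))      # {'add_form': 0, 'sub_form': 1}
```

Matching output alone proves only that both binaries implement RC6; it is the shared, unusual way of writing the schedule that links two code bases to one author.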
The details are available, of course, to anyone who wants to put up the money demanded by the Shadow Brokers. All you need to do is come up with a million Bitcoins. But before you grab your checkbook, it’s worth noting that a number of researchers have said that the data that’s currently public seems to be at least three years old.
Even if everything is real, the Equation Group will certainly have improved its methods and updated its code by the time you're likely to see it, so the group's current technology has probably advanced well beyond what's on offer now. Is it worth an estimated $450 million, the amount Bloomberg estimates is the value of a million Bitcoins?
Maybe for a government that needs to jump-start its cyber warfare team, but it’s hard to see who else might need this data for such a price.
For everybody else, this is more entertainment than actual threat. After all, if Shadow Brokers had been able to use the malware tools, they would have done so already. For now, any threat from this information is theoretical at best. But we’ll likely be entertained by continuing speculation and hand-wringing.