On Aug. 13, a previously unknown group identifying itself publicly only as the Shadow Brokers announced on Twitter that it was selling cyber-weapons it had allegedly stolen from a breach of the Equation Group. The Equation Group itself is a shadowy group allegedly linked to the U.S National Security Agency (NSA), according to a 2015 report from security firm Kaspersky Lab.
At this point, it’s not entirely clear if there was a breach at the Equation Group or the NSA, as opinions vary, and the Equation Group itself is not an entity that is available to publicly confirm or deny that a breach occurred.
A spokesperson for Kaspersky Lab, which first uncovered the action of the Equation Group, told eWEEK that Kaspersky Lab doesn’t have any information on the breach at this time, but the company’s research team is investigating.
Security experts eWEEK contacted were not surprised by the news that the Equation Group was somehow breached.
Chris Roberts, chief security architect at security vendor Acalvio, said that the exploits being sold by the Shadow Brokers appear to be legitimate. Roberts added that while he’s not surprised, he is somewhat frustrated that once again some of the (apparent) core NSA offensive tools have been released and the organization behind them has been uncovered.
Peter Tran, general manager and senior director at RSA, EMC’s Security Division, said that the dark web and hacker underground is an unpredictable and dynamic arena.
“Cyber-hacking legitimacy is a double-edged sword and is often judged by the hacker revealing the treasure trove or ‘data grab,’ which is akin to claiming you have taken someone hostage and not revealing that you have proof of life,” Tran told eWEEK. “In this case, the jury is still out.”
NSA whistleblower Edward Snowden also isn’t all that surprised about the hack of the Equation Group, though in a series of messages on Twitter, he noted what makes the alleged hack particularly noteworthy. First off, in Snowden’s view, the breach of the Equation Group, which he refers to as an “NSA malware staging server,” is interesting because of how it is being published and auctioned by the Shadow Brokers. Snowden explained that the NSA has a practice of following the operations of other nation-state hackers, which involves sometimes stealing rival hacking tools.
“Here’s where it gets interesting: the NSA is not made of magic,” Snowden said. “Our rivals do the same thing to us—and occasionally succeed.”
Snowden also suspects that the publication of information by the Shadow Brokers is likely related to the Democratic National Committee (DNC) breach reported in June. In Snowden’s view, the Shadow Brokers are likely Russia-based or -affiliated. He also noted that anyone with access to the tools from a breached NSA-affiliated server could potentially be able to identify attacks that came from that server.
“This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast,” Snowden said.
In a particularly ironic twist, while Snowden is famous for leaking information about NSA operations, his actions could well have helped prevent further damage from the Shadow Brokers. After Snowden’s disclosures in June 2013, he suspects that the NSA migrated to new servers as a defensive precaution.
“The undetected hacker squatting on this NSA server lost access in June 2013,” Snowden said. “Rare public data point on the positive results of the leak.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.