18 Aug 2016

Shadow Brokers Release NSA Hacking Tools to the Public

A hacking group called Shadow Brokers has reportedly stolen powerful hacking tools from the Equation Group, a hacking group believed to be NSA-backed and responsible for many of the largest state-level hacks in history. On Saturday, Shadow Brokers released a subset of these tools to the public, which several former employees of the NSA’s hacking division, known as Tailored Access Operations (TAO), have said appear to be legitimate NSA files. Shadow Brokers is auctioning the “best files” or the remaining tools, for a price of one million bitcoin (about $568 million).

“The exploits are not run-of-the-mill tools to target everyday individuals. They are expensive software used to take over firewalls, such as Cisco and Fortinet, that are used “in the largest and most critical commercial, educational and government agencies around the world,” said Blake Darche, former TAO operator and now head of security research at Area 1 Security.

To illustrate the scope of these exploits, the Equation Group is believed to have jointly created, with Israel, the hacking tool known as “stuxnet”, which was used to sabotage Iran’s nuclear program beginning in 2010.

The good news? The most recent files are from June of 2013, the same month that the Edward Snowden leaks went public. The NSA may have already taken steps to prevent the use of these tools by unauthorized operators. Further, many experts believe the files may have been stolen as a result of human error, for example, an operator accidentally uploading the tools to a proxy server (called a “redirector”) and neglecting to delete them. As such, it is unlikely that Shadow Brokers has enjoyed continued access to more recent NSA files.

The bad news? The leaked code is left behind after a hack occurs. Any targets of NSA hacking can easily identify the US as the source of the hack now that they have the reference code. As Snowden’s Twitter feed explains:

“This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections. Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.” Source

How Does this Affect Individual and Business Cybersecurity?

According to Snowden, while it is not unprecedented for hackers to steal NSA code from NSA malware staging servers, this is the first time that the stolen files have been released publicly. The fact that the hacking tools have been released publicly has positive and negative implications. While the NSA and the greater cybersecurity community are now on alert to work towards limiting these tools’ efficacy, there is now a window of opportunity for non-governmental or private hackers to potentially use or adapt some of these proven tools in new attacks targeting businesses and individuals, before any vulnerabilities are patched.