Hackers Claim to Hit NSA-Linked Super-Cyberespionage Group
— -- A group of mysterious hackers recently claimed to have broken into the systems of another hacking group with suspected links to the National Security Agency, and the attackers are now attempting to auction off the cyber superweapons they said they found.
Cybersecurity experts were abuzz Monday after a group calling itself the Shadow Brokers claimed in stilted English in messages online to have hacked the Equation Group. The Equation Group was revealed last February to be an extremely high-level veteran hacking squad with "solid links" to the creators of the cyber superweapon Stuxnet, which was reportedly used in a joint NSA-Israeli intelligence operation that targeted an Iranian nuclear facility.
"How much you pay for enemies cyber weapons?" says one of the messages purportedly from the Shadow Brokers. "You see pictures. We give you some Equation Group files free, you see. This is good proof, no? You enjoy!!!"
The hackers said that they are auctioning off the best cybertools — "better than Stuxnet" — to the highest bidder and that if the auction raises a total of more than 1 million bitcoins — worth more than $560 million — they will dump more Equation Group files online to the public.
Cybersecurity experts were initially split on whether the hack was legitimate, but after initial analysis of some teaser code released by the Shadow Brokers, some have come to the conclusion that at least those tools appear to be real.
"The level that a nation-state would have to go through to fake this stuff would be like nothing we've seen before and highly unlikely," said one cybersecurity expert, who requested he not be identified because of the sensitivity of the subject.
The U.S.-based cybersecurity firm Symantec wrote today in a blog post, "It will take some time to assess all of the released files. However, early indications are that at least some of the tools released are functioning exploits."
Russia-based Kaspersky Lab, which first identified Equation Group in a report in February 2015, posted online late today that "while we cannot surmise the attacker's identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation Group."
The question remains if the tools yet to be seen are real and if they were stolen from an American intelligence agency — presumably the NSA or its partner hacking organization U.S. Cyber Command — a contractor, an allied intelligence agency or someone else, though some file names match the names of NSA operations revealed by former NSA contractor Edward Snowden. Four cybersecurity experts, including a U.S. official, told ABC News that from time to time the NSA outsources the development of cyberespionage tools to private contractors.
Snowden weighed in on the purported hack today on Twitter, saying that apparently an NSA "malware staging server" — essentially a holding pen for cyberweapons — had been breached. He suggested that someone, possibly Russian hacking teams, had been sitting on the server for a long time, collecting intelligence and stealing code.
"NSA's hackers (TAO) are told not to leave their hack tools ("binaries") on the the server after an op. But people get lazy," Snowden wrote. TAO refers to the NSA's elite offensive hacking squad, Tailored Access Operations.
Like some others who analyzed the teaser code, Snowden noted that the date references appear to end in 2013, the same year he walked out of the NSA with a huge cache of data on NSA operations so he could expose what he believed were illegal or unconstitutional surveillance programs. He said that's no coincidence; the NSA would have "migrated offensive operations to new servers as a precaution" and unknowingly cut off the mysterious hackers' access.
"You're welcome, @NSAGov. Lots of love," Snowden tweeted.
The Shadow Brokers claimed in their posting that the group "followed" Equation Group traffic, found its "source range" and then hacked it, finding "many many Equation Group cyber weapons."
The NSA did not respond to ABC News' requests for comment for this report. Dick Clarke — a former White House counterterrorism adviser, a cybersecurity expert and an ABC News consultant — said, "You can bet the NSA is trying to figure out whether or not this is legitimate."
According to Kaspersky Lab's profile, the Equation Group may have been born as far back as the mid-1990s and was found to have "solid links" indicating it was connected to the hacking team that created the Stuxnet worm that attacked and physically damaged the Iranian nuclear facility before Stuxnet's discovery in 2010. The New York Times reported that the NSA was deeply involved in the creation and deployment of Stuxnet, an unprecedented cyberweapon.
Kaspersky did not directly connect Equation Group with any government organization, but it noted that attacks from the Equation Group have focused on Iran, Russia, Pakistan, Afghanistan and others including China. The same targets would presumably be at the top of a list of U.S. intelligence priorities.
"[The Equation Group] is unique almost in every aspect of their activities: They use tools that are very complicated and expensive to develop, in order to infect victims, retrieve data and hide activity in an outstandingly professional way, and utilize classic spying techniques to deliver malicious payloads to the victims," said a Kaspersky online post in February 2015.
Representatives for the White House National Security Council declined to comment on specific cases and declined to elaborate on what actions, if any, the U.S. government would take to inform private companies about potential vulnerabilities in their systems that may be revealed to any number of malicious actors, should the hack and the auction prove real. In 2014 the White House laid out its criteria for when the U.S. government will alert private companies about vulnerabilities in their systems and when it will keep quiet about those vulnerabilities in order for U.S. intelligence to exploit them.
The Shadow Brokers' auction for the cyberweapons got off to a slow start and, as of this report, has received 13 bids, topping out at just under $1,000.