In what is either an incredibly elaborate hoax or a historic public breach of national security, hackers claim to have gained access to a set of files from a hacking group that is thought to be an offshoot of the National Security Agency.
If the hack is real, experts believe a foreign government must have helped the group in order for it to have exploited NSA resources in this way. On Tuesday, Edward Snowden speculated on Twitter that the Russians were responsible for the attack—and that it was connected to speculation about the country’s involvement with the recent breach and leak of Democratic National Committee emails.
Russia is widely believed to have been behind the July release of hacked DNC emails, and last week it was reported that the top lawmakers in the country had been briefed a year ago that Russia had infiltrated the DNC’s servers.
On Saturday, a group calling itself the Shadow Brokers sent notices to media outlets about its purported hack of the Equation Group, an organization that was exposed last year by Russian security firm Kaspersky Lab as likely one of the world’s most sophisticated hacking collectives. As Foreign Policy wrote, Kaspersky Lab called Equation Group “a threat actor that surpasses anything known in terms of complexity and sophistication of techniques.” Without directly calling Equation Group an NSA organization, Kaspersky linked the group to the intelligence agency and pointed to involvement with the Stuxnet malware software that was widely believed to be a U.S.–Israeli cyberattack against Iran’s nuclear program.
Then on Monday, the Shadow Brokers released on Tumblr a series of files it claimed had been taken from the Equation Group. In a bizarre post written in broken English, the hackers said they had released 60 percent of the material they had and would release the additional 40 percent if they were paid 1 million bitcoin (currently worth more than $500 million). Forbes reported that its sources were saying the bitcoin auction was likely just an attempt to gain media attention.
Here is what the hacking group said in its release of the files:
Q: Why I want auction files, why send bitcoin? A: If you like free files (proof), you send bitcoin. If you want know your networks hacked, you send bitcoin. If you want hack networks as like equation group, you send bitcoin. If you want reverse, write many words, make big name for self, get many customers, you send bitcoin. If want to know what we take, you send bitcoin.
Q: What if bid and no win, get bitcoins back? A: Sorry lose bidding war lose bitcoin and files. Lose Lose. Bid to win! But maybe not total loss. Instead to losers we give consolation prize. If our auction raises 1,000,000 (million) btc total, then we dump more Equation Group files, same quality, unencrypted, for free, to everyone.
Q: Why I trust you? A: No trust, risk. You like reward, you take risk, maybe win, maybe not, no guarantees. There could be hack, steal, jail, dead, or war tomorrow. You worry more, protect self from other bidders, trolls, and haters.
“Elites is making laws protect self and friends, lie and fuck other peoples,” the group continued in describing its apparent motivations for the hack. “Then Elites runs for president. Why run for president when already control country like dictatorship?”
“We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for Elites,” the group added. “Your wealth and control depends on electronic data.”
Foreign Policy laid out the evidence for why the release is being considered potentially legitimate and what exactly was taken:
The set of files available for free contains a series of tools for penetrating network gear made by Cisco, Juniper, and other major firms. Targeting such gear, which includes things like routers and firewalls, is a known tactic of Western intelligence agencies like the NSA, and was documented in the Edward Snowden files. Some code words referenced in the material Monday—BANANAGLEE and JETPLOW—match those that have appeared in documents leaked by Snowden. Security researchers analyzing the code posted Monday say it is functional and includes computer codes for carrying out espionage.
“Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack,” Snowden wrote. “This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server.”
“That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies,” he continued. “Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.”
If it is a hoax, experts have said it would have to be an incredibly elaborate one, with a great deal of effort behind it. The more likely answer at this point appears to be a successful hack.
“It looks very much as if the NSA attacked someone, and that someone managed to source the origin of the attacks, and counter-hacked them,” Claudio Guarnieri, a researcher at the University of Toronto’s Citizen Lab who specializes in state-sponsored malware analysis, told Wired.
The released data dates back to mid-2013, which means the hackers have likely held the material for at least three years, saving it for the right moment. Apparently, that moment is now.