Shadow Brokers' leaked files confirmed real by Snowden docs

News by Max Metzger

A dubious offering by a dubious group calling themselves The Shadow Brokers has been at least partly legitimised by documents from Snowden's 2013 leak.

The Snowden files have apparently confirmed that a series of openly auctioned cyber-weapons do belong to the US National Security Agency (NSA).

The Shadow Brokers' claims were apparently verified by a draft NSA manual leaked as part of the large tranche of internal files taken by whistleblower Edward Snowden in 2013. The manual details a tool called SECONDDATE, which tricks its targets into downloading malware by redirecting users from legitimate websites to a server called FOXACID, which then installs NSA malware onto the targeted machine.

This is supposedly the same tool referenced in the taster dump that the Shadow Brokers offered for sale last week. The Intercept, an investigative outlet, made the revelation recently, adding that 14 references to SECONDDATE were found in the recent dump.

The group emerged last week, when it offered a taste of what it said was a much larger tranche of information on cyber-weapons from the Equation Group, an APT group believed to be controlled by the NSA and supposedly implicated in large campaigns like Stuxnet and Duqu.

The Brokers wrote on Pastebin: “How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame.”

They added, in broken English: “We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files”.

The group posted a small sample of the full tranche it claims to possess, offering ‘the best' parts to the highest bidder. However, it is auctioning the information in a rather strange way: losing bids will not be returned, and if the Shadow Brokers receive a total of one million bitcoin, the whole tranche will be dumped publicly.

The connection between the Equation Group, the APT from which the cyber-weapons were supposedly taken, and the NSA had been questioned before; this new disclosure supposedly supports it. The link was previously considered dubious because concretely attributing cyber-attack actors to the governments behind them is notoriously hard.

Snowden himself took to Twitter to give some context to the Shadow Brokers' offering. In light of the Democratic Party hacks revealed over the last couple of weeks, the NSA whistleblower said that these new disclosures are likely a roundabout way for the Russian state to discreetly tell American politicians not to push the ‘Russia did it' line too hard.

Ewan Lawson, a senior fellow for Military Influence at the Royal United Services Institute, largely agreed with Snowden and told SC that “this would look like an effort by Russia to point out what they perceive as US hypocrisy in cyber-space. It feels as if the stakes are very definitely being raised.”

A salvo of accusations headed the Kremlin's way after the American intelligence community, the Clinton presidential campaign and a series of cyber-security companies said that the massive tranche of documents taken from the Democratic Party was likely stolen by a group working for the Russian state.

Snowden added that the cyber-weapons on offer were likely left behind through the carelessness of NSA hackers, who are routinely told to remove their tools from systems they have penetrated but sometimes do not.

Last week, Ed Geraghty, technologist at Privacy International, told SC that “this dump highlights how vulnerable critical government and corporate networks all over the world are, due to the stockpiling of vulnerabilities by government agencies. By holding on to vulnerabilities, rather than advising vendors who would fix them, governments act adversely to the security of their own citizens and businesses, whilst fueling a lucrative commercial market for such vulnerabilities.”

The reason to hold on to these vulnerabilities, he said, “is to enable offensive capabilities, rather than defensive - in other words, surveillance agencies want to harvest information about system vulnerabilities so they can hack those systems whenever they want to.”
