NSA files compromised in Equation Group hack; former agency employees say leak is legitimate: report
Andrew Blake, Washington Times, Aug 17 2016
Computer source code purportedly stolen from the NSA’s hacking division and published online this week appears to be authentic, former members of the Pindo intelligence community said Tuesday. Several former government employees have now vouched for the validity of the documents, more than 300 files said to have been stolen from an entity known as the Equation Group, a team of state-sponsored hackers widely believed to be an arm of the NSA. A former employee of the NSA’s Tailored Access Operations division, the agency’s official hacking team, told the Washington Post on condition of anonymity Tuesday:
Without a doubt, they’re the keys to the kingdom. The stuff you’re talking about would undermine the security of a lot of major government and corporate networks both here and abroad.
A second former NSA TAO employee told the WaPo:
From what I saw, there was no doubt in my mind that it was legitimate.
Individuals calling themselves “Shadow Broker” published the cache of computer code online this week and said they’d provide access to additional files in exchange for millions of dollars in digital cryptocurrency. Shadow Broker said in a statement accompanying the release:
We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons.
But while skepticism concerning the documents’ origins surrounded news reports of their release earlier this week, security experts now say the files appear to be actual exploits from the NSA’s arsenal of cyber weapons. Kaspersky Lab, a Moscow-based security firm that revealed the Equation Group’s existence in a 2015 report, said that the files circulated online this week are “functionally identical and share rare specific traits” with older source code associated with the group. Kaspersky researchers said in a blog post Tuesday:
While we cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group. The chances of all these being faked or engineered is highly unlikely. This code similarity makes us believe with a high degree of confidence that the tools from the ShadowBrokers leak are related to the malware from the Equation Group. While the ShadowBrokers claimed the data was related to the Equation group, they did not provide any technical evidence of these claims. The highly specific crypto implementation above confirms these allegations.
In its 2015 Equation Group report, Kaspersky said its researchers had uncovered “a threat actor that surpasses anything known in terms of complexity and sophistication of techniques.” While the firm fell short of linking the group explicitly to the NSA, subsequent examination of the source code discussed in that report has led various leading security experts to conclude as much due to similarities shared between Equation Group’s available data and known NSA operations and attack methods.
Evidence mounts that NSA computer code was stolen
Tim Johnson, McClatchy, Aug 17 2016
Analysis of the cyber weapons that hackers say they extracted from the top-secret NSA has left a key team of outside experts increasingly certain that the files came from the NSA. The Russia-based Kaspersky Lab, which has been at the forefront of research into NSA techniques, said it found 347 instances of encryption algorithms in the leaked files that had previously been seen only in NSA-linked computer programming. A successful hack of the NSA, if that’s what happened, would mark a major defeat for one of the crown jewels of the Pindo government’s defense establishment. The NSA’s hacking unit has been credited with sophisticated cyber weapons, including the code that is credited with crippling the Iranian nuclear program. A mysterious group calling itself the Shadow Brokers announced over the weekend that it had penetrated the NSA, stolen sophisticated cyber weapons and digital tools, and opened a global auction for the sale of the still-secret most valuable ones. The group released some 300 MB of files to the public for free, and cybersecurity firms and hackers rushed to examine the code in the files, which included malware that would allow a controller to get past the most secure of firewalls. Dave Aitel, a former NSA computer scientist who is chief executive of Immunity Inc., a penetration testing firm in Miami Beach, Florida, said he found Kaspersky Lab’s assessment credible. He noted that:
Kaspersky Lab has been the security firm most prolific in offering public analysis of software traced back to the NSA. They are very reliable. They are very Russian but when it comes to outing a Pindosi toolkit, they are reliable.
In a blog posting late Tuesday, Kaspersky’s global research and analysis team noted that the group “cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be.” But the team said it had taken a look at the “functional capabilities” of the files released by Shadow Brokers and determined that “several hundred tools from the leak share a strong connection” with previous tools linked to the NSA’s elite hacking unit, Tailored Access Operations, which Kaspersky calls The Equation Group. That unit came to light in 2013 with the Snowden leaks. The NSA hacker team designs the algorithms and malware to monitor digital traffic, penetrate computers and activate anything connected to the internet. The Kaspersky blog said the leaked cyber tools use two encryption algorithms, called RC5 and RC6, that employ specific setup routines, and in some variants have “only been seen before with Equation Group malware.” It said:
Comparing the older, known Equation RC6 code and the code used in most of the binaries from the new leak, we observe that they are functionally identical and share rare specific traits in their implementation.
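The “rare specific traits” Kaspersky describes are implementation details that survive compilation, and the Python below is an added illustration of that kind of comparison; it is not code from the article, from Kaspersky, or from the leak. It implements the public RC6 key schedule (which, like RC5, seeds its round keys from the magic constants P32 and Q32), then scans constructed sample “binaries” for how those constants appear. The negated-Q32 form is used here purely as a hypothetical trait to show why arithmetically identical code can still leave a distinguishing mark; it is not a claim about what the leaked tools contain.

```python
"""Added example: crypto-constant fingerprinting as a code-similarity signal.

Not from the article or from Kaspersky. Uses the public RC5/RC6 key-schedule
constants; the sample "binaries" below are constructed byte strings.
"""
import struct
from typing import Dict, List, Set

MASK32 = 0xFFFFFFFF

# Public magic constants from the RC5/RC6 specifications (word size w = 32).
P32 = 0xB7E15163
Q32 = 0x9E3779B9
# Two's-complement negation of Q32 (0x61C88647). "x - 0x61C88647" and
# "x + 0x9E3779B9" are the same mod 2^32, but leave different immediates in a
# compiled binary. Treated here as an illustrative implementation trait only;
# it is an assumption for the demo, not a statement about the leaked code.
NEG_Q32 = (-Q32) & MASK32


def rotl32(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n (mod 32) bits."""
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK32


def rc6_key_schedule(key: bytes, rounds: int = 20) -> List[int]:
    """Standard RC6 key expansion (w = 32); returns 2*rounds + 4 round keys."""
    c = max(1, (len(key) + 3) // 4)
    L = [0] * c
    for idx, byte in enumerate(key):
        L[idx // 4] |= byte << (8 * (idx % 4))  # little-endian word load
    t = 2 * rounds + 4
    S = [P32]
    for _ in range(1, t):
        S.append((S[-1] + Q32) & MASK32)  # the "add Q32" step a compiler may rewrite
    A = B = i = j = 0
    for _ in range(3 * max(c, t)):
        A = S[i] = rotl32((S[i] + A + B) & MASK32, 3)
        B = L[j] = rotl32((L[j] + A + B) & MASK32, A + B)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


# Trait catalogue: a name for each way a constant can show up as a
# little-endian immediate. Real catalogues hold many more (FindCrypt-style).
TRAITS = {
    "rc5_rc6_p32_le": struct.pack("<I", P32),
    "rc5_rc6_q32_add_le": struct.pack("<I", Q32),
    "rc5_rc6_q32_sub_le": struct.pack("<I", NEG_Q32),
}


def fingerprint(blob: bytes) -> Dict[str, int]:
    """Count occurrences of each catalogued constant in a binary blob."""
    found: Dict[str, int] = {}
    for name, pattern in TRAITS.items():
        hits = blob.count(pattern)
        if hits:
            found[name] = hits
    return found


def shared_traits(a: Dict[str, int], b: Dict[str, int]) -> Set[str]:
    return set(a) & set(b)


def jaccard(a: Dict[str, int], b: Dict[str, int]) -> float:
    """Set similarity of the two trait fingerprints (0.0 .. 1.0)."""
    union = set(a) | set(b)
    return len(set(a) & set(b)) / len(union) if union else 0.0


def compare(a: bytes, b: bytes) -> dict:
    """Fingerprint two blobs and report which traits they share."""
    fa, fb = fingerprint(a), fingerprint(b)
    return {"shared": sorted(shared_traits(fa, fb)), "jaccard": jaccard(fa, fb)}


def make_sample(*consts: int, padding: bytes = b"\x90" * 8) -> bytes:
    """Construct a toy 'binary': filler bytes around little-endian immediates."""
    return padding + padding.join(struct.pack("<I", c) for c in consts) + padding


# Constructed samples (not real files): a known family, a newly seen blob
# carrying the same subtract-form trait, and a textbook add-form build.
KNOWN_SAMPLE = make_sample(P32, NEG_Q32)
NEW_SAMPLE = make_sample(P32, NEG_Q32, 0x12345678)
TEXTBOOK_SAMPLE = make_sample(P32, Q32)

if __name__ == "__main__":
    print("round keys:", len(rc6_key_schedule(b"\x00" * 16)))
    print("known vs new:", compare(KNOWN_SAMPLE, NEW_SAMPLE))
    print("known vs textbook:", compare(KNOWN_SAMPLE, TEXTBOOK_SAMPLE))
```

On its own a shared constant proves little, since P32 and Q32 are in every textbook RC5/RC6; the signal comes from the rarer variant of the trait and from how many such traits line up across hundreds of files, which is the argument the Kaspersky post makes.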
The blog added that the company has “a high degree of confidence” that the leaked malware comes from the NSA. Some of the digital tools in the released files carry names like ExtraBacon, Epicbanana and Eligible Bachelor and apparently breach firewall platforms such as Cisco Systems’ PIX/ASA, Juniper Networks’ NetScreen, and FortiGate made by Fortinet. Another researcher who spent two days examining the cyber tools leaked by the Shadow Brokers described his findings as “terrifying.” Brendan Dolan-Gavitt, a computer scientist at New York University’s Tandon School of Engineering, said he’d found code that breaches seven different firewall systems or platforms made by the major manufacturers. The code gives a distant hacker at-will surveillance capabilities. He said:
Think of it as sitting on a chokepoint. You sit and watch everything that passes through.
The coding targets the BIOS that activates when a computer is turned on. Dolan-Gavitt said the malicious coding cannot be removed by turning a computer on or off. Still unknown is whether the Shadow Brokers obtained the cyber tools through a hack or an inside job. Aitel said:
I’d say it’s 50/50 that there was no hack, that it was a Snowden-style leak, or what we would call a spy. Somebody could’ve walked out with a USB key. In some ways, that would have been easier.
Outside observers said that is a constant concern at the agency. Matt Suiche, a French hacker, wrote Wednesday in a blog posting:
The TAO Team had severe concerns about how easy it was to just walk out with the data on a USB drive.
Cyber surveillance tools and weapons would normally be maintained on a physically segregated network that has no connection to the internet. That, in theory at least, should make it impossible for someone to hack into the system from the outside.