Tuesday, August 16, 2016

Hackers holding stolen NSA cyber tools auction


The teaser data dump appears to contain legitimate attack code, some experts say.

The United States government can’t seem to catch a break in cyberspace.

Hackers claim to have stolen attack code from a team of sophisticated cyber spies known as “the Equation Group,” widely believed to be associated with the U.S. National Security Agency, one of the world’s top intelligence outfits. The hackers have offered to sell their purloined exploits to the highest bidder in an online auction conducted in the cryptocurrency Bitcoin.

Although the alleged breach could just be an extravagant hoax, experts who reviewed a preliminary data dump teased alongside the hackers’ garbled sales pitch said that the files, amazingly, looked authentic. “This appears to be legitimate code,” Matt Suiche, a French cybersecurity entrepreneur, wrote in a Medium blog post, echoing what others had posted on Twitter TWTR -2.54% .

Get Data Sheet, Fortune’s technology newsletter.

“We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see,” the hackers wrote Saturday on the code-sharing site Github, as well as on Yahoo-owned Tumblr YHOO -0.94% (both later taken down). “This is good proof no? You enjoy!!!”

The lifted goods include exploits allegedly designed to target firewalls and equipment produced by Cisco CSCO -0.11% , Juniper Networks JNPR -1.08% , Fortinet FTNT 3.22% , and Topsec, a Chinese firm. The latest file modifications appear to date back to 2013, and names are consistent with NSA programs leaked by whistleblower Edward Snowden that year, such as “BANANAGLEE,” “EPICBANANA,” and “JETPLOW.”


Among the sample files released by the group are exploits that target equipment sold by companies including Cisco, Juniper, Fortigate and Topsec, a Chinese network security firm, according to Matt Suiche, founder of UAE-based incident response and forensics startup Comae Technologies. Suiche says those exploits attack older versions of the equipment and don’t use “zero-days”—previously undiscovered flaws in target software or hardware. But he believes they had nonetheless remained unpublished until now and hadn’t been included in public collections of exploits like the tool Metasploit.

All of that weighs against any theory that the leaked data is a mere scam to score a few quick bitcoins. “To create [all this evidence] from scratch, it’s very unlikely but not impossible,” says Suiche. “It seems pretty legitimate to me, and I’m not the only one.”

On the other hand, the Shadow Brokers group certainly doesn’t seem to be running its auction in a very professional fashion. They require bidders to send cryptocurrency blindly to their bitcoin address, with no hope of getting their coins back if they don’t submit the winning bid. “Sorry lose bidding war lose bitcoin and files. Lose Lose. Bid to win!” the message reads. But it also promises a “consolation prize” to all bidders and adds that if bids reach the ludicrous sum of one million bitcoins, they’ll publicly release another trove of high quality data.

“Why I trust you?” reads another question in their FAQ. “No trust, risk. You like reward, you take risk, maybe win, maybe not, no guarantees.”

The Shadow Brokers’ page ends with a long message to “wealthy elites,” arguing that the tactics of hackers like Equation Group could put their control of global politics at risk, and suggesting that they too should bid on the stolen files. “We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control,” the Shadow Brokers’ message reads.

The haphazard auction and political message present a jarring disconnect: Any hackers capable of compromising the Equation Group or another NSA hacker team would likely have to be extremely sophisticated; the Equation Group, after all, went not only uncompromised, but undetected for 14 years, a remarkable track record of stealth and operational security for a team believed to have attacked targets from Russia to Belgium to Lebanon. Anyone capable of finding NSA hackers’ infrastructure, not to mention penetrating it, would likely have to possess government-level resources and talent.


Blog Widget by LinkWithin