NSA whistleblower Edward Snowden reckons Russia is the most likely suspect behind the leak of advanced hacking tools allegedly stolen from an elite NSA hacking unit. He postulates a complex motive for the leak involving gaining diplomatic leverage that wouldn’t look out of place in a modern retelling of a John le Carré novel.
A previously unknown group of hackers calling itself Shadow Brokers last week offered samples of data it claims to have stolen from the Equation Group, an elite cyber attack unit linked to the National Security Agency (NSA). Shadow Brokers said that the data dump was a sample of what had been stolen from hacking Equation and said that the “best” files would be auctioned off to the highest bidder.
In a series of tweets, Snowden expanded on a theory that Russia was behind the hack and subsequent leak, positioning it as a bold diplomatic gambit designed partly to deflect sanctions over Russia’s alleged involvement in a recent hack against the US Democratic Party. He stated that it’s common practice for intel agencies to hack each other’s malware delivery infrastructure.
“NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is,” Snowden said. “Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.”
“Circumstantial evidence and conventional wisdom indicates Russian responsibility,” according to Snowden.
Snowden - who’s resident in Russia and appears to have put attempts to seek asylum elsewhere on indefinite hold - speculates that the hacking group behind the leak might be serving a “warning that someone can prove US responsibility for any attacks that originated from this malware server”.
“This may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks,” he added.
He concluded: “This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast.”
An analysis by Symantec of the leaked files concludes that they appear to be installation scripts, configuration files, and exploits targeting a range of routers and firewall appliances. Most of the files appear to be several years old, dating back to between 2010 and 2013. Confidence in the authenticity of what’s been leaked so far has been bolstered by a decision by networking firms Cisco and Fortinet to release patches in response to Shadow Brokers’ leak.
A similar analysis by Kaspersky Lab led analysts to conclude “with a high degree of confidence that the tools from the Shadow Brokers leak are related to the malware from the Equation Group”. ®