
Snowden files confirm Shadow Brokers spilled NSA's Equation Group spy tools over the web

Tech world faces summer of emergency security patching

Documents from the Edward Snowden archive prove that the malware and exploits dumped on the public internet on Monday originated from the NSA.

Among the files leaked by whistleblower Snowden in 2013 is a draft NSA manual on how to redirect people's web browsers using a man-in-the-middle tool called SECONDDATE. This piece of software meddles with connections in real time so targets quietly download malware from NSA-controlled servers.

The guide instructs snoops to track SECONDDATE deployments using a 16-character identification string: ace02468bdf13579.

Earlier this week, hackers calling themselves the Shadow Brokers briefly leaked on GitHub an archive of code, claiming the tools were stolen from the Equation Group – which is understood to be a computer surveillance wing of the NSA. It was hard to tell at the time if the software collection was a carefully constructed spoof, or if it truly belonged to the US spying agency.

That archive contained 14 files – including one called SecondDate-3021.exe – that feature the aforementioned ID code from the NSA manual. That top-secret document only came to light today, via The Intercept, five days after the Shadow Brokers uploaded their cyber-haul.

Matthew Green, assistant professor at the Johns Hopkins Information Security Institute, said the appearance of the string in both the manual and the leaked code is “unlikely to be a coincidence.”

According to an internal NSA presentation, SECONDDATE redirects a web user trying to visit a legitimate website – the agency uses as an example – to an NSA-managed server dubbed FOXACID, which scans the target computer and infects it with surveillance and remote-control malware.

The existence of FOXACID has been known since 2013. The new documents – thought to be drafted in 2010 – say it runs, or ran, on Windows Server 2003, and is accessible from the public internet.

SECONDDATE is a component of another piece of attack software dubbed BADDECISION, which is used to infiltrate Wi-Fi networks. A partially redacted presentation titled "Introduction to BADDECISION" says it is designed to attack 802.11 networks, can overcome WPA and WPA2 encryption, and integrates open-source software such as the network traffic analyzer Wireshark and Nmap. To set up man-in-the-middle attacks, the NSA uses a piece of hardware called BLINDDATE, which intercepts wireless traffic.

A 2013 presentation gives two examples of how the system works. Using SECONDDATE and QUANTUM, the NSA's Tailored Access Operations hacking team infected an internal staff network in Pakistan’s National Telecommunications Corporation, and quietly installed surveillance code on four ZXJ10 switches. This networking gear was used to run the country's Green Line communications system, which is used by top military and political figures.

In a separate mission, SECONDDATE was also used to pull over 100MB of data from Hezbollah Unit 1800, a group set up to support Palestinian terrorist groups. The attack, dubbed REXKWONDO, was the first time the agency had been able to get into Lebanon's international gateway routers.

It's going to be an ugly summer

The identity of the Shadow Brokers is a mystery: it could be Russian intelligence, an inside job, or private lunatics preparing to tango with Uncle Sam.

The confirmation of the veracity of the Shadow Brokers archive is bad news for the NSA, but is potentially catastrophic for the rest of us.

Given the size of the archive, and the range of computer security vulnerability exploits it contains, malware authors and hackers are going to be rushing to use the information to crack systems around the world. Any vendor who has kit mentioned in the archive should get patching.

"So the risk is twofold: first, that the person or persons who stole this information might have used them against us," said Green.

"If this is indeed Russia, then one assumes that they probably have their own exploits, but there’s no need to give them any more. And now that the exploits have been released, we run the risk that ordinary criminals will use them against corporate targets."

Some companies, such as Cisco, have already begun the patching process but that's just the tip of the iceberg. In addition to router hacks and other exploits, the archive has files for decrypting Cisco PIX VPN traffic, and implanting malware in PC motherboard firmware in ways that would make it almost impossible to detect or delete.

With the newly published Snowden documents showing that the archive is real, there'll be no excuse for vendors that fail to examine it and patch accordingly. ®
