The perpetrator behind the dumping of tools penned by the probably-the-NSA hacking squad called "Equation Group" appears to be a native English speaker, according to linguistic data researcher Shlomo Argamon.
Earlier this month some 300 files were circulated online purporting to be stolen from the Equation Group, which is thought to be an offensive Tailored Access Operations wing of the NSA given similarities in tools and techniques.
Those files were confirmed to be working exploits, zero-days, and tools largely ascribed to the NSA.
The breach cache was part of a larger stash that accompanied text describing a bitcoin auction at the conclusion of which the decryption key to unlock the remaining files would be handed to the highest bidder.
The script appeared to be written by an author with a slippery command of English, and was riddled with grammatical and structural errors.
Argamon, a researcher with Taia Global and computer science professor at the Illinois Institute of Technology, says initial analysis of the sentence structure and grammatical errors indicates a false flag, as the errors appear to have been deliberately introduced by a native English speaker.
"The texts contain a variety of different grammatical errors that are not usual in the English of US native speakers," Argamon says in analysis.
"While no one of these factors is dispositive, the cumulative effect of these multiple lines of evidence leads to the conclusion that the author is most likely a native speaker of US English who is attempting to sound like a non-native speaker by inserting a variety of random grammatical errors."
The author has used sentence structures correctly in some parts while introducing errors where the same phrases are used elsewhere.
There are no erroneously autocorrected words, such as replacing "consultation" with "Cupertino".
Idioms characteristic of native English speakers and uncommon for those with a looser command of the language were used, with awkward errors appearing to be inserted, such as the phrase "or bid pump price up".
Argamon says the author's native tongue could be a Slavic language such as Russian or Polish, but that is far less likely than the writer being a native English speaker.
One theory posited by NSA leaker Edward Snowden is that the authors are Russian spies who leaked the contents of an NSA command and control server they hacked in 2013.
The theory continues that the Russians have taken the unprecedented action of dumping the contents publicly in a veiled threat to the NSA after the Democratic National Committee breach, which the US blames on Moscow. Another possible motive is to draw attention to the American spy agency should any subsequently discovered attacks be linked to the hacked command and control server.
Rival theories are emerging that the leak is the work of insiders. Motherboard cited unnamed NSA sources saying the work reeks of insiders, and that the neat documentation of the dumps suggests the caches were stolen from within the spy agency. ®