A mysterious group that calls itself the Shadow Brokers claims to have hacked into the National Security Agency, stolen powerful cyberweapons and surveillance tools, and put them up for auction.
If true, the claim would indicate that one of the U.S. government’s key agencies for cyberwarfare is itself vulnerable and has fallen into a pitched and escalating battle with a powerful unknown cyber foe, perhaps Russia.
News of the apparent breach came over the weekend when the Shadow Brokers released a limited number of files, claiming they were part of an arsenal “made by creators of stuxnet” and other notorious NSA malware. Stuxnet helped cripple Iran’s nuclear program in 2009 and 2010 by shattering many of its centrifuges.
Neither the NSA nor the Office of the Director of National Intelligence responded to queries about whether the NSA had been penetrated. But several cybersecurity experts took the claims seriously and suggested that the penetration of the NSA marks a watershed moment and is part of rising tensions between the United States and Russia.
Among those backing that view was Edward Snowden, the former CIA employee and NSA subcontractor who in 2013 leaked a trove of secret NSA documents before seeking refuge in Russia.
Snowden tweeted Tuesday that “circumstantial evidence and conventional wisdom indicates Russian responsibility” for the apparent NSA hack, and that the public revelation of the theft is a message that a series of tit-for-tats between Washington and Moscow “could get messy fast.”
Snowden said he believed news of the apparent breach “is more diplomacy than intelligence, related to the escalation around the DNC hack.”
Last month, WikiLeaks published tens of thousands of hacked emails from the Democratic National Committee, days before the Democratic convention in Philadelphia. U.S. intelligence officials later told top members of Congress that two Russian intelligence agencies or their proxies were behind the hack, according to Reuters and other media outlets, though there has been no official determination.
The attempt at public shaming of Russia over election interference preceded this week’s developments, in which both nations appear to be “outing” the other side.
The stolen cybersurveillance tools might help foreign governments do forensics on their own computer systems to determine whether they have been targets of U.S. surveillance efforts, a potentially embarrassing development for Washington.
The files made public revealed tools to get past firewalls and embed in network equipment or software made by Fortinet, Cisco Systems and Juniper Networks in the United States, as well as TopSec, China’s largest information security vendor.
“It’s definitely significant to hack the NSA but if you look at the metadata, you would know that those files that have been provided date back to 2013. Some of the directories are very old,” said Vitali Kremez, a cybercrime intelligence analyst at Flashpoint, a New York security firm.
“One of the exploits was targeting a specific Cisco device, and it was only targeting versions that have actually been outdated and replaced with new ones,” Kremez said.
But Kremez cautioned that it is too early to attribute the hack to Russia.
“It could look like Russia … but it could also not be Russia,” he said. “Somebody is trying to mess with all of that, to create false flags and to make the NSA and the U.S. look bad.”