‘Auction’ of NSA Tools Sends Security Companies Scrambling

FILE - In his June 6, 2013 file photo, the National Security Agency (NSA) campus in Fort Meade, Md. The leak of what purports to be a National Security Agency hacking tool kit has set the information security world atwitter — and sent major companies rushing to update their defenses. Experts across the world are still examining what amount to electronic lock picks. Here's what they've found so far. (AP Photo/Patrick Semansky, File)
The National Security Agency (NSA) campus in Fort Meade, Md. (AP Photo/Patrick Semansky, File)

The leak of what purports to be a National Security Agency hacking tool kit has set the information security world at alert — and sent major companies rushing to update their defenses.

Experts across the world are still examining what amount to electronic lock picks. Here’s what they’ve found so far.


The tool kit consists of a suite of malicious software intended to tamper with firewalls, the electronic defenses protecting computer networks. The rogue programs appear to date back to 2013 and have whimsical names like EXTRABACON or POLARSNEEZE. Three of them — JETPLOW, FEEDTROUGH and BANANAGLEE — have previously appeared in an NSA compendium of top secret cyber-surveillance tools.

The auctioneers claim the tools were stolen from the Equation Group, the name given to a powerful collective of hackers exposed by antivirus firm Kaspersky Lab in 2015. Others have linked the Equation Group to the NSA’s hacking arm, although such claims are extraordinarily hard to settle with any certainty.

The leaked tools “share a strong connection” with the Equation Group, Kaspersky said in an online post late Tuesday. The Moscow-based company said the two used “functionally identical” encryption techniques.

The leaked tools also appear to be powerful, according to a running analysis maintained by Richmond, Virginia-headquartered Risk Based Security. The group said several of the vulnerabilities targeted by the malware — including one affecting Cisco firewalls — were previously unknown, a sign of a sophisticated actor.

Security and networking companies scrambled to investigate the flaws exposed by the auction. Cisco Systems, Inc. issued an urgent update to its software late Wednesday. Fortinet, Inc., a Sunnyvale, California-based security company, also said it was investigating.

Nicholas Weaver, a researcher at the International Computer Science Institute in Berkeley, California, said that the news was terrible for the NSA, no matter the circumstances behind the leak, because companies like Cisco guard critical U.S. infrastructure.

“If the NSA discovered a breach in 2013 and never told Cisco/Fortinet, this is VERY BAD,” he said in a message posted on social media. “If they didn’t know, this is VERY BAD.”

The NSA has not returned repeated messages seeking comment.


The documents have been leaked as part of a surreal online auction by a group calling itself “Shadow Brokers.” Their madcap, Borat-like manifesto rails against the “Wealthy Elite” and the group’s name appears to be a nod to the “Mass Effect” series of video games, where an elusive Shadow Broker traffics in sensitive information.

Few take the name or the manifesto at face value. Many have floated the possibility of Russian involvement, a theory that received unexpected support when NSA leaker Edward Snowden endorsed it on social media.

In a series of messages , Snowden wondered aloud whether the server the data was stolen from might be linked to a U.S. attempt to influence a foreign election. That would be a politically charged development in the context of recent allegations that Russia is trying to tamper with America’s presidential campaign.

The leak looks like a warning that any attempt to point the finger at Moscow over alleged electoral interference “could get messy fast,” Snowden wrote. He did not return messages seeking further comment.

Comae Technologies founder Matt Suiche said the theory of a disgruntled insider couldn’t be ruled out.

In a post, Suiche said he’d been contacted by a former NSA hacker who pointed out that the tools leaked online normally resided on a segregated network and that the way they were named suggests the data was copied directly from the source. Suiche cautioned it was just a theory.

“We’ll never know,” he said in a message to AP.

Repeated e-mails and online messages seeking comment from the Shadow Brokers went unreturned.


Shadow Brokers have already published much of the data they claim to have. The rest — “the best files” — will be released, they claim, to whoever wins the auction.

The content of the files is secret, the group said in its announcement. So, too, is the length of the auction, which it said would end, in its signature broken English, “when we feel is time to end.”

Many dismiss the auction as a stunt.

Hopeful bidders have been invited to send bitcoins — the borderless electronic currency — but as of late Wednesday the address specified by the group had only gathered 1.72 bitcoins, or $981.

It’s more than pocket change. But the group’s stated goal is 1,000,000 bitcoins, or $570 million.

To Read The Full Story

Are you already a subscriber?
Click to log in!