Has the US National Security Agency (NSA) been hacked in a an unprecedented manner, or is someone playing an elaborate hoax?
That is the question currently confronting the world’s cybersecurity experts, as they try to unpack the announcement by a previously unknown group calling themselves the Shadow Brokers. The anonymous hackers have posted some files and software tools online, claiming they were pilfered from an elite group of cyberwarriors that many experts have linked to the NSA, saying that the "best files" are being held back for auction.
If the breach is genuine, it could turn into a major embarrassment and headache for the NSA. At this point, the cybersecurity community seems in disagreement as to the veracity of the Shadow Brokers’ claims, leading to the conclusion that if it is a hoax, it is a job well done.
"It is extraordinary that a government based (or at least government supported) group would get comprehensively hacked, but there is evidence indicating that this may have actually happened," cybersecurity expert Steven Murdoch of University College London told the BBC.
The group Dr. Murdoch referred to, and the one the Shadow Brokers are claiming to have stolen from, has been dubbed the Equation Group, and is thought to be tied to the NSA. Having remained in the shadows for well over a decade, the outfit received widespread exposure last year after Russian cybersecurity firm Kaspersky published an exhaustive report on their alleged exploits.
In that document, the authors labelled the Equation Group as "probably one of the most sophisticated cyber attack groups in the world" and the most advanced "threat actor" they have seen. They linked them to both the Stuxnet operation, which targeted Iranian nuclear facilities a decade ago, and Flame, malicious code assaulting Middle Eastern states around the same time.
If the group's claims are legitimate, the Shadow Brokers’ move represents the latest in a series of cybersecurity setbacks that the United States itself has suffered, coming close on the heels of repeated attacks targeting the Democratic Party.
Yet this latest incident differs in that the perpetrators appear to be seeking financial gain, implementing a convoluted auction process which promises to release the remaining files to the highest bidder. But the bidding is done in secret. And no bidder receives a refund.
And if the group reaches its target of 1 million Bitcoins – the digital currency in which it is demanding payment, worth an equivalent of more than $500 million – they promise to publicize all the information.
While some security analysts picking through the files released so far do find cause to connect them to the NSA and the Equation Group, they also point out that it is unlikely the Shadow Brokers managed to infiltrate the Equation Group itself. Rather, they might have targeted some kind of a server used by the NSA hackers.
"These files are not fully fake for sure," Boldizsár Bencsáth, a researcher with Hungary-based CrySyS who is widely credited with discovering Flame, told Ars Technica. "Most likely they are part of the NSA toolset, judging just by the volume and peeps into the samples. At first glance it is sound that these are important attack related files, and yes, the first guess would be Equation Group."
Former NSA contractor Edward Snowden has also weighed in on the Shadow Brokers hack in a series of tweets. Snowden suggests that Russia – unhappy about being blamed for the Democratic National Party document leak – may have leaked the NSA cyberweapons in order to send a warning to the US.