Modern field guide to security and privacy

Russia emerges as prime suspect in apparent NSA hack

A previously unknown group dumped a cache of hacking tools on the web that appear to be from the National Security Agency. Now, cybersecurity experts say Moscow is once again behind a cyberattack on the US.

An undated aerial handout photo shows the National Security Agency headquarters building in Fort Meade, Maryland.

Hacking tools apparently purloined from the National Security Agency's cache of cyberweapons and dumped online this week raises troubling questions about the motives and means behind the attack.

While some experts say more information and analysis is necessary to determine the origin or incentives of the leak by an anonymous group, many cybersecurity experts and former NSA employees are drawing a direct line back to Moscow.

In fact, some say that exposing the agency's stockpile of custom-made malware is an effort to deter the US government from retaliating against Russia over the recent Democratic National Committee hack, which US officials and many technical experts have blamed on Kremlin operatives. 

"We talk a lot about cyberdeterrence," says Dave Aitel, chief technology officer at security firm Immunity and a former NSA research scientist. “This is what it looks like.”

A previously unknown group calling themselves the Shadow Brokers released the stockpile of top secret computer hacking tools and exploits that it claimed to have obtained from the Equation Group, the moniker for a group that many believe is actually the NSA.

Security researchers who have examined the leaked hacking tools believe they are authentic. They say the tools are likely for use by the NSA to penetrate the network firewalls that many corporations or government agencies use to protect their servers from external attacks. The cyberweapons are apparently designed to target products from several large vendors of networking equipment including Cisco and Juniper.

Kaspersky Lab, one of several security firms that have analyzed the leaked tools, said code from the Shadow Brokers leak shares a strong connection with code from the Equation Group. The leaked malware reveals encryption techniques that are identical to those employed by the Equation Group, which indicates they probably came from the same source, according to Kaspersky. 

Other researchers who tested the malware said the software appeared to work as intended and would give attackers a way to bypass firewalls and to spy on network traffic at target organizations.

In releasing the cyberweapons, the Shadow Brokers claimed it had in its possession a much larger – and presumably more damaging – cache of stolen data from the Equation Group that it would auction off to the highest bidder or release for free if the auction raised the equivalent of about $550 million.

The antisecrecy website WikiLeaks meanwhile announced that it obtained the full cache of code and would release it publicly soon.

It is unclear how the Shadow Brokers obtained the data, but it is highly unlikely that they managed to actually break into the NSA’s networks, Mr. Aitel says. What is more likely to have happened is that someone within the NSA transferred a file containing the tool kits to an external and less protected computer system, which was subsequently hacked.

Another possibility is that an insider with access to the data swiped it in much the same way that Edward Snowden stole vast amounts of the NSA's secret documents. In fact, most of the leaked tools date back to 2013, around the time the NSA began tightening its security protocols after Mr. Snowden's leaks.

It's likely that whoever is behind the theft, accessed and removed the data from NSA servers before the agency tightened security, Aitel said.

Either way, whoever is behind the attack wants to send the message, "We hacked the NSA," said Nicholas Weaver, a security researcher at the International Computer Science Institute at the University of California, Berkeley. 

There's also an important blackmail component to the Shadow Brokers operation, he said. The group distributed two encrypted bundles this week, one with the decryption key as the "proof" files and the other missing that key.

"This latter one is basically a explicit threat," Mr. Weaver said. "There are now thousands of copies of this file all over the world and the actor behind Shadow Brokers can, with just a single tweet, ensure that the world knows what is in those files."


You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Russia emerges as prime suspect in apparent NSA hack
Read this article in
QR Code to Subscription page
Start your subscription today