Claimed NSA hacker outfit Equation group confirmed to be breach victim.
One of the most interesting hacks in recent memory is almost certain to be a compromise of infrastructure operated by an ultra-elite hacking group thought to be the United States’ National Security Agency.
The breach involves the public release of more than 300 files that showcase a host of exploits against companies including Cisco and Fortinet, plus tools known to be part of the National Security Agency’s arsenal.
Initial analysis by the likes of Kaspersky Labs, NSA whistleblower Edward Snowden, and a host of independent security researchers shore up claims by a hacking group calling itself Shadow Brokers that the exploits and toolsets it hopes to auction for millions of dollars in Bitcoins are legitimate Equation group weaponry.
Kaspersky Labs last year revealed the Equation group to be almost certainly a state-sponsored actor and, according to deep analysis of its activities, highly likely to be a wing of the National Security Agency given a series of very striking operational and technical similarities.
It is a group that until February last year had conducted global hacking campaigns of the highest sophistication in complete stealth including interdiction attacks and persistent hard disk firmware re-writing using a suite of unique malware families.
Its attacks had gone unnoticed for more than 14 years.
Now the same Kaspersky Labs analysts who revealed Equation group confirm it has been compromised in the Shadow Brokers breach.
“This code similarity makes us believe with a high degree of confidence that the tools from the ShadowBrokers leak are related to the malware from the Equation group,” researchers from Kaspersky Labs’ GReAT research team say.
The team’s confirmation is based on “highly specific crypto implementations” which link the files in the online dump to those found as part of the February Equation Group research.
That encryption uses an unusual implementation of negative RC5 and RC6 algorithms.
Both Equation Group files and those in the online dump use a subtract operation with the constant 0x61C88647 which speeds certain hardware.
“The dumped files contains some 20 different compiled versions of the RC5 / RC6 code in the Equation group malware,” Kaspersky researchers say.
Separate security research efforts have confirmed some of the exploits contained in the sample dump.
The breach, if Kaspersky’s analysis is correct, does not mean the NSA has been hacked or compromised in a traditional sense.
Rather it appears likely the hack is a 2013 compromise of a command and control server which harboured the dumped tools and exploits, a feat which intelligence boffins say is not uncommon.
Analysis of time stamps shore up the argument.
The last known file access date of around June to October 2013 coincides with the time Snowden fled the US to reveal the extent of the NSA’s global spying apparatus.
The former NSA analyst explains that the agency may have cycled servers used in offensive operations after he fled out of caution, an act that would have cut off any attacker with a foothold in command and control boxes.
The compromise of NSA intelligence command and control servers is uncommon but not unheard of in intelligence circles, says Snowden and other security figures, but the publication of the files found within, known as take, is unprecedented.
Snowden suggests the auction is a ruse, and attackers are using the dump as a warning shot to the NSA.
Any compromise of civilian or military infrastructure that is subsequently linked to the breached command and control server will be tied to the NSA, the theory goes.
This could be a veiled threat by Russia to the NSA should it retaliate for the Democratic National Committee attacks, Snowden suggests.
Attribution is a difficult game, much troubled by false flag operations and the difficulties of linking a single compromise to a real world identity.
But linking the Equation group attack to Russia is not fanciful, because the attack requires a large amount of resources and expertise. You’d also need to be highly-motivated to pull it off.
The auction, as most attempts to sell breached data go, has fallen flat.
About $70 was raised of the ceiling-less goal put in the tens of millions of dollars.
That failure would mean little to an attacker motivated by something other than cash. ®
Sponsored: 2016 Cyberthreat defense report