NO JOKE

Russia appears to be behind a hacker group that says it stole the NSA’s “cyber weapons” to auction them online

By Joon Ian Wong

Earlier this week (Aug. 15) a group calling itself the Shadow Brokers said it had obtained a cache of “cyber weapons” created by the US National Security Agency (NSA). It was auctioning the files for bitcoin, and if the process raised a million bitcoins ($575 million), it promised to decrypt the files and dump them in public for all to use.

The announcement, posted on Verizon’s Tumblr service and several other websites (it has since been deleted, but here’s a cache), was greeted with derision at first. An unknown entity claiming to have breached the defenses of the vaunted Equation Group? The very group thought to be an elite unit of the NSA that’s been operating in secret for decades? (A famous example of a cyber weapon often attributed to the Equation Group is Stuxnet, a piece of malicious software that sabotaged machinery at Iran’s Natanz uranium enrichment plant in 2009.)

Surely this was a hoax at best, and a scam at worst.

Much about the announcement didn’t add up. If the hackers wanted to maximize profits, why would they promise to make the tools public if they hit an auction milestone? Why was the announcement written in convoluted broken English, with a tacked-on screed attacking “wealthy elites”? It almost read like a parody hacktivist manifesto. No one took it seriously, and that showed in the trickle of tiny bids for the purported cyber weapons.

But then researchers started examining the code snippets and the free samples the Shadow Brokers had posted. The programming looked authentic. It was complex and, more significantly, it seemed to match code linked to the NSA in the past.

Then Edward Snowden, the NSA contractor-turned-whistle-blower whose disclosures have revealed details of the Equation Group’s tools, weighed in. “Circumstantial evidence and conventional wisdom indicates Russian responsibility,” he tweeted. Further bolstering the hack’s credibility, the networking giant Cisco issued a security notice to its customers, confirming that two of the exploits from the Shadow Brokers affected its software.

The Shadow Brokers cache now appeared to be a genuine trove of secret NSA weapons, stolen by hackers linked to Russia. They weren’t a joke anymore.

As Snowden indicated, the link to Russia is based on circumstantial evidence: Expert observers say that if the code was really stolen from the NSA, then only a powerful government-backed hacking effort could be behind it. Russia is thought a likely candidate because of its suspected links to hacks around the US presidential election, including emails stolen from the Democratic National Committee.

“The real problem for us is that the Russians seem to have taken the gloves off in the cyberdomain,” James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, told the New York Times (paywall).

The potential damage from the Shadow Broker files may be limited. Researchers believe that the newest files are from 2013, just after Snowden made his disclosures public. It’s believed that the hackers were lurking on NSA servers until that time, but then had their access removed when the agency changed its security procedures in the wake of Snowden’s leaks.

But the notion that hackers had infiltrated the NSA’s servers hints at a dark future for digital warfare. As the security researcher Nicholas Weaver notes: “I’d imagine that the folks at NSA are having rather unpleasant conversations about what the other encrypted file might contain, and what other secrets this attacker may have gained access to … And—most chillingly—what else might be released before this war of leaks is over?”