Snowden Docs Support Claim NSA Cyberweapons Stolen, Report Says
Former top NSA official says apparent hack is "unfortunate."
— -- Documents stolen from the National Security Agency by former contractor Edward Snowden support the claim that the cyberweapons apparently pilfered from the espionage agency and put up for auction online this week are the real deal, according to a report in The Intercept.
The Intercept, whose reporters have access to the trove of information Snowden took from the NSA in 2013, wrote today that a top secret NSA manual that has never been made publicly available contains the same 16-character alphanumeric string that appears throughout a portion of the code released online earlier this week by the mysterious group calling themselves the Shadow Brokers. The relevant code was part of a program dubbed SECONDDATE that was used to spy on Pakistan and a computer system in Lebanon, The Intercept reported.
Chris Inglis, former deputy director of the NSA until 2014, told ABC News he wouldn't have visibility into specific cyber toolkits used by the NSA, but he said it would be "unfortunate" if the ones published online belonged to the elite hackers at his former longtime employer.
"It's an investment that's hard-won, intellectual capital and real money. But is it a reality of present circumstances? Absolutely. So NSA needs to figure out how to recover and move on," said Inglis, now a professor at the U.S. Naval Academy and on the advisory board at the cybersecurity firm Securonix. "I'm not sure that that's the case here, that this is NSA, but if it were, I would say NSA is probably just saying, 'Got it. We've got to move on more quickly than we thought we needed to.'"
Inglis said he doubted that the NSA itself was hacked and suggested the Shadow Brokers obtained the code possibly from an external server -- a theory floated by Snowden on Twitter -- or through some other means. A former member of the NSA's hacking squad Tailored Access Operations, Oren Falkowitz, told ABC News Thursday he could think of "a dozen ways" the powerful malware could've fallen into the wrong hands.
Inglis said one thing the NSA will be doing now is attempting to find out if any of the exposed code -- or the still-hidden code the Shadow Brokers claim is more sophisticated -- could affect ongoing operations, whether it's a matter of "current capability". Researchers who have analyzed the released code have said date references end on the fall of 2013, indicating that's when the code was stolen or when hackers' access to the data was cut off.
"NSA lives in a world where whatever capabilities it brings to bear necessarily age off, either because the technology moves on or because the operational practices of the adversaries -- whether it's terrorists or rogue nations, I mean all of the things we are legitimately authorized to go after -- they change," Inglis said. "The notion of a static capability that you can preserve over years' time, that's gone. You simply cannot do that."
"Three years is a very long time," he said. "Just think about how quickly technology turns over."
While initially split on whether the Shadow Brokers hack was real when it was announced earlier this week, consensus has grown among security experts and former U.S. officials that at least the teaser code that has been released in full is legitimate -- especially after two major cybersecurity firms publicly acknowledged that some of the code would have affected their legacy firewall products and, in one case, was still a threat to current users.
The Shadow Brokers, who are unknown to the cybersecurity community and whose name could be a reference to a popular videogame, claimed to have hacked systems used by the Equation Group, a high-level hacking team that a Russian cybersecurity firm said had links to cyberattacks that were separately attributed in media reports to the NSA. The Russian firm, Kaspersky Lab, reported this week they found a "strong connection" between the cyberweapons exposed by the Shadow Brokers and their previous work on the Equation Group, which they called the "apex predator" of the cyber world.
Inglis declined to say whether Equation Group was a secret NSA hacking squad. He said they "seem to be quite capable and disciplined, and if you're going to unleash a group of people in this space, you need to make sure that they're both."
"Whoever they are, I hope that they're on our side," he said.
The Shadow Brokers claim to have taken a whole host of cyberweapons from the Equation Group and are hosting an online auction in bitcoin in order to sell off the most valuable ones.
As for who the Shadow Brokers are, there's only speculation, which runs the gamut from a disgruntled insider to a sophisticated nation-state like Russia. But the group's public posturing has thrown observers for a loop.
"Revealing the results [of a major hack] in this way is extremely atypical," former NSA hacker Falkowitz told ABC News Thursday. "To do something as childish as hold a public auction with bitcoin ... just seems like not consistent with the way really sophisticated government groups would operate."
"It's really bizarre," he said.