In 'Bizarre' NSA-Linked Hacking Saga, Some Exploits Prove Real

Firewall maker says unveiled zero-day vulnerability still threatens security.

By ABC News
August 18, 2016, 1:11 PM

At least some of the hacking weapons possibly pilfered from an NSA-linked cyberoperation and exposed publicly earlier this week are real and include a zero-day exploit, according to two companies whose products were targeted.

Cisco and Fortinet each said online Wednesday that some of the code published by the mysterious Shadow Brokers targeted older versions of their firewalls but relied on vulnerabilities already fixed in newer releases. More seriously, Cisco said one of the exploits in the dump used a flaw that was unknown to the company until the code appeared online, and that it remains a threat.

If the right configurations are present, Cisco said, the vulnerability "could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system."

Yvonne Malmgren, a spokeswoman for Cisco, told ABC News that the company is directing its customers to workarounds to "mitigate that particular vulnerability" and that a fix is coming "in the near future."

Cybersecurity experts and former U.S. officials who have analyzed some of the code released online by the Shadow Brokers were already convinced that at least some of it appeared very real. Zero-day vulnerabilities, those unknown to the makers of the target software, are particularly valuable on the cyber black market because, by definition, no patch yet exists for them, and any defense must rely on workarounds until the vendor ships one.

The Shadow Brokers — a name that's new to the cybersecurity community and could be a reference to a popular video game — popped up online over the weekend claiming to have broken into the files of another elite hacking team known as the Equation Group. The Equation Group was first identified in February 2015 by the Russian cybersecurity firm Kaspersky Lab, which recently described it as the "apex predator" of the hacking world.

In its initial report, Kaspersky said that the Equation Group "is unique almost in every aspect of their activities: They use tools that are very complicated and expensive to develop, in order to infect victims, retrieve data and hide activity in an outstandingly professional way, and utilize classic spying techniques to deliver malicious payloads to the victims."

Kaspersky also said the Equation Group appeared to have "solid links" with the creators of the cyber-superweapon Stuxnet, which was reportedly the product of a joint U.S. National Security Agency–Israeli intelligence operation. That link, along with Equation Group's reported long-time targeting of Iranian, Russian, Chinese and Pakistani systems, among others, has led observers to suspect the Equation Group is at least connected to the NSA or some Western intelligence agency.

The names of some of the exploits released by the Shadow Brokers refer to operations exposed by former NSA contractor Edward Snowden, but researchers pointed out that since his revelations in 2013, those names have been public information.

The Shadow Brokers announced in stilted English earlier this week that they plan to put the best of the cyberweapons up for auction and that if it nets at least 1 million bitcoins (worth over $560 million), they will release more Equation Group files to the public. As of this report, the auction has pulled in less than $1,000.

It's unclear how the Shadow Brokers got hold of the cyberweapons; the group claims to have "followed" Equation Group traffic to its "source range" and then hacked it.

The question remains whether the Equation Group — or another U.S.-aligned or -allied hacking group, private contractor or intelligence agency — was actually hacked and, more immediately, whether the yet-to-be-released cyberweapons are as real as the teaser code. The Shadow Brokers billed the unseen payloads as "better than Stuxnet," the game-changing worm that physically damaged an Iranian nuclear facility.

Snowden noted on Twitter that date references in the released code end in the fall of 2013, just after he went public with revelations about NSA surveillance operations. He speculated that an NSA "staging server" outside the agency's own network, essentially a holding pen for malware, had been hacked, and that the NSA moved its tools to a different server as a security precaution after he went public, inadvertently but fortuitously cutting off the hackers' access.

Oren Falkowitz, a former NSA hacker with the agency's elite Tailored Access Operations, said he strongly doubted the NSA itself was hacked — a sentiment shared by two other cybersecurity experts who spoke to ABC News.

"I can think of a dozen ways" the tools could have been stolen, Falkowitz said, such as being taken from an outside server or pilfered from an unsecured laptop. The NSA from time to time outsources the development of offensive cyberweapons to private contractors, according to cybersecurity experts.

As for who the Shadow Brokers are, there's only speculation, which runs the gamut from a disgruntled insider at a U.S.-linked group to a sophisticated nation-state like Russia. But the group's public posturing has thrown observers for a loop.

"Revealing the results [of a major hack] in this way is extremely atypical," Falkowitz said. "To do something as childish as hold a public auction with bitcoin ... just seems like not consistent with the way really sophisticated government groups would operate."

"It's really bizarre," he said.

Fortinet did not immediately respond to a request for comment for this report.

[Editor's Note Aug. 19, 2016: In the original version of this report, some references to the Shadow Brokers incorrectly identified them as the Shadow Group. This report has been updated.]