Some of the most powerful espionage tools created by the National Security Agency's elite group of hackers have been revealed in recent days, a development that could pose severe consequences for the spy agency's operations and the security of government and corporate computers.
A cache of hacking tools with code names such as Epicbanana, Buzzdirection and Egregiousblunder appeared mysteriously online over the weekend, setting the security world abuzz with speculation over whether the material was legitimate.
NSA bulk phone snooping program shuts down
The US National Security Agency is expected to end its daily vacuuming of millions of Americans' phone records on Sunday and replace the practice with more tightly targeted surveillance methods.
The file appeared to be real, according to former NSA personnel who worked in the agency's hacking division, known as Tailored Access Operations (TAO).
"Without a doubt, they're the keys to the kingdom," said one former TAO employee, who spoke on the condition of anonymity to discuss sensitive internal operations. "The stuff you're talking about would undermine the security of a lot of major government and corporate networks both here and abroad."
Said a second former TAO hacker who saw the file: "From what I saw, there was no doubt in my mind that it was legitimate."
The file contained 300 megabytes of information, including several "exploits," or tools for taking control of firewalls in order to control a network, and a number of implants that might, for instance, exfiltrate or modify information.
The exploits are not run-of-the-mill tools to target everyday individuals. They are expensive software used to take over firewalls, such as Cisco and Fortinet, that are used "in the largest and most critical commercial, educational and government agencies around the world," said Blake Darche, another former TAO operator and now head of security research at Area 1 Security.
The software apparently dates back to 2013 and appears to have been taken then, experts said, citing file creation dates, among other things.
"What's clear is that these are highly sophisticated and authentic hacking tools," said Oren Falkowitz, chief executive of Area 1 Security and another former TAO employee.
The NSA did not respond to requests for comment.
As is typical in such cases, the true identity of whoever put the tools online remains hidden. Attached to the cache was an "auction" note that purported to be selling a second set of tools to the highest bidder: "!!! Attention government sponsors of cyber warfare and those who profit from it !!!! How much you pay for enemies cyber weapons?"
The group also said that if the auction raised 1 million bitcoins - equivalent to roughly $US500 million - it would release the second file to the world.
The auction "is a joke," Weaver said. "It's designed to distract. It's total nonsense." He said that "bitcoin is so traceable that a Doctor Evil scheme of laundering $1 million, let alone $500 million, is frankly lunacy."
One of the former TAO operators said he suspected that whoever found the tools doesn't have everything. "The stuff they have there is super-duper interesting, but it is by far not the most interesting stuff in the tool set," he said. "If you had the rest of it, you'd be leading off with that, because you'd be commanding a much higher rate."
TAO, a secretive unit that helped craft the digital weapon known as Stuxnet, has grown in the past decade or so from several hundred to more than 2000 personnel at the NSA's Fort Meade, Maryland, headquarters.
"NSA is often lurking undetected for years on the . . . [proxy hops] of state hackers," former agency contractor Edward Snowden tweeted Tuesday, ending a mysterious period of silence. "This is how we follow their operations."
At the same time, other spy services, like Russia's, are doing the same thing to the United States.
It is not unprecedented for a TAO operator to accidentally upload a large file of tools to a redirector, one of the former employees said. "What's unprecedented is to not realize you made a mistake," he said. "You would recognise, 'Oops, I uploaded that set' and delete it."
Critics of the NSA have suspected that the agency, when it discovers a software vulnerability, frequently does not disclose it, thereby putting at risk the cybersecurity of anyone using that product. The file disclosure shows why it's important to tell software-makers when flaws are detected, rather than keeping them secret, one of the former agency employees said, because now the information is public, available for anyone to employ to hack widely used Internet infrastructure.
Snowden, Weaver and some of the former NSA hackers say they suspect Russian involvement in the release of the cache, though no one has offered hard evidence. They say the timing - in the wake of high-profile disclosures of Russian government hacking of the Democratic National Committee and other party organisations - is notable.
Tweeted Snowden: "Circumstantial evidence and conventional wisdom indicates Russian responsibility." He said that the disclosure "is likely a warning that someone can prove USÂ responsibility for any attacks that originated from this" redirector or malware server by linking it to the NSA.
"This could have significant foreign policy consequences," he said in another tweet. "Particularly if any of those operations targeted USÂ allies" or their elections.
"Accordingly," he tweeted, "this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks."
In other words, he tweeted, it looks like "somebody sending a message" that retaliating against Russia for its hacks of the political organisations "could get messy fast."
Washington Post