The Github auction included two files. One was free and open for examination. The other, Shadow Brokers said, was for "the party which sends most bitcoins" to their payment address and who would then get the decryption information. The free samples showed that the exploits were quite real, and alarmingly powerful.
The free samples also helped researchers figure out that the exploits had been snatched from an external staging server and not the NSA itself, as many headlines this week incorrectly suggested... in a breach that happened three years ago. See, there's nothing in the dump was newer than October, 2013.
Of course, the press is having its usual, confused feeding frenzy about anything and everything hacking and infosec, leading most people to believe that the NSA itself had actually been hacked. Well, the NSA has not been hacked; the New York Times headline asking if the NSA has been hacked and the Atlantic's stupid "Yup! The NSA Got Hacked" are as egregiously irresponsible as they are uninformed.
Think of it like this: Your local Safeway uses a separate company to buy beer for its store. That buyer "stages" some of Safeway's beer in a storage unit, which is robbed. Only the storage unit was burgled -- but the newspapers are saying that Safeway was robbed, making everyone think the Safeway store was broken into and its security compromised.
Although, there is one thing here: This might solidify a link between Equation Group and NSA: The Washington Post confirmed the authenticity of the tools with two anonymous ex-NSA employees.
The auction page had been sitting there for two days before Hypponen tweeted his discovery. It has since has been removed by Github, as well as Pastebin and Tumblr.
It read, in part:
"How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things."
Shadow Brokers added, "If our auction raises 1,000,000 (million) btc total, then we dump more Equation Group files, same quality, unencrypted, for free, to everyone."
Unfortunately for Shadow Brokers, the auction hasn't exactly been a hit. Losing bidders don't get their money back, and the kitty is only up to 1.5 BTC ($862).
Alex Rice, CTO at bug bounty platform HackerOne, told CSO Online that Shadow Brokers had given a fortune in 0day away for free in that sample file. The exploits could've sold for "north of six figures" each on the grey market to governments (Hacking Team, for example, was a grey market operator). In an incredibly detailed post, Risk Based Security thought the pilfered attacks would've pulled in between $200,000 and a million dollars -- and that's if they'd sold the booty to "good guy" bug bounty buyers.
At Lawfare, Nicholas Weaver explained that the freebie file included eight different exploits and some dead-serious implants that circumvent firewalls, among other things. He also said that the exploits "appear to target Fortinet, Cisco, Shaanxi Networkcloud Information Technology (sxnc.com.cn) Firewalls, and similar network security systems."
The fact that this is all from 2013, which continues to get overlooked in reporting and armchair-activist hysteria alike, is important. This week's headlines saying "oh noes the bad tools are being used now" are bit hyperbolic in light of the fact that these tools are three years old and have likely been used "in the wild" (to a very limited extent) since.
Some of my colleagues in the press are falling all over themselves with another genuine NSA-whodunnit on their hands. So, who is the culprit? Lawfare had three great, rational, sensible, and far-too-practical-for-CNN answers to the question:
"At present, there appear to be three possibilities:
- (1) An insider stole this data.
- (2) An adversary somehow exfiltrated data from a Top Secret system.
- Or (3) an NSA operator, seriously breaches operational security protocols and copied all these files—presumably a substantial part of an 'ops disk'—onto an unclassified system for attack staging and then left it there for four months."
While the sideshows of conspiracy theories and government hyperbole spin-up, Risk Based Security wrote an extremely grounded post. It included this salient section about the timing of it all:
"While technical evidence may be completely lacking and speculation ruling the day, it cannot be ignored that the timing of this leak in the current U.S. political climate is suspect. With the last few weeks of U.S. news dominated by Donald Trump and questionable ties to Russia and Vladimir Putin, as well as Trump's speeches calling for Russia to hack U.S. government resources (in jest or not), it begs the question if the Equation Group leaks are part of a political agenda.
The Register is one of many news outlets to put that theory forward, in addition to hundreds of Twitter denizens. This is the type of speculation that is important to discuss, but prudence demands that it remain part of the discussion until evidence surfaces."
Of course, Edward Snowden struck a few suggestive poses on Twitter while confirming the validity of the finds (hey, it's a living). The sycophantic elite cooed; The Intercept released code from deep in their years-old and coveted treasure trove of Snowden files that matched a couple exploits in the dump.
The Intercept triggered another simultaneous release -- of public anger at the organization's hoarding of critical information on tracking malware strains.
Hacker Matt Suiche has a great post with an ex-NSA analyst, who had many great points, including this one:
"Technically speaking, Edward Snowden is also just speculating and the only major leak we have heard of from the NSA was actually from him and he was an insider. And that media tend to take every 'speculative statements' he makes as a "fact" (which is true, many of my friends complained about it) — especially since the NSA cannot confirm or deny any of those 'facts' publicly."
And that's a much needed dose of common sense in this whole NSA circus revival.