Ed Snowden Explains Why Hackers Published NSA's Hacking Tools

from the you-break-many-things. dept

Yesterday, the news broke that a "mysterious" hacking group had gotten its hands on some NSA hacking tools and was releasing some of the tools as proof (it was also demanding lots of Bitcoin to reveal more). The leak came with a neat little message that feels like it was written by a Hollywood script writer trying to sound Russian.
How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.
You break many things indeed! (For what it's worth, it appears that GitHub and Tumblr both killed the accounts where whoever hacked this stuff first posted it).

The files that were leaked were mostly installation scripts, but also exploits designed for specific routers and firewalls. And, it's noted, that some of the tools named line up with previously leaked NSA codenames. One other interesting point from the Motherboard link above: the files are a bit dated:
The most recent file is dated June 2013, though the hackers could have tampered with the dates. Dmitri Alperovitch, the co-founder of security firm CrowdStrike, theorized that “the leakers were probably sitting on this information for years, waiting for the most opportune time to release.”
Of course, June 2013 is interesting for another reason. That's when Ed Snowden passed on his documents to a small group of reporters and the very first stories based on the Snowden leaks started. So it seems noteworthy that Snowden has put together a bit of a tweetstorm for his take on the hack and release of the hacking tools. To make it easier to read, we've put it all together here:
The hack of an NSA malware staging server is not unprecedented, but the publication of the take is. Here's what you need to know:

NSA traces and targets malware C2 servers in a practice called Counter Computer Network Exploitation, or CCNE. So do our rivals. NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations. This is how we steal their rivals' hacking tools and reverse-engineer them to create "fingerprints" to help us detect them in the future.

Here's where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us -- and occasionally succeed. Knowing this, NSA's hackers (TAO) are told not to leave their hack tools ("binaries") on the server after an op. But people get lazy.

What's new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is.

Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack. Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here's why that is significant: This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections. Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.

TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast.

Bonus: When I came forward, NSA would have migrated offensive operations to new servers as a precaution - it's cheap and easy. So? So... The undetected hacker squatting on this NSA server lost access in June 2013. Rare public data point on the positive results of the leak.

You're welcome, @NSAGov. Lots of love.
Sure, it's speculation, but it's pretty informed speculation and it makes a lot of sense. There's still plenty of talk about what to do about the DNC hack, and we've talked about "cybersecurity firms" (who profit from FUD and scare stories) arguing that we should "declare cyberwar" on Russia based on loose attribution. But, as Snowden notes, this hack and partial release could very well be a warning shot that escalation won't end up looking good for the US if they go that route.

Reader Comments

Subscribe: RSS

View by: Time | Thread

  • identicon
    Baron von Robber, 16 Aug 2016 @ 12:15pm

    DNC hacks seem to lead to Russia state sponsor.
    Putin says he favors Drumpf.
    Ivanka pictured with alleged girlfriend of Putin.
    Manafort putting up Putin backed ruler of the Ukraine.
    Now this from Snowden.

    I feel like like I'm reading a Tom Clancy book.

    Have I infringed?!

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 16 Aug 2016 @ 12:47pm

    All this confusion and cloak and dagger tricks. If only there was an administration that was transparent and open.

    reply to this | link to this | view in chronology ]

  • identicon
    SpaceLifeForm, 16 Aug 2016 @ 1:14pm

    Not convinced ES has this correct

    I would suspect another party.

    reply to this | link to this | view in chronology ]

  • icon
    Unfrozen Caveman (non-lawyer) (profile), 16 Aug 2016 @ 3:15pm

    Is it daft to think this could be another self-inflicted wound to try to paint ES in a bad light? He is gaining more and more support. As the author points out, the overdone accent-in-text seems very contrived indeed, and the intersection of ES/Russia in context of the US Gov secrets being exposed will certainly have the toothless inbreeds reaching for their pitchforks and shouting for Ed's head again, won't it?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 16 Aug 2016 @ 4:28pm

    so our butt's in the crack again? not a surprise.

    when will we ever learn? when will we ever learn?

    reply to this | link to this | view in chronology ]

  • icon
    David (profile), 16 Aug 2016 @ 4:39pm

    1 million bitcoins?

    Seems like the writer forgot to check how much that is (supposedly) worth?

    Sure, pick up a half a billion in cash from the drawer. No problem.

    reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 17 Aug 2016 @ 8:45am

      Re: 1 million bitcoins?

      There are a number of nations that could come up with half a billion for this without much problem.

      But I suspect that they aren't really as interested in selling the stuff as they are in sending a signal that they could sell the stuff.

      I agree with Snowden in that the way all this went down only really makes sense if its part of a political play. This is about message more than the actual tools.

      reply to this | link to this | view in chronology ]

  • identicon
    Rocket J. Squirrel, 17 Aug 2016 @ 2:56pm

    Is anyone else feeling a twinge of nostalgia ...

    ... for Boris and Natasha?

    reply to this | link to this | view in chronology ]

  • icon
    GEMont (profile), 17 Aug 2016 @ 4:30pm

    Spy VS Spy Cartoons

    So, in short, one gang from one nation is warning another gang that runs another nation, that should the 2nd gang continue to expose the crimes of the first gang's members, the first gang will then leak information exposing the crimes of the second gang's members.

    Two criminal organizations, just making sure that both stay within the bounds of their populace fleecing gentleman's agreement, in the only way they know how.

    Nothing new to see here folks.


    reply to this | link to this | view in chronology ]

  • identicon
    Joe K, 19 Aug 2016 @ 5:10pm

    You break many things. You find many intrusions. You write many words.

    Hollywood-Russian? Really?

    It sounds more like the English translations of classic asian martial arts movie dialogue.

    reply to this | link to this | view in chronology ]

  • identicon
    Reak1, 25 Sep 2016 @ 1:41am



    reply to this | link to this | view in chronology ]

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Special Affiliate Offer

Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.