A group calling itself the “Shadow Broker” posted a trove of files online Monday, claiming it contains cyberweapons stolen from hackers called the Equation Group—allegedly the elite hacking arm of the National Security Agency.
The announcement appeared in broken English on a Tumblr account—now inactive but preserved in Google’s caches—along with two encrypted file archives available for download. “Shadow Broker” provided the password for one of the archives to prove the files’ authenticity, but demanded payment in Bitcoin for the password to the second archive.
We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.
The Equation Group, so named by Russian cybersecurity company Kaspersky Labs for consistently using advanced encryption, is said to have been behind Stuxnet, the state-sponsored virus that attacked Iranian nuclear centrifuges in 2009.
Security researchers who examined the “Shadow Broker” files found actual hacking tools that exploit vulnerabilities in common pieces of internet infrastructure. They have catchy names like EPICBANANA, EXTRABACON, ELIGIBLEBACHELOR, and EGREGIOUSBLUNDER.
Nicholas Weaver, a computer-science professor and researcher at the University of California, Berkeley, wrote Tuesday that the data dump seems real—and that it was probably snagged from an NSA server.
Because of the sheer volume and quality, it is overwhelmingly likely this data is authentic. And it does not appear to be information taken from compromised targets. Instead the exploits, binaries with help strings, server configuration scripts, five separate versions of one implant framework, and all sorts of other features indicate that this is analyst-side code—the kind that probably never leaves the NSA.
Nearly all the files, however, appear to be older than June 2013, suggesting that “Shadow Broker” may have lost access to NSA files around then. Snowden commented on Twitter about the timing: That’s the same month he began leaking valuable government documents. He predicted that the agency may have migrated its offensive capabilities to new servers as a precautionary measure, thereby kicking out any intruders.