After a never-before-seen group announced it was in possession of a trove of malware developed by the elite hacking arm of the National Security Agency early this week, professional security researchers began working to try and determine whether the code the group released was truly developed by the NSA.
Working off of hints they found in the code, which was released by a group calling itself the “Shadow Broker,” researchers guessed it was authentic—but new documentation straight from the source appears to confirm the code’s provenance.
According to NSA documents obtained by Edward Snowden and reviewed by The Intercept, several elements in the released code line up with details in the agency’s own manuals and materials.
One manual, for example, instructs agents to use a specific 16-character string, “ace02468bdf13579,” to track a certain strain of government-developed malware as it makes its way through networks. That string shows up character-for-character in one of the leaked hacking tools, “SECONDDATE.”
The tool allows the NSA to execute “man-in-the-middle” attacks, which intercept traffic on a network as it’s traveling from its origin to its destination. The agency used it to redirect users who think they’re browsing safe websites to NSA-run servers that infect their computers with malware—and then back to their destination before they know what happened. In a slide deck, the NSA used “cnn.com” as an example of the sort of site it could exploit to deliver its malicious code.
The documents released by The Intercept reveal that SECONDDATE has been used to spy on systems in Pakistan and in Lebanon, where it gained access to data belonging to Hezbollah.
It’s still not clear how the tools leaked from the NSA. Snowden speculated on Twitter that the tools could have been found on a server it used to infect a target, but former NSA staffers interviewed by Motherboard said the leak could be the work of a “rogue insider,” claiming that some of the files in the leak would never had made it to an outside server.