A mysterious group calling themselves the Shadow Brokers claims to have breached an elite hacking team with supposed ties to the National Security Agency.
Downloadable samples of exploit code were posted on several websites Monday, supposedly detailing a series offensive cyber tools reportedly once used by the Equation Group. The group has long been rumored to be affiliated with the NSA.
The Shadow Brokers originally provided code snippets — some of which appeared to be the building blocks of several surveillance tools. In addition, the group demanded millions of dollars in bitcoin for access to the full files.
“We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons,” a message by Shadow Brokers posted to a Tumblr page reads.
Last year, cybersecurity giant Kaspersky uncovered the existence of the Equation Group in an investigative report. While the Russian cybersecurity firm never explicitly stated that the Equation Group was an official NSA offshoot, the groups’ tools and identifiable connection to several high profile data breaches may suggest the existence of a relationship.
A Kaspersky spokesperson declined to comment but said the firm’s malware analysis team is looking into the event.
It remains unclear whether the leaked files are real, who actually posted them and what their motive may be. GitHub, the popular open source code management platform where a number of the tools were posted, removed the content late Monday afternoon.
“We do not allow the auction or sale of stolen property on GitHub. As such, we have removed the repository in question,” a GitHub spokesperson told Cyberscoop.
Several prominent cybersecurity researchers took to Twitter Monday to share their preliminary analysis of the incident — opinions, however, were divided concerning the data dump’s legitimacy.
If the Equation Group were in fact hacked then it would represent a significant cybersecurity incident, according to Claudio Guarnieri, a technologist for Amnesty International, because it has the potential to disrupt what could be ongoing intelligence gathering operations.
“Many breaches only end up publicly disclosing a very small sample of data to show their authenticity, but the Equation Group teaser data includes a significant trove of exploits designed to compromise firewalls,” writes Risk Based Security, a Richmond, Va.-based risk-based cybersecurity consulting firm. “This data alone has incredible value to a wide variety of companies, both offensive and defensive.”
Several cybersecurity firms told Cyberscoop they plan to release research reports in the coming weeks, which will analyze the incident in greater detail.