An anonymous group this week dumped a cache of hacking tools allegedly linked to the National Security Agency (NSA) on the Internet, claiming it has another set of files for release to the highest bidder and raising speculation that Russia is behind yet another high-profile attack.
Although questions continue to swirl around the release, its attribution, and motivation, some experts say it points to Moscow’s efforts in the cyber realm. This is just the latest incident which suggests a possible Kremlin link, following on the heels of the Democratic National Committee hack, according to James Lewis, a senior vice president and director of the Strategic Technologies Program at CSIS.
“The Russian doctrine is to use cyber techniques for political purposes, what they call opinion shaping,” he said. “We tend to think of hackers, geeks, and people in front of their computers — but this is a political operation intended to shape global and American opinions that damage the U.S. and protect Russia.”
“This is part of a Russian campaign to confuse and to disrupt,” Lewis added.
A group dubbing itself The Shadow Brokers released on the web a trove of code and exploits it claimed it had stolen from the so-called Equation Group, an elite hacking unit that Russia-based security firm Kaspersky Lab reported it uncovered last year. The Equation Group has been linked by some to the NSA.
The NSA has not yet responded to a request for comment.
Kaspersky Lab wrote in a blog post that “while we cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group.”
The Shadow Brokers claim they have another archive they will try to sell to the highest Bitcoin bidder. The released files, which the code suggests may date to mid-2013, “mainly appear to be installation scripts, configuration files, and exploits targeting a range of routers and firewall appliances,” according to Symantec. Some of the exploits would likely serve to target and take over firewalls to gain access to a network. If in fact these were NSA hacking tools, the likely targets would be foreign government networks.
Christopher Porter, manager for FireEye iSIGHT Intelligence, said that “this is clear messaging that Moscow wants the U.S. to back down on attributing the DNC hack to the Russian government.”
“The Kremlin has a longstanding strategy of ‘escalate to deescalate’ — meaning that, rather than giving a proportional response to geopolitical events, they often want to preempt a painful response by an adversary by showing that they are capable of doing much worse,” Porter said. “This activity is part of a long trend by Russian actors demonstrating that they are highly capable of influencing world events using cyber tools, probably as part of a push to encourage restrictions on the use of cyber tools that they have been making for over a decade but which the United States has been hesitant to embrace.”
Intel Security’s chief technology officer Steve Grobman, however, cautioned against attributing any breach too early to a specific actor. Grobman said technical forensics are very easy to forge and manipulate, and that strong attribution can only come from combining technical information with traditional intelligence gathered by intelligence or law enforcement agencies.
“In the DNC hack and this case, no reputable government body is providing traditional intelligence or a statement of attribution, so I believe it is premature for anyone to jump to conclusions about who the actor is,” he said. “With that said, it doesn’t mean it wasn’t any particular entity — I just think we should be very careful jumping to a conclusion.”
In a series of tweets, NSA leaker Edward Snowden wrote that “circumstantial evidence and conventional wisdom indicates Russian responsibility.” Snowden, who remains in hiding in Russia, wrote that “no one knows” why they did it, “but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.”
This incident suggests the United States will continue to face a troubling cyber landscape, according to Lewis, and highlights the issue of how secure U.S. government and intelligence networks really are. It also raises the broader question of what may come next from this seemingly sustained Russian campaign to use cyber means to disrupt American politics, he said.
“The Russians now have a new way and a better way to shape public opinion than in the past,” Lewis said. “It’s a great tool, a political tool, and they’re making full use of it.”
Beyond the suspected Moscow connection, the alleged hack also offers a reminder that those in the national security sphere need a more sophisticated understanding of cybersecurity to face off against powerful threats, Lewis said.
Grobman also said this incident demonstrates key lessons for government agencies concerning cybersecurity measures and how to handle accidental release of information.
“Whether or not this data has been held for a short or long period of time, there’s absolutely the potential it has been used by bad actors to infiltrate legitimate organizations,” he said. “It’s critical that any code that can cause damage is safeguarded with multiple levels of security and with a defense using multiple techniques to protect its environment.”
Regardless of where the code came from, Grobman said “it’s clearly sophisticated and it’s clearly developed by a group that has a strong understanding of security.”
“This is a good reinforcement point that even isolated networks, even environments that are air gapped [a security measure where computers or networks are not able to establish an external connection], still need a comprehensive cyber defense environment and strategy in order to protect them,” he said.