The Cable

Exotic Code in ‘Shadow Brokers’ Release Points to NSA

An unusual encryption scheme indicates the malware released is authentic.


After a group of mysterious hackers claimed to have broken into the NSA and posted a portion of its stolen code, security researchers were left with a pressing, vexing question: Was the material released by the so-called “Shadow Brokers” actually from the NSA?

The answer appears to be yes. On Tuesday, researchers at Kaspersky, the Russian cybersecurity firm, said their analysis of the Shadow Brokers’ code found a trail of digital breadcrumbs that leads straight back to the NSA.

The Shadow Brokers claim to have broken into the systems of hackers known as the Equation Group. That group was first identified in a Kaspersky report released last year. While Kaspersky’s report tied the Equation Group to operations carried out by U.S. intelligence, it did not definitely identify the group as an NSA outfit. Kaspersky said the group “surpasses anything known in terms of complexity and sophistication of techniques.”

Security researchers say privately that the Equation Group is all but certainly a project of the NSA.

In a highly technical analysis, Kaspersky documented how the code released by the Shadow Brokers includes an unusual system for encrypting data. That encryption scheme has only been seen previously in code associated with the NSA, and led its researches to “believe with a high degree of confidence that the tools from the Shadow Brokers leak are related to the malware from the Equation Group.”

The release by the Shadow Brokers of code claiming to have been pilfered from the NSA has been met by extreme skepticism in some quarters. The released code could in theory have been faked, doctored to smear the agency. At a time when Russia has been pilloried for hacking into the DNC and other American political organizations, the release of NSA hacking tools shows how American spies use digital tools to carry out espionage.

But the technical analysis by Kaspersky indicates that the Shadow Brokers’ release is likely not an act of digital forgery. The highly unusual encryption scheme in the code released is “highly unlikely” to have been “faked or engineered,” according to Kaspersky.

NSA via Getty Images

Elias Groll is a staff writer at Foreign Policy. Twitter: @EliasGroll

Trending Now Sponsored Links by Taboola

By Taboola

More from Foreign Policy

By Taboola