U.S. Govt. Hackers Get Burned by Online Vigilantes, Researchers

Or is Russia retaliating for President Donald Trump’s Syria strikes through one of its cyber-proxies?


It’s been a tough few days for America’s state-sponsored hackers. On Monday, CIA hackers were outed by an American security firm that linked their work to recent WikiLeaks dumps. And over the weekend, a shadowy group of hackers calling themselves the Shadow Brokers spilled NSA hacking tools onto the internet.

The Shadow Brokers dump and the report from security firm Symantec shine the spotlight once more on the hacking capabilities of American spy agencies, amid a growing scandal about Russian intelligence agencies’ attempts to influence the American election. They also underscore the spies’ vulnerability to detection when carrying out clandestine work online, and the risk of exposure in an era when reams of data can be quickly and easily leaked and publicized.

In a blog post Monday, Symantec said it had linked 40 attacks in 16 countries to material that bears the markings of the CIA hacking tools revealed by WikiLeaks last month in its so-called Vault 7 series. The CIA has not confirmed the authenticity of the leak. Symantec described the work of a group it has dubbed “Longhorn,” which it says has been active since at least 2011 and has targeted foreign governments and firms in the financial, telecommunications, and other industries for espionage.

Symantec says it has observed attacks with technical features that match material published by WikiLeaks in Vault 7. “Given the close similarities between the tools and techniques, there can be little doubt that Longhorn’s activities and the Vault 7 documents are the work of the same group,” Symantec researchers wrote.

Symantec tracked the group operating on computer systems in the Middle East, Europe, Asia, and Africa. It documented one infection in the United States, which was quickly uninstalled. Operating in the United States is against the CIA’s charter, and Symantec said it believed the infection was unintentional.

Meanwhile, the leak of NSA hacking tools shed light on the kinds of organizations targeted by the intelligence agency. They include telecommunications firms and a large number of foreign universities, including the Chinese Institute of Higher Energy Physics, according to security researchers who have examined the code released on Saturday. These are hardly surprising targets for America’s premier signals intelligence agency.

Some tools released allow the NSA to penetrate deep into the infrastructure of a telecommunications firm and collect call data on large numbers of phone numbers, a computer researcher who works under the name x0rz told Foreign Policy. By gathering such data, the NSA can analyze who talks to whom and for how long on foreign telephone systems.

Most of the released tools are old techniques, which may no longer be a part of NSA’s hacking arsenal. The NSA did not respond to emails seeking comment.

The identities behind the Shadow Brokers remain shrouded in mystery, but the hackers seemed motivated to leak the NSA hacking tools by anger over what they perceive as President Donald Trump’s betrayal of his base. In a statement accompanying the Saturday release of the hacking tools, the group attacked Trump for last week’s missile strike against Syria, launched in retaliation for the use of chemical weapons. It also denounced the removal of Trump adviser Steve Bannon from the National Security Council and the failure to repeal Obamacare.

“Dear President Trump, Respectfully, what the fuck are you doing?” the group wrote on the self-publishing website Medium. “TheShadowBrokers voted for you. TheShadowBrokers supports you. TheShadowBrokers is losing faith in you.” Publishing NSA hacking tools, the Shadow Brokers explain, constitutes “our form of protest.”

Some analysts have speculated that the Shadow Brokers represent the work of a disgruntled NSA insider who has made off with a huge trove of material. Others believe it is the project of an American adversary, perhaps Russia. Under the latter theory, the leak of the hacking tools would seem a retaliation by Russia for the strike against Syria, a Russian ally. Whatever the motive, publishing hacking tools burns them: once defenders can study the code, they can detect and block it, rendering the tools ineffective.

The Shadow Brokers first surfaced last August when they published a first set of NSA hacking tools and held a second set in reserve, to be sold at auction. The hacking tools published in August included previously unknown vulnerabilities in widely used networking equipment. Researchers have so far discovered no such information in Saturday’s dump.

Last year’s auction did not generate significant bids, and the Shadow Brokers claimed on Saturday that their dump included the information they had planned to sell. But security researchers examining the dump said they believed the published archive was incomplete.

Photo by Mark Wilson/Getty Images

Twitter: @EliasGroll
