Or is Russia retaliating for President Donald Trump’s Syria strikes through one of its cyber-proxies?
It’s been a tough few days for America’s state-sponsored hackers. On Monday, CIA hackers were outed by an American security firm who linked their work to recent WikiLeaks dumps. And over the weekend, a shadowy group of hackers calling themselves the Shadow Brokers spilled NSA hacking tools onto the internet.
The Shadow Brokers dump and the report from security firm Symantec shines the spotlight once more on the hacking capabilities of American spy agencies, amid a growing scandal about Russian intelligence agencies’ attempts to influence the American election. It also underscores the spies’ vulnerability to detection when carrying out clandestine work online and the risk of exposure in an era when reams of data can be quickly and easily leaked and publicized.
In a blog post Monday, Symantec said it had linked 40 attacks in 16 countries to material that bear the markings of the CIA hacking tools revealed by WikiLeaks last month in its so-called Vault 7 series. The CIA has not confirmed the authenticity of the leak. Symantec described the work of a group it has dubbed “Longhorn,” which it says has been active since at least 2011 and has targeted foreign governments and firms in the financial, telecommunications, and other industries for espionage.
Symantec says it has observed attacks with technical features that match material published by WikiLeaks in Vault 7. “Given the close similarities between the tools and techniques, there can be little doubt that Longhorn’s activities and the Vault 7 documents are the work of the same group,” Symantec researchers wrote.
Symantec tracked the group operating on computer systems in Middle East, Europe, Asia, and Africa. It documented one infection in the United States, which was quickly uninstalled. Operating in the United States is against the CIA’s charter, and Symantec said it believed the infection was unintentional.
Meanwhile, the leak of NSA hacking tools shed light on the kinds of organizations targeted by the intelligence agency. They include telecommunications firms and a large number of foreign universities, including the Chinese Institute of Higher Energy Physics, according to security researchers who have examined the code released on Saturday. These hardly surprising targets for America’s premier signals intelligence agency.
Some tools released allow the NSA to penetrate deep into the infrastructure of a telecommunications firm and collect call data on large numbers of phone numbers, a computer researcher who works under the name x0rz told Foreign Policy. By gathering such data, the NSA can analyze who talks to whom and for how long on foreign telephone systems.
Most of the released tools are old techniques, which may no longer be a part of NSA’s hacking arsenal. The NSA did not respond to emails seeking comment.
The identities behind the Shadow Brokers remain shrouded in mystery but the hackers seemed motivated to leak the NSA hacking tools by anger over what they perceive as President Donald Trump’s betrayal of his base. The group attacked Trump for last week’s missile strike against Syria in retaliation for the use of chemical weapons, in a statement accompanying the Saturday release of the hacking tools. It also denounced the removal of Trump adviser Steve Bannon from the National Security Council and the failure to repeal Obamacare.
“Dear President Trump, Respectfully, what the fuck are you doing?” the group wrote on the self-publishing website Medium.“TheShadowBrokers voted for you. TheShadowBrokers supports you. TheShadowBrokers is losing faith in you.” Publishing NSA hacking tools, the Shadow Brokers explain, constitutes “our form of protest.”
Some analysts have speculated the Shadow Brokers represent the work of a disgruntled NSA insider who has made off with a huge trove of material. Still others believe that it is the project of an American adversary, perhaps Russia. Under the latter theory, the leak of the hacking tools would seem a retaliation by Russia for the strike against Syria, a Russian ally. Publishing hacking tools allows a defender to block and render them ineffective.
The Shadow Brokers first surfaced last August when they published a first set of NSA hacking tools and held a second set in reserve, to be sold at auction. The hacking tools published in August included previously unknown vulnerabilities in widely used networking equipment. Researchers have so far discovered no such information in Saturday’s dump.
Last year’s auction did not generate significant bids, and the Shadow Brokers claimed on Saturday that their dump included the information they had planned to sell. But security researchers examining the dump said they believed the published archive was incomplete.
Photo by Mark Wilson/Getty Images