Evidence mounts that NSA computer code was stolen

Hackers say they extracted from the top secret National Security Agency

WASHINGTON, D.C. — Analysis of the cyber weapons that hackers say they extracted from the top secret National Security Agency has left a key team of outside experts increasingly certain that the files came from the NSA.

The Russia-based Kaspersky Lab, which has been at the forefront into research of NSA techniques, said it found 347 instances of encryption algorithms in the leaked files that have been seen previously only in NSA-linked computer programming.

A successful hack of the NSA — if that’s what happened — would mark a major defeat for one of the crown jewels of the U.S. government’s defense establishment. The NSA’s hacking unit has been credited with sophisticated cyber weapons, including the code that is credited with crippling the Iranian nuclear program.

A mysterious group calling itself the Shadow Brokers announced over the weekend that it had penetrated the NSA, stolen sophisticated cyber weapons and digital tools, and opened a global auction for the sale of the still-secret most valuable ones.

The group released 300 megabytes of files to the public for free, and cyber security companies and hackers rushed to examine the coding on the files, which included malware that would allow a controller to get past the most secure of firewalls.

Dave Aitel, a former NSA computer scientist who is chief executive of Immunity Inc., a penetration testing company in Miami Beach, said he found Kaspersky Lab’s assessment credible. He noted that Kaspersky Lab has been the security company most prolific in offering public analysis of software traced back to the NSA.

“They are very reliable. They are very Russian but when it comes to outing an American toolkit, they are reliable,” said Aitel.

In a blog posting late Tuesday, Kaspersky’s global research and analysis team noted that the group “cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be.”

But the team said it had taken a look at the “functional capabilities” of the files released by Shadow Brokers and determined that “several hundred tools from the leak share a strong connection” with previous tools linked to the NSA’s elite hacking unit, Tailored Access Operations, which Kaspersky calls The Equation Group.

That unit came to light in 2013 when Edward Snowden, the former CIA employee and NSA contractor, leaked thousands of documents revealing that the U.S. government spied on dozens of foreign leaders, tapped into fiber optic cables and cracked encryption codes. The NSA hacker team designs the algorithms and malware to monitor digital traffic, penetrate computers and activate anything connected to the internet.

The Kaspersky blog said the leaked cyber tools use two encryption algorithms, called RC5 and RC6, that employ specific setup routines, and in some variants have “only been seen before with Equation Group malware.”

“Comparing the older, known Equation RC6 code and the code used in most of the binaries from the new leak, we observe that they are functionally identical and share rare specific traits in their implementation,” the blog said, adding that the company has “a high degree of confidence” that the leaked malware comes from the NSA.

Some of the digital tools in the released files contain names like ExtraBacon, Epicbanana and Eligible Bachelor that apparently breach the firewall platforms, for example, of Cisco System’s PIX/ASA, Juniper Network’s Netscreen, and Fortigate made by Fortinet.

Another researcher who spent two days examining the cyber tools leaked by the Shadow Brokers described his findings as “terrifying.”

Brendan Dolan-Gavitt, a computer scientist at New York University’s Tandon School of Engineering, said he’d found coding that breaches seven different firewall systems or platforms made by the major manufacturers.

The coding gives a distant hacker at-will surveillance capabilities.

“Think of it as sitting on a chokepoint. You sit and watch everything that passes through,” he said.

The coding targets a hardware chip, or BIOS — basic input output system — that activates when a computer is turned on. Dolan-Gavitt said the malicious coding cannot be removed by turning a computer on or off.

Still unknown is whether the Shadow Brokers obtained the cyber tools through a hack or an inside job.

“I’d say it’s 50/50 that there was no hack, that it was a Snowden-style leak, or what we would call a spy,” Aitel said. “Somebody could’ve walked out with a USB key (flash drive). In some ways, that would have been easier.”

Outside observers said that is a constant concern at the agency.

“The (Tailored Access Operations) Team had severe concerns about how easy it was to just walk out with the data on a USB drive,” Matt Suiche, a French hacker, wrote Wednesday in a blog posting.

Cyber surveillance tools and weapons would normally be maintained on a physically segregated network that has no connection to the internet. That, in theory, at least, should make impossible for someone to hack into the system from the outside.