Houston Chronicle

Hackers who leaked NSA tools likely have U.S. insider

- By Tim Johnson

WASHINGTON — Cybersecurity experts believe the hacker who leaked the potent software tool that powered last week’s global ransomware attacks is an American — perhaps a disgruntled insider in the U.S. intelligence community.

Such a finding would raise the stakes for halting The Shadow Brokers group, which has bedeviled the National Security Agency with releases of its hacked weaponized cyber exploits for months.

One of those leaked NSA tools allowed extortionists to spark havoc last Friday by encrypting the hard drives of more than 200,000 computers in 150 countries, the largest such cyberattack ever to hit the globe. The attackers demanded $300 or more to unlock each computer.

The NSA did not respond to a request for comment.

Surfaced in August

The Shadow Brokers group surfaced last August, claiming to have breached the NSA and stolen sophisticated cyber tools. It sought to auction off the NSA exploits but failed to find many buyers, releasing some for free. It periodically has resurfaced with statements.

The latest statement came at 2:16 a.m. Tuesday, a long, rambling screed that used broken syntax to make it seem as if it were written by a foreigner with poor English. But the message was filled with U.S. cultural references that experts said were likely to have come only from someone with a native’s familiarity.

“I think they are Americans, and I think they are inside somewhere,” said Dave Aitel, chief executive at Immunity, a Miami cybersecurity company, who formerly was a chief scientist at the NSA. “Some of the idioms they use are straight-up native. You have to be a native to use them.”

Domestic cultural and political references fill the 1,100-word statement, which carries the headline: “OH LORDY! Comey Wanna Cry Edition.”

“I always thought there had to be an insider somewhere on the chain for The Shadow Brokers,” said John Bambenek, a threat intelligence manager at Fidelis Cybersecurity, a company in Bethesda, Md.

Bambenek said he had been struck by the language in the statement.

“The homophobic slurs kind of thing is common in American hacker culture,” he said.

‘May have more tools’

If The Shadow Brokers group is simply a one-person show by an insider, or an American in a larger group, he or she would join a long list of insiders who’ve divulged some of the U.S. government’s most classified secrets in recent years, Bambenek said.

“How much s--t is walking out the front door of our frigging intelligence agencies? And why is nobody getting fired for it?” he asked. “There have been a lot of large bulk leaks.”

In its online statement, The Shadow Brokers said it had many more stolen NSA tools to reveal, including ones that would allow hacking of mobile phones and newer Microsoft Windows software. It said it intended to create a “dump of the month” club that would allow subscribers to hack computers and cellular phones and to taint late-model browser software with malicious code, including Microsoft’s Windows 10.
