Code dumped online came from “Omnipotent” NSA-tied hacking group

Kaspersky Lab analysis means Monday's leak almost certainly came from Equation Group.

Read the whole story

 

[Novae DeArx]

So to summarize, now that we are reasonably confident that this is data somehow exfiltrated from the NSA, there's only a couple of possible ways this could have been leaked:

1) A TAO insider exfiltrated the data, which doesn't necessarily explain why the data loss stops with the C&C server changes, or
2) Russians or another state-sponsored agency compromised a US TAO C&C server and siphoned off this data over time, ending with the Snowden revelations because the NSA switched C&C servers.

(2) seems more probable right now, but (1) isn't off the table. We'll have to wait and see what other revelations come to light. Anyone want to make popcorn while we wait?

 

[rick*d]

Novae DeArx[/url]":3n199w8z]So to summarize, now that we are reasonably confident that this is data somehow exfiltrated from the NSA, there's only a couple of possible ways this could have been leaked:

1) A TAO insider exfiltrated the data, which doesn't necessarily explain why the data loss stops with the C&C server changes, or
2) Russians or another state-sponsored agency compromised a US TAO C&C server and siphoned off this data over time, ending with the Snowden revelations because the NSA switched C&C servers.

(2) seems more probable right now, but (1) isn't off the table. We'll have to wait and see what other revelations come to light. Anyone want to make popcorn while we wait?

So what you're saying is that the Snowden leak led to security reforms that stopped an ongoing theft of USA secrets. Rather than exposing weaknesses that our enemies could exploit, Snowden caused the plugging of a hole, stopping a previously unknown leak. So he is a patriot after all. Too bad the Justice Department can't see past the end of their pointy nose.

 

[Roguish]

Novae DeArx[/url]":3cz3nx1e]So to summarize, now that we are reasonably confident that this is data somehow exfiltrated from the NSA, there's only a couple of possible ways this could have been leaked:

1) A TAO insider exfiltrated the data, which doesn't necessarily explain why the data loss stops with the C&C server changes, or
2) Russians or another state-sponsored agency compromised a US TAO C&C server and siphoned off this data over time, ending with the Snowden revelations because the NSA switched C&C servers.

(2) seems more probable right now, but (1) isn't off the table. We'll have to wait and see what other revelations come to light. Anyone want to make popcorn while we wait?

I'm leaning more towards 1, mostly because of the silly language used in the 'sales pitch' for the data. As some people posted in another thread earlier, the broken English explaining the hack demonstrates too good an understanding of the language to be true; it's like how a native English speaker might think a non-native speaker would express themselves.

As for why the data loss stops at C&C server changes, I can think of lots of reasons. Maybe that's all they could safely exfiltrate? Or maybe they've saved the actual valuable stuff for quiet sale, and this post is just to embarrass the NSA?

 

[robert.walter]

Guess NSA never heard of the dictum: "Cura te ipsum" !

 

[pauli]

That lead image is brutally hard on the eyes.

 

[Vincent294]

In Soviet Russia, you spy on NSA.
Comment burn level: 3rd degree

 

[Rommel102]

Roguish[/url]":39i59r4g]

Novae DeArx[/url]":39i59r4g]So to summarize, now that we are reasonably confident that this is data somehow exfiltrated from the NSA, there's only a couple of possible ways this could have been leaked:

1) A TAO insider exfiltrated the data, which doesn't necessarily explain why the data loss stops with the C&C server changes, or
2) Russians or another state-sponsored agency compromised a US TAO C&C server and siphoned off this data over time, ending with the Snowden revelations because the NSA switched C&C servers.

(2) seems more probable right now, but (1) isn't off the table. We'll have to wait and see what other revelations come to light. Anyone want to make popcorn while we wait?

I'm leaning more towards 1, mostly because of the silly language used in the 'sales pitch' for the data. As some people posted in another thread earlier, the broken English explaining the hack demonstrates too good an understanding of the language to be true; it's like how a native English speaker might think a non-native speaker would express themselves.

As for why the data loss stops at C&C server changes, I can think of lots of reasons. Maybe that's all they could safely exfiltrate? Or maybe they've saved the actual valuable stuff for quiet sale, and this post is just to embarrass the NSA?

Or maybe they knew that you would think that the English understanding was too good, and therefore would have to be a real English speaker impersonating a non-native speaker!

 

[vakrimd]

FWIW as someone who has been around a fair few Russians speaking/writing English, the hacker statement does not look like it was written by a Russian, to me. It looks like a disinfo mangle. But then again it could be a Russian trying to look like a non-Russian trying to look like a Russian. :-D

I don't get how it would be in a state-actor's best interest to release these files. If you were a state actor, wouldn't you keep this stuff under wraps and leverage the knowledge to your advantage?

 

[Vincent294]

vakrimd[/url]":cj1gqcfk]FWIW as someone who has been around a fair few Russians speaking/writing English, the hacker statement does not look like it was written by a Russian, to me. It looks like a disinfo mangle. But then again it could be a Russian trying to look like a non-Russian trying to look like a Russian. :-D

I don't get how it would be in a state-actor's best interest to release these files. If you were a state actor, wouldn't you keep this stuff under wraps and leverage the knowledge to your advantage?

For what it's worth the Cold War has turned into a hacker Kardashian feud at this point.

 

[Deleted member 192806]

The connection linking more than 300 computer files in the Shadow Brokers archive to Equation Group is found in a common implementation of the RC5 and RC6 encryption algorithms. Among other things, the leaked Shadow Broker files use the negative constant -0x61C88647 instead of the more standard 0x61C88647 to speed up subtraction operations. Kaspersky researchers scoured 20 different compiled versions of RC5/6 code in Equation Group malware and found functionally identical code, leaving little doubt that there was a clear connection between the two.

Who wrote Shakespeare?

 

[rick*d]

vakrimd[/url]":3l8ykgev]FWIW as someone who has been around a fair few Russians speaking/writing English, the hacker statement does not look like it was written by a Russian, to me. It looks like a disinfo mangle. But then again it could be a Russian trying to look like a non-Russian trying to look like a Russian. :-D

I don't get how it would be in a state-actor's best interest to release these files. If you were a state actor, wouldn't you keep this stuff under wraps and leverage the knowledge to your advantage?

"Boris, we steal secrets from Mooose and Squrril, then we sell secrets back to Mooose and Squrril?"
"Yes, Natasha. We make them pay for what they already have!"

 

[Akemi]

Roguish[/url]":jksi75p6]

Novae DeArx[/url]":jksi75p6]So to summarize, now that we are reasonably confident that this is data somehow exfiltrated from the NSA, there's only a couple of possible ways this could have been leaked:

1) A TAO insider exfiltrated the data, which doesn't necessarily explain why the data loss stops with the C&C server changes, or
2) Russians or another state-sponsored agency compromised a US TAO C&C server and siphoned off this data over time, ending with the Snowden revelations because the NSA switched C&C servers.

(2) seems more probable right now, but (1) isn't off the table. We'll have to wait and see what other revelations come to light. Anyone want to make popcorn while we wait?

I'm leaning more towards 1, mostly because of the silly language used in the 'sales pitch' for the data. As some people posted in another thread earlier, the broken English explaining the hack demonstrates too good an understanding of the language to be true; it's like how a native English speaker might think a non-native speaker would express themselves.

As for why the data loss stops at C&C server changes, I can think of lots of reasons. Maybe that's all they could safely exfiltrate? Or maybe they've saved the actual valuable stuff for quiet sale, and this post is just to embarrass the NSA?

Or proof that the goods are real, and thus drive up the price of a sale/auction.

 

[rick*d]

nutela[/url]":3sycej9b]"-0x61C88647 instead of the more standard 0x61C88647 to speed up subtraction operations"

Those numbers are identical, surely a mistake. What interesting properties does this number have?

It's used in NSA hacker tools. That's a pretty interesting property.

It's also my new password.

 

[vakrimd]

nutela[/url]":2b078oyf]"-0x61C88647 instead of the more standard 0x61C88647 to speed up subtraction operations"

Those numbers are identical, surely a mistake. What interesting properties does this number have?

The internet says it's something to do with 'golden ratio'. It's all greek to me, but I was intrigued enough by your comment to do some light digging on The Goog.

Just one example:

"const GOLDEN_BITS = -1640531527;
Thirty-two bits by which to multiply a hashvalue to make all bits, more or less, significant.

This (unsigned) value is (1 << 32) * frac (0.5 + 0.5 * sqrt (5)). The value of which the fractional part is taken is the golden ratio. (0x9e3779b9)."

(source: http://gerbil.org/tom/doc/tome/x7452.html)

edit: 0x61C88647 in decimal is 1640531527

 

[blargh]

nutela[/url]":1ejfpwk1]"-0x61C88647 instead of the more standard 0x61C88647 to speed up subtraction operations"

Those numbers are identical, surely a mistake. What interesting properties does this number have?

This Ars article explains this really poorly; it's a little clearer at the linked article from Kaspersky Labs.

Apparently most implementations of the RC6 algorithm add the constant 0x9E3779B9, but this code (and others previously associated with Equation Group) subtracts the constant 0x61C88647. Since the two values are complements of each other, the mathematical result is the same, but the latter choice is fairly unique, and hence points to a connection between the code's authors.

 

[jeromeyers2]

It seems to me that all the mechanisms used to validate the code could also be used to create a hoax. Not saying that that is the case, but if Kaspersky has code available to check against, perhaps their own vaults were pierced?

 

[potato44819]

Novae DeArx[/url]":j5acapkt]So to summarize, now that we are reasonably confident that this is data somehow exfiltrated from the NSA, there's only a couple of possible ways this could have been leaked:

1) A TAO insider exfiltrated the data, which doesn't necessarily explain why the data loss stops with the C&C server changes, or
2) Russians or another state-sponsored agency compromised a US TAO C&C server and siphoned off this data over time, ending with the Snowden revelations because the NSA switched C&C servers.

(2) seems more probable right now, but (1) isn't off the table. We'll have to wait and see what other revelations come to light. Anyone want to make popcorn while we wait?

(3) The NSA is preparing a most epic of honeypots to sell to the highest bidder, and intends to own the bidder.

(4) By publishing the data under the guise of a hack, deniability is created for future hacks using these tools.

 

[Swashy]

What would prevent this group from analyzing the code and developing a good facsimile? Seems like a pretty good investment to get $500 million dollars.

 

[vakrimd]

(3) The NSA is preparing a most epic of honeypots to sell to the highest bidder, and intends to own the bidder.

(4) By publishing the data under the guise of a hack, deniability is created for future hacks using these tools.

I don't think either of those add up. In (3) you're giving what is certainly precious (0day) stuff away for a lot of uncertainty about who - if anyone - would buy. And in (4) you would be hoping your targets don't patch the vulns or audit themselves for infection.

 

[vrDrew99]

Roguish[/url]":3v58kjxl]

I'm leaning more towards 1, mostly because of the silly language used in the 'sales pitch' for the data. As some people posted in another thread earlier, the broken English explaining the hack demonstrates too good an understanding of the language to be true; it's like how a native English speaker might think a non-native speaker would express themselves.

As for why the data loss stops at C&C server changes, I can think of lots of reasons. Maybe that's all they could safely exfiltrate? Or maybe they've saved the actual valuable stuff for quiet sale, and this post is just to embarrass the NSA?

The weird language might be the way that a native Russian speaker would write what he thought a native Chinese or Korean speaker (but not necessarily a state-sponsored actor) would write in English.

IOW: This might be a Russian group that broke the code, but is trying to disguise that fact by leaving clues that point towards a Chinese or North Korean group.

 

[arcite]

Modern Major General Thanatos[/url]":1t4x8dq6]

(3) The NSA is preparing a most epic of honeypots to sell to the highest bidder, and intends to own the bidder.

(4) By publishing the data under the guise of a hack, deniability is created for future hacks using these tools.

Mole hunt!

 

[gorgaar]

So the NSA lost its super-hacking toolkit, and maybe all of it at once, this is just great.

If there would be something like an un-patchable back door / front door / "golden key" / whatever euphemism the benevolent government overlords want to call it, that would be right in one of the modules now available to either the highest bidder or everyone in a Wikileaks dump.

No thanks once more, we don't want such a thing to exist, regular vulnerabilities are really bad enough.

Who knows, maybe one the modules contains stuff like that for certain systems? This will certainly be interesting to watch further.

 

[vnicolici]

Any reason the initial story is missing from the list of articles on the site? I can still find it by direct link ( http://meincmagazine.com/security/2016/08 ... -as-proof/ ), but it's not in the list of articles from the last few days.

 

[Studbolt]

Trying to make sense of the last few months' activities on the part of various actors, combined with watching what's posted on Russia agitprop websites like RT and zerohedge, is giving me an old familiar feeling I remember while being taught to hide under my desk during a nuclear attack. For those who weren't alive during the Cold War, a great deal of this must not seem real.

I've come to the following conclusions:

1. The US is being attacked right now by Russia in a way that goes well beyond what might normally shrug off as the normal tradecraft between nations. My guess is that after a great deal of success in Europe, Russia felt confident enough that they could open up on the US at maybe the level they were using on Ukraine in about the 2001-2004 period.

2. The advanced measures include a great deal of agitprop, being released through a lot of websites. I hear versions being repeated word for word out of the mouths of street people and political candidates and everyone in between, from every corner of the political spectrum. Lots of useful idiots and fellow travelers out there right now.

3. There are probably four or five different narratives being pumped into the US right now, causing a great deal of confusion, agitation, loss of confidence in society and/or the government, loss of confidence in democracy, alienation between social groups, and dysfunction in the US political process.

4. Syria is a weapon to pump refugees into Europe and the USA and destabilize NATO countries.

I'm just beginning to be aware of the scope of everything that's happening, but there are lots of other people more paranoid than I who have been aware of what's going on long before I got there. Generally they're people who study Russian history. Some time, when I feel like I have the time to do so, I'm going to sit down and write out the various narratives, strategic goals, and attack vectors, just for organizational edification. That's about all I can do.

I think what's happening right now is the most serious threat to the United States (and Europe) since WWII. I'm amazed at how effective it's been, and how easily it's happened right under our noses. Europe is being divided, and the United States has been effectively neutered.

 

[vakrimd]

I don't get how it would be in a state-actor's best interest to release these files. If you were a state actor, wouldn't you keep this stuff under wraps and leverage the knowledge to your advantage?

Trying to answer my own question... This stuff has I think been sat on for 3 years by the perpetrators, right? So if you were a state actor, you'd have likely hardened yourself against the vulns already in the important places. So then the actual exploit kit is of no use to you any more, but you can 'stick one in the eye' of your opponent by releasing it publicly (kit now progressively less useful to the enemy), and at the same time hit back at your adversary right when they are claiming 'Russian hacks' left, right and sundry (whether that last statement is true or not, making news about NSA hacks surely dilutes the power of 'OMG Russia is hacking us, we are such victims').

I also like Snowden's (tweeted) theory that (in my interpretation of what Snowen says) the release is a public yet coded shot across the bows of the USA/NSA, the subtext of which is 'you accuse us of rigging elections, but we know you've done the same with this kit, so back off otherwise we may reveal more'.

 

[arcite]

Trump isn't going to win, rest assured.

 

[mehaase]

nutela[/url]":1m6re8ck]"-0x61C88647 instead of the more standard 0x61C88647 to speed up subtraction operations"

Those numbers are identical, surely a mistake. What interesting properties does this number have?

According to this (http://www.agner.org/optimize/instruction_tables.pdf), addition and subtraction are equivalent operations. But the geniuses at NSA can't be entirely wrong. Can anybody explain this optimization?

 

[bri2000]

Studbolt[/url]":10wyni2d]Trying to make sense of the last few months' activities on the part of various actors, combined with watching what's posted on Russia agitprop websites like RT and zerohedge, is giving me an old familiar feeling I remember while being taught to hide under my desk during a nuclear attack. For those who weren't alive during the Cold War, a great deal of this must not seem real.

I've come to the following conclusions:

1. The US is being attacked right now by Russia in a way that goes well beyond what might normally shrug off as the normal tradecraft between nations. My guess is that after a great deal of success in Europe, Russia felt confident enough that they could open up on the US at maybe the level they were using on Ukraine in about the 2001-2004 period.

2. The advanced measures include a great deal of agitprop, being released through a lot of websites. I hear versions being repeated word for word out of the mouths of street people and political candidates and everyone in between, from every corner of the political spectrum. Lots of useful idiots and fellow travelers out there right now.

3. There are probably four or five different narratives being pumped into the US right now, causing a great deal of confusion, agitation, loss of confidence in society and/or the government, loss of confidence in democracy, alienation between social groups, and dysfunction in the US political process.

4. Syria is a weapon to pump refugees into Europe and the USA and destabilize NATO countries.

I'm just beginning to be aware of the scope of everything that's happening, but there are lots of other people more paranoid than I who have been aware of what's going on long before I got there. Generally they're people who study Russian history. Some time, when I feel like I have the time to do so, I'm going to sit down and write out the various narratives, strategic goals, and attack vectors, just for organizational edification. That's about all I can do.

I think what's happening right now is the most serious threat to the United States (and Europe) since WWII. I'm amazed at how effective it's been, and how easily it's happened right under our noses. Europe is being divided, and the United States has been effectively neutered.

I've been saying the same thing for a while. No one wants to hear it. I'd also include the UK's EU referendum in the list of things they've been influencing. I'm not certain if Putin is "only" looking for freedom of action in what used to be Imperial Russia/Soviet Union or has something more far reaching in mind. The second seems a bit paranoid even to me.

I'm a firm believer in Mark Twain's observation that history doesn't repeat but does rhyme. At the moment things are scarily harmonious with the 20s and 30s. Populists on the rise on both the hard left and right; countries retreating from international trade and into protectionism and isolationism; a religious minority collectively blamed for terrorism committed by a few (in the 20s and 30s it was widely believed that the Jews were responsible for Bolshevism; the fact we know that was just more anti-Semitic bullshit doesn't change how people reacted to it for purposes of assessing what could happen now); a contempt for elites and experts; economic stagnation for which bankers (I'm not sure if it's progress that this time around it isn't prefixed with Jewish or if that's implicit) are blamed. That is by no means a comprehensive list.

There are plenty of novel threats as well. A nuclear armed Pakistan falling to fundamentalists is something that seems plausible on a 10 to 20 year time frame.

I'm not much fun at parties.

 

[Vidi Vici Veni]

Novae DeArx[/url]":277akxjs]So to summarize, now that we are reasonably confident that this is data somehow exfiltrated from the NSA, there's only a couple of possible ways this could have been leaked:

1) A TAO insider exfiltrated the data, which doesn't necessarily explain why the data loss stops with the C&C server changes, or
2) Russians or another state-sponsored agency compromised a US TAO C&C server and siphoned off this data over time, ending with the Snowden revelations because the NSA switched C&C servers.

(2) seems more probable right now, but (1) isn't off the table. We'll have to wait and see what other revelations come to light. Anyone want to make popcorn while we wait?

It's more likely the equation group is multi-state .. ie. US, Israel & possibly GB, and the relevant code likely exists in more than one place.

 

[HueHueHue]

Can you please change the headline? "Confirmed: hacking tool leak came from “omnipotent” NSA-tied group"

It implies that the NSA-tied group "leaked" the items intentionally. The headline needs to clearly separate the attackers from the NSA-tied group. For example:

Kaspersky: Leaked hacking tools resemble NSA-tied tools

It might have to be longer to really convey the message, but the headline is currently too short to accurately convey what it's trying to say. You might have to remove some nuance or stretch it out.

 

[vrDrew99]

The one thing that I can't quite get away from is this:

The only people who've spoken publicly about this issue happen to be sitting in Moscow right now. Eugene Kaspersky - a trained former Russian intelligence agent. And Edward Snowden, a man who was given sanctuary in Putin's Russia after betraying his employer and his country.

I think the possibility that one or both of them aren't telling the whole truth about this has to be considered.

Quite what the long-term goal here is, I can only speculate.

But let's keep in mind that it was Kaspersky who revealed the existence of the alleged "Equation Group", and that conveniently all of the files and and codewords and clues he used to back up his claims had dates of 2013 and prior. Or the same time as Snowden fled to Russia.

Is it possible that this entire thing is an elaborate piece of misinformation? That Kaspersky used information he got from Snowden to essentially create the Equation Group out of thin air? Or from bits and pieces of legitimate (if thats the word) NSA code, combined with what Snowden's Russian debrief told him?

And then we need to ask why this is happening now?

 

[Chromauk]

arcite[/url]":23kkyse5]Trump isn't going to win, rest assured.

Larry Sabato[/url]":23kkyse5]If Trump is nominated [as a presidential candidate], then everything we think we know about presidential nominations is wrong.

I wish i had your confidence but mere months ago everyone was laughing his nomination as a candidate off as an absurdity. I was one of them, I mean trump as a presidential candidate? seriously? Surely hes just a humorous outlier. No one can possibly take him seriously.
Fast forward 6 months and I'm sat here sweating nervously.

As an outsider looking in i i would have placed cash money down that Dubya would never see a second term, i mean what moron would rationally vote GB back in after his first train wreck? Idealistically i assumed people where made of smarter stuff. Im far more pragmatic now. Understanding now that elections have very little to do with any rational metric and way more to do with how many decent soundbites you can spew.

Say what you will about trump but hes proven hes got a specific subset of people well under his thumb at this point, the Bern fallout dividing the Democratic camp certainly doesn't help either.

I'm by no means even a remote supporter of anything the man does or says but at this point id be very surprised if in fact he did not win.

 

[MdNvS]

bri2000[/url]":2vjo1m9a]

I've been saying the same thing for a while.

Same here, but all I get in response are "did you know the Earth could be flat" or conspiracies about death camps in the USA, prince Putin's greatness (although none of them ever spoke to a Russian - I have), CERN scientists disintegrating, Russian pseudoscience being great just because a headline says so, any news about Russia dismissed as "NATO propaganda!!!" even if the source is Sputnik - nobody even reads the source, let alone checks the facts. Then, about the EU falling apart, praise about the nationalism in Europe to spite the invisible "elites" and so on.
I'd like to think that they spread so much nonsense because they have nothing solid, but to a lot of people nonsense makes sense.

 

[Deleted member 192806]

Chromauk[/url]":4k8iw61g]

arcite[/url]":4k8iw61g]Trump isn't going to win, rest assured.

Larry Sabato[/url]":4k8iw61g]If Trump is nominated [as a presidential candidate], then everything we think we know about presidential nominations is wrong.

I wish i had your confidence but mere months ago everyone was laughing his nomination as a candidate off as an absurdity. I was one of them, I mean trump as a presidential candidate? seriously? Surely hes just a humorous outlier. No one can possibly take him seriously.
Fast forward 6 months and I'm sat here sweating nervously.

As an outsider looking in i i would have placed cash money down that Dubya would never see a second term, i mean what moron would rationally vote GB back in after his first train wreck? Idealistically i assumed people where made of smarter stuff. Im far more pragmatic now. Understanding now that elections have very little to do with any rational metric and way more to do with how many decent soundbites you can spew.

Say what you will about trump but hes proven hes got a specific subset of people well under his thumb at this point, the Bern fallout dividing the Democratic camp certainly doesn't help either.

I'm by no means even a remote supporter of anything the man does or says but at this point id be very surprised if in fact he did not win.

Utah might be an issue?

 

[dkediger]

vrDrew99[/url]":dcnw39u9]The one thing that I can't quite get away from is this:

The only people who've spoken publicly about this issue happen to be sitting in Moscow right now. Eugene Kaspersky - a trained former Russian intelligence agent. And Edward Snowden, a man who was given sanctuary in Putin's Russia after betraying his employer and his country.

I think the possibility that one or both of them aren't telling the whole truth about this has to be considered.

Quite what the long-term goal here is, I can only speculate.

But let's keep in mind that it was Kaspersky who revealed the existence of the alleged "Equation Group", and that conveniently all of the files and and codewords and clues he used to back up his claims had dates of 2013 and prior. Or the same time as Snowden fled to Russia.

Is it possible that this entire thing is an elaborate piece of misinformation? That Kaspersky used information he got from Snowden to essentially create the Equation Group out of thin air? Or from bits and pieces of legitimate (if thats the word) NSA code, combined with what Snowden's Russian debrief told him?

And then we need to ask why this is happening now?

And wasn't it Kaspersky who originally made their name back in the day by releasing an innocuous virus that only their product detected? Thinking late 90's, early 00's....

 

[BotCyborg]

Other comments touched upon this, nevertheless I'm repeating. I never understood why people take anything out of Kaspersky Labs at face value. They could well be a bunch of Putin's minions spreading FUD, for all we know. Many of the "evidence" that they have been presenting do not have any other corroborating source.