Experts: Exposed NSA cyber weapons posted for auction appear legit

Cyber weapons supposedly stolen from an elite team of NSA-affiliated hackers by a mysterious group calling themselves the Shadow Brokers appear both legitimate and functional, cybersecurity experts and affected technology vendors said.

Exploits supposedly stolen from an elite team of NSA-affiliated hackers appear both legitimate and functional, cybersecurity experts and affected technology vendors tell FedScoop.

A group calling themselves the Shadow Brokers posted a trove of what appears to be old exploits over the weekend, claiming they were stolen from the NSA-linked Equation Group.

A portion of this code was uploaded as a “free [and viewable] sample” to several websites, while the clandestine group also advertised yet another reservoir of “stolen” cyber weapons to the highest bidder. Several of the websites hosting this material have since removed it.

Security researchers subsequently analyzed the evidence, largely taking to twitter Monday when news broke, but opinions remain divided concerning the legitimacy of the data dump.


[Read More: Hackers claim to have stolen offensive cyber weapons from NSA]

Further independent analysis revealed on Tuesday is slowly lending greater credibility to the theory that these exploits were once used by American spies.

“While we cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation Group,” Kaspersky Lab researchers, many of whom originally helped identify Equation Group’s existence in 2015, wrote in a company blog post.

Several of the newly publicized exploits do not appear in popular software vulnerability databases and could be considered zero-day exploits, said Brian Martin, Director of Vulnerability Intelligence for Richmond, Va.-based security consultancy Risk Based Security.

“I know of at least two exploits here that look like zero-days,” Martin said during a phone interview. The term zero-day refers to a specific type of exploit that targets an unknown vulnerability that has never been patched by the vendor. Simply put, the ownership of multiple zero-day level exploits suggests the involvement of a well-funded nation state actor, experts say.


Cisco, one of the technology vendors whose products were the apparent target of a secret exploit shared by the Shadow Brokers, acknowledged the existence of the actual firewall exploit and said they are “investigating all aspects of [it]” in an email.

An independent security researcher, writing under the moniker Xorcat, also ran script of the Cisco Adaptive Security Appliances, or ASA, exploit — codenamed ExtraBacon in the original code log — in a controlled environment. The researcher allegedly found that the cyber weapon could penetrate an older version of the firm’s firewall without the need for scrapping valid login details.

“So far, we have not found any new vulnerabilities related to this incident, though our Cisco PSIRT team will continue a thorough investigation,” a Cisco spokesperson said.

It is possible, however, that the old Cisco exploit will work on newer systems, according to Martin.

“Unless Cisco specifically figured this out, it was reported to them by a different party, or they significantly changed the SNMP [simple network management protocol] functionality… it likely works on subsequent versions,” Martin said.


Some of the other exploits posted by Shadow Brokers also appear to target firewall software developed by network technology maker Juniper Networks and cybersecurity giant Fortinet.

A Fortinet spokesperson said in a statement: “Fortinet is currently investigating this exploit. If we identify any issues that could have impacted our customers, we will share it through our responsible disclosure policy.”

Independent cybersecurity researcher Kevin Beaumont shared on Twitter that the aforementioned Fortinet firewall exploit codenamed “EGREGIOUSBLUNDER,” which targets a program called Fortigate, still works.

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts