Computer source code purportedly stolen from the National Security Agency’s hacking division and published online this week appears to be authentic, former members of the U.S. intelligence community said Tuesday.
Several former government employees have now vouched for the validity of the documents — more than 300 files said to have been stolen from an entity known as the Equation Group, a team of state-sponsored hackers widely believed to be an arm of the NSA.
“Without a doubt, they’re the keys to the kingdom,” a former employee of the NSA’s Tailored Access Operations division, the agency’s official hacking team, told The Washington Post on condition of anonymity Tuesday. “The stuff you’re talking about would undermine the security of a lot of major government and corporate networks both here and abroad.”
“From what I saw, there was no doubt in my mind that it was legitimate,” a second former NSA TAO employee told The Post.
Individuals calling themselves “Shadow Broker” published the cache of computer code online this week and said they would provide access to additional files in exchange for millions of dollars’ worth of cryptocurrency.
“We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons,” Shadow Broker said in a statement accompanying the release.
But while skepticism about the documents’ origins surrounded news reports of their release earlier this week, security experts now say the files appear to be actual exploits from the NSA’s arsenal of cyber weapons.
Kaspersky Lab, a Moscow-based security firm that revealed the Equation Group’s existence in a 2015 report, said that the files circulated online this week are “functionally identical and share rare specific traits” with older source code associated with the group.
“While we cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group,” Kaspersky researchers said in a blog post Tuesday.
“The chances of all these being faked or engineered is highly unlikely,” Kaspersky added. “This code similarity makes us believe with a high degree of confidence that the tools from the ShadowBrokers leak are related to the malware from the Equation Group. While the ShadowBrokers claimed the data was related to the Equation group, they did not provide any technical evidence of these claims. The highly specific crypto implementation above confirms these allegations.”
In its 2015 Equation Group report, Kaspersky said its researchers had uncovered “a threat actor that surpasses anything known in terms of complexity and sophistication of techniques.”
While the firm stopped short of linking the group explicitly to the NSA, subsequent examination of the source code discussed in that report has led various leading security experts to conclude as much, citing similarities between the Equation Group’s available data and known NSA operations and attack methods.