ShadowBrokers Dump Came from Internal Code Repository, Insider

Researchers at Flashpoint said their analysis of the latest ShadowBrokers dump of NSA tools leads them to believe an insider with access to a code repository stole the data.

Update: An analysis of the latest ShadowBrokers dump of alleged NSA spy tools points to an insider with access to a code repository belonging to the intelligence agency, experts said.

Researchers at security company Flashpoint said today that their investigation of the leaked data points away from an attack against NSA infrastructure, and away from other theories such as operators mistakenly leaving classified data on staging servers.

Instead, clues in code made available last week point toward an NSA employee or contractor.

“Looking at the dump and how the data is structured, we’re fairly certain it’s from an internal code repository and likely an employee or contractor who had access to it,” said Ronnie Tokazowski, senior malware analyst with Flashpoint.

The code includes implants spanning an eight-year timeframe, 2005 to 2013, and as with previous dumps, the ShadowBrokers provided a free file for download and analysis as proof of what they possess. Tokazowski said that while some of the file data had been manipulated, likely in an attempt to distract analysts, there was enough conclusive evidence that it came from a code repository, starting with the fact that it was written in Markdown, a markup language. (Flashpoint has since retracted its description of the code as being written in Markdown. The data are documentation scripts, not shell scripts. The documentation also includes how-to tips for network exploits and instructions that can be copied-and-pasted.)

“Code repositories use this language so that it’s written in a certain format and simplifies how it’s parsed,” Tokazowski said. “It could have been a contractor or employee who (had) access to that. A lot of these tools are Linux and UNIX implants. If you think about the structure of the NSA and how things like this are segmented internally, this person could have been a contractor running Linux and UNIX-based implants. I didn’t see any Windows-based malware in there.

“This code may have been available to just one of the teams. The data wasn’t from an admin with wide access, but from someone who may have been there for a little bit of time and copied information off and tried to sell it.”

The latest data dump was announced last week in an unheralded post to Medium written by someone called Boceffus Cleetus who posted links to the code, which were hosted on the ZeroNet peer-to-peer network.

The rhetoric in the post frames the government’s allegations of Russian involvement in manipulating the U.S. presidential election as a cover-up or distraction away from a “deep state civil war” between the CIA and NSA.

“What if the Russian’s ain’t hacking nothin? What if the shadow brokers ain’t Russian? Whatcha got as the next best theory?” the post reads. “What if its a deep state civil war tween CIA and ole NSA? A deep state civil war to see who really runs things.”

The post suggests a division between the two intelligence agencies, pins the blame on the NSA for leaking emails to WikiLeaks throughout the campaign, and claims that the CIA is the ShadowBrokers and that its leaks of NSA exploits and implants are retaliation for the email leaks.

A security researcher known as the Grugq posted his own three-part analysis that says these tools exist only on classified NSA networks, and that the latest drop was a message that Russia’s FSB has (or had) access to these networks.

“That is massive,” the Grugq said. “No intelligence agency drops that sort of information unless they are buying something more valuable with it.”

As for the Cleetus posts, the Grugq refutes most of what was written on the surface, and instead paints the picture of a complex Russian operation that includes the creation of the Cleetus caricature, conspiracy theories about internal strife between IC agencies, and media manipulation.

“The major cost of this ShadowBrokers message was the information exposed by the drop. It reveals what the ShadowBrokers knew, which is precious information to an intelligence service,” the Grugq said. “This particular dump reveals a lot, the most important of which is that ShadowBrokers had access to tools, implants and exploits that would only exist on the high side (inside the NSA’s classified networks).”

The bright side is that it’s likely many of these tools may be outdated by now given the age of the dump.

“For the NSA this is definitely a gut punch. There is a lot of operational detail and lessons that are exposed in this (and the earlier Shadow Brokers dump). The upshot is that a lot of it looks pretty old. So this might be ‘of historic interest only,’” the Grugq said. “I would expect that a lot of the tools and exploits here are no longer the state of the art for NSA, and so their ability to do their mission will not be negatively impacted by this release. Still, damn, that’s gotta hurt.”
