
Mocking the Underworld Auctioneers of NSA’s Digital Spying Tools

Aug 26th, 2016 12:00pm

The internet always gets the last word — even when it comes to government-sponsored cyber espionage.

Two weeks ago, a mysterious online group called “The Shadow Brokers” announced they had copies of the NSA’s hacking tools, and would auction them off to the highest bidder. Their warnings were both clunky and sloppy, but this real-world episode of spy-vs-spy continued playing out online across various social media sites. Pieces of that conversation — and sometimes what appeared to be actual NSA hacking tools — were all floating around on the web, right out in plain sight.

And it all happened while the auctioneers were being heckled by a chorus of civilian wise guys — proving that even in the midst of a potentially major national security breach, there’s still going to be a few smart-alecks who can’t resist making a few jokes.

Initially, The Shadow Brokers contacted the media with pointers to some details about what they claimed were hacking tools which they said came from the NSA-affiliated Equation Group.

“Shadows Brokers just released another #NSA Equation Group code name,” joked one security analyst on Twitter. “RAMPANTSPECULATION.”

On August 13th the official Twitter feed for The Shadow Brokers had posted exactly five words and a hashtag: Equation Group – Cyber Weapons Auction #EQGRP_AUCTION. But there was also a URL leading to some images on Imgur.com showing a screenshot of a folder, listing the names of the files contained in the cache they were auctioning, along with their byte sizes.

Enter the internet wise guys. That tweet was “liked” 24 times, and retweeted 30, and also drew two replies. One person replied by suggesting, “trade for ultra rare hologram metal slammer pogs aye?”

Over on Imgur, their screenshot drew 23 comments from random web surfers.

“Posting in this thread so the NSA adds me to a watch list.”

“Just commenting to get a NSA Goodybag. I Have T-Shirt Size M and it would be cool if there was a Coffeemug also included.”

Unfazed, The Shadow Brokers continued posting on Twitter, sharing the link to a page on Pastebin. That site now says the page has “either expired, been removed by its creator, or removed by one of the Pastebin staff.” The group’s Wikipedia page, however, still helpfully provides the URL for a copy hosted at archive.org, so that two weeks later, curious web surfers can still gawk at their ominous message.

!!! Attention government sponsors of cyber warfare and those who profit from it !!!! How much you pay for enemies cyber weapons…? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group…

We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.

Their message also included a link to a Tumblr page — which now leads to the cheeky text of Tumblr’s standard “page not found” message. Tumblr’s wacky background image changes every time you reload the page, providing an odd moment of comedy in the middle of this high-stakes international incident…

[Image caption: Shadow Brokers site becomes another Tumblr error page]

The significance of the group’s warning was only revealed when an analysis team at Kaspersky issued its assessment of more than 300 megabytes of “firewall exploits, tools, and scripts,” with most of the files time-stamped over three months in 2013. They concluded with a “high degree of confidence” that the files were related to the tools from the NSA’s group. But they also couldn’t resist offering their assessment of the circumstances of the leak, calling the whole episode “truly bizarre.”

Soon an Illinois computer science professor had weighed in, mocking the authors of the NSA’s hacking tools for their “sloppy and buggy code,” and saying the cryptography it implemented was “bad. Very bad.”

But Cisco and Fortinet confirmed their firewalls were affected by the exploits, and quickly issued patches, according to an article in SC Magazine, which also noted that other firewall companies, such as Juniper and Ixia, were still scrambling to plug the hole.

“We auction best files to highest bidder,” continued The Shadow Brokers’ proposal. “Auction files better than free files we already give you.” They provided a bitcoin address, noting whoever sent the most bitcoins to the address “is winner, we tell how to decrypt.”

In an interesting wrinkle, they’re keeping all the bitcoins sent in by the losing bidders, but are promising as a consolation prize that more files will be released — free and unencrypted — if the total bitcoins sent in exceeds one million — an amount roughly equivalent to $576 million, or roughly 1/15 of all the bitcoins currently in existence.

On Twitter, someone pointed out that the group’s Bitcoin auction was already being targeted for pranks. “Someone rickrolled the #ShadowBrokers #EQGRP_Auction bitcoin address,” tweeted another user named AnonOps, showing an image that appears to document that each subsequent entry for the bitcoin address contains a word from the title of Rick Astley’s infamous song — “never”, “gonna”, “give”, “you”, and “up.”

Initially, the auction did not generate a lot of serious interest, leading the group to post some additional snippets. According to a FAQ the group posted, the auction has no set end. “Keep bidding until we announce winner.”

NSA whistle-blower Edward Snowden suggested that this may not be the first time that someone has hacked one of the servers used by an NSA group, adding that the most interesting part is that they’d publicly acknowledge the breach. In fact, this whole hoo-ha about an international bitcoin auction may really just be an elaborate puppet show to send a message to America’s national security apparatus, he suggested.

“This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server [that the hacked files originated on],” Snowden commented on Twitter. “That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies.”

In one final bit of irony, Snowden called the perpetrator an “undetected hacker squatting on this NSA server,” and pointed out that they apparently lost their access in 2013 — right around the time of Snowden’s original leaks. “When I came forward, NSA would have migrated offensive operations to new servers as a precaution,” Snowden pointed out in a series of tweets — noting that, ironically, his leaking of information may have prompted the NSA’s move to a more secure server.

He concluded his remarks by sharing a humorous remark of his own.
