Snowden explains the Shadow Brokers/Equation Group/NSA hack

The news that a group of anonymous hackers claimed to have stolen some of the NSA's most secret, valuable weaponized vulnerabilities and were auctioning them off for bitcoin triggered an epic tweetstorm from Edward Snowden, who sets out his hypothesis for how the exploits were captured and what relation that has to the revelations he made when he blew the whistle on illegal NSA spying in 2013.

Techdirt has assembled Snowden's tweets in handy form:

The hack of an NSA malware staging server is not unprecedented, but the publication of the take is. Here's what you need to know:

NSA traces and targets malware C2 servers in a practice called Counter Computer Network Exploitation, or CCNE. So do our rivals. NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations. This is how we steal their rivals' hacking tools and reverse-engineer them to create "fingerprints" to help us detect them in the future.

Here's where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us -- and occasionally succeed. Knowing this, NSA's hackers (TAO) are told not to leave their hack tools ("binaries") on the server after an op. But people get lazy.

What's new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is.

Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack. Circumstantial evidence and conventional wisdom indicate Russian responsibility. Here's why that is significant: This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections. Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.

TL;DR: This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast.

Bonus: When I came forward, NSA would have migrated offensive operations to new servers as a precaution - it's cheap and easy. So? So... The undetected hacker squatting on this NSA server lost access in June 2013. Rare public data point on the positive results of the leak.

You're welcome, @NSAGov. Lots of love.

Ed Snowden Explains Why Hackers Published NSA's Hacking Tools [Techdirt]

Notable Replies

  1. In a new technology cutting-edge hacker-types are calling "paragraphs"

  2. This is why twitter is fucking worthless for anything other than snarky one liners, vapid social comments, and alerts something happened/is new.

    Why not have a blog where you can, you know, write a coherent explanation, and then twitter "Hey guys, I wrote a coherent explanation to this NSA hacker thing. Go here."

    Or wait, it would be more like, "Learn how the hackers got the NSA's most dangerous weapons with this one weird trick."

  3. If I had to guess, a blog may be less safe for Snowden to use than Twitter.

  4. Or breaking news. I typically see news reported on Twitter before any major news service.

    Or instant communication of ideas, like Snowden's posts. What he should've done is link to a blog post rather than use a series of tweets. But with one tweet he can reach millions of people almost instantly.

  5. Chaz1 says:

    The revolution will be typed in 140 characters.
