Edward Snowden: the Hack of NSA, “Here’s what you need to know”

The National Security Agency (NSA) has been hacked. A group called “The Shadow Brokers” posted a page at social media site Tumblr.com announcing the hack and providing enough information for many cybersecurity experts to believe the hackers were authentic. The specific area hacked was “The Equation Group.” The Tumblr page was saved at this archive before it was removed from the actual site.

The Shadow Brokers said it would “auction” off the entire leak and requested one million Bitcoin — the equivalent at today’s price of over half a billion dollars.

Edward Snowden has now sent out a series of 15 Tweets claiming that the public exposure of this hack may be a “warning that someone can prove US responsibility for any attacks that originated from this malware server.” In the last Tweet, Edward Snowden summarized the situation.

TL;DR: This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast.

Edward Snowden is famous for releasing millions of documents from the CIA and creating a political storm as he slipped away to Russia to avoid prosecution.


The Equation Group was discovered and exposed by Kaspersky Lab in Moscow in February of 2015. From the press release:

According to Kaspersky Lab researchers the group is unique almost in every aspect of their activities: they use tools that are very complicated and expensive to develop, in order to infect victims, retrieve data and hide activity in an outstandingly professional way, and utilize classic spying techniques to deliver malicious payloads to the victims.

The Equation Group quickly became known as the most advanced cyber-espionage and cyber-attack group discovered.

The full Kaspersky report [PDF] described the group as the master over Stuxnet and other notorious attack programs. It is possible that the Equation Group was used to deliver the Stuxnet virus. The Kaspersky report did not directly state that The Equation Group was part of the NSA, but it was strongly implied.

Nearly a year before the Kaspersky report was released, The Intercept published an article describing leaks from Edward Snowden. The article mentioned that “GROK is used to log keystrokes” by the NSA. The word “GROK” also appeared in the Kaspersky report.

Cyber-security experts generally believe that The Equation Group is a function of the NSA. If this is true, then The Shadow Brokers hack would be the first major hack directly into the NSA.

After the Shadow Group leak, Wikileaks announced, “We had already obtained the archive of NSA cyber weapons released earlier today and will release our own pristine copy in due course.”


The hack of an NSA malware staging server is not unprecedented, but the publication of the take is. Here’s what you need to know:

  1. NSA traces and targets malware C2 servers in a practice called Counter Computer Network Exploitation, or CCNE. So do our rivals.
  2. NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations.
  3. This is how we steal their rivals’ hacking tools and reverse-engineer them to create “fingerprints” to help us detect them in the future.
  4. Here’s where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us — and occasionally succeed.
  5. Knowing this, NSA’s hackers (TAO) are told to leave their hack tools (“binaries”) on the server after an op. But people get lazy.
  6. What’s new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is.
  7. Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.
  8. Circumstantial evidence and conventional wisdom indicate Russian responsibility. Here’s why that is significant:
  9. This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server.
  10. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies.
  11. Particularly if any of those operations targeted elections.
  12. Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.
  13. TL;DR: This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast.
    Bonus: When I came forward, NSA would have migrated offensive operations to new servers as a precaution – it’s cheap and. So? So…
    You’re welcome, @NSAGov. Lots of love.