Last week, Cisco and Fortinet confirmed that the exploits leaked by the Shadow Brokers and aimed at compromising their networking devices work as intended, but the origin of the leaked data remained a mystery.
On Friday, The Intercept’s Sam Biddle revealed that the leaked data contains things that definitely point to the NSA as the creator of the hacking tools.
“The evidence that ties the ShadowBrokers dump to the NSA comes in an agency manual for implanting malware, classified top secret, provided by Snowden, and not previously available to the public. The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string, ‘ace02468bdf13579.’ That exact same string appears throughout the ShadowBrokers leak in code associated with the same program, SECONDDATE,” Biddle reported, the went on to explain what SECONDDATE does, and how it fits in with other NSA tools.
“(…) while it remains unclear how the software leaked, one thing is now beyond speculation: The malware is covered with the NSA’s virtual fingerprints and clearly originates from the agency,” he pointed out.
On the same day, Cisco announced that it will be analyzing a leaked exploit (“BENIGNCERTAIN”) that targeted a line of their unsupported legacy firewalls, and allowed the NSA to eavesdrop on VPN traffic passing through them by extracting decryption keys from the device.
As the revelations continue, the Shadow Brokers are keeping the auction for the rest of the stolen data open, but have yet to get a significant offer.
A security researcher that goes by the handle Krypt3ia says that some of these offers came in the form of Bitcoins from accounts seized after the Silk Road takedown, and implied that a US law enforcement agency might be behind it.
So far, they have amassed a little over 1.7 BTC (around $1,000).