Shadow Brokers data dump reveals yet another NSA-Stuxnet link

When the Shadow Brokers dumped on Friday another batch of data allegedly stolen from the Equation Group, which has been linked to the NSA, security researchers dove right in.


Their first disclosed findings were of Windows exploits taking advantage of bugs that were believed to be still unpatched, and apparent evidence that the NSA has hacked into Dubai-based EastNets, a firm that oversees payments in the global SWIFT transaction system for a considerable number of banks and firms.

As days passed, other discoveries were made, and the latest one is yet another that links the Equation Group to the NSA: the dump contains a script (effectively a tool) that has been used to deploy the Stuxnet worm.

The Stuxnet link

Stuxnet is considered to be the world’s first digital weapon, and is widely believed to have been developed jointly by US and Israeli government agencies.

Symantec researcher Liam O’Murchu told Motherboard that a script found in the Shadow Brokers data dump is nearly identical to that discovered in Stuxnet.

The script is used to create Managed Object Format (MOF) Windows files, and has, after its discovery, been reverse-engineered and added to the Metasploit framework, a popular open source tool for developing and executing exploit code against remote targets.

But the MOF file creation tool in the dump was compiled shortly before the same code was added to Metasploit. As evidence goes, it’s definitely not conclusive, but it can be added to the existing pile of circumstantial evidence pointing towards the NSA as Stuxnet’s creator.

This is the reality we live in: there may never be any hard evidence tying this dump to the Equation Group, the Equation Group to the NSA, and the NSA to Stuxnet.

Plausible deniability is, I suspect, the thing that the nations heavily engaged in cyber espionage and sabotage love most about these new weapons.