Science

Snowden: Russia's Behind NSA Hack That Could Reveal U.S. Cyber Attacks

That's his story and he's sticking to it.

by Nathaniel Mott
Getty Images / Sean Gallup

Edward Snowden says his leak of confidential National Security Agency documents in 2013 might have made a hack of computer systems connected to the agency better than it could’ve been.

A group calling itself the Shadow Brokers announced Monday that it hacked the Equation Group — an “omnipotent” hacker group with NSA ties — to steal “cyber weapons” (e.g., malware like “Stuxnet” that can shut down industrial controls systems like power plants.)

The Shadow Brokers plan to auction off these cyber weapons to the highest bidder, which is terrifying news.

Security researchers who have taken a look at some of the data released by the group say it seems to be legit, and suspect that the hackers managed to break into a computer system used by the Equation Group rather than the group itself.

Snowden took to Twitter earlier this morning to discuss the apparent hack, writing:

The hack of an NSA malware staging server is not unprecedented, but the publication of the take is. Here’s what you need to know:
1) NSA traces and targets malware C2 servers in a practice called Counter Computer Network Exploitation, or CCNE. So do our rivals.
2) NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations.
3) This is how we steal their rivals’ hacking tools and reverse-engineer them to create “fingerprints” to help us detect them in the future.
4) Here’s where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us — and occasionally succeed.
5) Knowing this, NSA’s hackers (TAO) are told not to leave their hack tools (“binaries”) on the server after an op. But people get lazy.
6) What’s new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is.
7) Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.
8) Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here’s why that is significant:
9) This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server.
10) That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies.
11) Particularly if any of those operations targeted elections.
12) Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.
13) TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast.
Bonus: When I came forward, NSA would have migrated offensive operations to new servers as a precaution - it’s cheap and easy. So? So…
The undetected hacker squatting on this NSA server lost access in June 2013. Rare public data point on the positive results of the leak.
You’re welcome, @NSAGov. Lots of love.

You’ll see that Snowden attributes the hack to Russia and connects it to hacks on the Democratic Party from earlier this summer. And he says his whistleblowing helped mitigate this hack.

The tweetstorm is just one example of Snowden staying in the spotlight. He also helped design an iPhone case meant to help people maintain their privacy, and ever since he joined Twitter, he’s weighed in on some of the latest headlines.