Hackers calling themselves Shadow Brokers are auctioning off what they claim is the source code to a vaunted, likely state-sponsored hacking group many believe is affiliated with the National Security Agency.
There is no definitive proof the auction is genuine, but files released to prove authenticity appear valid enough to have piqued the interest of many in the security community.
The cybersecurity firm Kaspersky Labs raised eyebrows last year with a report on a hacking operation it was calling the Equation Group, which had managed to operate without being noticed for 14 years.
That is an uncommonly long time for a state group to stay under the radar given the resources they are normally up against.
Kaspersky noted similarities from Equation to attack methods discussed in leaked NSA documents and other suspected U.S. intelligence malware. The computer code used jargon common to the NSA and time codes in the Equation Group’s wares appeared to match a North or South American workday.
The Shadow Brokers are auctioning source code purportedly from the Equation Group.
“Attention government sponsors of cyber warfare and those who profit from it,” writes the Shadow Brokers in an auction notice, which journalist Brian Krebs said "reads like a script."
“How much you pay for enemies cyber weapons? Not malware you find in networks… We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons.”
The notice goes on to describe an unusual auction method. Rather than traditional bidding, all interested parties will send their max offer in bitcoin. The group will keep all the funds, and says it will send the highest bidder the code.
In a question-and-answer section in the auction notice, Shadow Brokers addresses concerns they can't be trusted.
“Q: Why I trust you? A: No trust, risk. You like reward, you take risk, maybe win, maybe not, no guarantees. There could be hack, steal, jail, dead, or war tomorrow. You worry more, protect self from other bidders, trolls, and haters.”
The auction notice ends with a prolonged diatribe against “wealthy elites,” warning them against the danger they might face if government-built spyware ends up in the wrong hands.
“We know what is wealthy but what is Elites? Elites is making laws protect self and friends, lie and [screw] other peoples. Elites is breaking laws, regular peoples go to jail, life ruin, family ruin, but not Elites. Elites is breaking laws, many peoples know Elites guilty, Elites call top friends at law enforcement and government agencies, offer bribes… Reporters (not call journalist) make living say write only nice things about Elites, convince dumb cattle, is just politics, everything is awesome, check out our ads and our prostitutes. Then Elites runs for president,” the note reads.
While it can't be ruled out that the auction is a scam, some security experts see evidence the files might be authentic.
“The code in the dump seems legitimate, especially the Cisco exploits (Most of the dump contains Firewall exploits), and those exploits were not public before,” said Matt Suiche, via electronic chat. Suiche is the founder of United Arab Emirates-based cybersecurity start-up Comae Technologies and has been actively analyzing the source code portions released as proof.
Particularly interesting, said Suiche, are references to code names listed in the NSA Advanced Network Technology Catalogue, a listing of the agencies cyber warfare capabilities.
If the action raises 1 million bitcoin — about half a billion dollars — Shadow Brokers promises to put even more files out for sale.
The files were initially posted to the code sharing site GitHub, which has since disabled access.