Computerworld

Shared code in Snowden leaks and NSA breach support hackers' claims

Shadow Brokers' sample files include a 16-character tracking string identified in a Snowden document

Documents leaked by former National Security Agency contractor Edward Snowden share a malware tracking code with several files released this week by hacking group Shadow Brokers, according to a news report.

Shadow Brokers claimed they had hacked a cyberespionage team linked to the U.S. spy agency when they released a group of sample files earlier this week. Similarities between the Shadow Broker files and information in documents leaked by Snowden give credence to the claims by the anonymous hacking group.

Fourteen files in the Shadow Brokers leak contain a 16-character string, "ace02468bdf13579," that NSA operatives used to track their use of one malware program, The Intercept reported Friday. That tracking string was described in an NSA manual for implanting malware originally leaked by Snowden, The Intercept reported.

That tracking string was tied to malware called Seconddate, allegedly designed to intercept web requests and redirect browsers to an NSA server, according to the story. Snowden's leaks provided information on Seconddate, and the Shadow Broker files also include information on the malware, including a file titled SecondDate-3021.exe, The Intercept said.

The Shadow Brokers have offered to sell the trove of supposed NSA files.

One security expert suggested the NSA may have arranged the leak. "You’re talking about the world’s top intelligence agency here," John Gunn, vice president of communications at VASCO Data Security, said by email. "I think it is much more likely that the tools were intentionally leaked and were being used -- just as marked money is used -- to trace criminal and state-sponsored hacking activity."

The leak confirms some information about the NSA that many security experts already knew, added Jonathan Sander, vice president at Lieberman Software, another security vendor.

"We knew from Stuxnet and Snowden’s documents that they were engaging in cyberwarfare, and we knew that means they were developing malware to do it," he said by email. "We knew that the NSA is a department of humans using technology, which means they are vulnerable to mistakes and attacks like all other humans using technology."

The leaks also show the NSA is doing good work, he added. "If anything, the universal agreement on the quality of the tradecraft which was stolen and its clear value on a black market should tell us that our tax dollars are getting quality results," he said.