Throwback: NSA Hacking Tools - What You Need To Know

Last updated: July 5, 2023 Reading time: 5 minutes
Disclosure
Share
NSA agency

Announcing the auction of NSA agency made “cyber weapons” by a hacking group, “Shadow Brokers” confirms the cache of documents released by the whistleblower Edward Snowden. It affirms indeed that this NSA authentic software is used secretly to infect computers worldwide. Over the debate on how this software leaked, one thing is beyond certainty this malware originates from the NSA agency.

16 Character string tying Shadow Broker leak and malware

The evidence of the Shadow Broker data dumps connecting to the classified NSA internal agency manual is provided by Edward Snowden, never-before-published to the public. The draft manual guides NSA operators to track their use of malware programs by a 16-character string, “ace02468bdf13579.” The Shadow Broker leak shows this string throughout the data associating the code with a program SECONDDATE.

What others had to say and the NSA’s silence

Faking this information would be monumentally difficult, there is just such a sheer volume of meaningful stuff,” Nicholas Weaver, a computer security researcher at the University of California at Berkeley, said in an interview with WashingtonPost. “Much of this code should never leave the NSA.”

The files posted appeared to be true, according to former personnel who worked in the NSA agency’s hacking division, known as Tailored Access Operations (TAO).

Without a doubt, they’re the keys to the kingdom,” said one former TAO employee, who spoke with Washington Post on the condition of anonymity to discuss sensitive internal operations. “The stuff you’re talking about would undermine the security of a lot of major government and corporate networks both here and abroad.”

Said a second former TAO hacker who saw the file: “From what I saw, there was no doubt in my mind that it was legitimate.

What’s clear is that these are highly sophisticated and authentic hacking tools,” said Oren Falkowitz, chief executive of Area 1 Security and another former TAO employee.

Faking this information would be monumentally difficult, there is just such a sheer volume of meaningful stuff,” Nicholas Weaver, a computer security researcher at the University of California at Berkeley, said in an interview with WashingtonPost. “Much of this code should never leave the NSA.

Tweeted Snowden: “Circumstantial evidence and conventional wisdom indicate Russian responsibility.” He said that the disclosure “is likely a warning that someone can prove U.S. responsibility for any attacks that originated from this” redirector or malware server by linking it to the NSA agency.

Talking to The Intercept, Johns Hopkins University cryptographer Matthew Green said:

“The danger of these exploits is that they can be used to target anyone who is using a vulnerable router. This is the equivalent of leaving lock picking tools lying around a high school cafeteria. It’s worse, in fact, because many of these exploits are not available through any other means, so they’re just now coming to the attention of the firewall and router manufacturers that need to fix them, as well as the customers that are vulnerable.”

So the risk is twofold: first, that the person or persons who stole this information might have used them against us. If this is indeed Russia, then one assumes that they probably have their own exploits, but there’s no need to give them any more. And now that the exploits have been released, we run the risk that ordinary criminals will use them against corporate targets.”

Security Researcher Mustafa Al-Bassam posted his detailed examination and works on the leaked tools on his personal web page.

On the other hand, the NSA agency did not respond to questions concerning Shadow Brokers, the Snowden documents, or its malware.

The dilemma of SECONDDATE

While the other offensive malware tools code-named such as POLARSNEEZE and ELIGIBLE BOMBSHELL are still being in assessment for their true purpose. SECONDDATE is the main focus because of its connectivity to the code-named TURBINE, the exploitation effort in 2014, and BADDECISION.

The leaked SECONDDATE, along with other malware tools, is a specialized malware program of NSA agency that aims to hijack and monitor the activities of millions of computers across the globe. Marking the history with the release of these full copies of NSA’s offensive malware tools shows the reality of systems outlined in the documents which Edward Snowden leaked.

SECONDDATE is a malicious tool to intercept web requests and redirects browsers to an NSA web server. That server then infects that computer with malware. That web server, referred to as FOXACID is previously mentioned in previously leaked documents of Snowden.

A section in a classified manual titled “FOXACID SOP for Operational Management,” a 31-page document draft mark, points out to that same string and describes tools for tracking the victims forwarded to FOXACID web server, including a tag system used to catalog servers along with different identifiers:

That same MSGID appeared in 14 different files of the ShadowBroker leak, including a filename titled “SecondDate-3021.exe”.

SECONDDATE and BADDECISION

The SECONDDATE existence fits in with the previously unpublished leaks of Edward Snowden that connect SECONDDATE with BADDECISION, which is a broader tool for infiltration.

In 2010 leaked documents was a PowerPoint presentation named “Introduction to BADDECISION,” in which a slide described that this tool is designed to send users of a wireless network, sometimes referred to as an 802.11 network, to FOXACID malware servers.

Further in these leaked files, an April 2013 presentation document cases boasting the application of SECONDDATE overseas: breaching “Pakistan’s National Telecommunications Corporation’s (NTC) VIP Division,” containing documents pertaining to “the backbone of Pakistan’s Green Line communications network” used by “civilian and military leadership.” and in Lebanon for infecting a Lebanese ISP to extract “100+ MB of Hizballah Unit 1800 data,” a special subset of the terrorist group dedicated to aiding Palestinian militants.

SECONDDATE is just one of the methods the NSA agency uses to get its target’s browser transferred to a FOXACID server. Other methods include sending spam to infect with bugs or web-based email links that lead to FOXACID server.

What Edward Snowden had to say?

While many think that the NSA agency is being hacked. But in the series of tweets he pointed out that the computers NSA agency headquarters uses to attack were compromised due to someone failing to clean up the system, leading to a hacker group seizing the opportunity.

Photo: Associated Press

Share this article

About the Author

Peter Buttler an Infosec Journalist and Tech Reporter, Member of IDG Network. In 2011, he completed Masters in Cybersecurity and technology. He worked for leading security and tech giants as Staff Writer. Currently, he contributes to a number of online publications, including The Next Web, CSO Online, Infosecurity Mag, SC Magazine, Tripwire, GlobalSign CSO Australia, etc. His favorite areas Online Privacy, AI, IoT, VR, Blockchain, Big Data, ML, Fintech, etc. You can follow him on twitter.

More from Peter Buttler

Related Posts