A Russian intelligence agency, after hacking NSA servers and stealing espionage tools and exploits, posts on reddit to expose the hack and get attention.

15  2016-11-03 by flipkt

The Russian intelligence agency team calls itself The Shadow Brokers and has evidently hacked NSA's Equation Group staging servers and stolen some exploits and espionage tools in 2013. Now they want attention.

Background

Authenticity of the leaks:

2 months back, The Shadow Brokers claimed to have hacked the Equation Group and set up an auction for the stolen package for about a million dollars in bitcoins (this was misreported everywhere as 1 million bitcoins). They posted in a now deleted tumblr page (retrieved from archive.org, note the PGP keys) and twitter releasing a few files for free to confirm the authenticity, and they've been confirmed as authentic.

On Monday, a hacking group calling itself the “ShadowBrokers” announced an auction for what it claimed were “cyber weapons” made by the NSA. Based on never-before-published documents provided by the whistleblower Edward Snowden, The Intercept can confirm that the arsenal contains authentic NSA software, part of a powerful constellation of tools used to covertly infect computers worldwide.

The evidence that ties the ShadowBrokers dump to the NSA comes in an agency manual for implanting malware, classified top secret, provided by Snowden, and not previously available to the public. The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string, “ace02468bdf13579.” That exact same string appears throughout the ShadowBrokers leak in code associated with the same program, SECONDDATE.

SECONDDATE is a tool designed to intercept web requests and redirect browsers on target computers to an NSA web server. That server, in turn, is designed to infect them with malware.

SECONDDATE plays a specialized role inside a complex global system built by the U.S. government to infect and monitor what one document estimated to be millions of computers around the world. Its release by ShadowBrokers, alongside dozens of other malicious tools, marks the first time any full copies of the NSA’s offensive software have been available to the public, providing a glimpse at how an elaborate system outlined in the Snowden documents looks when deployed in the real world, as well as concrete evidence that NSA hackers don’t always have the last word when it comes to computer exploitation.

Links to a Russian intelligence agency:

The only source for the links is Snowden and he makes a compelling claim. Shortly after the initial leaks were confirmed to be authentic, Snowden tweeted out the links between The Shadow Brokers and Russian intelligence, and this was reported extensively elsewhere.

"Why did they do it?" Snowden asked. "No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack."

The hackers could be advertising that they have the ability to identify actions the NSA took on the compromised server, Snowden suggests — a warning of sorts.

Snowden also noted that the released files end in 2013. "When I came forward, NSA would have migrated offensive operations to new servers as a precaution," he suggested — a move that would have cut off the hackers' access to the server.

As for who is responsible for acquiring and leaking the code on the Shadow Brokers' site, Snowden says "circumstantial evidence and conventional wisdom" suggest Russia.

King's College London cybersecurity expert Thomas Rid tells NPR's Mary Louise Kelly the same thing. There's no hard proof, he says, but the capabilities required and the timing of the release suggest Russia. That's all circumstantial, but "more than speculation," as he puts it.

Reddit activity

2 months ago, about the time the initial leaks started, someone registered the Reddit account /u/theshadowbrokers and has been trying to get the word out about the leaks on reddit. I'll get this out of the way now, there's absolutely no proof that this is a troll account. Everything they've posted is about them trying to get attention to the fact that they've hacked the NSA and that they have the state-sponsored-level espionage tools that have been verified by reliable sources and people in the know. The timings of the leaks match the posting times so far for the purpose of this post.

The language they use is off in many ways and can be explained by people in the know using deliberately misleading language to obfuscate and shield themselves against the advanced natural language processing and stylometry tools that state-sponsored intelligence agencies use to identify people based on their writing style.

The account posted on r/databreaches, r/hacking and r/bitcoin linking to imgur, a now deleted pastebin (retrieved from archive.org) and a github link with the leaked free sample files (retrieved from archive.org).

About a month ago, in their Message #3, The Shadow Brokers posted a self-AMA of sorts clarifying misunderstandings and what they really want. Among them was the explanation for the ridiculous misrepresentation of their demand of a million dollars in bitcoins as a million bitcoins. The users seemed more receptive this time and asked for more proof, demos and escrow for the bitcoin demands.

Between leaks and 19 days ago, they posted the "Bill Clinton / Lorretta Lynch Airplane Conversation leaks", which is a "sexually explicit fanfic of Bill Clinton and US Attorney General Loretta Lynch" in /r/darknetmarkets. It is worth a read tbh.

Now, for Halloween, they've released more files to spook the NSA. The latest leaks were posted on r/darknetmarkets like before, but with only 3 replies, by possible RC and oxycodone addicts looking for darknet deals to score their next fix, to something that has huge implications for the US intelligence community. This post didn't go unnoticed, however; it was picked up by mainstream sites -- Hacker collective The Shadow Brokers strike again with more NSA leaks.

17 comments