How the NSA Leaks Happened

For the past week, rumors have been flying about an alleged cyberattack against servers containing information closely associated with the US National Security Agency. A group calling itself “ShadowBrokers” announced on Monday that it would be auctioning off “cyber weapons” claimed to be created by the NSA, and since then security experts and public officials have been struggling to get a grasp on the details behind this unexpected turn of events.

The ShadowBrokers group offered chunks of code as a way of verifying their possession of real NSA malware, leading many cybersecurity experts and former NSA employees to believe that the hackers truly possess coveted US government secrets. That said, the matter remains unconfirmed by US political higher ups, as do allegations regarding who is responsible for the attack (some say Russian state-sponsored hackers are behind this, others maintain that only a rogue NSA insider could have leaked the malicious software).

snowdenNew, never-before-published documents provided by exiled American whistleblower and ex-NSA employee Edward Snowden seem to back up the hackers’ claims to auctioning real NSA malware. According to Snowden’s most recent leak, NSA operators were instructed in their employee manuals to track their use of a particular malware program , SECONDDATE, using the 16-character string “ace02468bdf13579.” That particular string repeats numerous times throughout the sample code of SECONDDATE provided by the ShadowBrokers.

Not only is the successful hack embarrassing, but the US state-sponsored snooping that the malware reveals is despicable. SECONDDATE plays a role in a larger global system of cyber spying built by the United States government that is thought to have already infected and be monitoring millions of computers all around the world. The release of the coding behind SECONDDATE constitutes the first time ever that full copies of the NSA’s spying software have been made available to the public eye.

And as John Hopkins University cryptographer Matthew Green explains, this malicious software’s existence should be seen as threatening not only to global governments but to American citizens themselves:

“The danger of these exploits is that they can be used to target anyone who is using a vulnerable router. This is the equivalent of leaving lockpicking tools lying around a high school cafeteria. It’s worse, in fact, because many of these exploits are not available through any other means, so they’re just not coming to the attention of the firewall and router manufacturers that need to fix them, as well as the customers that are vulnerable,” he stated.

nsa“So the risk is twofold: first, that the person or persons who stole this information might have used them against us. If this is indeed Russia, then one assumes that they probably have their own exploits, but there’s no need to give them any more,” he continued. “And now that the exploits have been released, we run the risk that ordinary criminals will use them against corporate targets.”

So how does SECONDDATE actually work? According to experts, SECONDDATE was designed with the intention of making it possible for web requests and redirect browsers on target computers to be intercepted and logged on an NSA web server. That server then infects the targeted computers with more malware, enabling for further snooping.

Media outlets have known about SECONDDATE since it was leaked back in 2014; at the time it was widely believed that the software was part of a more global computer exploitation initiative code-named TURBINE. Another malware server called FOXACID was associated with TURBINE and described in the Snowden documents.

The NSA has yet to release a statement regarding ShadowBrokers, the Snowden documents that cement the existence of the hack, or the malware that was stolen.