The New Shadow Brokers Leak Connects the NSA to the Stuxnet Cyber Weapon Used on Iran

Lorenzo Franceschi-Bicchierai
Motherboard

Researchers have found a hidden gem inside the treasure trove of the new alleged NSA hacking tools dumped by the Shadow Brokers.

The mysterious hacking group known as Shadow Brokers came back on Friday to drop its most explosive—and damaging—dump yet, a collection of alleged hacking tools for Microsoft Windows computers.

Buried among this new treasure trove, there are several mentions of previously disclosed NSA top secret programs and software such as “STRAITBIZARRE,” used to control implants remotely, and “JEEPFLEA,” a project to hack the money transferring system SWIFT. These provide yet another hint that these are indeed tools stolen from the NSA’s elite hacking team.

Perhaps more surprisingly, the dump also included one tool that was used in the famous Stuxnet worm, arguably the world’s first digital weapon, used to hit an Iranian nuclear power facility and damage its centrifuges to slow down the country’s nuclear weapons program.

The tool that appears to link the new dump and the famous digital weapon is an exploit for Windows’ MOF files, which appears to be “almost the exact same script” used in Stuxnet, according to Liam O’Murchu, a researcher at Symantec who’s thoroughly analyzed the worm.

“There is a strong connection between Stuxnet and the Shadow Brokers dump,” O’Murchu told Motherboard in an email. “But not enough to definitively prove a connection.”

O’Murchu explained that the connection is strong, but not definitive, because the common script, originally discovered in Stuxnet, was later reverse engineered and added by researchers to Metasploit, a popular open source hacking toolkit. This means anyone using Metasploit can create a MOF file that looks exactly like the one Stuxnet used. But, O’Murchu added, the MOF file creation tool dumped by the Shadow Brokers on Friday was last compiled on September 9, 2010, three months after Stuxnet was first detected, and “shortly before the code was added to Metasploit,” according to O’Murchu.

Here’s a portion of the script from Stuxnet.

And here’s a portion of the script dumped by The Shadow Brokers on Friday.

Other researchers also noticed some apparent links to Stuxnet, both the MOF exploit, as well as a less obvious reference such as a ASCII art inside a dumped tool with a “WON THE GOLD MEDAL” writing. The top secret codename for Stuxnet’s operation was reportedlyOlympic Games.”

Also, strangely, other exploits dropped by the Shadow Brokers on Friday get detected as Stuxnet by the antivirus program Avast, according to Virus Total, an online malware repository.

While this could be a false positive, according to Joxean Koret, a security researcher with experience analyzing antivirus software, “it’s too curious of a false positive.”

The US government has never officially acknowledged that Stuxnet was created and launched by the NSA, allegedly with help from Israeli government hackers, as reports have suggested. But that’s almost an open secret at this point. The Shadow Brokers have long claimed that the tools they release are from the “Equation Group,” the name of a government hacking group outed by Kaspersky Lab in 2015, which is widely believed to be the NSA.

Therefore, the Stuxnet MOF file creation tool that the Shadow Brokers dropped on Friday is possibly the earliest technical evidence that NSA hackers and developers coded Stuxnet, as many suspect.

Of course, it’s also possible that whatever group The Shadow Brokers have exposed simply gained access to the Stuxnet tools secondhand, and reused them.

But given that the Equation Group was already widely believed to be the NSA, and the NSA was already previously reported to be involved in the development and deployment of Stuxnet, this is yet another breadcrumb, perhaps the first one found in code, pointing toward NSA hackers as having developed Stuxnet.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s