Some of the National Security Agency’s most powerful and top-secret hacking tools appear to have been posted online in recent days, raising alarms among American security experts that the supposedly impenetrable spy agency has itself been hacked and its potent cyberespionage capabilities made publicly available.
Security experts and former National Security Agency officials also believe that material posted online – essentially a cyber version of a burglar’s bag of breaking and entering tools – is somehow connected to an unprecedented and ongoing campaign by Russia to meddle in U.S. affairs, including the presidential election.
One of those experts is Edward Snowden, the former NSA contractor who has been hiding out in Russia after stealing a vast trove of his former employer’s most classified data and leaking it to journalists back in 2013.
“Circumstantial evidence and conventional wisdom indicates Russian responsibility,” Snowden said in a long statement posted online in a series of tweets.
Despite all the destructiveness caused by Snowden’s leaks, which revealed widespread spying by the NSA both internationally and domestically, no actual computer code was revealed publicly that could be used by hackers, cybersecurity experts told NBC News.
But last weekend, a hacker group calling itself the Shadow Brokers posted online a large cache of computer code that it claims to have stolen from the Equation Group, another mysterious hacker crew that many cybersecurity experts believe actually belongs to the NSA and its top-secret Tailored Access Operations program. Some cybersecurity experts say that like Snowden, they suspect the Shadow Brokers are working for Russia, in part due to the timing of the weekend posting, but that such links are usually impossible to prove because the groups cover their tracks well.
In clumsily worded English, the Shadow Brokers also boasted online that they were saving their best stolen material for a public auction, to be sold to the highest bidder.
Since then, many cybersecurity experts – including some former NSA officials – have come to believe the material posted by the Shadow Brokers is indeed “exploits” and other specially constructed pieces of malware created by the NSA to break into the computers and communications devices of governments like Iran and China, as well as companies and individuals, and to either steal or manipulate the data they contain.
Snowden, the self-described superhacker spy, took to Twitter on Tuesday to say he thinks the public posting of what he described as NSA cybertools may be part of a broader influence operation by Russia.
The U.S. intelligence community believes Russia is behind numerous hacks of entities and people associated with the Democratic Party over the past year, and federal authorities are investigating them and the subsequent release of information via WikiLeaks and other outlets. Many U.S. officials believe those hacks are part of an effort by Russian President Vladimir Putin to help his favored candidate, Republican Donald Trump, and hinder his Democratic rival, Hillary Clinton.
But so far, the Obama administration hasn’t formally accused Russia or taken steps to publicly confront it or issue sanctions. And Snowden speculated that Russia may be using the weekend disclosures to warn the White House against taking such actions.
In one tweet, Snowden noted that the “undetected hacker squatting on this NSA server lost access in June 2013,” suggesting the hackers have been sitting on the material for three years.
“Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack,” Snowden tweeted. He also said the weekend postings “may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks. … This leak looks like a somebody [sic] sending a message that an escalation in the attribution game could get messy fast.”
The NSA leaker also said any U.S. action against Russia could result in the public disclosure of embarrassing information about cyber-operations of its own: “Here's why that is significant,” Snowden said. “This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server.”
Such a disclosure could have huge foreign policy consequences, Snowden said, especially if it shows that NSA hackers were targeting U.S. allies. “Particularly if any of those operations targeted elections,” he said.
The NSA did not respond to requests for comment, but when asked if the agency had been hacked, one NSA official told NBC News: “I don’t have anything for you on that.”
NSA expert James Bamford said the hack appeared to be significant, but he cautioned against pointing the finger at Russia, especially the government, given how many different groups of hackers routinely target NSA servers.
“There are so many unknowns here, and a lot of people in the hacking community don’t think this is the Russian government,” said Bamford, the author of three books about the NSA who has also visited Snowden in Russia and interviewed him there.
“I don’t know how Snowden would have any idea who did this, sitting there in an apartment in Moscow,” Bamford said. “Even the NSA probably doesn’t know who did this.”
In recent days, other security experts also have come to believe that the computer code comes from the NSA and that Russia is behind its theft and release.
Former NSA general counsel Stewart Baker told NBC News that “there is a lot of consensus among technical experts” that the cybertools were indeed stolen from the NSA, most likely from an external command and control server created to launch hacking operations that couldn’t be traced back to the U.S.
“The more disastrous and less likely scenario is that someone has hacked U.S. infrastructure and extracted large files,” said Baker, a prominent international cybersecurity lawyer.
Either way, the weekend postings are cause for dismay, Baker said, noting that “the assumption that it is Russian intelligence is a good first estimate, as it’s one of a half dozen leaks of information directly hostile to the U.S. government and U.S. institutions.”
“It shows how very sophisticated the spy-vs-spy game in cyberspace has become,” he said. “What we are now seeing is an example of one spy agency trying to compromise the infrastructure of another spy agency and how it is happening at an almost unfathomably sophisticated level.”