Senior Staff Writer

Hackers say leaked NSA tools came from contractor

Aug 19, 2016
Cybercrime, Data Breach, Security

Hacker's claims met with flat denials and skepticism by most of the security industry

On Friday, messages posted to Pastebin and Tumblr allege the recently leaked NSA files came from a contractor working a red team engagement for RedSeal, a company that offers a security analytics platform that can assess a given network’s resiliency to attack. In addition, the hackers claim the intention was to disclose the tools this year during DEF CON.

Salted Hash reached out to the press team at DEF CON, as well as RedSeal.

In a statement, RedSeal would only confirm they are an In-Q-Tel portfolio company. The company also denied any knowledge of red team assessments against their products by In-Q-Tel or contractors working with In-Q-Tel. Sources close to DEF CON also say the claims in the published letter aren’t real.

At this point, it’s best to take the claims posted to Pastebin and Tumblr with a grain of salt.

The note and subsequent blog post from “Brother Spartacus” and “13 Johns” says that an individual known as “Dark Lord” – reported to be a skilled hardware engineer – was working an In-Q-Tel contract to assess the security of RedSeal products.

This red team engagement used a C&C server as a staging point for the leaked NSA tools. When “Dark Lord” walked off the job, they did so with a copy of the tools that were placed on the C&C server.

Given how RedSeal products work, attacking routers and other network devices with the leaked NSA code makes sense if you want to prove that RedSeal will detect such incidents. The company has even used the Shadow Brokers incident as a means to promote itself this week.

However, there is a split between the claims on the blog and the Pastebin note. The blog claims the test was to harden RedSeal software, while the note says the test was aimed at RedSeal products. It isn’t clear how the leaked tools could be used to assess the RedSeal platform directly.

Moreover, the Pastebin post claims to be from DEF CON, and says the annual hacker gathering was approached in July with details surrounding the Shadow Brokers leak. The note says that “Brother Spartacus” approached DEF CON with details about the code theft, with the intention to disclose the incident during this year’s show.

“The individual self reported they had walked off an In-Q-Tel contract with RedSeal. They had took the Malware pack from a CNC server that was set-up to test RedSeal products. The individual was not well versed in software and could not point out any zero day threats. We decided to not push the person forward to public Defcon leaders. (sic)”

As mentioned, sources close to DEF CON deny this letter is legitimate. This was suspected early on due to the tone of the message, the description of “Brother Spartacus,” as well as the fact that DEF CON is misspelled. (Normal communications from DEF CON use the proper branding.)

At this point, it’s clear the Pastebin and Tumblr posts are some sort of hoax. However, there has been a lot of coverage of the Shadow Brokers leak this week, so this is just one more log on the fire.


On Wednesday, Motherboard published a story citing former NSA staffers who feel the leak didn’t happen because of a hack. Instead, they feel the incident is the work of a single individual with insider access. Those thoughts somewhat align with the claims posted on Friday, as a contractor would be considered an insider.

In addition, security researcher Mustafa Al-Bassam posted a solid examination of the leaked tools and what they do.

CSO Online has covered the incident extensively; an overview of the coverage is below:

Suspected spycraft, not hacktivism, swirls around alleged NSA hack

Cisco, Fortinet issue patches against NSA malware

Alleged NSA data dump contains hacking tools rarely seen

Shared code in Snowden leaks and NSA breach support hackers’ claims

The NSA’s hoard of cyber weapons makes some experts nervous

This story was updated after sources close to DEF CON denied the letter claiming to come from them was legitimate. Clarifications were made to make the point that the claims on Pastebin and Tumblr are false, and no longer just suspected as such.