Hackers say leaked NSA tools came from contractor

On Friday, messages posted to Pastebin and Tumblr allege the recently leaked NSA files came from a contractor working a red team engagement for RedSeal, a company that offers a security analytics platform that can assess a given network’s resiliency to attack. In addition, the hackers claim the intention was to disclose the tools this year during DEF CON.

Salted Hash reached out to the press team at DEF CON, as well as RedSeal.

In a statement, RedSeal would only confirm they are an In-Q-Tel portfolio company. The company also denied any knowledge of red team assessments against their products by In-Q-Tel or contractors working with In-Q-Tel. Sources close to DEF CON also say the claims in the published letter aren’t real.

At this point, it’s best to take the claims posted to Pastebin and Tumblr with a grain of salt.

The note and subsequent blog post from “Brother Spartacus” and “13 Johns” says that an individual known as “Dark Lord” – reported to be a skilled hardware engineer – was working an In-Q-Tel contract to assess the security of RedSeal products.

This red team engagement used a C&C server as a staging point for the leaked NSA tools. When “Dark Lord” walked off the job, they did so with a copy of the tools that were placed on the C&C server.

Given how RedSeal products work, attacking routers and other network devices with the leaked NSA code makes sense if you’re wanted to prove the RedSeal will detect such incidents. The company has even used the Shadow Broker incident as a means to promote themselves this week.

However, there is a split between the claims on the blog and the Pastebin note. The blog claims the test was to harden RedSeal software, while the note says the test was aimed at RedSeal products. It isn’t clear how the leaked tools could be used to assess the RedSeal platform directly.

Moreover, the Pastebin post claims to be from DEF CON, and says the annual hacker gathering was approached in July with details surrounding the Shadow Brokers leak. The note says that “Brother Spartacus” approached DEF CON with details about the code theft, with the intention to disclose the incident during this year’s show.

“The individual self reported they had walked off an In-Q-Tel contract with RedSeal. They had took the Malware pack from a CNC server that was set-up to test RedSeal products. The individual was not well versed in software and could not point out any zero day threats. We decided to not push the person forward to public Defcon leaders. (sic)”

As mentioned, sources close to DEF CON deny this letter is legitimate. This was suspected early on due to the tone of the message, the description of “Brother Spartacus,” as well as the fact that DEF CON is misspelled. (Normal communications from DEF CON use the proper branding.)

At this point, it’s clear the Pastebin and Tumblr posts are some sort of hoax. However, there has been a lot of coverage of the Shadow Brokers leak this week, so this is just one more log on the fire.

Recap:

On Wednesday, Motherboard published a story citing former NSA staffers who feel the leak didn’t happen because of a hack. Instead, they feel the incident is the work of a single individual with insider access. Those thoughts somewhat align with the claims posted on Friday, as a contractor would be considered an insider.

In addition, security researcher Mustafa Al-Bassam posted a solid examination of the leaked tools and what they do.

CSO Online has covered the incident extensively, an overview of the coverage is below:

Suspected spycraft, not hacktivism, swirls around alleged NSA hack

• Not even the National Security Agency is immune to carelessness, according to noted leaker Edward Snowden. The agency’s operatives can get lazy, and sometimes they leave behind files inside the servers they’ve hacked.

Cisco, Fortinet issue patches against NSA malware

• Both companies have issued fixes to address exploits that were posted online and after they found the exploits represent real threats to some of their products, including versions of Cisco’s popular PIX and ASA firewalls and versions of Fortinet’s signature Fortigate firewalls.

Alleged NSA data dump contain hacking tools rarely seen

• A stolen cache of files that may belong to the National Security Agency contains genuine hacking tools that not only work, but show a level of sophistication rarely seen, according to security researchers.

Shared code in Snowden leaks and NSA breach support hackers’ claims

• Documents leaked by former National Security Agency contractor Edward Snowden share a malware tracking code with several files released this week by hacking group Shadow Brokers, according to a news report.

The NSA’s hoard of cyber weapons makes some experts nervous

• The disclosure this week of a cache of files supposedly stolen from the National Security Agency has put a spotlight on secret cyber weapons the NSA has been holding — and whether they should be disclosed.

This story was updated after sources close to DEF CON denied the letter claiming to come from them was legitimate. Clarifications were made to make the point that the claims on Pastebin and Tumblr are false, and no longer just suspected as such.