Whistleblower Edward Snowden has suggested that the auction of Equation Group tools by a hitherto unknown hacking group is a coded warning from Russian intelligence to the US.
Equation Group is strongly linked with the National Security Agency (NSA). The tools were offered for sale in an iffy-looking auction that kicked off yesterday with an improbable one million bitcoin reserve price.
However, Snowden said in a series of tweets that the auction isn't intended to raise millions of dollars for the hackers behind the Shadow Brokers group, but to send a coded warning from Russian intelligence to the US government and the NSA.
The gist, according to Snowden, is that the US should stop pointing the finger of blame at Russia for the attacks on the US Democratic Party's organising group, the Democratic National Committee (DNC).
It has been strongly suggested, not least by the Democratic Party itself, keen to link motor-mouthed Republican Party presidential candidate Donald Trump with Russia, that Russian intelligence was behind the DNC attacks and subsequent leaks of embarrassing emails and other materials from the Democratic Party.
Snowden believes that the claims of the group are genuine, and that it does have NSA-linked tools used by the organisation. However, Snowden added that the auction is not intended to raise pots of cash, but simply to tell the NSA to back off, and that the NSA has probably already got the message, loud and clear.
Snowden described in a series of tweets how online espionage and counter-espionage by intelligence services works.
"The hack of an NSA malware staging server is not unprecedented, but the publication of the take is," he tweeted.
"The NSA traces and targets malware C2 servers in a practice called Counter Computer Network Exploitation, or CCNE. So do our rivals. NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations.
"This is how we steal their rivals' hacking tools and reverse-engineer them to create 'fingerprints' to help us detect them in the future.
"Here's where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us - and occasionally succeed. Knowing this, NSA's hackers (TAO) are told not to leave their hack tools ('binaries') on the server after an op. But people get lazy.
"What's new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is. Why did they do it? No-one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack."
Snowden suggested that the security services of his current host, Russia, are behind it.
"Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here's why that is significant: this leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server," he said.
"That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies [and] particularly if any of those operations targeted elections. Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.
"TL;DR: This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast.
"Bonus: when I came forward, NSA would have migrated offensive operations to new servers as a precaution - it's cheap and easy. So? So the undetected hacker squatting on this NSA server lost access in June 2013. Rare public data point on the positive results of the leak."
He signed off on the series of tweets: "You're welcome, @NSAGov. Lots of love."