WASHINGTON – Analysis of the cyber weapons that hackers say they extracted from the top secret National Security Agency has left a key team of outside experts increasingly certain that the files came from the NSA.

The Russia-based Kaspersky Lab, which has been at the forefront of research into NSA techniques, said it found 347 instances of encryption algorithms in the leaked files that have been seen previously only in NSA-linked computer programming.

A successful hack of the NSA — if that's what happened — would mark a major defeat for one of the crown jewels of the U.S. government's defense establishment. The NSA's hacking unit has been credited with sophisticated cyber weapons, including the code said to have crippled the Iranian nuclear program.

A mysterious group calling itself the Shadow Brokers announced last weekend that it had penetrated the NSA, stolen sophisticated cyber weapons and digital tools, and opened a global auction for the sale of the most valuable ones, which remain secret.

The group released 300 megabytes of files to the public for free, and cyber security companies and hackers rushed to examine the code in the files, which included malware that would allow a controller to get past the most secure of firewalls.

Dave Aitel, a former NSA computer scientist who is chief executive of Immunity Inc., a penetration testing company in Miami Beach, said he found Kaspersky Lab's assessment credible.

"They are very Russian, but when it comes to outing an American tool kit, they are reliable," said Aitel.

In a blog post Tuesday, Kaspersky's team said the group "cannot surmise the attacker's identity or motivation nor where or how this pilfered trove came to be."

But the team said it had taken a look at the "functional capabilities" of the files released by Shadow Brokers and determined that "several hundred tools from the leak share a strong connection" with previous tools linked to the NSA's elite hacking unit, Tailored Access Operations, which Kaspersky calls the Equation Group.

That unit came to light in 2013 when Edward Snowden, the former CIA employee and NSA contractor, leaked thousands of documents revealing that the U.S. government spied on dozens of foreign leaders, tapped into fiber optic cables and cracked encryption codes. The NSA hacker team designs the algorithms and malware to monitor digital traffic, penetrate computers and activate anything connected to the internet.

The Kaspersky blog said that the leaked cyber tools use two encryption algorithms, called RC5 and RC6, that employ specific setup routines, and in some variants have "only been seen before with Equation Group malware."

"Comparing the older, known Equation RC6 code and the code used in most of the binaries from the new leak, we observe that they are functionally identical and share rare specific traits," the blog said, adding that it has "a high degree of confidence" that the leaked malware comes from the NSA.