It begins with a clandestine online group known as The Shadow Brokers. There is no evidence that it existed before last Saturday, when a Twitter account in its name tweeted at a handful of leading global news organisations with an unusual announcement: it was conducting a $500m auction of cyber weapons.
In a show of faith, the group put a selection of its wares — a 4,000-file, 250MB trove — on public display. Security analysts have been racing to go through the list but it is already clear that at least some of what has been revealed so far is real.
What is most remarkable, though, is the likely former owner of the Shadow Brokers’ cyber bounty: an outfit known as the Equation Group. Equation is an elite hacking unit of the US National Security Agency. The Shadow Brokers claim that the stolen goods are sophisticated cyber weapons used by the NSA.
The Shadow Brokers’ motivations are not entirely clear. “If this was someone who was financially motivated, this is not what you would do,” says Orla Cox, director of security response at Symantec, a leading cyber security company. Cyber weapons are typically sold over the dark web, notes Ms Cox, or they are used by hackers who want to remain anonymous. They certainly are not advertised to news outlets. And even the best are not priced in $500m bundles.
“It’s a false flag. This isn’t about money. It’s a PR exercise,” she says.
According to three cyber security companies that declined to be identified, the Shadow Brokers is mostly likely run by Russian intelligence. “There is no digital smoking gun,” said one analyst.
But the circumstantial evidence is compelling, analysts say. And the list of other potential nation-state actors with the capability, wherewithal and motive is short.
“The fact that the Shadow Brokers did not exist before, appeared at this time and are using intelligence that has been saved up until now suggests this is all part of some deliberate, targeted operation, put together for a particular purpose,” says Ewan Lawson, a former cyber warfare officer in the UK’s Joint Forces Command and now senior research fellow at RUSI, the think-tank.
“That purpose looks like it is to highlight perceived US hypocrisy.” Russia, he says, is the obvious perpetrator.
Two senior western intelligence officials say their assessment was evolving but similar: the Shadow Brokers’ stunt grew out of Russia’s desire to strike back at the US following accusations that Russian intelligence was behind the hack into the Democratic National Committee’s servers. That intrusion, and the subsequent leak of embarrassing emails, has been interpreted by some as an attempt by Russia to interfere with the US presidential election.
The US has yet to respond officially to that hack, even though they know it to be Russia, according to this narrative.
Now, with a piece of Le Carré-esque public signalling between spymasters, Russia’s Shadow Brokers gambit has made any such response greatly more complex, the officials suggest.
The US and its allies, of course, are hardly innocent of hacking. Regin, a piece of malware used to crack into telecoms networks, hotels and businesses from Belgium to Saudi Arabia — though mainly Russia — is a tool used by the US and the UK, while the Equation Group is among the most virulent and sophisticated hacking operations around.
If the warning to Washington was not being telegraphed clearly enough by Moscow, Edward Snowden, the NSA contractor-turned-whistleblower now living in Russia, spelt it out.
“Circumstantial evidence and conventional wisdom indicates Russian responsibility,” he wrote in a tweet to his 2.3m followers. “This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast,” he said in another.
In the US intelligence community the assumption is that, at the very least, Mr Snowden is an unwitting agent of Russian intelligence, if not a tool of it. “It’s all part of the signalling,” says one intelligence official.
“The Russians have had the initiative in this whole thing starting from even before the DNC break-in,” says Jim Lewis, director of strategic technologies at the CSIS think-tank and a former US state department official. “They have the place of honour when it comes to threats to the US in cyber space right now. They’ve accelerated — they’re much less risk averse and they’re much more aggressive.”
“Attributing” cyber attacks — or identifying their source — is a thorny issue.
For cyber super powers, insiders say, it is rarely technical limitations that prevent governments from castigating attackers. The problem, an age-old one for spycraft, is that in disclosing what they know, officials may give away how they got it.
For agencies like the NSA and UK’s GCHQ there is a deeply ingrained culture of secrecy surrounding their cyber surveillance work that stretches back to the origins of signals intelligence during the second world war. US intelligence knew very quickly that the Chinese were behind the hack of the Office of Personnel Management, announced in June last year, which targeted the records of millions of Americans. But it took time to decide what the appropriate response should be and what kind of effect they wanted from it.
Outside the inner circles of the spy world, there is a growing sense that more public attribution is needed to try and put the brakes on a cyber cold war that is spiralling out of control.
“Up to now there has been a degree of approaching cyber defence one day at a time,” says RUSI’s Mr Lawson. “But now it’s reached a momentum where people are starting to say we need to start calling people out, making more of an issue about these attacks, because otherwise, how are we ever going to establish any sort of global norms about it,”
Publicly identifying attackers can be powerful. Chinese activity against US companies decreased markedly after US authorities publicly indicted five senior Chinese military officials last year, proving to Beijing that they knew exactly what its hackers were up to — and would respond even more harshly if they continued. But the power of attribution also depends on the adversary. Unlike China, Russia does not depend economically on the US.
The Kremlin’s hackers are also far stealthier. A particular trend in Russia’s hacking operations in the past 18 months, says a senior British cyber security official, has been towards such “false flagging”, where attacks are hidden behind proxies. The official points to an attack on the French broadcaster TV5Monde in April last year. The website was defaced with pro-Isis imagery, but it was the Russians who were responsible, he says.
Russia has become much more aggressive in blurring other boundaries too: their cyber operations do not just exfiltrate information, they also sometimes weaponise it. Outright acts of destruction are on the table, too, as was the case when Russia took down the Ukrainian power grid in January.
If the tools are new, the techniques may not be. Philip Agee, a former CIA agent, sprang to prominence in the 1970s for publishing a series of salacious books and pamphlets claiming to expose the activities and agents of his former paymasters. He said he was a whistleblower and became a feted figure of the left in the west.
But in reality he was carefully directed by the KGB, the Soviet spy agency. Under the Russians’ guidance, his output blended genuine US intelligence leaks with outright disinformation concocted by Moscow to suit its own ends. Hundreds of CIA agents were exposed by his activities.
The KGB’s use of Agee was both an act of disruption and one of manipulation. It boxed in the CIA and affected their decision-making. Moscow ensured genuine agents’ names were publicised at times to suit their ends.
The Shadow Brokers may be the same trick adapted to the 21st century.
Both are textbook examples of what Soviet strategists called reflexive control — a concept that has become resurgent in Russian military planning today. Reflexive control is the practice of shaping an adversary’s perceptions. A state might convince an opponent not to retaliate for interfering in an election, for example, by raising the possibility of releasing information about its own
“These are old tactics,” says CSIS’ Mr Lewis. “The Russians have always been better at this kind of thing than us. But now, they’re just able to wield them so much more effectively. They have taken tremendous advantage of the internet. Information is a weapon.”