Was an insider behind the NSA hack?

Linguistic analysis casts doubt on "Russian hacker" claims

The perpetrator of the Shadow Brokers breach at the NSA may in fact by an English-speaking insider at the American agency, rather than a Russian hacker collective, as first presumed.

Earlier this month, attackers revealed they had managed to gain access to cyber weapons from the Equation Group, widely thought to be the NSA's own state hacking collective. They circulated 300 files online detailing zero-day exploits - several of which have been confirmed as genuine - and auctioned off a second, encrypted cache to the highest bidder.

Advertisement - Article continues below

It was initially theorised that the hackers were foreign operatives with the most popular theory being that they were Russian. This was spurred on by the fact that the Pastebin post from the perpetrators was in broken English.

However, linguistic analysis by Shlomo Aragon, professor of Computer Science and director of the Linguistic Cognition Laboratory at the Illinois Institute of Technology (IIT) suggested that the author of the post is actually a native English-speaker trying to disguise the fact they are anglophone.

"The texts contain a variety of different grammatical errors that are not usual in the English of US native speakers," writes Aragon in a post on Taia Global. These include the omission of definite and indefinite articles ("a" and "the"), the omission of infinitive "to" (e.g., "I want get" instead of "I want to get") and confusion of tenses.

Advertisement
Advertisement - Article continues below

However, he points out that, while there are grammatical errors, there are no spelling errors, irrespective of how complex the word is. Additionally, the grammatical errors are inconsistent and the author uses plenty of idioms, even though they do contain mistakes in grammar. This has let Aragon to the conclusion that "the author is most likely a native speaker of US English who is attempting to sound like a non-native speaker by inserting a variety of random grammatical errors".

Advertisement - Article continues below

Separately, others have come to the conclusion that the perpetrator is an NSA insider.

Cyber security professional and white hat hacker Matt Suiche said in a post on Medium that a former NSA analyst had come to him with this theory, speaking on the condition of anonymity.

After discussions with this source, several points were put forward suggesting the "hackers" were in fact a single person working from within the NSA. These include the fact that the name ShadowBrokers originally comes from the computer game Mass Effect, and that the NSA Tailored Access Operations (TAO) group, where the cyber weapons stolen are thought to come from, apparently has a "big gaming culture"

Also, the depository containing the NSA TAO toolkit is reportedly stored on a separate network that is not connected to the internet at all (which would impede someone trying to hack from the outside).

The "TAO Team had severe concerns about how easy it was to just walk out with the data on a USB drive" and a native English-speaker could easily fake broken English to make themselves sound Russian (although Suiche does not go into as much detail as Aragon in terms of analysis).

However, Suiche does concede "this is only a possible scenario" and "the discussion is open".

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement

Recommended

Visit/security/phishing/355810/zloader-malware-returns-as-a-coronavirus-phishing-scam
phishing

ZLoader malware returns as a coronavirus phishing scam

27 May 2020
Visit/security/hacking/355806/anarchygrabber-hack-steals-discord-tokens-ids-and-passwords
hacking

AnarchyGrabber hack steals Discord tokens, IDs and passwords

27 May 2020
Visit/security/hacking/355801/scammers-using-coronavirus-contact-tracing-in-hacking-attempt
hacking

Scammers leverage contact-tracing in hacking attempt

27 May 2020
Visit/security/phishing/355793/gitlab-phishes-its-remote-employees-and-1-in-5-fell-for-it
phishing

GitLab phished its employees and 20% handed over credentials

26 May 2020

Most Popular

Visit/infrastructure/server-storage/355785/dell-emc-poweredge-r7525-review-an-epyc-core-density-to-make
Server & storage

Dell EMC PowerEdge R7525 review: An EPYC core density to make Intel weep

26 May 2020
Visit/infrastructure/network-internet/355792/intel-releases-wi-fi-and-bluetooth-driver-updates-for
Network & Internet

Intel releases Wi-Fi and Bluetooth driver updates for Windows 10

26 May 2020
Visit/operating-systems/microsoft-windows/355781/microsoft-confirms-further-issues-with-troublesome
Microsoft Windows

Microsoft's latest Windows 10 update is causing yet more issues

26 May 2020