Shadow Brokers leak links NSA to alleged US-Israeli Stuxnet malware that targeted Iran
Malware that caused substantial damage to Iran’s nuclear program may be the work of the NSA, researchers examining the latest leak from hacking group Shadow Brokers have discovered.
A tool found in Friday’s leak matched one used by the notorious Stuxnet malware.
First detected in 2010, Stuxnet is believed to be the joint work of the US and Israel, a claim that Edward Snowden backed up in a 2013 interview but which has never been acknowledged by either government.
Designed to target industrial control systems used in infrastructure facilities, Stuxnet modifies data on the controller software, affecting the systems’ automated processes.
Computer code found in last week’s leak from Shadow Brokers, alleged to have been stolen from the NSA, was also found to match that used in Stuxnet.
Officials, who spoke on condition of anonymity to The Washington Post, said in 2012 that the worm, developed under George W. Bush’s administration and continued under Barack Obama’s, was designed to damage Iran’s nuclear capabilities.
When it infected Iran’s nuclear facility in Natanz, it reportedly destroyed a fifth of the facility’s centrifuges after causing them to spin out of control, all the while relaying readings to technicians at the plant indicating that operations were normal.
"There is a strong connection between Stuxnet and the Shadow Brokers dump," Symantec researcher Liam O'Murchu told Motherboard. "But not enough to definitively prove a connection."
A definite link will be almost impossible to prove, as Stuxnet’s script was later copied and used in an open-source hacking toolkit, allowing it to be replicated numerous times online.
However, O'Murchu said the script found in Friday’s leak was last compiled on September 9, 2010 - three months after Stuxnet was first identified and shortly before it was added to the hacking toolkit.
Also contained in the leak was ASCII art of a medal with the words “Won the gold medal!!!” above it. Stuxnet was reportedly given the codename “Olympic Games.”
Security architect Kevin Beaumont tweeted the results of an antivirus check on the Shadow Brokers exploits leaked on Friday, which reported that it had detected Stuxnet.
First submission, first detection - EasyPi exploit gets detected as Stuxnet by a vendor. pic.twitter.com/xcJX5QNkGG — Kevin Beaumont (@GossiTheDog) April 14, 2017
The latest evidence against the NSA was contained in Friday’s leak from Shadow Brokers, which also detailed hacks aimed at Windows PCs and the SWIFT network, used to process payment orders.