Group called Shadow Brokers says it infiltrated NSA's elite Equation Group and teases files, including some named in documents leaked by Edward Snowden

A mysterious online group called the Shadow Brokers claims to have infiltrated an elite hacking unit linked to the National Security Agency and stolen state cyber weapons, and is now auctioning them off to the highest bidder.

The stolen malware is said to belong to Equation Group, a sophisticated hacking squad believed to be operated by the NSA. So far, the Shadow Brokers have released only a few taster files and images of the cache, but security researchers said they appear to be legitimate.

The leak, announced in broken English by the group in a series of posts on Twitter, Tumblr, Pastebin and Github, was accompanied by claims that the group was in possession of state-sponsored cyber weapons.

"We auction best files to highest bidder. Auction files better than Stuxnet," said the group, referring to the sophisticated digital weapon, believed to be funded by the US and Israel, that sabotaged Iran's nuclear programme. The hackers are asking for a whopping 1m bitcoins, which is around $580m, to release the best files.

The files and pictures of the cache that were offered for free as proof include filenames that correspond to those mentioned in documents leaked by whistleblower Edward Snowden, including BANANAGLEE, JETPLOW and EPICBANANA. There are also a number of hacking tools for penetrating network gear, including routers and firewalls made by major companies like Cisco and Juniper: spy tools that the NSA is already known to use.

Evidence of the NSA hack, as released by mysterious group the Shadow Brokers. Photo: The Shadow Brokers

"These files are not fully fake for sure," said security researcher Bencsáth Boldizsár, who is credited with discovering the state-sponsored Flame malware, in an interview with Ars Technica.

"Most likely they are part of the NSA toolset, judging just by the volume and peeps into the samples. At first glance it is sound that these are important attack-related files, and yes, the first guess would be Equation Group."

Kaspersky Lab, the security company that first exposed Equation Group's cyber-espionage in 2015, has published a detailed blogpost describing a strong connection between the files found in the leak and its earlier findings about Equation Group. Kaspersky has found an encryption algorithm, among more than 300 files in the Shadow Brokers cache, used in a way that has only been seen before in Equation Group malware.

"The chances of all these being faked or engineered is highly unlikely," says the security company.

Although this sounds like a nightmare for the NSA on the face of it, a number of researchers have pointed out that this doesn't necessarily mean the NSA has been hacked directly. The leaked data is more likely to have come from a compromised system outside the NSA's networks that was hosting NSA malware. If the Shadow Brokers actually did have access to the NSA's network, they wouldn't blow their cover with a leak.

Stefan Rothenbuehler (@ creative8 3) August 16, 2016

Access to #NSA would be too valuable to spoil in a leak. Don't believe in an actual hack. #ShadowBrokers

At this stage, it's not clear who the Shadow Brokers are, but some security researchers are theorizing that, in the wake of the Democratic National Committee hack, which has been publicly attributed to Russian intelligence agencies by Hillary Clinton, this could be retaliation.

"Given the timeframe (Post-DNC hack), this could possibly be orchestrated by the Russian government so America will be stuck with Donald Trump as a President," said Matt Suiche in a Medium post.

In a series of tweets, Snowden has outlined his own theory about what happened. He suggests that it is a Russian-originated attack designed to expose evidence of NSA cyber warfare activities.

"Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack," he posted.

"This leak is likely a warning that someone can prove US responsibility for any assaults that originated from this malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies."

"This leak looks like someone sending a message that an escalation in the attribution game could get messy fast," he said.
