The leak over the weekend of advanced hacking tools contains digital signatures that are almost identical to those in software used by the state-sponsored Equation Group, according to a just-published report from security firm Kaspersky Lab.
“While we cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group,” Kaspersky researchers wrote in a blog post published Tuesday afternoon.
The finding is significant because it lends credibility to claims made by a mysterious group calling itself ShadowBrokers. When members of the previously unknown group claimed in a blog post that they hacked Equation Group and obtained never-before-seen exploits and implants it used, outsiders were understandably skeptical. The publication of state-sponsored hacking tools is an extremely rare if not unprecedented event that is sure to catch the attention of leaders all over the world.
The connection linking more than 300 computer files in the ShadowBrokers archive to Equation Group is found in a common implementation of the RC5 and RC6 encryption algorithms. Among other things, the leaked ShadowBrokers files use the negative constant -0x61C88647 instead of the more standard 0x61C88647 to speed up subtraction operations. Kaspersky researchers scoured 20 different compiled versions of RC5/6 code in Equation Group malware and found functionally identical code, leaving little doubt that there is a clear connection between the two.
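As an added illustration (not code from the article or from Kaspersky's analysis), the following Python expands an RC5-32 key with Rivest's published key schedule written both ways, adding the textbook constant 0x9E3779B9 and subtracting 0x61C88647, and shows the resulting subkeys are identical, which is why the two code bases can be compared on this detail. The function names, the sample key and the sample bytes are constructed for this example.

```python
# Added illustration, not code from the article or from Kaspersky's report.
MASK32 = 0xFFFFFFFF
P32 = 0xB7E15163      # RC5/RC6 magic constant P (from e), 32-bit word size
Q32 = 0x9E3779B9      # RC5/RC6 magic constant Q (from the golden ratio)
NEG_Q32 = 0x61C88647  # the constant named in the article: (-Q32) mod 2**32

def rotl32(x: int, n: int) -> int:
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK32

def initial_s_table(words: int, use_subtraction: bool = False) -> list:
    """S[0]=P, S[i]=S[i-1]+Q: the textbook form adds Q, the other subtracts -Q mod 2^32."""
    S = [P32]
    for _ in range(1, words):
        nxt = (S[-1] - NEG_Q32) if use_subtraction else (S[-1] + Q32)
        S.append(nxt & MASK32)
    return S

def rc5_key_schedule(key: bytes, rounds: int = 12, use_subtraction: bool = False) -> list:
    """RC5-32/r key expansion (Rivest's algorithm); returns the 2r+2 subkey words."""
    t = 2 * rounds + 2
    c = max(1, (len(key) + 3) // 4)
    L = [int.from_bytes(key[4*i:4*i+4].ljust(4, b"\0"), "little") for i in range(c)]
    S = initial_s_table(t, use_subtraction)
    i = j = a = b = 0
    for _ in range(3 * max(t, c)):                    # the mixing loop
        a = S[i] = rotl32((S[i] + a + b) & MASK32, 3)
        b = L[j] = rotl32((L[j] + a + b) & MASK32, (a + b) & MASK32)
        i, j = (i + 1) % t, (j + 1) % c
    return S

def schedules_match(key: bytes) -> bool:
    """True when both constant conventions expand a key to the same subkeys."""
    return rc5_key_schedule(key) == rc5_key_schedule(key, use_subtraction=True)

def find_constant(blob: bytes) -> list:
    """Offsets where the little-endian immediate 0x61C88647 occurs in a byte blob
    (a crude similarity check of my own, not the method Kaspersky used)."""
    needle = NEG_Q32.to_bytes(4, "little")
    hits, start = [], 0
    while (pos := blob.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits

if __name__ == "__main__":
    key = bytes(range(16))                             # constructed sample key
    print("identical subkeys:", schedules_match(key))  # True
    sample = b"\x90" * 5 + b"\x2d\x47\x86\xc8\x61" + b"\x90" * 3  # constructed: sub eax, 0x61C88647
    print("immediate found at:", find_constant(sample))             # [6]
```

A hit on the raw immediate is only a starting point for triage: the same constant appears in legitimate RC5/RC6 libraries, and the attribution in the report rests on matching whole compiled routines, not a four-byte pattern.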
In Tuesday’s blog post, Kaspersky researchers wrote:
Comparing the older, known Equation …