A group known as the Shadow Brokers chose Good Friday to publish a sweeping set of confidential hacking tools used by the NSA to exploit software vulnerabilities in Microsoft Windows software.
The leak is the latest and, according to security experts, the most damaging set of stolen documents published by the Shadow Brokers, which is widely believed to be tied to the Russian government.
Experts say the document dump—which is mostly lines of computer code—amounts to an emergency for Microsoft because the hacks consist of a variety of “zero-day exploits” that can serve to infiltrate Windows machines for purposes of espionage, vandalism, or document theft.
The Good Friday timing is especially bad because, as the LawFare blog points out, all sorts of juvenile hackers (known as “script kiddies”) will be active over the holiday weekend, while many defenders will be away.
“I’m only being somewhat glib in suggesting that the best security measure for a Windows computer might be to just turn it off for a few days,” notes the blog.
Meanwhile, a security executive who runs the Twitter account @HackerFantastic called the development a “Microsoft apocalypse.”
Other well-known figures in the security community also underscored the severity of the event for Microsoft. According to Cris Thomas (a.k.a. Space Rogue), a strategist at Tenable Network Security, the vulnerabilities affect a wide variety of products.
“There appears to be at least several dozen exploits, including zero-day vulnerabilities in this release. Some of the exploits even offer a potential ‘God Mode’ on select Windows systems. A few of the products targeted include Lotus Notes, Lotus Domino, IIS, SMB, Windows XP, Windows 8, Windows Server 2003, and Windows Server 2012,” said Thomas.
In response to a question about how the company is addressing the issue, a Microsoft spokesperson said, “We are reviewing the report and will take the necessary actions to protect our customers.”
Meanwhile, in its data dump, the Shadow Brokers also published another set of documents that indicate the NSA penetrated the SWIFT banking network in the Middle East. This reportedly gave the U.S. spy service a window into the financial activities of a range of organizations, including Palestinian banks.
Shadow Brokers did not provide a coherent explanation of why they chose to publish the Microsoft and SWIFT vulnerabilities. Instead, the group used its customary odd syntax—a form of affected Borat-style English—in an apparent attempt to troll the U.S. government.
“Is being too bad nobody deciding to be paying theshadowbrokers for just to shutup and going away. TheShadowBrokers rather being getting drunk with McAfee on desert island with hot babes,” said the group’s brief blog post.
The Shadow Brokers have been taunting the U.S. government for some time, warning they would publish a variety of the NSA’s secret hacking tools. Doing so both undercuts the agency’s ability to collect covert intelligence, and can also be damaging from a public relations standpoint.
Until today, though, the Shadow Brokers had not published anything critical; instead, they had released information apparently related to the theft of documents by former NSA contractor Edward Snowden.
In its Good Friday blog post, though, the Shadow Brokers appear to allude to current global tensions, writing “Maybe if all suviving WWIII theshadowbrokers be seeing you next week.” This suggests the document dump could be retaliation by Russia (if the Shadow Brokers are indeed a front for Russia) for recent U.S. military actions.