Endwall 08/23/2016 (Tue) 08:37:56 No. 362
Hacker's claims met with flat denials and skepticism by most of the security industry
http://www.csoonline.com/article/3109936/security/hackers-say-leaked-nsa-tools-came-from-contractor-at-redseal.html
Steve Ragan — Senior Staff Writer, CSO
CSO | Aug 19, 2016 7:33 PM PT
On Friday, messages posted to Pastebin and Tumblr allege the recently leaked NSA files came from a contractor working a red team engagement for RedSeal, a company that offers a security analytics platform that can assess a given network's resiliency to attack. In addition, the hackers claim the intention was to disclose the tools this year during DEF CON. Salted Hash reached out to the press team at DEF CON, as well as RedSeal. In a statement, RedSeal would only confirm they are an In-Q-Tel portfolio company. The company also denied any knowledge of red team assessments against their products by In-Q-Tel or contractors working with In-Q-Tel. Sources close to DEF CON also say the claims in the published letter aren't real.

At this point, it's best to take the claims posted to Pastebin and Tumblr with a grain of salt.

The note and subsequent blog post from "Brother Spartacus" and "13 Johns" say that an individual known as "Dark Lord" – reported to be a skilled hardware engineer – was working an In-Q-Tel contract to assess the security of RedSeal products. This red team engagement used a C&C server as a staging point for the leaked NSA tools. When "Dark Lord" walked off the job, they did so with a copy of the tools that were placed on the C&C server.

Given how RedSeal products work, attacking routers and other network devices with the leaked NSA code makes sense if you wanted to prove that RedSeal will detect such incidents. The company has even used the Shadow Brokers incident as a means to promote themselves this week.

However, there is a split between the claims on the blog and the Pastebin note. The blog claims the test was to harden RedSeal software, while the note says the test was aimed at RedSeal products. It isn't clear how the leaked tools could be used to assess the RedSeal platform directly.

Moreover, the Pastebin post claims to be from DEF CON, and says the annual hacker gathering was approached in July with details surrounding the Shadow Brokers leak. The note says that "Brother Spartacus" approached DEF CON with details about the code theft, with the intention to disclose the incident during this year's show.

"The individual self reported they had walked off an In-Q-Tel contract with RedSeal. They had took the Malware pack from a CNC server that was set-up to test RedSeal products. The individual was not well versed in software and could not point out any zero day threats. We decided to not push the person forward to public Defcon leaders. (sic)"

As mentioned, sources close to DEF CON deny this letter is legitimate. This was suspected early on due to the tone of the message, the description of "Brother Spartacus," as well as the fact that DEF CON is misspelled. (Normal communications from DEF CON use the proper branding.)

At this point, it's clear the Pastebin and Tumblr posts are some sort of hoax. However, there has been a lot of coverage of the Shadow Brokers leak this week, so this is just one more log on the fire.

Recap: On Wednesday, Motherboard published a story citing former NSA staffers who feel the leak didn't happen because of a hack. Instead, they feel the incident is the work of a single individual with insider access. Those thoughts somewhat align with the claims posted on Friday, as a contractor would be considered an insider. In addition, security researcher Mustafa Al-Bassam posted a solid examination of the leaked tools and what they do.