
Experts say American likely key in cyberattack

Leaked software tool enabled global ransomware event

By Tim Johnson, McClatchy Washington Bureau
Published: May 16, 2017, 10:31pm

WASHINGTON — Cybersecurity experts believe the hacker who leaked the potent software tool that powered last week’s global ransomware attacks is an American — perhaps a disgruntled insider in the U.S. intelligence community.

Such a finding would raise the stakes for halting The Shadow Brokers group, which has bedeviled the National Security Agency with releases of its hacked weaponized cyber exploits for months.

One of those leaked NSA tools allowed extortionists to spark havoc Friday by encrypting the hard drives of more than 200,000 computers in 150 countries, the largest such cyberattack ever to hit the globe. The attackers demanded $300 or more to unlock each computer.

The NSA did not respond to a request for comment.

The Shadow Brokers group first surfaced in August, claiming to have breached the NSA and stolen sophisticated cyber tools. It sought to auction off the NSA exploits but failed to find many buyers, releasing some for free. It periodically has resurfaced with statements.

The latest statement came at 2:16 a.m. Tuesday, a long, rambling screed that used broken syntax to make it seem as if it were written by a foreigner with poor English. But the message was filled with U.S. cultural references that experts said were likely to have come only from someone with a native’s familiarity.

“I think they are Americans, and I think they are inside somewhere,” said Dave Aitel, chief executive at Immunity, a Miami cybersecurity company, who formerly was a chief scientist at the NSA. “Some of the idioms they use are straight-up native. You have to be a native to use them.”

Domestic cultural and political references fill the 1,100-word statement.

In addition to references to James Comey, the ousted FBI director, and the WannaCry ransomware that the extortionists deployed Friday, the statement made liberal use of idioms like “BFF” — or “best friends forever” — and a vulgar expression that “Late Show” host Stephen Colbert employed May 1 in talking about President Donald Trump.

“I always thought there had to be an insider somewhere on the chain for The Shadow Brokers,” said John Bambenek, a threat intelligence manager at Fidelis Cybersecurity, a company in Bethesda, Md.

Bambenek said he had been struck by the language in the statement.

“The homophobic slurs kind of thing is common in American hacker culture,” he said.

If The Shadow Brokers group is simply a one-person show by an insider, or an American in a larger group, he or she would join a long list of insiders who’ve divulged some of the U.S. government’s most classified secrets in recent years, Bambenek said.

“How much s–t is walking out the front door of our frigging intelligence agencies? And why is nobody getting fired for it?” he asked. “There have been a lot of large bulk leaks.”

A widely known French hacker who founded Comae Technologies in the United Arab Emirates, Matthieu Suiche, also tweeted his belief that The Shadow Brokers may be an insider.

“Did the NSAGOV have a disagreement with a contractor?” he asked.

In its online statement, The Shadow Brokers said it had many more stolen NSA tools to reveal, including ones that would allow hacking of cellphones and newer Microsoft Windows software. It said it intended to create a “dump of the month” club that would allow subscribers to hack computers and cellular phones and to taint late-model browser software with malicious code, including Microsoft’s Windows 10.

It assailed Microsoft, the Redmond software giant, accusing it and other U.S. high-tech companies of taking money from the NSA in order to leave vulnerabilities its hacking team had discovered unresolved so that U.S. government hackers could continue to operate.
