The new shadow brokers leak connects the NSA to the stuxnet cyber weapon used on Iran

Researchers have found an hidden gem inside the treasure trove of the new alleged NSA hacking tools dumped by the Shadow Brokers.

(Article by Lorenzo Franceshi-Bicchierai from motherboard.vice.com)

The mysterious hacking group known as Shadow Brokers came back on Friday to drop its most explosive—and damaging—dump yet, a collection of alleged hacking tools for Microsoft Windows computers.

Buried among this new treasure trove, there are several mentions of previously disclosed NSA top secret programs and software such as “STRAITBIZARRE,” used to control implants remotely, and “JEEPFLEA,” a project to hack the money transferring system SWIFT. These provide yet another hint that these are indeed tools stolen from the NSA’s elite hacking team.

Perhaps more surprisingly, the dump also included one tool that was used in the famous Stuxnet worm, arguably the world’s first digital weapon, used to hit an Iranian nuclear power facility and damage its centrifuges to slow down the country’s nuclear weapons program.

The tool that appears to link the new dump and the famous digital weapon is an exploit for Windows’ MOF files, which appears to be “almost the exact same script” used in Stuxnet, according to Liam O’Murchu, a researcher at Symantec who’s thoroughly analyzed the worm.

“There is a strong connection between Stuxnet and the Shadow Brokers dump,” O’Murchu told Motherboard in an email. “But not enough to definitively prove a connection.”

O’Murchu explained that the connection is strong, but not definitive, because the common script, originally discovered in Stuxnet, was later reverse engineered and added by researchers to Metasploit, a popular open source hacking toolkit. This means anyone using Metasploit can create a MOF file that looks exactly like the one Stuxnet used. But, O’Murchu added, the MOF file creation tool dumped by the Shadow Brokers on Friday was last compiled on September 9, 2010, three months after Stuxnet was first detected, and “shortly before the code was added to Metasploit,” according to O’Murchu.

Read more at: motherboard.vice.com