REUTERS/Mark Blinch
The key to confirming the leaked files - which was uploaded to various file-sharing sites earlier this week by a group called "Shadow Brokers" - came in a top-secret agency manual published Friday by Sam Biddle of The Intercept that instructed NSA hackers on how to track their malicious software by using a 16-character string buried in the code.
The tracking string in the manual, "ace02468bdf13579," also appears inside code for a software implant called "Second Date," which was leaked as part of the archive posted earlier this week.
That's not the only piece of evidence that shows the leak was, in essence, a software 'toolbox' for NSA hackers to target adversaries. Among other files in the archive are implants code-named Banana Glee, Jet Plow, and Zesty Leak, which were all documented in a top-secret 50-page catalog of NSA tools that was published in late 2013.
"One of the interesting things about the exploits is they are very professional and they clean up after themselves," Dave Aitel, an ex-NSA research scientist who now leads penetration-testing firm Immunity, told Business Insider. "Not only do they turn things off, but they turn things back on. When you're looking at stuff that's written by a lot of hackers it will backdoor something but it won't 'un-backdoor' something."
Put simply: Your average hacker will build tools that break in, but a sophisticated hacker - such as those employed by the US or some other nation - will build tools that break in, hide all their tracks, and turn everything off once they get what they need.
"These are the type of tools that are really exclusive to governments," a source who worked for NSA's elite hacker unit, Tailored Access Operations, told Business Insider on condition of anonymity in order to discuss sensitive matters.
Reuters
Now that the NSA toolkit has been confirmed as legitimate, the remaining mystery is how they came into public view. There are now two prevailing theories as to how "Shadow Brokers" obtained the files: Either they hacked a server used by NSA hackers to stage attacks that had the files mistakenly left there by an operator, or an agency insider downloaded the data and later leaked it online.
Both scenarios are plausible, though neither has been confirmed, and the NSA isn't likely to say anything.
The previously-unknown Shadow Brokers created a number of social-media accounts earlier this month on Reddit, Github, Twitter, and Imgur, before announcing on August 13 that its "cyber weapon auction," which promised bidders a "full state sponsor tool set" from a hacking unit believed to be within the NSA known only as "The Equation Group."
It released a 234-megabyte archive on various file-sharing sites with half being free to view and use - which numerous experts say is legitimate - while the other half was encrypted. The winner of the auction, the group said, would get the decryption key.
But an auction for hacking tools and exploits is not something that ever happens, experts say. Instead, exploits are bought and sold on the black market for hundreds of thousands and sometimes millions of dollars in private.
The NSA did not immediately respond to a request for comment.