This story is over 5 years old.


Former NSA Staffers: Rogue Insider Could Be Behind NSA Data Dump

Who’s really behind one of the most shocking data dumps ever? Another theory emerges.
Image: Adam Berry/Getty Images

There are a lot of unanswered questions surrounding the shocking dump of a slew of hacking tools used by an NSA-linked group earlier this week. But perhaps the biggest one is: who's behind the leak? Who is behind the mysterious moniker "The Shadow Brokers"?

So far, there's no clear evidence pointing in any direction, but given the timing of the leak, and the simple fact that very few would have the capabilities and the motives to hack and shame the NSA publicly, some posited The Shadow Brokers could be Russian.


But there's another possibility. An insider could have stolen them directly from the NSA, in a similar fashion to how former NSA contractor Edward Snowden stole an untold number of the spy agency's top secret documents. And this theory is being pushed by someone who claims to be, himself, a former NSA insider.

"My colleagues and I are fairly certain that this was no hack, or group for that matter," the former NSA employee told Motherboard. "This 'Shadow Brokers' character is one guy, an insider employee."

"This 'Shadow Brokers' character is one guy, an insider employee."

The source, who asked to remain anonymous, said that it'd be much easier for an insider to obtain the data that The Shadow Brokers put online rather than someone else, even Russia, remotely stealing it. He argued that "naming convention of the file directories, as well as some of the scripts in the dump are only accessible internally," and that "there is no reason" for those files to be on a server someone could hack. He claimed that these sorts of files are on a physically separated network that doesn't touch the internet; an air-gap. (Motherboard was not able to independently verify this claim, and it's worth bearing in mind that an air-gap is not an insurmountable obstacle in the world of hacking).

Of course, as Matt Suiche, the CEO of Dubai-based cybersecurity company Comae, noted in a post analyzing the insider theory, a leading theory is that a member of NSA's elite hacking team, Tailored Access Operation, or TAO, made a "mistake" and left the hacking tools exposed on a server.


"We are 99.9 percent sure that Russia has nothing to do with this and even though all this speculation is more sensational in the media, the insider theory should not be dismissed," the source added. "We think it is the most plausible."

The source said that while he was "a little nervous about this whole thing," he was coming forward precisely to warn people against accusing Russia.

"Now seeing what's being paraded in the media like the wildly speculative attribution to Russia, I feel a personal responsibility to propose the more plausible theory on behalf of me and the rest of the guys like me," he said. "I think it's dangerous to point fingers when they shouldn't be. That could have real implications that affect real people."

The source provided a military award as proof of his past employment, and multiple former intelligence sources who reviewed the award for Motherboard said it looks legitimate. That award describes the source's role as a "Cyber Intrusion Analyst," and although he was not a member of TAO himself, he said he was able to work with TAO operators and access and analyze the data retrieved.

A redacted copy of a military award received by the source, shared with Matt Suiche and Motherboard.

Another former NSA source, who was contacted independently and spoke on condition of anonymity, said that "it's plausible" that the leakers are actually a disgruntled insider, claiming that it's easier to walk out of the NSA with a USB drive or a CD than hack its servers.

Michael Adams, an information security expert who served more than two decades in the US Special Operations Command, agreed that it's a viable theory.

"I feel a personal responsibility to propose the more plausible theory on behalf of me and the rest of the guys like me."

"It's Snowden junior," Adams told Motherboard. "Except he doesn't want to end up in virtual prison in Russia. He's smart enough to rip off shit, but also smart enough to be unidentifiable."

It's important to note that there's no evidence pointing the finger at an insider, just like there's no evidence pointing toward Russia. It's all speculation, but these two theories, at this point, seem the most plausible.