Hoax or not, some of the files in the Shadow Brokers data dump appear to be genuine malware, researchers said.
"There are actual exploits in the dump, with a 2013 timestamp on files," wrote Matt Suiche, a well-known French security researcher, in a Medium post Monday (Aug. 15). "We do not know if they are working as nobody has tried them, but they are actual exploits and not only references."
"Equation Group's ELIGIBLECANDIDATE exploits an RCE [remote code execution] vulnerability in HTTP cookies in a TOPSEC firewall CGI script," tweeted Mustafa Al-Bassam, a British researcher who was once a member of the LulzSec hacking crew. (TOPSEC is a Chinese network-security vendor whose products include firewalls.) "ESCALATEPLOWMAN is actually a privilege escalation exploit against WatchGuard firewalls."
In more (deliberately?) broken English, the Shadow Brokers missive instructed interested parties to bid for the files using Bitcoin. The document didn't say how many files in total Shadow Brokers had.
"If you like free files (proof), you send bitcoin," says the message. "If you want know your networks hacked, you send bitcoin. If you want hack networks as like equation group, you send bitcoin. If you want reverse, write many words, make big name for self, get many customers, you send bitcoin. If want to know what we take, you send bitcoin."
If the documents really are from the NSA, how did Shadow Brokers get their hands on them? Who's crafty enough to hack the NSA? The Grugq, a pseudonymous South African exploit broker who sells newly found "zero-day" software exploits to intelligence agencies such as the NSA, put forward a theory on Twitter earlier Monday.
"This dump does not support the assertion that NSA was hacked. That sort of access is too valuable to waste for (almost) any reason," the Grugq tweeted. "I would guess: the dump is the take from a counter hack against a pivot/C2 [malware command-and-control server] that was mistakenly loaded with too much data. [Stuff] happens."
UPDATE: Edward Snowden himself weighed in on Twitter Tuesday (Aug. 16) about the purported NSA files, agreeing with the Grugq that they came from a malware command-and-control server. Snowden blamed Russian state-sponsored hackers trying to do damage control in the wake of the theft, and subsequent release, of embarrassing documents from the Democratic National Committee's email servers.
"NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is," Snowden wrote. "I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.
"Circumstantial evidence and conventional wisdom indicates Russian responsibility," he continued. "Here's why that is significant: This leak is likely a warning that someone can prove U.S. responsibility for any attacks that originated from this malware server."
"That could have significant foreign policy consequences. Particularly if any of those operations targeted U.S. allies. Particularly if any of those operations targeted elections," Snowden wrote. "Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks."
UPDATE: Mustafa Al-Bassam has posted a list of the purported Equation Group tools and exploits referenced in the "free" documents released by Shadow Brokers. Our favorite is EPICBANANA, which Al-Bassam describes as "a privilege escalation exploit against Cisco Adaptive Security Appliance (ASA) and Cisco Private Internet eXchange (PIX) devices."
Copyright 2016 Tom's Guide, a Purch company. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.