Shadow Brokers: The insider theory

Matt Suiche
Published in Comae Technologies
Aug 17, 2016

While everybody seems to agree that the materials leaked by the Shadow Brokers belong to the NSA, there are still many different versions of how they got out.

After I published my previous blog post, a source who claims to be a former NSA analyst contacted me about his own theory, which we discussed on the condition of anonymity.

Identifying the origin of the leaked materials is going to be difficult, since, as Joseph Cox (VICE) reported, Tutanota can't provide additional data associated with the email I previously reported.

Initially, the leading theory on Twitter was that the NSA didn't get hacked and that those files were compromised because of a deployment mistake. And even yesterday Ed Snowden said the following:

After discussing this with my source, the following points were highlighted:

  • Technically speaking, Edward Snowden is also just speculating, and the only major leak we have heard of from the NSA was actually from him, and he was an insider. The media tend to take every speculative statement he makes as a "fact" (which is true; many of my friends have complained about it), especially since the NSA cannot publicly confirm or deny any of those "facts".
  • Apparently, the NSA TAO group has a big gaming culture, and as I highlighted in my previous post, the name Shadow Brokers originally comes from the video game Mass Effect.
  • Making a mistake is not impossible.
  • The repository containing the NSA TAO toolkit is stored on a physically segregated network which does not touch the internet and has no reason to (remember, it's a toolkit repository). There is no reason for those files to have ever been on a staging server in the first place, unless someone put them there on purpose.
  • The file hierarchy and the unchanged file naming convention suggest that the files were copied directly from their source. Some of the scripts are simply for setting up a workstation pre-op; other filenames are changed pre-deployment. There is no reason for them to be on a staging server, as they would serve no purpose there.
  • The TAO team had severe concerns about how easy it was to just walk out with the data on a USB drive (or, according to the urban legend, a Rubik's cube).
  • Another possibility, less likely because riskier, is that the insider used NSA infrastructure for anonymity so that he would not have to move the data on a USB drive.
  • TAO operators are mostly military, even though there are civilian employees as well. It could be that the insider lost his TAO access because he left the unit or moved to another one in 2013.
  • The broken English could easily be faked to make himself sound like a group, and the release may even have been timed to coincide with all of the Russia activity to further distance himself from his true identity.

This is only a possible scenario — the discussion is open.

Matt Suiche is the founder of the UAE-based cyber security start-up Comae Technologies.
