The leak of intrusion and surveillance tools purportedly stolen from a hacking group linked to the US NSA contains identical code to that used in the group's malware, according to Kaspersky.
The security firm today said its analysis had shown that "several hundred tools" from the leak share a "strong connection" with its previous findings about the Equation Group.
Kaspersky first linked the Equation Group to the National Security Agency in February last year. At the time it labelled the group the most advanced hacking collective it had come across.
Hackers going by the name "Shadow Brokers" yesterday claimed to have stolen tools from Equation Group. They posted 300MB worth of sample code, said to be half of the files they claim to have, and asked for 1 million Bitcoin in exchange for the release of the rest.
Security experts questioned the significance of the files, which the group claimed contained never-before-seen exploits and "dangerous cyber weapons". The files published so far contain mostly firewall exploits, tools, and scripts.
Today Kaspersky said an implementation of the RC5 and RC6 encryption algorithms found in the data published by Shadow Brokers is identical to RC5 and RC6 code in Equation Group malware.
It said this specific implementation has only ever been seen before with Equation Group malware.
"Comparing the older, known Equation RC6 code and the code used in most of the binaries from the new leak we observe that they are functionally identical and share rare specific traits in their implementation," Kaspersky researchers wrote.
"There are more than 300 files in the ShadowBrokers’ archive which implement this specific variation of RC6 in 24 different forms. The chances of all these being faked or engineered is highly unlikely."
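The attribution above rests on matching a specific RC6 implementation across binaries. As an added illustration (not code from the article, from Kaspersky, or from the leak), the following Python shows where the tell-tale values come from (the standard RC6 key schedule seeds its round-key table from the public constants P32 and Q32) and a first-pass triage scan that flags those constants in a constructed stand-in for a binary; the sample bytes and the function names are assumptions of this example.

```python
import struct

M = 0xFFFFFFFF
# RC5/RC6 key-schedule "magic" constants for 32-bit words, from the RC6 specification.
P32 = 0xB7E15163            # Odd((e - 2) * 2^32)
Q32 = 0x9E3779B9            # Odd((phi - 1) * 2^32)
NEG_Q32 = (-Q32) & M        # 0x61C88647: a compiler may emit "+= Q32" as "-= 0x61C88647"


def rotl(x: int, n: int) -> int:
    """32-bit rotate left by n (mod 32)."""
    n &= 31
    return ((x << n) | (x >> (32 - n))) & M


def initial_table(t: int) -> list:
    """Unmixed round-key table S[i] = P32 + i*Q32; these values betray RC6 in a binary."""
    return [(P32 + i * Q32) & M for i in range(t)]


def rc6_key_schedule(key: bytes, rounds: int = 20) -> list:
    """Standard RC6-32/r/b key expansion, with no implementation-specific variations."""
    c = max(1, (len(key) + 3) // 4)
    L = list(struct.unpack("<%dI" % c, key.ljust(c * 4, b"\0")))
    t = 2 * rounds + 4
    S = initial_table(t)
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = rotl((S[i] + A + B) & M, 3)
        B = L[j] = rotl((L[j] + A + B) & M, A + B)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def find_rc6_constants(blob: bytes) -> dict:
    """Triage scan: byte offsets where each constant appears, little- or big-endian."""
    hits = {}
    for name, val in (("P32", P32), ("Q32", Q32), ("NEG_Q32", NEG_Q32)):
        for endian, label in (("<", "LE"), (">", "BE")):
            pat = struct.pack(endian + "I", val)
            offs = [k for k in range(len(blob) - 3) if blob[k:k + 4] == pat]
            if offs:
                hits.setdefault(name, []).extend((label, o) for o in offs)
    return hits


# Constructed stand-in for a binary: filler bytes around two little-endian immediates.
SAMPLE_BLOB = (b"\x90" * 16 + struct.pack("<I", P32)
               + b"\x00" * 8 + struct.pack("<I", NEG_Q32) + b"\xcc" * 4)

if __name__ == "__main__":
    print(find_rc6_constants(SAMPLE_BLOB))
    print("%08x" % rc6_key_schedule(b"\0" * 16)[0])
```

A constant hit only says "RC5/RC6-like code is here"; an implementation that ships a precomputed table, or one of the unusual variants Kaspersky describes, needs the kind of instruction-level comparison the researchers performed to confirm shared code rather than a shared algorithm.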
Despite asking for 1 million Bitcoin to release the remainder of the files, the group has so far received only a far more modest 1.629 Bitcoin, or about A$1231.