The leaks were by a group that calls itself the Shadow Brokers. The company that provided the "evidence", InGuardians, used the website Krebs on Security, run by former Washington Post employee Brian Krebs, as its conduit.
Krebs used the material provided by InGuardians to write a speculative piece about the identity of the person who leaked the data to the Shadow Brokers. Curiously, he buried the fact that the data came from InGuardians in the 30th paragraph of his story.
A little history here: the first person to leak material recently from the NSA was Edward Snowden in 2013. Following that, three others have been known to leak: one, Harold Martin, was arrested last year after having taken a massive trove of NSA data home.
Another, an unnamed software developer, who has been said to be a Vietnamese American, was taken into custody in 2015 after taking hacking tools home and reportedly having them leak from his PC to hackers in Russia. And a third, a woman named Reality Winner, was arrested after leaking a single NSA document to The Intercept this year.
Exploits for sale, exploits for sale, peoples is not wanting Shadow Brokers' exploits that are for sale.
Krebs makes a major error in his article with regard to the three people who are under investigation: he cites an article from The New York Times as stating that one is "a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer".
The NYT, however, plainly states that this individual was also a member of the NSA's Tailored Access Operations group, the elite unit that actually crafts such exploits and carried out operations against foreign enemies of the US.
Its article states: "The agency has active investigations into at least three former NSA employees or contractors. Two had worked for TAO: a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer; and Harold Martin, a contractor arrested last year when FBI agents found his home, garden shed and car stuffed with sensitive agency documents and storage devices he had taken over many years when a work-at-home habit got out of control, his lawyers say."
But then, if Krebs had admitted that the unidentified software developer was a member of TAO, he would not have been able to bring in the name of someone else and posit that that person was the source for the leaks to the Shadow Brokers.
The NSA tools are claimed to have leaked to the Russians through the unnamed developer's use of Kaspersky anti-virus software; like any A-V solution, the software uploads suspicious files to a server for later analysis, and when it encountered the NSA files on this man's machine, it did the same. How the Russians obtained these exploits has never been made clear, with the obvious implication being that after they reached Kaspersky's Moscow offices, they were handed over to government hackers. Kaspersky has denied handing over any files. Ah, the power of insinuation!
Krebs' conclusion that Sidelnikov was the most likely source from whom the Shadow Brokers obtained the exploits was based on circumstantial evidence. One was that since Sidelnikov had a Russian name, he was the most likely of the three people cited by InGuardians to be using Kaspersky software.
Then Sidelnikov was found to have obtained a degree from a university in Moldova, a former part of the old Soviet Union. His interests, listed on a LinkedIn profile, included Microsoft and the NSA. From the skills listed on this profile, and from hints supplied by InGuardians, Krebs concluded that he was a database administrator, and not a senior consultant as the man himself claimed. Therefore, Krebs concluded, again following InGuardians' reasoning, that the presence of his name on any document connected to the leak was an aberration, as he was not a member of the TAO.
Sidelnikov had listed himself as being affiliated with a company named Independent Software. Krebs claims to have called and emailed this organisation but received no reply. Of course, if Sidelnikov had been arrested — as the headline on Krebs' article claims — it is not surprising that Krebs' queries went unanswered.
The good folk at InGuardians had more "proof" for Krebs. One was that Sidelnikov, who was now assumed to be a database programmer, would not normally have access to exploits of the kind that were leaked. The two others whose names were found in the metadata of the leaked files were claimed to be employees of the TAO.
Whoever the Shadow Brokers are, it is clear that they have detailed access to information about former TAO staff. This was made abundantly clear when they leaked details about Jake Williams, a former TAO member, after he wrote an article about them in April this year.
So, it looks like, once again, based on considerable speculation, much of it unfounded, a Russian has been claimed to be the link to the mysterious leak of NSA exploits. Exactly what Krebs' agenda is remains unknown; Wheeler hinted that he had one: "There’s more I won’t say publicly about Krebs’ project, what he really seems to be up to."
She ended her analysis with this: "...the reason I went through the trouble of pointing out the errors (in Krebs' article) is precisely because Krebs went so far out of his way to find a Russian to blame for … something.
"We’ve been seeing Russian metadata in documents for 17 months. Every time such Russian metadata is found, everyone says, Aha! Russians! That, in spite of the fact that the Iron Felix metadata was obviously placed there intentionally, and further analysis showed that some of the other Russian metadata was put there intentionally, too.
"At some point, we might begin to wonder why we’re finding so much metadata screaming 'Russia'?"
This, one would think, should be a point that strikes a journalist right between the eyes. Strangely, it does not seem to have occurred to Krebs.
Update, 4 December: Following the arrest of a Vietnamese American over taking NSA documents home, Krebs has now issued the following statement: "This author published a story earlier in the week that examined information in the metadata of Microsoft Office documents stolen from the NSA by The Shadow Brokers and leaked online.
"That story identified several individuals whose names were in the metadata from those documents. After the guilty plea entered this week and described above, KrebsOnSecurity has unpublished that earlier story."
The statement is published at the end of another post and is given nothing like the prominence that the original post (archived version here) was given. There is no admission that the story could have been wrong.
Krebs has disallowed comments on the article where his faux pas is mentioned, presumably so that nobody can point out his error.