In a statement over the weekend, Shadow Brokers also released a list of servers it said the tools had infected.
One document appeared to show that NSA spyware had been placed on servers in South Korea, Russia, Japan, China, Mexico, Taiwan, Spain, Venezuela and Thailand, among other countries. The release included details of how the NSA purportedly accessed Pakistan’s main mobile network.
The release is one of a steady stream of disclosures of purported hacking tools developed by the NSA and the CIA. Shadow Brokers made a similar release in August, and in March the anti-secrecy group WikiLeaks released several batches of files that purported to show how the CIA spies on its targets.
Cybersecurity experts differed in their assessment of the leaked material but several agreed that it would give global enemies crucial information about American hacking abilities and plans.
In its statement, Shadow Brokers said the latest leak “is our form of protest” to goad President Donald Trump into staying loyal to his followers and promoting anti-globalism. The statement included profanity, some white supremacist commentary and a password to the cache of tools.
The specific spyware was less dramatic, experts said.
“The dump appears to contain only Linux and Unix tools and exploits, so organizations running only Windows don’t need to react to tools in this release,” an Augusta, Ga., Rendition Infosec, said in a blog post.
The NSA, headquartered at Fort Meade, Md., did not respond to a request for comment.
Rendition Infosec said there was little doubt that Russia and the Shadow Brokers group were connected and that foreign hacking groups, some sponsored by governments, had entered an era of dribbling out leaks to influence global affairs.
“In the future, we believe that other groups are highly likely to attack organizations, steal their data and release it at timed intervals in an attempt to control the news cycle. This is classic information warfare, updated for digital espionage,” the post said.
In its statement, Shadow Brokers denied, in broken English, that the group is linked to the Russian government.
Those who have worked in the U.S. intelligence community voiced dismay at the constant leaks of alleged NSA and CIA techniques and tools.
“What is devastating is not just the loss of one exploit, but the loss of your entire tool chain, particular targets you’re residing on, your methodologies, your research thrusts,” said Dave Aitel, a former computer scientist at the NSA who now is chief executive at Immunity Inc., a cybersecurity firm in Miami.
Aitel, who spoke on the sidelines of the Infiltrate 2017 conference in Miami Beach late last week, before the Shadow Brokers release, said the effect of leaks of cyberespionage tools “can be real hard to estimate or contain.”
He said such leaks could open a window on research trends that could derail entire units within the intelligence community.
“Every group has a particular set of specialties that they are good at researching. If you start exposing those capabilities, you also expose your future capabilities,” Aitel said. “It can spread across a lot of pieces of your organization. … That’s when you start seeing entire networks get destroyed based on leaks.”
In August, the Shadow Brokers claimed to possess stolen NSA cyberweapons and surveillance tools intended to bypass firewalls and embed in network equipment or software made by Cisco Systems, Fortinet, Juniper Networks and TopSec, a Chinese security vendor.
The group demanded an astronomical sum — 1 million bitcoins, or $1.2 trillion — for the release of additional NSA tools. When the group found no takers, it canceled the auction in October. In January, the group said it was “going dark,” only to reappear over the weekend.