Speculation about the hackers who allegedly got their hands on a digital arsenal of the so-called Equation Group, a cyberespionage unit with ties to the United States National Security Agency, abounds online.
One commenter who stands out among the pack is Edward Snowden, a man with experience leaking top secret intelligence files himself. The NSA contractor turned whistleblower took to Twitter (TWTR) to air his theory.
“The hack of an NSA malware staging server is not unprecedented, but the publication of the take is,” the man in exile in Moscow began his series of Tweets, drawing attention to the leak aspect as the hack’s differentiator (similar to what others have said about the Democratic National Committee hack).
Snowden went on to describe “counter computer network exploitation,” a cyberespionage technique that is a standard practice for many nation state intelligence agencies. Spies will set up camp on a relay or proxy computer that adversaries are using to launch or further attacks, so as to surveil their activity.
“This is how we steal their rivals’ hacking tools and reverse-engineer them to create ‘fingerprints’ to help us detect them in the future,” Snowden explained, noting that this is the bread and butter of digital spies everywhere.
As for how the so-called “shadow brokers”—the hackers behind this weekend’s “cyber weapons” auction—gained access to so much NSA operational tactics, “people get lazy,” Snowden said. It’s possible that NSA operatives accidentally left the leaked software tools on a machine, he wagered.
Get Data Sheet, Fortune’s technology newsletter.
On the hackers’ motives for leaking the cache, Snowden said that while though no one can say for sure, “I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.” He continued: “Circumstantial evidence and conventional wisdom indicates Russian responsibility,” echoing what earlier experts have cautiously hypothesized.
For more on cyberespionage, watch:
This is where Snowden’s conjecture becomes most interesting. The whistleblower devised a scenario that would explain the timing and tactics of the hackers—if they are indeed Russian operatives.
“This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server,” Snowden surmised. “That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections.”
In other words, the hackers are sending a veiled message to the U.S. government, currently debating whether to publicly attribute the DNC hack to Russia: Check yourself before you wreck yourself.
13) TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast.
— Edward Snowden (@Snowden) August 16, 2016
Snowden’s words should be given extra consideration given his position, but also be taken with a grain of salt. Thomas Rid, a professor in the department of war studies at King’s College London, noted that given Snowden’s present situation (in exile in Moscow), he is likely in contact with the Russian intelligence community “willingly or not,” and therefore:
https://twitter.com/RidT/status/765520089470922753
Signing off, Snowden said, “You’re welcome, @NSAGov. Lots of love.”
Meanwhile, the NSA’s website has been offline since Monday, serving up only a cached homepage and some news pages. The NSA has not responded to Fortune’s request for comment.
