Hackers known as the Shadow Brokers unleashed a new security scare this month by publishing exploits stolen from the NSA. The exploits came in the form of software code that was designed to do things like break into Cisco, Fortinent and other firewalls.
As companies scramble to patch their vulnerabilities, there is a debate over who is to blame. Most people think Russia is responsible, but one cyber-security figure points in a different direction: According to James Bamfield, who has written extensively about U.S. intelligence agencies, the latest leaks suggest someone inside the NSA — a second Edward Snowden in other words, albeit one with different motives.
Is this likely? To get a better idea, this FAQ explores what we know about the hacks and who might be behind them:
How did the hack come to light?
It’s a strange story. Last week, the so-called Shadow Brokers announced they had obtained code created by the NSA, and released a big batch of it via services like BitTorrent and Dropbox, where security researchers could download it. They also offered to sell off a related file for about $500 million in bitcoin at auction.
The weird part is that the stolen software appears to be genuine — experts say it looks exactly like hacking tools developed by the NSA — but the auction is not. Instead, the Shadow Broker hackers, who like to communicate using fake movie villain English, appear to have used the auction simply to draw attention to the stolen software.
Get Data Sheet, Fortune’s technology newsletter.
What exactly did the hackers steal from the NSA?
You can think of the stolen software as set of lock-picks and other burglary tools. The tools can be used to sneak into devices and networks of companies and governments in order to spy or wreck havoc.
The code, however, is not new and appears instead to date from 2013. One expert described it to the New York Times as “Snowden-era stuff, repackaged for resale now.” Even though reports of these exploits first emerged years ago (a German publication described the “NSA’s Secret Toolbox” in late 2013), no one has published the actual software to carry out the attacks until now.
Plus, there is a mysterious 120 MB file the hackers have yet to decrypt. Nicholas Weaver, a security researcher affiliated with UC Berkeley, describes it as a “blackmail file.” The hackers could decrypt the file at any minute by publishing the key — and they want the NSA to know that.
How is this a “second Snowden”?
Bamford, the long-time NSA reporter, raised this theory in an article for Reuters on Monday. He points out that the Shadow Broker code did not appear in Edward Snowden’s archives (others have also said this), and instead appears to have been obtained months after Snowden fled into exile. Bamford also casts doubt on the Russia thesis. Here is what he says (emphasis mine):
Rather than the NSA hacking tools being snatched as a result of a sophisticated cyber operation by Russia or some other nation, it seems more likely that an employee stole them. Experts who have analyzed the files suspect that they date to October 2013, five months after Edward Snowden left his contractor position with the NSA and fled to Hong Kong carrying flash drives containing hundreds of thousands of pages of NSA documents.
So, if Snowden could not have stolen the hacking tools, there are indications that after he departed in May 2013, someone else did, possibly someone assigned to the agency’s highly sensitive Tailored Access Operations.
Bamford supports his position by saying Russia would not have published the hacks — let alone try to sell them — because exposing them makes them worthless, as the affected companies (which also include HP and Dell) would quickly patch their vulnerabilities.
Here’s What Edward Snowden Has to Say About the Apple-FBI Battle
Does the “second Snowden” theory hold up?
So far, it’s at best a minority view. Weaver, the Berkeley researcher, is skeptical in part because he does not think the Shadow Brokers are behaving like Snowden or a traditional whistle-blower.
To call attention to U.S. surveillance of ordinary citizens, Snowden only released selective information. In contrast, the code revealed by the Shadow Brokers is what Weaver described as “stuff for hard targets” — tricks aimed at foreign governments — that most people would regard as a core part of the NSA’s job. This information’s release is unlikely to cause broad public concern or lead to surveillance reform.
Others on Twitter are also doubtful about Bamford’s claim:
Keep in mind the idea of a “second Snowden” is not a new one and, indeed, both Snowden himself (in the movie Citizen Four) and the FBI have referred to another individual who is leaking NSA documents. But that doesn’t seem to be what’s going on with the Shadow Broker leaks.
So what’s really going on?
I can’t say for sure, but I do find Weaver’s explanation more persuasive than Bamford’s. According to Weaver, the key to the whole affair is the still-encrypted file that was included with the Shadow Broker’s data dump. As noted above, he sees it as a “blackmail file.” So what sort of blackmail are we talking about?
Weaver suspects the encrypted file provides information about how the NSA gets inside networks, or controls systems once they’ve taken them over. In contrast, much of the code published by the Shadow Brokers describes how to launch an attack once a hacker (from the NSA or wherever) is inside.
If people found out about the NSA’s tactics for getting inside, it would be easier for its targets to build intrusion detection systems. For now, that information — if Weaver is correct — is still locked up. Unlike the other data released, the Shadow Brokers did not provide a key to decrypt it. But the hackers can now threaten to do just that, if the NSA does or does not do certain things.
So who are the hackers? Based on what Weaver says, it sounds like — contrary to what Bamfield says — Russians are the most plausible suspects. The tactics on display are consistent with the sort of psychological-intel war the country has directed at America and, especially, the Democratic party, in recent months. But that’s just a theory.