ShadowBrokers Release More Alleged Equation Group Data

Data purports to show configuration details of servers that NSA allegedly hacked and used to host exploits

For the second time in the last three months, a group that calls itself ShadowBrokers has publicly released data allegedly purloined from the Equation Group, an outfit that many consider to be the cyber hacking arm of the National Security Agency (NSA).

In August, ShadowBrokers rattled many in the security industry when they leaked details on highly classified hacking tools and exploits that they claimed the NSA had developed and used over the years for breaking into systems belonging to US adversaries.

The 300 MB data dump included details on some 50 NSA attack tools for exploiting zero-day vulnerabilities in network firewalls and appliances from major security vendors, including Cisco, Juniper, and Fortinet.

Security firms, including Kaspersky Lab, which analyzed the leak at that time, had noted that the leaked code was identical to that created by the Equation Group.

In releasing the data, ShadowBrokers claimed they had a lot more of it on hand, which the hacking collective offered for auction at a starting price of around $550 million.

This week the group released configuration data on a toolkit that might have been used by the Equation Group to break into Sun Solaris servers that were then used to stage the exploits and carry out covert cyber operations between 2000 and 2010.

The data, contained in a document named “trickortreat,” included a list of 352 IP addresses and 306 domain names in 49 countries which appear to have been used for hosting the alleged NSA exploit tools, UK-based penetration testing firm Hacker House said, based on an analysis of the data dump.

The leaked document shows that the countries with the highest number of infected hosts were China, Japan, and Korea. Fifty-six of the infected hosts listed in the document were in China while Japan and Korea had 41 each. Other countries with a relatively high number of attacked hosts included Spain, Germany, India, and Taiwan.

An analysis of the impacted countries shows clearly that a majority of the targeted hosts were within the Asia/Pacific region and were likely chosen to make it harder to attribute the covert operations to anyone, Hacker House said. The infected hosts included at least 32 .edu domains and nine .gov domains, the firm added.

Though the leaked data appears to refer to old exploits, “a brief Shodan scan of these hosts indicates that some of the affected hosts are still active and running the identified software,” the security firm cautioned.
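The practical question for a defender reading a list like the one Hacker House analyzed is whether any of the listed hosts belong to their own organization, and what the list looks like when broken down by country and by domain type (.edu, .gov). The script below is an added example, not code from the article, from Hacker House, or from the leak; it assumes a simple constructed record format of "ip hostname country-code" per line, since the article does not describe the actual layout of the "trickortreat" file, and the sample records in it are constructed and not real entries from the dump.

```python
"""Cross-check a leaked host list against an asset inventory.

Added example (not from the article or Hacker House). Assumes a
constructed record format of "<ip> <hostname> <country-code>" per line;
the real file layout is not described in the article.
"""
from collections import Counter
import ipaddress

# Constructed sample records using documentation address ranges; these are
# NOT real entries from the leaked list.
SAMPLE_RECORDS = """\
# ip            hostname                          country
198.51.100.7    mail.uni-example.edu              JP
203.0.113.21    portal.ministry.gov.example       KR
192.0.2.44      solaris1.lab.example.edu          CN
198.51.100.9    ns2.example-university.edu        CN
203.0.113.5     host.example.net                  DE
192.0.2.200     www.example.gov                   US
"""


def parse_records(text):
    """Parse the assumed "ip host country" format, skipping comments/blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ip, host, country = line.split()
        records.append({
            "ip": ipaddress.ip_address(ip),
            "host": host.lower().rstrip("."),
            "country": country.upper(),
        })
    return records


def has_label(host, label):
    """True if the DNS label appears anywhere in the name (e.g. 'gov' in x.gov.example)."""
    return label in host.split(".")


def summarize(records):
    """Per-country counts plus how many names carry an .edu or .gov label."""
    return {
        "by_country": Counter(r["country"] for r in records),
        "edu": sum(has_label(r["host"], "edu") for r in records),
        "gov": sum(has_label(r["host"], "gov") for r in records),
    }


def in_domain(host, zone):
    """Suffix match on label boundaries: 'a.example.edu' is in 'example.edu',
    but 'example-university.edu' is not."""
    return host == zone or host.endswith("." + zone)


def match_inventory(records, owned_zones, owned_networks):
    """Return (host, ip, reasons) for records that fall inside the zones or
    networks an organization owns, so they can be triaged first."""
    zones = [z.lower().rstrip(".") for z in owned_zones]
    nets = [ipaddress.ip_network(n) for n in owned_networks]
    hits = []
    for r in records:
        reasons = []
        if any(in_domain(r["host"], z) for z in zones):
            reasons.append("domain")
        if any(r["ip"] in n for n in nets):
            reasons.append("ip")
        if reasons:
            hits.append((r["host"], str(r["ip"]), reasons))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(summarize(recs))
    # Hypothetical inventory for the organization running the check.
    for hit in match_inventory(recs, {"example.edu"}, ["198.51.100.0/24"]):
        print("review:", hit)
```

Matching on both DNS zone and IP network matters because a leaked list may carry hostnames that have since been reassigned, or addresses whose reverse records no longer resolve; either signal alone would miss hosts that the other catches, and a hit is a prompt to verify the host's current software and patch state, not proof of an ongoing compromise.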

The latest data released by the ShadowBrokers is not especially useful to cybercriminals. It differs from the hacking collective’s previous data dump in that it does not contain any source code for tools, says Matthew Hickey, security researcher and co-founder of Hacker House.

“Instead, it contains snippets of information that can be used to determine the existence of a UNIX toolkit alongside information on computers which have been compromised,” he says in comments to Dark Reading.

The toolkit, with exploits named DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK, STOICSURGEON, PITCHIMPAIR and INTONATION, is focused heavily on Solaris and other UNIX platforms, he says.

ShadowBrokers released this snippet with the password “payus” essentially to show that the remaining files in their possession may very well include the toolkit for breaking into Solaris servers. “Their motive appears to be to profit from the tools,” Hickey said. “[What] this leak shows [is] that there may very well be more tools and exploits yet to surface from Shadow Brokers.”

Vitali Kremez, senior intelligence analyst at Flashpoint, which also has analyzed the latest data dump, says there’s no indication at this time that the ShadowBrokers have attempted to sell the data allegedly in their possession in the cyber underground. “We have seen only a ‘free’ portion of the data that is being offered by the hacking collective. It is not exactly useful for any cybercriminals in the state that it was shared by the group,” he says.

The ShadowBrokers, whom some believe are Russian hackers, are apparently financially motivated, but have been vocal critics of US policies and what they have described as US hypocrisy on cybersecurity matters.

A manifesto released along with the configuration data this week continues in that vein, Kremez says. For instance, the statement, which is riddled with grammatical errors and appears almost deliberately written to look like the work of a non-native English speaker, makes fun of CIA attempts to retaliate against Russia for recent hacking incidents. It mocks the US election process and accuses the US of playing political games rather than addressing internal problems, Kremez said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.