Shadow Brokers’ Another Leak Lists NSA Victims

The Group Shadow Brokers has leaked more files which include a servers list allegedly used by the Equation Group – one of the contractors of the NSA – in its attacks.

In mid-august, Shadow Brokers emerged with proofs of their hack, when it leaked roughly 300 MB of firewall exploits and tools taken from Equation Group servers. While the sample exploits were old, it helped firewall vendors to discover unknown vulnerabilities in their products. Some of the popular firewall vendors affected include Cisco, Juniper, Fortigate, Watchguard, and TopSec.

The group initially auctioned the rest of the files it had, but when the plan failed, it announced to make it publicly available once they raise 10,000 bitcoins in crowdfunding. With the current situation of 2 bitcoins raised so far, it is unlikely that this plan will continue to work.

However, the Shadow Brokers group released a new batch of files on Monday. They explained that the domain and IPs mentioned in the archives correspond to servers used by the Equation Group to breach networks.

After the release of archives, the leak has been analyzed by various security researchers. One of the researchers Mustafa Al-Bassam said that the files contain a list of compromised servers to act as staging actors in the Equation group attacks. The researchers confirmed that the archives are old and date back between 2000 and 2010 and the affected servers have most likely be cleaned up or replaced.

However, the detailed analysis of the dump by Hacker House suggests that some of the affected host servers are still active and infected with the previously undisclosed tools that are mentioned in the latest leak.

Researchers at Hackers House says, “These hosts may still contain forensic artifacts of the Equation Group APT group and should be subject to incident response handling procedures.”

The tools referenced in the archives includes INCISION, DEWDROP, JACKLADDER, PATCHICILLIN, ORANGUTAN, SIDETRACK, RETICULUM, and STOICSURGEON. Other notable tools referenced in the files are PITCHIMPAIR and INTONATION – Shadow Brokers suggests that these two exploits are a sort of redirector tools. It is worth noticing that these names align with the same naming convention as in NSA’s famous ANT catalog.

The experts analyzed and have confirmed 352 IPs and 306 domain names including 9 .gov domains, and 32 .edu domains, spread across 49 countries, mostly Asia Pacific region. The countries affected include China, Korea, Japan, Germany, Spain, India, Mexico, Taiwan, Italy, and Russia.

The Hacker House also pointed out that the Equation Group seemed to be using Sendmail exploit.

In their latest statement, Shadow Brokers talked about upcoming elections in the US. They urged people to disrupt the elections, either by hacking or physical actions, such as protests or destroying voting equipment.

The aim of Shadow Brokers still, is to make money from Equation Group archives, but the experts say the files are not valuable as the hacker group believes it to be.

It’s still not clear that who’s behind this Shadow Broker group. Popular theories include an NSA insider, the Russian government, or the opportunist hackers who breached the data on the NSA’s server.

The linguistic experts Taia Global’s analysis suggests that the people behind Shadow Brokers are native English speaker who is trying to appear as non-native. The latest statements published by the hacker group supports this theory.

Leave a Comment