ShadowBrokers Release More Alleged Equation Group Data

Data purports to show configuration details of servers that NSA allegedly hacked and used to host exploits

For the second time in the last three months, a group that calls itself ShadowBrokers has publicly released data allegedly purloined from the Equation Group, an outfit that many consider to be the cyber hacking arm of the National Security Agency (NSA).

In August, ShadowBrokers rattled many in the security industry when they leaked details on highly classified hacking tools and exploits that they claimed the NSA had developed and used over the years for breaking into systems belonging to US adversaries.

The 300 MB data dump included details on some 50 NSA attack tools for exploiting zero-day vulnerabilities in network firewalls and appliances from major security vendors, including Cisco, Juniper, and Fortinet.  

Security firms, including Kaspersky Lab, which analyzed the leak at that time, had noted that the leaked code was identical to that created by the Equation Group.

In releasing the data, ShadowBrokers claimed they had a lot more of it on hand, which the hacking collective offered for auction at a starting price of around $550 million.

This week the group released configuration data on a toolkit that might have been used by the Equation Group to break into Sun Solaris servers that were then used to stage the exploits and carry out covert cyber operations between 2000 and 2010.

The data, contained in a document named “trickortreat,” included a list of 352 IP addresses and 306 domain names in 49 countries which appear to have been used for hosting the alleged NSA exploit tools, UK-based penetration testing firm Hacker House said, based on an analysis of the data dump.

The leaked document shows that the countries with the highest number of infected hosts were China, Japan, and Korea. Fifty-six of the infected hosts listed in the document were in China while Japan and Korea had 41 each. Other countries with a relatively high number of attacked hosts included Spain, Germany, India, and Taiwan.

An analysis of the impacted countries shows clearly that a majority of the targeted hosts were within the Asia/Pacific region and were likely chosen to make it harder to attribute the covert operations to anyone, Hacker House said. The infected hosts included at least 32 .edu domains and nine .gov domains, Hacker House said.

Though the leaked data appears to refer to old exploits, “a brief Shodan scan of these hosts indicates that some of the affected hosts are still active and running the identified software,” the security firm cautioned.

The latest data, as released by the ShadowBrokers, is not exactly useful to cybercriminals. It differs from the hacking collective’s previous data dump in that it does not contain any source code for tools, says Matthew Hickey, security researcher and co-founder of Hacker House.

“Instead, it contains snippets of information that can be used to determine the existence of a UNIX toolkit alongside information on computers which have been compromised,” he says in comments to Dark Reading.

The toolkit, with exploits named DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK, STOICSURGEON, PITCHIMPAIR and INTONATION, is focused heavily on Solaris and other UNIX platforms, he says.

ShadowBrokers released this snippet with the password “payus” essentially to show that the remaining files in their possession may very well include the toolkit for breaking into Solaris servers. “Their motive appears to be to profit from the tools,” Hickey said. “[What] this leak shows [is] that there may very well be more tools and exploits yet to surface from Shadow Brokers.”

Vitali Kremez, senior intelligence analyst at Flashpoint, which also has analyzed the latest data dump, says there’s no indication at this time that the ShadowBrokers have attempted to sell the data allegedly in their possession in the cyber underground. “We have seen only a ‘free’ portion of the data that is being offered by the hacking collective. It is not exactly useful for any cybercriminals in the state that it was shared by the group,” he says.

The ShadowBrokers, whom some believe are Russian hackers, are apparently financially motivated, but have been vocal critics of US policies and what they have described as US hypocrisy on cybersecurity matters.

A manifesto released along with the configuration data this week continues in that vein, Kremez says. For instance, the statement, which is riddled with grammatical errors and made to appear almost deliberately as if a non-native English speaker wrote it, makes fun of CIA attempts to retaliate against Russia for recent hacking incidents. It mocks the US election process and accuses the US of playing political games rather than addressing internal problems, Kremez said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
