
ShadowBrokers Release More Alleged Equation Group Data

Data purports to show configuration details of servers that NSA allegedly hacked and used to host exploits

For the second time in the last three months, a group that calls itself ShadowBrokers has publicly released data allegedly purloined from the Equation Group, an outfit that many consider to be the cyber hacking arm of the National Security Agency (NSA).

In August, ShadowBrokers rattled many in the security industry when they leaked details on highly classified hacking tools and exploits that they claimed the NSA had developed and used over the years for breaking into systems belonging to US adversaries.

The 300 MB data dump included details on some 50 NSA attack tools for exploiting zero-day vulnerabilities in network firewalls and appliances from major security vendors, including Cisco, Juniper, and Fortinet.  

Security firms, including Kaspersky Lab, which analyzed the leak at that time, had noted that the leaked code was identical to that created by the Equation Group.

In releasing the data, ShadowBrokers claimed they had a lot more of it on hand, which the hacking collective offered for auction at a starting price of around $550 million.

This week the group released configuration data on a toolkit that might have been used by the Equation Group to break into Sun Solaris servers that were then used to stage the exploits and carry out covert cyber operations between 2000 and 2010.

The data, contained in a document named “trickortreat,” included a list of 352 IP addresses and 306 domain names in 49 countries which appear to have been used for hosting the alleged NSA exploit tools, UK-based penetration testing firm Hacker House said, based on an analysis of the data dump.

The leaked document shows that the countries with the highest number of infected hosts were China, Japan, and Korea. Fifty-six of the infected hosts listed in the document were in China while Japan and Korea had 41 each. Other countries with a relatively high number of attacked hosts included Spain, Germany, India, and Taiwan.

An analysis of the impacted countries shows clearly that a majority of the targeted hosts were within the Asia/Pacific region and were likely chosen to make it harder to attribute the covert operations to anyone, Hacker House said. The infected hosts included at least 32 .edu domains and nine .gov domains, Hacker House said.

Though the leaked data appears to refer to old exploits, “a brief Shodan scan of these hosts indicate that some of the affected hosts are still active and running the identified software,” the security firm cautioned.

The latest data, as released by the ShadowBrokers, is not exactly useful to cybercriminals. It differs from the hacking collective’s previous data dump in that it does not contain any source code for tools, says Matthew Hickey, security researcher and co-founder of Hacker House.

“Instead, it contains snippets of information that can be used to determine the existence of a UNIX toolkit alongside information on computers which have been compromised,” he says in comments to Dark Reading.

The toolkit, with exploits named DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK, STOICSURGEON, PITCHIMPAIR and INTONATION, is focused heavily on Solaris and other UNIX platforms, he says.

ShadowBrokers released this snippet with the password “payus” essentially to show that the remaining files in their possession may very well include the toolkit for breaking into Solaris servers. “Their motive appears to be to profit from the tools,” Hickey said. “[What] this leak shows [is] that there may very well be more tools and exploits yet to surface from Shadow Brokers.”

Vitali Kremez, senior intelligence analyst at Flashpoint, which also has analyzed the latest data dump, says there’s no indication at this time that the ShadowBrokers have attempted to sell the data allegedly in their possession in the cyber underground. “We have seen only a ‘free’ portion of the data that is being offered by the hacking collective. It is not exactly useful for any cybercriminals in the state that it was shared by the group,” he says.

The ShadowBrokers, whom some believe are Russian hackers, are apparently financially motivated, but have been vocal critics of US policies and what they have described as US hypocrisy on cybersecurity matters.

A manifesto released along with the configuration data this week continues in that vein, Kremez says. For instance, the statement, which is riddled with grammatical errors and seems almost deliberately written to look like the work of a non-native English speaker, makes fun of CIA attempts to retaliate against Russia for recent hacking incidents. It mocks the US election process and accuses the US of playing political games rather than addressing internal problems, Kremez said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
