Leaked hacking tools can be tied to NSA’s Equation Group

[Free CISSP Exam Study Guide] Get expert advice that will help you pass the CISSP exam: sample questions, summaries of all 8 CISSP domains and more!

The batch of data released by the Shadow Brokers, an entity that claims to have hacked the Equation Group, contains attack tools that can be tied to the group.

Equation Group

Equation Group is a threat actor that is believed to be linked with the National Security Agency (NSA), and is believed to have been involved in the creation of Stuxnet, Flame and Duqu.

The Shadow Brokers announced on Saturday that they will be auctioning off the stolen material, and offered the first batch as proof that the rest of the data is worth buying.

“The first archive contains close to 300MBs of firewall exploits, tools, and scripts under cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION. Most files are at least three years old,” Kaspersky Lab researchers have pointed out after analyzing the dump.

“While we cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation Group,” they added.

Nicholas Weaver, a senior staff researcher at the International Computer Science Institute in Berkeley, California, has also analyzed the leaked material, and confirmed the contents.

“The proof file is 134 MB of data compressed, expanding out to a 301 MB archive. This archive appears to contain a large fraction of the NSA’s implant framework for firewalls, including what appears to be several versions of different implants, server side utility scripts, and eight apparent exploits for a variety of targets,” he says.

“The exploits themselves appear to target Fortinet, Cisco, Shaanxi Networkcloud Information Technology (sxnc.com.cn) Firewalls, and similar network security systems. I will leave it to others to analyze the reliability, versions supported, and other details. But nothing I’ve found in either the exploits or elsewhere is newer than 2013.”

He pointed out that the leaked data doesn’t seem like it comes from the cache of data exfiltrated by Edward Snowden, and that the file timestamps seem to imply that the intrusion that resulted in the theft of this data has ended some time in October 2013, a few months after Snowden released his cache to selected journalists.

“This scenario would have the NSA, after the Snowden revelations, practicing some incredibly awful operational security,” he noted.

Snowden posited that the Shadow Brokers’ announcement was a statement.

“NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is. Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack,” he noted in a series of tweets.

“Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here’s why that is significant: This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections. Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.”

Former NSA security scientist Dave Aitel is of the same mind regarding the nature of the group.

It’s, of course, impossible to say for sure who might be hiding behing the Shadow Brokers moniker. The text of the announcement is written in simplified English, which either indicates that the writer is not that proficient in the language, or that he doesn’t want anyone to make an educated guess on what his native language is.

The text seems to imply that the leak has nothing to do with politics, but with making sure that the “Wealthy Elite” recognizes the danger their wealth and control are in, and that they should bid on the auction.

So far, there have been few takers, and the auction has been deemed by many to be mostly a publicity stunt.

Only time will tell which of the expounded theories – or perhaps one that has yet to be put forward – is the most likely one. Unfortunately, we might never know for sure who the Shadow Brokers are.