A close look at the exploits leaked after the Equation Group hack

Pierluigi Paganini August 18, 2016

The NSA-linked unit The Equation Group has been hacked and a data dump containing exploits and tools has been leaked online. Is it legitimate?

It is the topic of the moment, the group The Shadow Brokers has hacked the NSA-linked unit the Equation Group and leaked online exploits and hacking tools.

The hackers had dumped online the precious material, probably to launch a clear message to the US Intelligence.

Are the tools really the same used by the Equation Group?

The experts who have analyzed the hacking tools have no doubts, the exploits belong to the alleged nation-state group known as the Equation Group.

Experts from Kaspersky Lab published a detailed analysis of the hacking material leaked by The Shadow Brokers suggesting that the material belongs to the arsenal of the dreaded NSA cyber unit.

The ShadowBrokers provided the links to two distinct PGP-encrypted archives, the first one offered for free as a proof of the hack (its passphrase was ‘auctioned’), for the second one the group requested 1 million BTC .

The first archive contains roughly 300MBs of data, including firewall exploits, hacking tools, and scripts with cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION.

The security researchers Mustafa Al-Bassam has published an interesting post that lists all the exploits, implants, and tools for hacking firewalls (“Firewall Operations”) included in the dump.

The Equation Group ‘s hackers targeted products made by Cisco, Fortigate, Juniper, TOPSEC, and Watchguard.

The majority of files are at least three years old, meanwhile, the newest timestamp dating to October 2013.

The researchers started their analysis from the newly released files trying to figure out any connections with hacking Equation Group toolsets documented in previous analysis. The experts analyzed hacking tools such as EQUATIONDRUG, DOUBLEFANTASY, GRAYFISH, and FANNY.

“While we cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group.” reported the analysis published by Kaspersky.

The experts have found more than 300 files found in the archive leaked by the Shadow Brokers that share a common implementation of RC5 and RC6 encryption algorithms, this implementation is the same used by the Equation Group.

“There are more than 300 files in the Shadow Brokers’ archive which implement this specific variation of RC6 in 24 other forms,” reported Kaspersky. “The chances of all these being fakes or engineered is highly unlikely.”
“The code similarity makes us believe with a high degree of confidence that the tools from the Shadow Brokers’ leak are related to the malware from the Equation group.”
In the following table, it reported the comparison of the older Equation RC6 code and the code found in the archive leaked by the ShadowBrokers. It is evident that the two stubs use the same function and constraint, and share rare specific traits in their implementation:
nsa hack equation group Comparison

Other elements emerged in the last hours lead the experts into believing that the leaked archive really includes hacking tools belonging to the Equation Group Arsenal.

The Washington Post, citing two former-NSA TAO hackers, also speculated that the tools are the same used by the dreaded cyber unit.

“Without a doubt, they’re the keys to the kingdom,” explained one the former TAO employee, who spoke on the condition of anonymity. “The stuff you’re talking about would undermine the security of a lot of major government and corporate networks both here and abroad.”

“From what I saw, there was no doubt in my mind that it was legitimate.” said a second former TAO hacker.

The NSA TAO, aka Tailored Access Operations, is the hacking division inside the NSA Agency, in December 2013 the Der Spiegel revealed that the NSA TAO unit planted backdoors to access computers, hard drives, routers, and other devices from principal vendors.

The vast majority of the tools present in the leaked archive is coded in Python, they were developed to target firewalls and network equipment widely used by a wide range of targets, including IT giants and government agencies.

The researcher Mustafa Al-Bassam highlighted that some of the Firewall hacking tools in the leaked data dump allow remote code execution attack. Hackers could use them to remotely bypass a firewall, access the target network, install an implant and spy on it.

The archive also includes a set of tools that allows the Equation Group hackers to send malicious files to the target systems, files that attackers could use to perform further malicious actions.

Searching online for some experts that already tested the exploit, I have found the security researcher XORcat has tested the EXTRABACON exploit. The researcher confirmed that it works and allows an attacker to access a CISCO firewall without providing valid credentials.

Joseph Cox from Motherboard reported that the security researcher Kevin Beaumont has successfully tested an exploit for Fortinet firewalls.

Both Cisco and Fortinet have issued warnings and fixes for vulnerabilities exploited by the hacking tools exposed by the Shadow Brokers.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  The Equation Group, ATP)

[adrotate banner=”5″]

[adrotate banner=”9″]

you might also like

leave a comment