NSA Hackers The Shadow Brokers leaked another dump with NSA targets

The ShadowBrokers hacker group leaked a fresh dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.

The notorious Shadow Brokers hacker group has posted a fresh dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.

The hackers disclosed the list containing historic targets of the Equation Group, it includes Mail providers, Chinese targets, and universities.

The Equation group compromised the targets using the hacking tools codenamed as INTONATION and PITCHIMPAIR.

The latest dump leaked by the Shadow Brokers was signed using the same key used to sign the first dump of Equation Group exploits.

The ShadowBrokers provided the links to two distinct PGP-encrypted archives, the first one offered for free as a proof of the hack (its passphrase was ‘auctioned’), for the second one the group requested 1 million BTC .

The first archive contains roughly 300MBs of data, including firewall exploits, hacking tools, and scripts with cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION.

The security researchers Mustafa Al-Bassam has published an interesting post that lists all the exploits, implants, and tools for hacking firewalls (“Firewall Operations”) included in the dump.

The Equation Group ‘s hackers targeted products made by Cisco, Fortigate, Juniper, TOPSEC, and Watchguard.

The majority of files are at least three years old, meanwhile, the newest timestamp dating to October 2013.

Early October, TheShadowBrokers complained that no one seems to be bidding on their precious archive, an alleged member of the hacker group expressed his dissent on the lack of interest in ponying up bitcoins to release the full NSA data dump.

A couple of weeks ago the group announced the launch of a crowdfunding campaign for the stolen arsenal because its auction received offers for less than two bitcoins.

Back to the present day, the ShadowBrokers hackers published message accompanying the latest dump.

“TheShadowBrokers is having special trick or treat for Amerikanskis tonight.” “Why is DirtyGrandpa threating CIA cyberwar with Russia? Why not threating with NSA or CyberCommand? CIA is cyber B-Team, yes? Where is cyber A-Team? Maybe threating is not being for external propaganda? Maybe is being for internal propaganda? Oldest control trick in book, yes? Waving flag, blaming problems on external sources, not taking responsibility for failures. But neverminding, hacking DNC is way way most important than EquationGroup losing capabilities. Amerikanskis is not knowing USSA cyber capabilities is being screwed? Where is being “free press”? Is ABC, NBC, CBS, FOX negligent in duties of informing Amerikanskis? Guessing “Free Press” is not being “Free as in free beer” or “Free as in free of government influence?” reads the message.

According to security experts, the list is very old, it is available at the following links

https://mega.nz/#F!D1Q2EQpD!Lb09shM5XMZsQ_5_E1l4eQ
https://yadi.sk/d/NCEyJQsBxrQxz

Password = payus

A close look at the dump revealed that it contains some 300 folders of files. Each file corresponds to a different domain and IP address.

The notorious expert Hacker Fantastic analyzed the dump and confirmed that it contains 306 domains and 352 IP addresses relating to 49 countries in total.

The dump revealed targets in Russia, China, India, Sweden, and many other countries. The Top 10 countries include also Japan and Italy.

The colleague Carola Frediani reported the presence of Italian targets that includes systems in some university, such as the Università dell’Aquila (sipralab.univaq.it; matematica.univaq.it; ns.univaq.it) and the ‘Università degli Studi Mediterranea di Reggio Calabria (ns.ing.unirc.it).

Below a graph from by a preliminary study conducted by the researcher Quequero ‏@quequero on addresses published by the ShadowBrokers and allegedly used by the NSA as staging servers/C&C.

The machines compromised by the US Intelligence may have been used to target systems worldwide and deliver exploits.

Stay Tuned!

Pierluigi Paganini

(Security Affairs – The Equation Group, ShadowBrokers)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.