NSA-Linked Group Hacked?

But that might not be the truth. There has been a lot of security news asking whether the NSA's hacking group has been hacked. It is hard to say for sure whether that is true, but what does seem true is that some of the hacking tools the NSA has used (and Snowden has revealed) are now out in the wild.

The So, Uh, Did The NSA Get Hacked? article reports that a group of hackers say they have breached a hacking group known as the Equation Group, which is widely speculated to be an offshoot of the National Security Agency. The Equation Group, according to Kaspersky Lab, targeted the same victims as the group behind Stuxnet, which is widely believed to have been a joint US-Israeli operation targeting Iran's nuclear program, and also used two of the same zero-day exploits.

The NSA Hacked? ‘Shadow Brokers’ Crew Claims Compromise Of Surveillance Op article asks whether the NSA has just been hacked. Security experts speaking with FORBES think it is possible, after a group published malware and attack code allegedly belonging to the Equation Group, a crew linked to the US intelligence agency. But while many believe the leak looks legitimate, the hackers could have pulled off a very clever ruse.

The same article also reports that in 2015, researchers at Russian security company Kaspersky Lab revealed a highly advanced arsenal of hacking tools used by the Equation campaign. They were believed to be the work of the NSA because the code was linked with previous, allegedly US-sponsored hacks, including the infamous Regin and Stuxnet attacks (never definitively proven). The group's connections to other high-profile hacks and its use of codenames similar to those in documents leaked by NSA whistleblower Edward Snowden raise serious suspicions.

What is released?

The hackers have released files they claim to have taken from the Equation Group, including what could be parts of the agency's surveillance tools. The NSA Hacked? ‘Shadow Brokers’ Crew Claims Compromise Of Surveillance Op article reports that two days ago, on August 13, a group calling themselves The Shadow Brokers released files on GitHub (that account is now disabled), claiming they came from the Equation Group. The files mostly contained installation scripts, configurations for command-and-control (C&C) servers, and exploits allegedly designed to target routers. They included code allegedly designed to exploit firewalls from manufacturers Cisco, Juniper, Fortinet and Topsec. Some files were also posted to MEGA. Researchers who downloaded the sample posted by the group say it does include intriguing data, such as 300 megabytes of code that match up with actual exploits used by the NSA.

Matt Tait, another security researcher and former British intelligence officer, tweeted that the data could come from “an old counter-hack.”

“The proof files look pretty legit, and they are exactly the sorts of exploits you would expect a group that targets communications infrastructure”

Here’s part of a message the hackers, going by the name “The Shadow Brokers” posted: “How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set?”

The hackers have provided some files, including what could be parts of the agency's surveillance tools, but are demanding millions of dollars in bitcoins for the rest. They say they have released only 40% of the breach and will release the remaining 60% to the highest bidders. The Shadow Brokers said they would release the remaining data to the highest bidder in a Bitcoin auction; if they received an extraordinary 1,000,000 Bitcoins, worth roughly $560 million, they would release all the files.

This project could be a way for some hackers to make a lot of money, or some form of hoax or decoy. The Hackers Say They Hacked NSA-Linked Group, Want 1 Million Bitcoins to Share More article notes: “If this is a hoax, the perpetrators put a huge amount of effort in,” the security researcher known as The Grugq told Motherboard. “The proof files look pretty legit, and they are exactly the sorts of exploits you would expect a group that targets communications infrastructure to deploy and use.” On the other hand, one Kaspersky Lab researcher noted on Twitter that there is “nothing” in the dumped files that links them to the Equation Group, but some of their names are from the ANT Catalog, an NSA hacking toolset published by Der Spiegel in late 2013.

One good thing about this: more flaws in the different routers are revealed to the public, and manufacturers can start making their products safer.

If the hack was real and as big as claimed, there is probably going to be a big manhunt to catch whoever did this. If this was not real, it will spark at least some security discussions.

Sources:

Hackers Claim to Auction Data They Stole From NSA-Linked Spies

So, Uh, Did The NSA Get Hacked?

NSA Hacked? ‘Shadow Brokers’ Crew Claims Compromise Of Surveillance Op

Hackers Say They Hacked NSA-Linked Group, Want 1 Million Bitcoins to Share More

NSA’s Hacking Group Hacked! Bunch of Private Hacking Tools Leaked Online

‘Shadow Brokers’ Claim to be Selling NSA Malware, in What Could Be Historic Hack

Mysterious Group Hacks The NSA


69 Comments

  1. Tomi Engdahl says:

    “Shadow Brokers” Put NSA Exploits Up for Direct Sale
    http://www.securityweek.com/shadow-brokers-put-nsa-exploits-direct-sale

    After a failed attempt to sell stolen exploits from the National Security Agency at an auction just months ago, the hacker group calling itself Shadow Brokers has decided to sell them directly via a new website.

    In August, the group leaked 300 Mb of firewall exploits, implants and other tools allegedly stolen from the NSA-linked Equation Group, and decided to cash in on a second batch of files, which supposedly include exploits, vulnerabilities, RATs, persistence mechanisms and data collection tools. They launched an all-pay auction that raised less than two Bitcoin, so they switched to crowdfunding in October.

    The goal was to raise 10,000 Bitcoins (roughly $7.8 million) through crowdfunding, but the hacker group apparently decided to attempt a new approach: selling the stolen exploits directly for only 1,000 Bitcoins (~$780,000). This new attempt comes weeks after the group released a batch of files at the end of October, saying that the IPs mentioned in the files correspond to machines used by the Equation Group.

    A possible connection between the Equation Group and the NSA was made in Feb. 2015, and the Shadow Brokers leak appeared to consolidate that assumption. The leaked files appeared to come from the NSA-linked actor and were said to target a large number of devices from popular brands such as Fortinet, TOPSEC, Cisco, Juniper Networks, WatchGuard, and others.

    Now, the Shadow Brokers apparently took it to ZeroNet, a platform for hosting websites using blockchain and BitTorrent technology, to come up with a site on which to sell the stolen exploits.

  2. Tomi Engdahl says:

    “Shadow Brokers” Data Obtained From Insider: Flashpoint
    http://www.securityweek.com/shadow-brokers-data-obtained-insider-flashpoint

    New evidence uncovered by researchers after the group calling itself “Shadow Brokers” made available some new files reinforces the theory that the exploits and tools were obtained from a rogue insider and not by hacking NSA systems.

    In mid-August, The Shadow Brokers leaked 300 Mb of firewall exploits, implants and tools, claiming that the files had been obtained from the NSA-linked Equation Group. The threat actor launched an all-pay auction in hopes of making a serious profit for a second batch of files that included exploits, vulnerabilities, RATs and data collection tools.

    The extensive use of Markdown, a lightweight markup language commonly used in code repositories, has led researchers to believe that the files have been copied from an internal system or a code repository, not obtained through remote access or from an external staging server.

    Flashpoint has assessed with “medium confidence” that the information was likely obtained from a rogue insider.

  3. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    After failing to get 10K bitcoins for stolen NSA exploits, Shadow Brokers post farewell message, dump a cache of Windows hacking tools online

    NSA-leaking Shadow Brokers lob Molotov cocktail before exiting world stage
    With 8 days before inauguration of Donald Trump, leak is sure to inflame US officials.
    http://arstechnica.com/security/2017/01/nsa-leaking-shadow-brokers-lob-molotov-cocktail-before-exiting-world-stage/

    Shadow Brokers, the mysterious group that gained international renown when it published hundreds of advanced hacking tools belonging to the National Security Agency, says it’s going dark. But before it does, it’s lobbing a Molotov cocktail that’s sure to further inflame the US intelligence community.

    In a farewell message posted Thursday morning, group members said they were deleting their accounts and making an exit after their offers to release their entire cache of NSA hacking tools in exchange for a whopping 10,000 bitcoins (currently valued at more than $8.2 million) were rebuffed. While they said they would still make good on the offer should the sum be transferred into their electronic wallet, they said there would be no more communications.

  4. Tomi Engdahl says:

    Shadow Brokers “Retire” Awaiting Offer of 10,000 Bitcoins for Cache of Exploits
    http://www.securityweek.com/shadow-brokers-retire-awaiting-offer-10000-bitcoins-cache-exploits

    The mysterious hacking group calling themselves “The Shadow Brokers” has apparently decided to put an end to their failed attempts to sell exploits and hacking tools they claimed to have stolen from the NSA-linked Equation Group.

  5. Tomi Engdahl says:

    Alleged NSA hack group Shadow Brokers releases new trove of exploits
    https://techcrunch.com/2017/04/08/shadow-brokers-be-back/?sr_share=facebook

    Shadow Brokers, the group behind last year’s release of hacking exploits allegedly used by the National Security Agency, has dropped another trove of files. In a Medium post today, the hacker group offered up a password giving free access to files it had previously tried to auction off.

  6. Tomi Engdahl says:

    The Shadow Brokers are back with exploits for Windows and global banking systems
    https://techcrunch.com/2017/04/14/the-shadow-brokers-april-exploits-swift-windows/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook

    The group, which last year dumped malware it had allegedly stolen from The Equation Group, a hacking team associated with the NSA, posted new files over the weekend and followed up today with a dump of Windows exploits.

    The latest files contain tools apparently designed to access Windows machines, as well as slideshows documenting the targeting of banking systems.

    “Is being too bad nobody deciding to be paying theshadowbrokers for just to shutup and going away. TheShadowBrokers rather being getting drunk with McAfee on desert island with hot babes,” the group wrote in a post announcing the file release.

  8. Tomi Engdahl says:

    Hacked Files Suggest NSA Penetrated SWIFT, Mideast Banks
    http://www.securityweek.com/hacked-files-suggest-nsa-penetrated-swift-mideast-banks

    Files released by the mysterious hacker Shadow Brokers suggested Friday the US National Security Agency had penetrated the SWIFT banking network and monitored a number of Middle East banks.

    The files, according to computer security analysts, also showed the NSA had found and exploited numerous vulnerabilities in a range of Microsoft Windows products widely used on computers around the world.

    Analysts generally accepted the files, which show someone exploiting so-called “zero-day” or hitherto unknown vulnerabilities in common software and hardware, came from the NSA.

    They are believed to have been stolen from a hyper-secret hacking unit dubbed the “Equation Group” at the key US signals intelligence agency.

  9. Tomi Engdahl says:

    Microsoft: Latest ‘Shadow Brokers’ Exploits Already Patched
    http://www.securityweek.com/microsoft-latest-shadow-brokers-exploits-already-patched

    The hacker group calling itself “Shadow Brokers” has made public another batch of files allegedly obtained from the NSA-linked threat actor tracked as the Equation Group. Microsoft has assured customers that these new exploits don’t affect up-to-date systems.

    The Shadow Brokers recently published a password to a previously leaked file and many believed it would represent the group’s last dump. However, the hackers released another round of files on Friday, including exploits for Windows and IBM’s Lotus Domino platform. The leaked files also appear to show that the Equation Group breached the SWIFT banking network and monitored a number of Middle Eastern banks.

    Microsoft has analyzed the latest dump and identified a dozen exploits targeting its Windows operating system. According to the company, some of the vulnerabilities leveraged by these exploits were patched back in 2008, 2009, 2010 and 2014.

    Four of the exploits, dubbed EternalBlue, EternalChampion, EternalRomance and EternalSynergy, were addressed by Microsoft with the March 2017 security updates — a majority with the MS17-010 patch. The tech giant also pointed out that the remaining exploits do not work on Windows 7 and later, or Exchange 2010 and later.

  10. Tomi Engdahl says:

    >10,000 Windows computers may be infected by advanced NSA backdoor
    Did script kiddies use DoublePulsar code released by NSA-leaking Shadow Brokers?
    https://arstechnica.com/security/2017/04/10000-windows-computers-may-be-infected-by-advanced-nsa-backdoor/

    Security experts believe that tens of thousands of Windows computers may have been infected by a highly advanced National Security Agency backdoor. The NSA backdoor was included in last week’s leak by the mysterious group known as Shadow Brokers.

    DoublePulsar, as the NSA implant is code-named, was detected on more than 107,000 computers in one Internet scan.

  11. Tomi Engdahl says:

    There’s now a tool to test for NSA spyware
    A script that detects a related code implant has shown as many as 100,000 systems worldwide may be infected
    http://www.pcworld.com/article/3191728/security/theres-now-a-tool-to-test-for-nsa-spyware.html

    A python2 script for processing a PCAP file to decrypt C2 traffic sent to DOUBLEPULSAR implant
    https://github.com/countercept/doublepulsar-c2-traffic-decryptor

  12. Tomi Engdahl says:

    How leaked NSA spy tools created a hacking free-for-all
    http://money.cnn.com/2017/04/25/technology/nsa-doublepulsar-hacking-tool/

    Hackers have compromised thousands of computers around the world with a government-grade spy tool.

    A backdoor published in a trove of leaked NSA hacking tools is being loaded onto vulnerable Windows computers. The attacks demonstrate what happens when people fail to regularly update their machines.

    The hacks were leaked almost two weeks ago by the anonymous Shadow Brokers group and contain a backdoor called DOUBLEPULSAR. It can be remotely installed on Windows machines that have not been patched since March. This allows hackers to take over the computers and execute tasks as if they were the computer’s administrator.

    As of Monday, there are over 144,000 machines infected with this backdoor, according to research from Dan Tentler, founder and CEO of The Phobos Group security firm. Tentler built a tool to scan the internet for Windows machines vulnerable to the backdoor, and says the number is steadily climbing. He estimates between 200,000 and 300,000 could be infected by the end of the week.

    NSA’s powerful Windows hacking tools leaked online
    http://money.cnn.com/2017/04/14/technology/windows-exploits-shadow-brokers/index.html

    A hacking group has dumped a collection of spy tools allegedly used by the National Security Agency online. Experts say they are damaging.

    The exploits, published by the Shadow Brokers on Friday, contain vulnerabilities in Windows computers and servers. They may have been used to target a global banking system. One collection of 15 exploits contains at least four Windows hacks that researchers have already been able to replicate.

  13. Tomi Engdahl says:

    THE SHADOW BROKERS
    This Is How the NSA Infiltrated a Huge Banking Network in the Middle East
    https://motherboard.vice.com/en_us/article/nsa-eastnets-hack-banking-network-middle-east

    The NSA hacking tools dumped by The Shadow Brokers show how the spy agency broke into the major Dubai-based EastNets system.

    The firm vehemently denied any breach, despite the fact that the documents appeared undeniable.

  14. Tomi Engdahl says:

    Ransomware based on leaked NSA tools spreads to dozens of countries
    https://techcrunch.com/2017/05/12/ransomware-based-on-leaked-nsa-tools-spreads-to-dozens-of-countries/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    A ransomware attack seemingly based on leaked NSA hacking tools is spreading like wildfire among unpatched Windows systems worldwide. Early reports suggested it was targeted at the UK’s National Health Service, but it’s clear now that the attack is a global one, with thousands of computers apparently affected in Russia alone.

    A Kaspersky Lab analysis puts the number of infected computers at more than 45,000 as of early Friday afternoon, the vast majority of which are Russian (Ukraine, India, and Taiwan follow).

  15. Tomi Engdahl says:

    A Group Linked to Leaking NSA Spying Tools Is Making Another Threat
    http://fortune.com/2017/05/16/ransomware-wannacry-nsa/

    A group that took credit for leaking NSA cyber spying tools—including ones used in the WannaCry global ransomware attack—has said it plans to sell code that can be used to hack into the world’s most used computers, software and phones.

    Using trademark garbled English, the Shadow Brokers group said in an online statement that, from June, it will begin releasing software to anyone willing to pay for access to some of the tech world’s biggest commercial secrets.

    It said it was set to sell access to previously undisclosed vulnerabilities, known as zero-days, that could be used to attack Microsoft’s latest software system, Windows 10. The post did not identify other products by name.

    It also threatened to dump data from banks using the SWIFT international money transfer network and from Russian, Chinese, Iranian, or North Korean nuclear and missile programs, without providing further details.

    “More details in June,” it promised.

    Shadow Brokers came to public attention last August when it mounted an unsuccessful attempt to auction off a set of older cyber-spying tools it said were stolen from the U.S. National Security Agency.

    The leaks, and the global WannaCry virus attack, have renewed debate over how and when intelligence agencies should disclose vulnerabilities used in cyber spying programs so that businesses and consumers can better defend themselves against attacks.

  16. Tomi Engdahl says:

    Lucian Constantin / PCWorld:
    Shadow Brokers group claims to have more exploits and plans to offer them via a subscription based service slated for June — The group plans to sell more Equation exploits and cyberespionage data through a subscription-based service — A group of hackers that previously leaked alleged …

    Shadow Brokers tease more Windows exploits and cyberespionage data
    http://www.pcworld.com/article/3197110/security/shadow-brokers-teases-more-windows-exploits-and-cyberespionage-data.html

    The group plans to sell more Equation exploits and cyberespionage data through a subscription-based service

    A group of hackers that previously leaked alleged U.S. National Security Agency exploits claims to have even more attack tools in its possession and plans to release them in a new subscription-based service.

    The group also has intelligence gathered by the NSA on foreign banks and ballistic missile programs, it said.

    The Shadow Brokers was responsible for leaking EternalBlue, the Windows SMB exploit that was used by attackers in recent days to infect hundreds of thousands of computers around the world with the WannaCry ransomware program.

    http://www.epanorama.net/newepa/2017/05/12/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide/

  17. Tomi Engdahl says:

    Shadow Brokers Promise More Exploits for Monthly Fee
    http://www.securityweek.com/shadow-brokers-promise-more-exploits-monthly-fee

    The hacker group calling itself Shadow Brokers claims to possess even more exploits stolen from the NSA-linked Equation Group, and anyone can have them by paying a monthly “membership” fee.

    The Shadow Brokers have been in the news over the past days after unknown threat actors leveraged two of the exploits they leaked to deliver WannaCry ransomware to hundreds of thousands of systems worldwide.

  18. Tomi Engdahl says:

    7 NSA hack tool wielding follow-up worm oozes onto scene: Hello, no need for any phish!
    Why can’t you be like a cheerful HHGTTG dolphin overlord?
    https://www.theregister.co.uk/2017/05/22/eternalrocks_worm/

    Miscreants have created a strain of malware that targets the same vulnerability as the infamous WannaCrypt worm.

    The EternalRocks worm uses flaws in the Server Message Block (SMB) shares networking protocol to infect unpatched Windows systems. Unlike WannaCrypt, EternalRocks doesn’t bundle a destructive malware payload, at least for now. The new nasty doesn’t feature a kill switch domain either.

    The new nasty bundles seven NSA created hacking tools compared to the two deployed to spread WannaCrypt, according to early analysis of the EternalRocks worm.

  19. Tomi Engdahl says:

    Bruce Schneier / The Atlantic:
    Educated guesses on who the Shadow Brokers are and how they acquired their NSA exploits — In 2013, a mysterious group of hackers that calls itself the Shadow Brokers stole a few disks full of National Security Agency secrets. Since last summer, they’ve been dumping these secrets on the internet.

    Who Are the Shadow Brokers?
    https://www.theatlantic.com/technology/archive/2017/05/shadow-brokers/527778/

    What is—and isn’t—known about the mysterious hackers leaking National Security Agency secrets

    In 2013, a mysterious group of hackers that calls itself the Shadow Brokers stole a few disks full of National Security Agency secrets. Since last summer, they’ve been dumping these secrets on the internet. They have publicly embarrassed the NSA and damaged its intelligence-gathering capabilities, while at the same time have put sophisticated cyberweapons in the hands of anyone who wants them. They have exposed major vulnerabilities in Cisco routers, Microsoft Windows, and Linux mail servers, forcing those companies and their customers to scramble. And they gave the authors of the WannaCry ransomware the exploit they needed to infect hundreds of thousands of computers worldwide this month.

    After the WannaCry outbreak, the Shadow Brokers threatened to release more NSA secrets every month, giving cybercriminals and other governments worldwide even more exploits and hacking tools.

    Who are these guys? And how did they steal this information? The short answer is: We don’t know. But we can make some educated guesses based on the material they’ve published.

    In total, the group has published four sets of NSA material: a set of exploits and hacking tools against routers, the devices that direct data throughout computer networks; a similar collection against mail servers; another collection against Microsoft Windows; and a working directory of an NSA analyst breaking into the SWIFT banking network. Looking at the time stamps on the files and other material, they all come from around 2013. The Windows attack tools, published last month, might be a year or so older, based on which versions of Windows the tools support.

    The releases are so different that they’re almost certainly from multiple sources at the NSA.

    The Shadow Brokers have released all the material unredacted, without the care journalists took with the Snowden documents or even the care WikiLeaks has taken with the CIA secrets it’s publishing. They also posted anonymous messages in bad English but with American cultural references.

    Given all of this, I don’t think the agent responsible is a whistleblower.

    I also don’t think that it’s random hackers who stumbled on these tools and are just trying to harm the NSA or the U.S. Again, the three-year wait makes no sense.

    Additionally, the publication schedule doesn’t make sense for the leakers to be cybercriminals. Criminals would use the hacking tools for themselves, incorporating the exploits into worms and viruses, and generally profiting from the theft.

    That leaves a nation state. Whoever got this information years before and is leaking it now has to be both capable of hacking the NSA and willing to publish it all.

    The obvious list of countries who fit my two criteria is small: Russia, China, and—I’m out of ideas.

    But the problem with the Russia theory is, why? These leaked tools are much more valuable if kept secret. Russia could use the knowledge to detect NSA hacking in its own country and to attack other countries. By publishing the tools, the Shadow Brokers are signaling that they don’t care if the U.S. knows the tools were stolen.

    So, how did the Shadow Brokers do it? Did someone inside the NSA accidentally mount the wrong server on some external network? That’s possible, but seems very unlikely for the organization to make that kind of rookie mistake. Did someone hack the NSA itself? Could there be a mole inside the NSA?

    That points to two possibilities. The first is that the files came from Hal Martin. He’s the NSA contractor who was arrested in August for hoarding agency secrets in his house for two years. He can’t be the publisher, because the Shadow Brokers are in business even though he is in prison.

    If the source of the documents is Hal Martin, then we can speculate that a random hacker did in fact stumble on it—no need for nation-state cyberattack skills.

    The other option is a mysterious second NSA leaker of cyberattack tools. Could this be the person who stole the NSA documents and passed them on to someone else?

    It’s also not over. Last week, the Shadow Brokers were back, with a rambling and taunting message announcing a “Data Dump of the Month” service. They’re offering to sell unreleased NSA attack tools—something they also tried last August—with the threat to publish them if no one pays.

