Second Shadow Brokers dump released

News by Roi Perez

The hacking group known as The Shadow Brokers has released more NSA-related files, which are said to show IP addresses linked to the Equation Group, a hacking group believed to be an NSA contractor.

The hacking group which goes by the name of The Shadow Brokers, and which had previously released NSA hacking tools, has today released more. The announcement has been published on Medium and is signed by the same PGP key used for the group's earlier announcements.

The Shadow Brokers claim the files leaked show IP addresses linked to the Equation Group, a hacking group believed to be an NSA contractor. The group claims that, “[these are the] equation group[‘s] pitchimpair (redirector) keys, many missions into your network is/was coming from these IP addresses.”

The security researcher known as Hacker Fantastic posted an analysis claiming the dump contains 306 domains and 352 IP addresses relating to 49 countries, including addresses in Russia, China, India, Sweden and many others.

If the files are verified to contain correct information, it may be possible to establish whether the Equation Group targeted specific persons. Security researcher Mustafa Al-Bassam pointed out on Twitter that the IP addresses may relate to servers the NSA has compromised and then used to deliver exploits. “So even the NSA hacks machines from compromised servers in China and Russia. This is why attribution is hard,” said Al-Bassam on Twitter.

The release comes as NSA contractor Hal Martin, who, according to The Washington Post, is a prime suspect in The Shadow Brokers case, is detained for allegedly stealing large amounts of classified documents from the NSA.

The Shadow Brokers first emerged in August, when they released a smorgasbord of NSA exploits and hacking tools. Many of the tools targeted hardware firewalls from brands such as Cisco, Huawei and Fortinet.

Alan Woodward, professor of cyber-security at Surrey University, told “The data itself doesn't contain that much: a list of systems with IP addresses, some data on the OS used (notably a lot of Solaris) and some ancillary info such as whether the kernel has been enabled to store keys. The systems are not typically publicly accessible, so if the data is true it suggests someone was inside these networks. The systems are located all over the world and include a variety of organisations - nothing stands out. It might be that these systems were not the holders of valuable data but were compromised to act as platforms for launching further attacks. The data seems to be quite old: several years.

Nothing in what we see here sheds any light on who might have been behind compromising these systems, assuming they were actually compromised. There is no way of telling whether the systems listed were actually compromised, as most will have been updated, had security fixes applied and so on.

Many commentators start from the position that this was the NSA. I find nothing in this new data to confirm that. It could equally have been another country's intelligence agencies. The whole purpose behind using compromised systems to mount attacks is to plant false flags. It's standard tradecraft and is precisely why attribution is difficult.

In short, I don't see that this has moved anything on in terms of who was behind these compromises, or even if the compromises are real.”
