The Expert's View with Jeremy Kirk

Mystery Surrounds Breach of NSA-Like Spying Toolset

Code is Likely Legit, But a Bit Sloppy, Experts Say
Mystery Surrounds Breach of NSA-Like Spying Toolset
Photograph: Berlinale/EPA

An unparalleled mystery has piqued the security community's curiosity. A group calling itself the "Shadow Brokers" has claimed to have stolen code and exploits from the Equation Group, a nation-state spying group suspected to be linked to the U.S. National Security Agency.

See Also: 5 Requirements for Modern DLP

Security experts are cautiously saying that the sample code appears to be legitimate and isn't simply a repackaging of something else. The Shadow Brokers is auctioning the information, but said if it receives an absurd 1 million bitcoins - worth some $568 million - it will release all of the data publicly. As a teaser, the group released a 256MB batch of code and exploits. Tumblr and GitHub quickly removed the files, but it's now widely circulating among security experts.

"We hack Equation Group," the Shadow Brokers write on Pastebin. "We find many, many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof, no? You enjoy!!!"

The English is so poor it almost seems like it's a put-on. They also encouraged bidders for a nonsensical auction where losing bidders still lose their bitcoins. The winner of the auction gets the password to an encrypted file that comprises the rest of the data.

A screenshot, released by the Shadow Brokers, showing directories filled with dumped data.

But the code samples they've released are no joke. The dump contains offensive tools designed for someone who's aiming to do larger-scale, network-level monitoring. Some of the code specifically targets firewall products from Cisco, Fortinet, Juniper and the Chinese vendor TopSec (see Juniper Backdoor: How Are Vendors Responding?). Other code is aimed at modifying firmware, adding hidden user accounts or slipping backdoors into network equipment.

"This is definitely not for cybercriminals," says Andrew Komarov, chief intelligence officer with InfoArmor, who has been studying the dump. "It looks very, very comprehensive, but some samples of code don't make any sense."

The nature of some of the code and files suggests an intelligence agency or one of its partners left its virtual garage door open, allowing the Shadow Brokers to swipe some of its half-finished tools. Many of the files contain comments and test strings that suggest the Shadow Brokers maybe have breached a developer's repository, Komarov says.

Sloppy Code

The leaked code is also not terribly current. Some of the most recent files are from 2013, with others date back to 2010. The code isn't sexy, either.

"Most of the code appears to be batch scripts and poorly coded Python scripts," writes Matt Suiche, a security expert and founder of Comae Technologies, in a blog post. "Nonetheless, this appears to be legitimate code."

The NSA has a powerful collection of hacking tools and exploits, which were confirmed three years ago through the leaks from former contractor Edward Snowden. The once-in-a-lifetime leak gave deep insight into the methods and techniques the agency uses.

So does the Shadow Brokers' code belong to the NSA? It's hard to say, and experts are reluctant to tag anything on the spy agency given the difficulty of attribution. But the samples of the code - and their tongue-in-cheek code names - echo the NSA's Tailored Access Operations catalog revealed by the publication Der Spiegel in December 2013.

For example, some of the files and folders have names including EPIC BANANA, EXTRA BACON, ELIGIBLE BACHELOR and ELIGIBLE CONTESTANT. The naming conventions, of course, could just be part of be an elaborate ruse.

But some experts suspect otherwise. "It looks genuine," Nicholas Weaver, a researcher with the International Computer Science Institute - a nonprofit research center affiliated with the University of California, Berkeley - tells The Wall Street Journal. According to Weaver, the router-hacking tools, as well as tie-ins to software to which only the NSA would have had access, suggest that the dumped code is legitimate.

Broken Equation

The Equation Group first surfaced publicly in February 2015, when Russian security vendor Kaspersky Lab published a lengthy report calling it the "god of cyberespionage." The group had the ability to infect the firmware of hard drives from many manufacturers, an achievement that was unknown and required intimate knowledge of undocumented drive specifications.

Equation also engineered the worm Fanny, which was used against targets in Asia and the Middle East. Fanny used the same two zero-day exploits that were coded into Stuxnet. The United States and Israel are suspected of creating Stuxnet, which was aimed at bridging Iran's air-gapped networks in order to sabotage its uranium centrifuges, disrupting the country's nuclear program.

Kaspersky Lab officials couldn't immediately be reached for comment on the new data dump. The company has never said the Equation Group was part of the NSA, but the group's tactics and targets left little doubt that it was likely part of some Western intelligence operation.

It seems unlikely that the Equation Group would make a mistake that would allow some of its older tools to be stolen by hackers. But it's not unheard of for hackers and cybercriminals to make mistakes. The Equation Group may have just made its first big one.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.