Shadow Brokers has leaked a list of compromised servers allegedly used by the Equation Group as staging platforms to launch attacks.

The Shadow Brokers hacker group is back, releasing message 5 – trick or treat. This time, instead of releasing Equation Group exploit tools, the group dumped a list of servers allegedly compromised by the NSA-linked Equation Group.

As usual, the Shadow Brokers included a slaughtered-English rambling message that primarily focused on the upcoming elections. One portion reads:

“TheShadowBrokers is having suggestion. On November 8th, instead of not voting, maybe be stopping the vote all together? Maybe being grinch who stopped election from coming? Maybe hacking election is being the best idea? #hackelection2016.”

After reminding readers of Iran elections and Stuxnet, the group suggested, “Maybe is not Russia hacking election, maybe is being payback from Iran?”

This Shadow Brokers’ dump was signed by the same key as the first dump of NSA exploits. The leaked list indicates the Equation Group targets friends like the U.K. and so-called enemies like China to serve as staging platforms to launch attacks. Security researcher Mustafa Al-Bassam, formerly a core member of LulzSec, said the servers were likely compromised between 2000 and 2010.

Al-Bassam added, “So even the NSA hacks machines from compromised servers in China and Russia. This is why attribution is hard.” Al-Bassam wished GCHQ a Happy Halloween before pointing out:

Security researcher Kevin Beaumont explained that the NSA doesn’t hack the governments of other countries from NSA.gov; “you upload tools to third-party staging platforms.” Beaumont also tweeted that the list of compromised “servers is nine years old,” so most servers “likely no longer exist” or have been “reinstalled.”

The dump

Most of the servers were running Solaris, although some were running FreeBSD or Linux.
The compromised servers were reportedly targets of INTONATION and PITCHIMPAIR; the leak also included a list of previously undisclosed Equation Group tools: Dewdrop, Incision, Jackladder, Orangutan, Patchicillin, Reticulum, Sidetrack and Stoicsurgeon.

Matt Swann organized the newest Shadow Brokers dump in an Excel spreadsheet with 109 lines, showing the domains, IP addresses, targeted OS, timestamp and previously undisclosed NSA-linked implants.

The Equation Group APT-affected UNIX host list on Pastebin shows 594 total lines; the first 291 are IP addresses, followed by 302 domain names.

Elsewhere, Hacker House analyzed the leak and then reported, “In total, 352 IP addresses are provided alongside 306 domain names which these tools may have been run on. These addresses include timestamps that begin on 22nd August 2000 at 13:50:45 and finish 18th August 2010 at 11:43:46.” A quick “Shodan scan of these hosts indicates that some of the hosts are still active and running the identified software.”

Anyone on the list should make sure they are not still serving as a platform for Equation Group cyber attacks.

Countries targeted as staging platforms for attacks

The hosts include 32 .edu domains and nine .gov associated domains. The geographic distribution of attacked hosts appears to be global, impacting 49 countries. However, the top 10 impacted countries are China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy and Russia.
The top three, China, Japan and Korea, make up a substantial number of attacked hosts.

Furthermore, Hacker House created a graph of countries affected by the Equation Group APT Solaris attack.

Those countries, after switching their country codes to country names, include: China, Japan, South Korea, Spain, Germany, India, Taiwan, Mexico, Italy, Russian Federation, U.K., Pakistan, Sweden, Bangladesh, Macau, Saudi Arabia, Poland, Thailand, U.S., Finland, Iran, Netherlands, Argentina, Belgium, Brazil, Chile, Algeria, Egypt, Greece, Turkey, Venezuela, United Arab Emirates, Austria, Bolivia, Botswana, Cyprus, Gabon, Bosnia and Herzegovina, Hungary, Jordan, Kenya, Sri Lanka, Namibia, Nicaragua, Norway, Philippines, Romania and the European Union.

Shadow Brokers still wants money

If the leak is to be believed, then the Shadow Brokers’ auction of Equation Group toolkits would likely have included a Solaris exploit. Shadow Brokers still wants money, closing message 5 with: “How bad do you want it to get? When you are ready to make the bleeding stop, payus, so we can move onto the next game. The game where you try to catch us cashing out! Swag us out!”

Early in October, The New York Times reported that NSA contractor Harold Martin III was arrested for allegedly stealing “many terabytes” of classified code; the FBI found “thousands of pages of documents and dozens of computers or other electronic devices at his home and in his car, a large amount of it classified.” The Times suggested that Martin, a Booz Allen Hamilton employee, may have been linked to Shadow Brokers, but not everyone believes that to be true.