The ShadowBrokers hacker group leaked a fresh dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.

The notorious Shadow Brokers hacker group has posted a fresh dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.

The hackers disclosed the list containing historic targets of the Equation Group, it includes Mail providers, Chinese targets, and universities.

The Equation group compromised the targets using the hacking tools codenamed as INTONATION and PITCHIMPAIR.

The latest dump leaked by the Shadow Brokers was signed using the same key used to sign the first dump of Equation Group exploits.

The ShadowBrokers provided the links to two distinct PGP-encrypted archives, the first one offered for free as a proof of the hack (its passphrase was ‘auctioned’), for the second one the group requested 1 million BTC .

The first archive contains roughly 300MBs of data, including firewall exploits, hacking tools, and scripts with cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION.

The security researchers Mustafa Al-Bassam has published an interesting post that lists all the exploits, implants, and tools for hacking firewalls (“Firewall Operations”) included in the dump.

The Equation Group ‘s hackers targeted products made by Cisco, Fortigate, Juniper, TOPSEC, and Watchguard.

The majority of files are at least three years old, meanwhile, the newest timestamp dating to October 2013.

Early October, TheShadowBrokers complained that no one seems to be bidding on their precious archive, an alleged member of the hacker group expressed his dissent on the lack of interest in ponying up bitcoins to release the full NSA data dump.

A couple of weeks ago the group announced the launch of a crowdfunding campaign for the stolen arsenal because its auction received offers for less than two bitcoins.

Back to the present day, the ShadowBrokers hackers published message accompanying the latest dump.

“TheShadowBrokers is having special trick or treat for Amerikanskis tonight.” “Why is DirtyGrandpa threating CIA cyberwar with Russia? Why not threating with NSA or CyberCommand? CIA is cyber B-Team, yes? Where is cyber A-Team? Maybe threating is not being for external propaganda? Maybe is being for internal propaganda? Oldest control trick in book, yes? Waving flag, blaming problems on external sources, not taking responsibility for failures. But neverminding, hacking DNC is way way most important than EquationGroup losing capabilities. Amerikanskis is not knowing USSA cyber capabilities is being screwed? Where is being “free press”? Is ABC, NBC, CBS, FOX negligent in duties of informing Amerikanskis? Guessing “Free Press” is not being “Free as in free beer” or “Free as in free of government influence?” reads the message.

According to security experts, the list is very old, it is available at the following links

https://mega.nz/#F!D1Q2EQpD!Lb09shM5XMZsQ_5_E1l4eQ

https://yadi.sk/d/NCEyJQsBxrQxz

Password = payus

The Shadow Brokers continue to grapple for publicity and money. The list of servers is 9 years old, likely no longer exist or reinstalled. https://t.co/bEJGsvZItY — Kevin Beaumont (@GossiTheDog) 31 ottobre 2016

A close look at the dump revealed that it contains some 300 folders of files. Each file corresponds to a different domain and IP address.

The notorious expert Hacker Fantastic analyzed the dump and confirmed that it contains 306 domains and 352 IP addresses relating to 49 countries in total.

306 domain names, 352 ip addresses contained in @shadowbrokerss leak, mostly ASIAPAC region. descriptions here https://t.co/zNQgCiU0Ro — Hacker Fantastic (@hackerfantastic) 31 ottobre 2016

There are 49 countries impacted by the Solaris attack exposed by @shadowbrokerss – vast majority of those are in ASIAPAC region. pic.twitter.com/1KS7sjYhOW — Hacker Fantastic (@hackerfantastic) 31 ottobre 201

The dump revealed targets in Russia, China, India, Sweden, and many other countries. The Top 10 countries include also Japan and Italy.

The colleague Carola Frediani reported the presence of Italian targets that includes systems in some university, such as the Università dell’Aquila (sipralab.univaq.it; matematica.univaq.it; ns.univaq.it) and the ‘Università degli Studi Mediterranea di Reggio Calabria (ns.ing.unirc.it).

Below a graph from by a preliminary study conducted by the researcher ‏ @ quequero on addresses published by the ShadowBrokers and allegedly used by the NSA as staging servers/C&C.

The machines compromised by the US Intelligence may have been used to target systems worldwide and deliver exploits.

New Shadow Brokers dump contains list of servers compromised by the NSA to use as exploit staging servers. pic.twitter.com/rVNjWCvgoG — Mustafa Al-Bassam (@musalbas) 31 ottobre 2016

Stay Tuned!

Pierluigi Paganini

(Security Affairs – The Equation Group, ShadowBrokers)

Share this...

Linkedin Reddit Pinterest

Share On