ShadowBrokers Posted Links with Linux and Sun Solaris Servers’ Lists, originally hacked by NSA’s Equation Group – The list may also contain details on whether the NSA was spying on you or not.
The battle between ShadowBrokers and Equation Group has been heating up ever since the latter scored points by dumping a series of zero-day vulnerabilities. But we knew that the ShadowBrokers group would not stay silent for long. So here is the group’s latest feat. Reportedly, ShadowBrokers have dumped the lists of Linux and Sun Solaris servers that were hacked by the Equation Group.
The group has posted a message in broken English and presented the links from where the lists of hacked Sun Solaris and Linux servers could be downloaded. The servers on the lists were actually hacked by the Equation Group for launching attacks.
We first heard about ShadowBrokers earlier in August when the group launched an auction of the Equation Group’s exploits. These exploits were discovered by Kaspersky Lab in February last year. It is also speculated that the exploits were identified by the NSA. The group claimed that if it managed to make around 1 million Bitcoin through this auction, then it would dump more unencrypted files. Kaspersky Lab did confirm that there was a “strong connection” between the dumps from the Equation Group and the ShadowBrokers.
However, things haven’t turned out as expected for the ShadowBrokers because the group is finding it hard to attract bidders and reach its target amount even after so many months. Now, the group is adopting desperate measures to gain attention from the public. The latest note and those preceding this one are a clear indication of the growing unease and irritation among ShadowBrokers.
It must be noted that the servers are quite old, since the lists range from 2001 to 2010, while a majority of the compromised servers are located in Pakistan, India, Iran, Japan, China, Russia, Bosnia, and South Korea, among others. This could be the reason why few are interested in the auction.
Matt Suiche, a researcher at UAE-based security startup Comae, discovered while inspecting the links that around 331 IP addresses were compromised through the pair of spy tools known as Intonation and PitchImpair. According to Suiche, there is currently not a great deal of information available; most of the folders contain some configuration variables and metadata, but there isn’t any “source code this time.”
ShadowBrokers, meanwhile, claimed in another note that multiple missions were conducted through these compromised servers and that the pitch has been renewed so that the exploits could be put up for sale. Auctioning off the exploits started in August. A note further stated:
“Maybe tools no more installed? Maybe is being cleaned up? To peoples is being the owner of pitch impair computers, don’t be looking for files, the rootkit will self-destruct.”
Security researchers and experts consider the messages from ShadowBrokers not as a threat but actually a plea because the Equation group has taken all the limelight by hacking Sun Solaris and Linux servers and the ShadowBrokers now are unable to benefit from it through auction.
Earlier in October, the ShadowBrokers posted on Pastebin that the group was concerned about the “lack of interest” and lukewarm response to their bidding since they have put up the files for auction. That’s quite true because the current bid is just 2.006074 Bitcoin which is equal to $1,414. That’s quite a meager amount and we are also startled that there hasn’t been much movement in terms of bidding since August.
The Shadow Brokers continue to grapple for publicity and money. The list of servers is 9 years old, likely no longer exist or reinstalled. https://t.co/bEJGsvZItY
— Kevin Beaumont ON A BREAK (@GossiTheDog) October 31, 2016
The current note posted by ShadowBrokers seems more like a response to the ongoing political situation where Russia is being blamed for attempting to sabotage US presidential election campaigners, candidates, and the entire electoral system. The group is apparently offended at the fact that the CIA is retaliating instead of the NSA, while it should be the other way around as per the group.
The group inquires: “Where is the cyber A-Team? Maybe threating is not being for external propaganda? Maybe is being for internal propaganda? Oldest control trick in the book, yes? Waving the flag, blaming problems on external sources, not taking responsibility for failures.”
The group also posted its opinion regarding the influence of political corruption on the US elections and even went a step ahead and threatened to disrupt the general elections further, which are due to be held in the second week of November. The group states:
“Maybe people are not going to work, be finding local polling places and protesting, blocking, disrupting, smashing equipment, tearing up ballots? The wealthy elites is being weakest during elections and transition of power.”
“Is being why USSA is targeting elections in foreign countries. Don’t believe? Remembering Iran elections? Remembering Stuxnet? Maybe is not Russia hacking election, maybe is being payback from Iran?” the rant continues.
The group also posted a 300MB file, which included information about attacks on high-profile networking enterprises like Cisco, Juniper, and Fortinet. Though many of the files were quite old, the dump did compel Cisco and the rest to release patches for the newly exposed zero-day vulnerabilities.