ShadowBrokers Dumps Lists of Equation Group Hacked Servers

The ShadowBrokers dumped lists of servers compromised by the Equation Group and allegedly used in its campaigns.

The ShadowBrokers’ last two bits of outreach to the world lacked the oomph of August’s showstopper dump of Equation Group zero days, but the group is more than making up for it in severely broken English political banter, and another plea to buy the full boat of NSA exploits it allegedly has stolen.

The group posted a scattered message last night that included links to downloads of lists of hacked Sun Solaris and Linux servers that the Equation Group allegedly compromised and used to launch attacks.

The compromised servers are old; the list ranges from 2001 to 2010. Most of the IP addresses are in Iran, Russia, China, Pakistan, India, Japan, South Korea and Bosnia, with the rest scattered elsewhere.

Researcher Matt Suiche, founder of a UAE security startup called Comae, analyzed the files and found 331 IP addresses compromised by a pair of spy tools called Intonation and PitchImpair.

“There’s not much to see,” Suiche told Threatpost, adding that most of the folders in the dumps contain metadata and some configuration variables. “There’s no source code this time. It’s not that significant as a leak.”
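For anyone who owns, or once owned, a host that might appear in such a list, the practical first step is the one Suiche's count implies: pull every unique IP address out of the dump and check it against your own address space. The script below is an added example, not code from the article, from Suiche, or from the dump itself. The dump's actual file layout is not described in the article, so the sample lines and their one-entry-per-line, tool-name-first format are constructed here purely to exercise the functions; the function names and the CIDR list are likewise assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in an ASSUMED format: one entry per line, tool name
# first, an IPv4 address somewhere on the line. This is NOT the real dump;
# the addresses come from the RFC 5737 documentation ranges.
SAMPLE_DUMP = """\
intonation  203.0.113.17   sunos5.8   2003-06-11
pitchimpair 203.0.113.17   sunos5.8   2004-02-01
pitchimpair 198.51.100.9   linux2.4   2007-09-30
intonation  192.0.2.44     sunos5.9   2002-11-15
pitchimpair 192.0.2.200    linux2.6   2010-01-20
# comment line with no address at all
bogus       999.1.1.1      -          -
"""

# Loose dotted-quad matcher; ipaddress does the real validation below.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ips(text):
    """Return the unique, valid IPv4 addresses found in text, in first-seen order."""
    seen = set()
    ordered = []
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.IPv4Address(candidate)
        except ipaddress.AddressValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        if ip not in seen:
            seen.add(ip)
            ordered.append(ip)
    return ordered


def tool_counts(text):
    """Count entries per tool name, taking the first token of each non-comment line."""
    counts = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        counts[line.split()[0].lower()] += 1
    return counts


def match_own_ranges(ips, cidrs):
    """Map each listed IP that falls inside one of our CIDRs to the CIDR it hit.

    cidrs is the organisation's own address space (assumed input, e.g. from an
    asset inventory); the result is the set of hosts worth pulling disk images of.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    hits = {}
    for ip in ips:
        for net in nets:
            if ip in net:
                hits[str(ip)] = str(net)
                break
    return hits


if __name__ == "__main__":
    ips = extract_ips(SAMPLE_DUMP)
    print(f"{len(ips)} unique addresses:", [str(ip) for ip in ips])
    print("entries per tool:", dict(tool_counts(SAMPLE_DUMP)))
    # Assumed: 192.0.2.0/24 stands in for "our" netblock.
    print("hits in our ranges:", match_own_ranges(ips, ["192.0.2.0/24"]))
```

Deduplicating on the parsed address rather than the raw string matters because the same host can appear once per tool and once per year, and a list like this is only useful to a defender as a set of hosts to image and examine, not as a count of lines. Note that the article says nothing about what, if anything, remains on those hosts today; the ShadowBrokers' own note suggests the implants may already be gone.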

The group claims that “many missions” were carried out from these compromised machines, and renewed its pitch for someone to buy the auction file of Equation Group exploits put up for bid in August.

“Maybe tools no more installed? Maybe is being cleaned up? To peoples is being owner of pitchimpair computers, don’t be looking for files, rootkit will self destruct,” the note says.

Experts believe this message, like its last one, is another plea for attention from the ShadowBrokers. In a Pastebin message earlier this month, the group complained about a lack of interest—and bidding—on the files it put up for auction. As of this afternoon, there has been minimal movement since August; currently the bid is 2.006074 Bitcoin, or roughly $1,414.

https://twitter.com/GossiTheDog/status/793004319331217408

The ShadowBrokers’ note opens with a riff on the political rhetoric over alleged Russian interference in the U.S. presidential election, and intimates that the group is offended that the CIA, not the NSA, is the agency threatening retaliation. “Where is the cyber A-Team?” the note says. “Maybe threating is not being for external propaganda? Maybe is being for internal propaganda? Oldest control trick in book, yes? Waving flag, blaming problems on external sources, not taking responsibility for failures.”

The note also rants about political corruption and its influence on the U.S. (or “USSA,” as the note puts it) election, with a veiled threat to hack or otherwise disrupt next week’s general election.

“Maybe peoples not be going to work, be finding local polling places and protesting, blocking, disrupting, smashing equipment, tearing up ballots? The wealthy elites is being weakest during elections and transition of power,” the note says. “Is being why USSA is targeting elections in foreign countries. Don’t beleiving? Remembering Iran elections? Rembering stuxnet? Maybe is not Russia hacking election, maybe is being payback from Iran?”

The ShadowBrokers emerged in August when the group announced an auction of weaponized exploits belonging to the Equation Group, which Kaspersky Lab identified in February 2015 and which other experts have linked to the NSA. The group claims to have hacked the Equation Group, and said that if the auction raised 1 million Bitcoin, it would release more files unencrypted.

The group did post a 300MB file that included a number of attacks against Cisco, Juniper, Fortinet and other high-end enterprise networking gear. While some of the files were old, the dump sent Cisco and other vendors racing to patch suddenly disclosed zero-day vulnerabilities.

Kaspersky Lab, meanwhile, confirmed that the ShadowBrokers’ initial dump and its own research on the Equation Group shared a “strong connection.”
