ShadowBrokers’ Leak Has ‘Strong Connection’ to Equation Group

Researchers at Kaspersky Lab said there is a strong connection between the ShadowBrokers cache of exploits and those belonging to the Equation Group.

A high-stakes game of attribution started by a group claiming to have a cache of exploits belonging to the Equation Group took a somewhat definitive turn Tuesday afternoon. Researchers at Kaspersky Lab yesterday confirmed a connection between the tools currently up for auction by the ShadowBrokers and Equation Group exploits and malware that researchers at the security company uncovered and disclosed in February 2015.

“While we cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group,” Kaspersky Lab researchers wrote in a post to the Securelist website.

The strongest link is the extensive use of RC5 and RC6 encryption algorithms in both the free file offered by the ShadowBrokers and in previous known Equation Group files.

Researchers explained that the Equation Group’s implementation of RC5 and RC6 uses a subtract operation with a constant of 0x61c88647. Kaspersky Lab said the ShadowBrokers free file includes 347 RC5 and RC6 implementations, and the implementations are “functionally identical” and include the same 0x61c88647 constant.

equation comparison

From the outset, there was speculation not only as to the ShadowBrokers’ identity, but as to the authenticity of the files they possess. Four days ago, a post to a GitHub page that has since been taken down (a cached copy is here) announced an auction of weaponized exploits belonging to the Equation Group. The stilted post claims the ShadowBrokers hacked the Equation Group, found its weapons and would auction them off to the highest bidder, with non-refundable bids payable in Bitcoin. The post claims the auction was an attempt to get the Equation Group to bid on its own files in order to keep them secret, or to create a bidding war. Finally, if the auction earned the ShadowBrokers 1 million Bitcoin, more Equation Group files would be dumped unencrypted and at no charge.

As proof of their claims, the ShadowBrokers offered up one set of files for free. As researchers studied the available files, it was becoming apparent this might not be a stunt.

The exploits in the free 300MB file are numerous and are mostly attacks against routers and firewalls from major vendors such as Cisco, Juniper and Fortinet. Most of the files were three years old, time-stamped between August and October 2013, months after the Edward Snowden leaks became public in June 2013.

One researcher who goes by the handle Xorcat analyzed one exploit against a Cisco Adaptive Security Appliance (ASA) firewall appliance called ExtraBacon. The exploit, Xorcat said, gives an attacker the unauthenticated access over SSH or telnet to the firewall.

“There you go, NSA built firewall exploits that are easy to use!” he wrote, adding that the attack did not crash the appliance, nor did it impact traffic.

Kaspersky Lab, meanwhile, hooked its confirmation on the specific RC5 and RC6 implementations, which it said had only been seen before with the Equation Group’s extensive malware set.

“There are more than 300 files in the Shadowbrokers’ archive which implement this specific variation of RC6 in 24 different forms. The chances of all these being faked or engineered is highly unlikely,” Kaspersky Lab researchers wrote. “This code similarity makes us believe with a high degree of confidence that the tools from the ShadowBrokers leak are related to the malware from the Equation group. While the ShadowBrokers claimed the data was related to the Equation group, they did not provide any technical evidence of these claims. The highly specific crypto implementation above confirms these allegations.”

News of the Equation Group first surfaced in early 2015 when Kaspersky Lab published a report on the cyber-espionage group’s activities that dated back likely before 2000. The group had an arsenal of zero-day exploits at its disposal, including two used by Stuxnet before the attacks in 2009 against Iran’s Natanz nuclear facilities.

Equation Group is considered among the top APT groups and has been widely linked to the National Security Agency’s operations. Among its many exploits, Equation Group had the capability to attack proprietary firmware, air-gapped machines and possessed a number of malware platforms that used dozens of plugins and bootkits designed for different operations.

Suggested articles