Security Experts:

"Shadow Brokers" Claim Hack of NSA-Linked Equation Group

Has the Bear Raided the Eagle's Nest?

News that a supposedly NSA-related hacking group known as The Equation Group had itself been hacked by a separate group known as The Shadow Brokers emerged Monday. A number of files and screenshots were leaked by the latter with the offer of making the supposedly more damning files available for a fee of 1 million bitcoins (currently in excess of $500 million).

The Equation Group has been linked to the NSA since a Kaspersky Lab report dated February 16, 2015. This report said the group has been active for almost two decades and that it is "a threat actor that surpasses anything known in terms of complexity and sophistication of techniques." It does not specifically associate the group with the NSA, but suggests "the Equation group has interacted with other powerful groups, such as the Stuxnet and Flame operators -- generally from a position of superiority. The Equation Group had access to zero-days before they were used by Stuxnet and Flame."

There is nothing currently known about the Shadow Brokers.

The files leaked so far appear to be genuine. How, where, when and from whom they were acquired remains unknown -- and there is no guarantee that there really is anything else. The ransom fee of $0.5 billion takes this beyond a normal extortion exercise since there are few who could pay this. If the Equation Group really is the NSA, then it could be an attempt to get the US government to 'buy back' their cyber weapons -- but that would be unlikely.

There have been suggestions that perhaps the NSA itself has been hacked. This is also unlikely. A security researcher known as the Grugq tweeted  "This dump does not support the assertion that NSA was hacked. That sort of access is too valuable to waste for (almost) any reason." He added, "I would guess: the dump is the take from a counter hack against a pivot/C2 that was mistakenly loaded with too much data. Shit happens."

This view is shared by Sean Sullivan at F-Secure. "If the Shadow Brokers actually hacked something, it wasn't 'the NSA'. At least not in the sense that some group is now in the NSA's many various networks reading through documents and e-mails and such." Instead he also suggests that it could be an example of 'hacking back'. Perhaps an organization hacked by the Equation Group forensically "discovered a resource to go after. This 'auction' seems an awful good way to publicly embarrass a political rival in a way that can't be positively attributed."

Embarrassment would appear to be a strong motive behind this incident. The news emerged at the beginning of the week, and Shadow Brokers had pre-registered Tumblr, Reddit, Twitter and Github accounts to get their message out with maximum impact.

One question remains. Who are Shadow Brokers? Many are suggesting it is a Russian state-actor, potentially the Russian equivalent of the Equation Group. This is possible. There is a low-level cyber war between the US and Russia. It is suggested that Russia was behind the DNC hack, and that Guccifer 2.0 is in fact 'Russia'. For its part, the NSA will have been active against Russian targets; that's its job.

It is therefore a reasonable conjecture that the Equation Group breached a Russian target and that a Russian forensics team traced the breach back to a server that contained Equation Group files. But was the NSA hacked? Almost certainly not. Do the Shadow Brokers have more files? Possible; but probably nothing like they intimate. Given the armory of Equation Group weapons described by Kaspersky, would any criminal gang or foreign state either admit they have them or sell them back? Using the weapons would earn even more than their asking price.

We will likely learn more over the coming months -- but for the moment, we can only guess.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.