Connect with us

Hi, what are you looking for?



“Shadow Brokers” Claim Hack of NSA-Linked Equation Group

Has the Bear Raided the Eagle’s Nest?

Has the Bear Raided the Eagle’s Nest?

News that a supposedly NSA-related hacking group known as The Equation Group had itself been hacked by a separate group known as The Shadow Brokers emerged Monday. A number of files and screenshots were leaked by the latter with the offer of making the supposedly more damning files available for a fee of 1 million bitcoins (currently in excess of $500 million).

The Equation Group has been linked to the NSA since a Kaspersky Lab report dated February 16, 2015. This report said the group has been active for almost two decades and that it is “a threat actor that surpasses anything known in terms of complexity and sophistication of techniques.” It does not specifically associate the group with the NSA, but suggests “the Equation group has interacted with other powerful groups, such as the Stuxnet and Flame operators — generally from a position of superiority. The Equation Group had access to zero-days before they were used by Stuxnet and Flame.”

There is nothing currently known about the Shadow Brokers.

The files leaked so far appear to be genuine. How, where, when and from whom they were acquired remains unknown — and there is no guarantee that there really is anything else. The ransom fee of $0.5 billion takes this beyond a normal extortion exercise since there are few who could pay this. If the Equation Group really is the NSA, then it could be an attempt to get the US government to ‘buy back’ their cyber weapons — but that would be unlikely.

There have been suggestions that perhaps the NSA itself has been hacked. This is also unlikely. A security researcher known as the Grugq tweeted  “This dump does not support the assertion that NSA was hacked. That sort of access is too valuable to waste for (almost) any reason.” He added, “I would guess: the dump is the take from a counter hack against a pivot/C2 that was mistakenly loaded with too much data. Shit happens.”

This view is shared by Sean Sullivan at F-Secure. “If the Shadow Brokers actually hacked something, it wasn’t ‘the NSA’. At least not in the sense that some group is now in the NSA’s many various networks reading through documents and e-mails and such.” Instead he also suggests that it could be an example of ‘hacking back’. Perhaps an organization hacked by the Equation Group forensically “discovered a resource to go after. This ‘auction’ seems an awful good way to publicly embarrass a political rival in a way that can’t be positively attributed.”

Advertisement. Scroll to continue reading.

Embarrassment would appear to be a strong motive behind this incident. The news emerged at the beginning of the week, and Shadow Brokers had pre-registered Tumblr, Reddit, Twitter and Github accounts to get their message out with maximum impact.

One question remains. Who are Shadow Brokers? Many are suggesting it is a Russian state-actor, potentially the Russian equivalent of the Equation Group. This is possible. There is a low-level cyber war between the US and Russia. It is suggested that Russia was behind the DNC hack, and that Guccifer 2.0 is in fact ‘Russia’. For its part, the NSA will have been active against Russian targets; that’s its job.

It is therefore a reasonable conjecture that the Equation Group breached a Russian target and that a Russian forensics team traced the breach back to a server that contained Equation Group files. But was the NSA hacked? Almost certainly not. Do the Shadow Brokers have more files? Possible; but probably nothing like they intimate. Given the armory of Equation Group weapons described by Kaspersky, would any criminal gang or foreign state either admit they have them or sell them back? Using the weapons would earn even more than their asking price.

We will likely learn more over the coming months — but for the moment, we can only guess.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...