Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

“Shadow Brokers” Claim Hack of NSA-Linked Equation Group

Has the Bear Raided the Eagle’s Nest?

Has the Bear Raided the Eagle’s Nest?

News that a supposedly NSA-related hacking group known as The Equation Group had itself been hacked by a separate group known as The Shadow Brokers emerged Monday. A number of files and screenshots were leaked by the latter with the offer of making the supposedly more damning files available for a fee of 1 million bitcoins (currently in excess of $500 million).

The Equation Group has been linked to the NSA since a Kaspersky Lab report dated February 16, 2015. This report said the group has been active for almost two decades and that it is “a threat actor that surpasses anything known in terms of complexity and sophistication of techniques.” It does not specifically associate the group with the NSA, but suggests “the Equation group has interacted with other powerful groups, such as the Stuxnet and Flame operators — generally from a position of superiority. The Equation Group had access to zero-days before they were used by Stuxnet and Flame.”

There is nothing currently known about the Shadow Brokers.

The files leaked so far appear to be genuine. How, where, when and from whom they were acquired remains unknown — and there is no guarantee that there really is anything else. The ransom fee of $0.5 billion takes this beyond a normal extortion exercise since there are few who could pay this. If the Equation Group really is the NSA, then it could be an attempt to get the US government to ‘buy back’ their cyber weapons — but that would be unlikely.

There have been suggestions that perhaps the NSA itself has been hacked. This is also unlikely. A security researcher known as the Grugq tweeted  “This dump does not support the assertion that NSA was hacked. That sort of access is too valuable to waste for (almost) any reason.” He added, “I would guess: the dump is the take from a counter hack against a pivot/C2 that was mistakenly loaded with too much data. Shit happens.”

This view is shared by Sean Sullivan at F-Secure. “If the Shadow Brokers actually hacked something, it wasn’t ‘the NSA’. At least not in the sense that some group is now in the NSA’s many various networks reading through documents and e-mails and such.” Instead he also suggests that it could be an example of ‘hacking back’. Perhaps an organization hacked by the Equation Group forensically “discovered a resource to go after. This ‘auction’ seems an awful good way to publicly embarrass a political rival in a way that can’t be positively attributed.”

Embarrassment would appear to be a strong motive behind this incident. The news emerged at the beginning of the week, and Shadow Brokers had pre-registered Tumblr, Reddit, Twitter and Github accounts to get their message out with maximum impact.

One question remains. Who are Shadow Brokers? Many are suggesting it is a Russian state-actor, potentially the Russian equivalent of the Equation Group. This is possible. There is a low-level cyber war between the US and Russia. It is suggested that Russia was behind the DNC hack, and that Guccifer 2.0 is in fact ‘Russia’. For its part, the NSA will have been active against Russian targets; that’s its job.

It is therefore a reasonable conjecture that the Equation Group breached a Russian target and that a Russian forensics team traced the breach back to a server that contained Equation Group files. But was the NSA hacked? Almost certainly not. Do the Shadow Brokers have more files? Possible; but probably nothing like they intimate. Given the armory of Equation Group weapons described by Kaspersky, would any criminal gang or foreign state either admit they have them or sell them back? Using the weapons would earn even more than their asking price.

We will likely learn more over the coming months — but for the moment, we can only guess.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Expert Insights

Related Content

Cybercrime

Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.

Cyberwarfare

The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cybercrime

A Pro-Russian cybercrime group named NoName057(16) is actively launching distributed denial-of-service (DDoS) attacks against organizations in Ukraine and NATO countries.

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

Cybersecurity firm Group-IB is raising the alarm on a newly identified advanced persistent threat (APT) actor targeting government and military organizations in Asia and...

Application Security

Google’s Threat Analysis Group (TAG) has shared technical details on an Internet Explorer zero-day vulnerability exploited in attacks by North Korean hacking group APT37.