Shadow Brokers Release More NSA Exploits

The hacker group calling itself “Shadow Brokers” has released another round of exploits and tools allegedly used by the NSA-linked threat actor “Equation Group,” along with a message to U.S. President Donald Trump.

Over the weekend, the group published the password to a previously released password-protected archive. An analysis of the files revealed the existence of various exploits and lists of organizations apparently targeted by the Equation Group.

Google Project Zero researcher Tavis Ormandy said one of the leaked exploits, dubbed EXACTCHANGE, relies on a Linux kernel vulnerability that can be exploited for local privilege escalation. Ormandy believes the Equation Group had the exploit “for years” before it was discovered by Google researchers in 2009.

An analysis conducted by Maksym Zaitsev showed that the leaked files include what appear to be Solaris exploits, a cross-platform RAT, Linux keyloggers, exploits targeting Cisco firewalls, system fingerprinting tools, an IP.Board exploit, and Apache and Samba zero-days affecting several Linux distributions.

A researcher who uses the online moniker “x0rz” also analyzed the latest dump and identified a tool that can clean logs (TOAST), a fake Chinese browser (ELECTRICSLIDE), and several GSM-related tools (CURSEHAPPY, EDITIONHAZE, LIQUIDSTEEL, SHAKENGIRAFFE, WHOLEBLUE). He also found evidence that the Equation Group had been looking for clues of attacks by other threat actors on compromised systems.

Experts also found lists of IP addresses and domain names that may belong to organizations targeted by the Equation Group, and they pointed out that victims include U.S. allies.

The Shadow Brokers had initially attempted to sell the exploits they obtained, but none of their strategies, including auctions and direct sale offers, was successful. While the group has now made available another batch of files for free, Zaitsev and others, including Edward Snowden, believe there are still some files that have not been released.

In a message they posted on Medium, the Shadow Brokers told President Trump that they are disappointed by his actions.

“TheShadowBrokers voted for you,” the hackers said. “TheShadowBrokers supports you. TheShadowBrokers is losing faith in you. Mr. Trump helping theshadowbrokers, helping you. Is appearing you are abandoning ‘your base’, ‘the movement’, and the peoples who getting you elected.”

The group has once again claimed that it is not connected to Russia, but it did say that Russia and Putin are the United States’ “best allies until the common enemies are defeated and America is great again.”

However, some people have pointed out that the timing of the leak is suspicious – it comes shortly after the U.S. decided to bomb Syria, which is an ally of Russia. Some experts had previously suggested that the Shadow Brokers is actually an English-speaking group.

While many of the exploits leaked previously by Shadow Brokers turned out to rely on old vulnerabilities, some companies, including Cisco, did identify some zero-days. It remains to be seen if tech companies confirm any unpatched flaws in the latest leaks.

Related: Industry Reactions to Shadow Brokers Leak

Related: Shadow Brokers “Retire” Awaiting Offer of 10,000 Bitcoins for Cache of Exploits

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
