Security Experts:

Shadow Brokers Release Tool Used by NSA to Hack PCs

The hacker group calling itself Shadow Brokers continues to release tools and exploits allegedly stolen from the U.S. National Security Agency (NSA), including a sophisticated espionage platform that can be used to take full control of targeted computers.

In the past year, Shadow Brokers has apparently tried to make a significant amount of money by offering to sell various tools and exploits used by the Equation Group, a cyber espionage actor linked by researchers to the NSA.

After several failed attempts, the Shadow Brokers’ latest offer involves monthly leaks for which interested parties have to pay a fee ranging between 100 Zcash (roughly $24,000) and 16,000 Zcash (roughly $3.8 million) -- older dumps can be acquired for a few hundred Zcash while the price of future dumps will increase exponentially. An analysis of their cryptocurrency addresses showed that the hackers have made at least tens of thousands of dollars from the monthly dump service.

With the September release, announced on Wednesday, Shadow Brokers informed interested entities that they will offer two dumps every month, and that Monero digital currency is no longer accepted.

While the content of each leak is not disclosed, one of the files made available for free this month, a user manual, suggests that last month’s dump included an NSA tool known as UNITEDRAKE.

UNITEDRAKE is a modular platform that allows users to take complete control of a Windows machine. It was one of the tools mentioned by The Intercept in 2014 when it started releasing files from NSA whistleblower Edward Snowden.

The tool was also detailed in February 2015 by Kaspersky Lab in the first report to link tools detailed in Snowden documents to a cyberespionage group, namely the Equation Group.

Kaspersky tracked UNITEDRAKE as EquationDrug, whose successor was GrayFish. The security firm said EquationDrug and GrayFish were used between 2003 and 2014, and described them as the most sophisticated espionage platforms used by the Equation Group.

Some pointed out that screenshots included in the UNITEDRAKE manual appear to show that the NSA had used McAfee antivirus based on the presence of the McAfee agent icon in the taskbar. However, it’s worth pointing out that, for several years, a limited version of the McAfee antivirus was installed alongside Adobe Flash Player if users neglected to untick a box during installation.

The Shadow Brokers claim this month’s dump contains exploits, but experts doubt too many people are willing to pay the increasingly significant amounts of money, especially since at least one previous subscriber complained that they only received a worthless tool after paying tens of thousands of dollars.

A group of researchers did try to launch a crowdfunding initiative back in May in an effort to raise money for the monthly dumps, but they ended up canceling the project due to legal reasons.

Related: 'Shadow Brokers' Threaten to Dox Former NSA Hacker

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.