File under hacking the hackers: A group of black hats claim to have compromised the NSA’s elite team of cyber-spies.
The group, which calls itself the Shadow Brokers, has claimed responsibility for stealing files from an NSA-linked spy group called the Equation Group. And to boot, they are auctioning them off via their Tumblr page:
“How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.”
The Shadow Brokers say they have released only 40% of the stolen files as a free dump, and will hand the remaining 60% to the highest bidder:
“We auction best files to highest bidder. Auction files better than stuxnet. Auction files better than free files we already give you. The party which sends most bitcoins to address: 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK before bidding stops is winner, we tell how to decrypt. Very important!!! When you send bitcoin you add additional output to transaction. You add OP_Return output. In Op_Return output you put your (bidder) contact info. We suggest use bitmessage or I2P-bote email address. No other information will be disclosed by us publicly. Do not believe unsigned messages. We will contact winner with decryption instructions. Winner can do with files as they please, we not release files to public.”
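The bidding instructions above hinge on one piece of Bitcoin mechanics: a bidder attaches a zero-value OP_RETURN output to the payment and puts their contact address in it, and the seller has to recover that string from the transaction. The following is an added example, not code from the article or from the Shadow Brokers, showing how such an output is built and parsed. It assumes the Bitcoin Core default relay policy of the time (an OP_RETURN script of at most 83 bytes, i.e. 80 bytes of payload), and the contact string `CONTACT` is a constructed placeholder, not a real Bitmessage address.

```python
"""Build and decode the zero-value OP_RETURN output a bidder would attach
to a payment, as described in the auction instructions (added example)."""
import struct
from typing import Optional

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D
# Assumption: Bitcoin Core's default datacarriersize of the period allowed an
# OP_RETURN script of 83 bytes, which leaves 80 bytes of payload after the
# OP_RETURN opcode and a one-byte push length.
MAX_STANDARD_PAYLOAD = 80

# Constructed placeholder for a bidder's Bitmessage address; not a real address.
CONTACT = "BM-2cWexampleBidderAddr"


def push_data(data: bytes) -> bytes:
    """Encode `data` with the smallest Bitcoin script push opcode."""
    n = len(data)
    if n <= 75:
        return bytes([n]) + data
    if n <= 0xFF:
        return bytes([OP_PUSHDATA1, n]) + data
    if n <= 0xFFFF:
        return bytes([OP_PUSHDATA2]) + struct.pack("<H", n) + data
    raise ValueError("payload too large for a script push")


def build_op_return_script(payload: bytes, enforce_standard: bool = True) -> bytes:
    """Return the script OP_RETURN <payload>. A payload over 80 bytes is valid in
    consensus terms but non-standard, so most nodes will not relay it and the
    seller would never see the bid; reject it unless the caller opts out."""
    if enforce_standard and len(payload) > MAX_STANDARD_PAYLOAD:
        raise ValueError(f"{len(payload)} bytes exceeds the {MAX_STANDARD_PAYLOAD}-byte relay limit")
    return bytes([OP_RETURN]) + push_data(payload)


def encode_varint(n: int) -> bytes:
    """Bitcoin CompactSize encoding of a length."""
    if n < 0xFD:
        return bytes([n])
    if n <= 0xFFFF:
        return b"\xfd" + struct.pack("<H", n)
    if n <= 0xFFFFFFFF:
        return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def decode_varint(buf: bytes, pos: int):
    """Return (value, new_pos) for the CompactSize integer at buf[pos]."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def serialize_output(value_sat: int, script: bytes) -> bytes:
    """Serialize one transaction output: int64 LE value, CompactSize length, script."""
    return struct.pack("<q", value_sat) + encode_varint(len(script)) + script


def parse_op_return_payload(script: bytes) -> Optional[bytes]:
    """Return the pushed payload if `script` is exactly OP_RETURN <one push>, else None."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    op, pos = script[1], 2
    if op <= 75:
        n = op
    elif op == OP_PUSHDATA1:
        if len(script) < 3:
            return None
        n, pos = script[2], 3
    elif op == OP_PUSHDATA2:
        if len(script) < 4:
            return None
        n, pos = struct.unpack_from("<H", script, 2)[0], 4
    else:
        return None
    data = script[pos:pos + n]
    # A truncated push, or trailing bytes after it, is not the single-push form
    # a bidder would send; treat both as unparseable rather than guessing.
    if len(data) != n or pos + n != len(script):
        return None
    return data


def extract_bidder_contact(output_bytes: bytes) -> Optional[str]:
    """Walk a serialized output and recover the bidder's contact string, if any."""
    if len(output_bytes) < 9:
        return None
    script_len, pos = decode_varint(output_bytes, 8)
    script = output_bytes[pos:pos + script_len]
    if len(script) != script_len:
        return None
    payload = parse_op_return_payload(script)
    if payload is None:
        return None
    try:
        return payload.decode("ascii")
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    out = serialize_output(0, build_op_return_script(CONTACT.encode()))
    print(out.hex())
    print(extract_bidder_contact(out))
```

The seller side (`extract_bidder_contact`) deliberately rejects anything that is not a single push following OP_RETURN, since a script with trailing bytes or a truncated push is a malformed bid rather than a contact address; a Bitmessage or I2P-Bote address of the kind the post suggests is well under the 75-byte direct-push limit, so the single-byte length form is what real bids would use.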
The claims appear to be partially verified: Claudio Guarnieri, a researcher at the University of Toronto’s Citizen Lab, said that among the data is 300 megabytes of code that match up with NSA exploits from a catalog leaked by Edward Snowden in 2013.
He tweeted: “This #EquationGroup free dump seems mostly binary builds, installation scripts, and general configuration for a C&C. Seems credible.” (Nex ~ Claudio, @botherder, August 15, 2016)
“It looks very much as if the NSA attacked someone, and that someone managed to source the origin of the attacks, and counter-hacked them,” he told Wired. “The content is credible enough and properly reflects what we know of some of the program names in there.”