The Shadow Brokers, a hacker group that had stolen NSA cyberwar weapons, revealed a list of servers the US surveillance agency may have targeted.
In a message posted on the blogging site Medium, the anonymous group accused the US election system of serving the interests of the wealthy and powerful. It also questioned the US threats of cyberwar in response to alleged Russian hacking, suggesting that the government was trying to cover up the NSA’s vulnerabilities by focusing on hacked election systems.
Here’s what you need to know about the latest hack:
1. Shadow Brokers Hacked ‘The Equation Group’ Within the NSA and Demanded One Million Bitcoin for Stolen Cyberweapons
The Shadow Brokers revealed the cyberweapons in August, which it tried to auction off for 1 million bitcoin (726 million US dollars today). NSA whistleblower Edward Snowden confirmed the authenticity of the leaked documents, which have been tied to the elite NSA-affiliated team “The Equation Group”.
Cybersecurity experts have found parallels between The Equation Group’s hacking techniques and the NSA’s. For example, the group’s source code includes a keylogger called ‘Grok’, which also appeared in an Intercept article about Edward Snowden’s leaked NSA documents. The Equation Group’s overseas targets and sophisticated hacking techniques lead some cybersecurity experts to suspect US involvement. In the latest leak, the Shadow Brokers repeated their request for payment:
When you are ready to make the bleeding stop, payus, so we can move onto the next game. The game where you try to catch us cashing out! Swag us out!
2. The Latest Leak Reveals IP Addresses and Domain Names Hacked by the NSA
Timestamps from the leak suggest the servers were hacked between August 22, 2000 and August 18, 2010. The leaked data includes 352 unique IP addresses and 306 domain names, which included 32 .edu domains and nine .gov domains. Servers were targeted in 49 countries with the top targets being China, Japan and Korea. Here are the top attacks on servers by country:
3. The Affected Servers Could Have Been Used as a Staging Ground for Future Attacks
Most of the hacked servers were in the Asian-Pacific region with China, Japan and Korea leading the way. These servers could help the NSA stage more attacks, Hacker House reports.
If the data is real, it may help some affected organizations track down those responsible for suspicious server interactions, according to Ars Technica. The Shadow Brokers mention a ‘redirector’, a component on a compromised server that covertly redirects a visitor to another domain name.
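The kind of check an affected organization would run on such a list, added here as an example and not code from the article, Hacker House or the leak itself: it assumes a simplified “hostname IP date” line layout (an assumption, since the article does not give the file format), uses constructed sample entries, and produces the figures the article cites (unique IPs and domains, per-TLD tallies, date range) plus a cross-reference against the organization’s own domains and address ranges.

```python
import ipaddress
from collections import Counter
from datetime import date

# Constructed sample in the assumed "hostname ip YYYY-MM-DD" layout; not real leaked data.
SAMPLE_LEAK = """\
mail.example.edu 203.0.113.10 2003-04-12
mail.example.edu 203.0.113.10 2003-04-12
www.example.gov 198.51.100.7 2009-11-02
ns1.example.co.kr 192.0.2.44 2001-08-30
ftp.example.ac.jp 192.0.2.45 2007-01-15
"""

def parse_leak(text):
    """Return (hostname, ip, date) tuples, dropping duplicate and malformed lines."""
    seen, entries = set(), []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # not in the assumed three-column layout
        host, ip, ts = parts
        try:
            ipaddress.ip_address(ip)          # validates IPv4/IPv6 syntax
            when = date.fromisoformat(ts)
        except ValueError:
            continue
        key = (host.lower(), ip)
        if key not in seen:
            seen.add(key)
            entries.append((host.lower(), ip, when))
    return entries

def summarize(entries):
    """The counts the article reports: unique IPs, unique hostnames, TLD tallies, date range."""
    hosts = {e[0] for e in entries}
    dates = [e[2] for e in entries]
    return {"ips": len({e[1] for e in entries}), "domains": len(hosts),
            "tlds": Counter(h.rsplit(".", 1)[-1] for h in hosts),
            "first": min(dates), "last": max(dates)}

def find_my_assets(entries, my_domains, my_networks):
    """Defender's check: leaked entries under my domains or inside my address ranges."""
    nets = [ipaddress.ip_network(n) for n in my_networks]
    hits = []
    for host, ip, when in entries:
        in_domain = any(host == d or host.endswith("." + d) for d in my_domains)
        in_net = any(ipaddress.ip_address(ip) in n for n in nets)
        if in_domain or in_net:
            hits.append((host, ip, when))
    return hits
```

Any hit is a starting point for reviewing that host's logs around the listed date, not proof of compromise on its own.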
Hacker House reports:
You may have inadvertently been hosting Equation Group APT cyber attacks from your environment. The Shadow Brokers previously leaked a data dump which contained exploits for various appliances and this leak is intended to show that still more UNIX related toolkits could surface.
4. The Leak Includes Names of Secret Hacking Tools Such as DEWDROP and ORANGUTAN
The Shadow Brokers released a previously unknown toolkit used to target servers running Unix operating systems. Most of the servers were running the Solaris operating system, while others ran Linux and FreeBSD. According to Hacker House, the leak is littered with references to other secret tools such as DEWDROP, ORANGUTAN and RETICULUM. Some of the compromised servers are still running the software, Hacker House reports.
5. Hal Martin, the Main Suspect Behind the Shadow Brokers Leak, is in Federal Custody
The NSA contractor Hal Martin is the prime suspect in leaking materials to the Shadow Brokers. Martin was arrested in August after the FBI raided his house, where agents discovered classified documents and government property. The 51-year-old will face espionage charges after having stolen 50 terabytes of NSA code and data.
Martin is a retired Navy officer who was enrolled in a PhD program at the University of Maryland Baltimore County. He was working as a contractor for Booz Allen Hamilton, the same consulting firm NSA whistleblower Edward Snowden worked for.