Confirmed: Leaked Equation Group Hacking Tools Are Real

Anti-Malware , Data Loss , Network & Perimeter

Dump May Reveal Russian, US Intelligence Agencies Openly Squaring Off Confirmed: Leaked Equation Group Hacking Tools Are Real

The release of spying code authored by one of the most sophisticated hacking groups in the world has prompted questions about whether Russia may be taunting the United States in an unprecedented, public cyber stunt.

See Also: Hide & Sneak: Defeat Threat Actors Lurking within Your SSL Traffic

On Aug. 13, a group calling itself the Shadow Brokers released samples of exploits and software implants from the Equation Group, which many security experts suspect is linked to the U.S. National Security Agency. The dumped code is designed to compromise network-level equipment such as firewalls and includes notes on infiltration techniques (see Mystery Surrounds Breach of NSA-Like Spying Toolset).

If Shadow Brokers is indeed a state-sponsored group, its outing of one of its peers is unprecedented. The action comes as the United States investigates potential Russian involvement in the Democratic Party breaches, which have caused turbulence during a fierce U.S. presidential campaign (see DNC Breach More Severe Than First Believed).

Shadow Brokers claims to be auctioning the password for a second, encrypted file that it also released. The password will go to the highest bidder, or alternatively the group claims it will be publicly released if it receives 1 million bitcoins, currently worth about $568 million. That file - which could be fake - might have already served its purpose: creating anxiety within the Equation Group over what might be dumped next.

Leaked Code Matches

There's now little doubt that the sample code that was dumped indeed belongs to the Equation Group.

Moscow-based security firm Kaspersky Lab, which cast the first light on the Equation Group in February 2015, finally weighed in on the new data dump on Aug. 16. It's compared the implementation of the encryption algorithms used by the Equation Group to the code dumped by Shadow Brokers, and found that the crypto is nearly the same.

"While we cannot surmise the attacker's identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation Group," Kaspersky Lab researchers write in a blog post.

The Equation Group used the RC5 and RC6 encryption algorithms within its malware. Kaspersky had previously identified 20 compiled versions of RC5/6 code in the Equation Group's malware. The Shadow Brokers' archive provided another large sample set for Kaspersky to analyze, and it found 300 files that implement a specific version of RC6 - used by the Equation Group - in 24 different forms, according to Costin Raiu, director of the Kaspersky Lab research team.

Over 300 tools from the Shadowbrokers leak have shared code with known Equation tools. pic.twitter.com/BtWevPjD14

"The chances of all these being faked or engineered is highly unlikely," according to Kaspersky Lab.

The hacking tools are relatively old - the most recent ones date from late 2013 - which has somewhat diminished their usefulness. But a Brisbane, Australia-based network security consultant has successfully tested one of the exploits against an older version of Cisco's Adaptive Security Appliance firewalls.

The exploit works against Cisco ASA version 8.4, which dates from 2012, says XORcat, who spoke on condition of only being identified by his Twitter handle. The attack creates a backdoor that allows for access to the firewall without a password. A firewall is a key piece of network equipment to attack since all of an organization's web traffic flows through it.

It's unclear if Cisco has patched the buffer overflow vulnerability that the attack exploits or if newer versions are affected. Still, it's an example of a functional exploit that would work against the right product version.

"You get people running old code all the time if they don't have a support contract anymore," XORcat says in a phone interview. "They'll be stuck with whatever version they've got."

But not much of the newly released code rivals the firmware exploits against hard drives that Kaspersky says the Equation Group had developed. The new code, simply put, appears to be less refined. "The sad thing is that all of these Equation Group exploits are totally boring, trivial stuff," writes Héctor Martín Cantero, a Tokyo-based IT security consultant, on Twitter. "None of it is particularly impressive."

Exfiltration Method Remains Unclear

What remains unclear is how the Shadow Brokers may have grabbed the newly leaked tools. One idea floated by none other than former NSA contractor Edward Snowden is that the Equation Group forgot to scrub a command-and-control server that was used for launching an attack.

Cyberattacks are typically staged from proxy servers that are hard to trace back to those running an offensive operation. It's possible that Shadow Brokers compromised one of those servers.

Snowden says the NSA, as well as other state actors, are known to "lurk" on such servers to figure out what their adversaries are up to. But whatever they observe, at least historically, has remained a closely held secret.

"NSA malware staging servers getting hacked by a rival is not new," Snowden writes on Twitter. "A rival publicly demonstrating they have done so is."

Others have suggested the leak came from an insider, based on a screenshot of an internal file structure that Shadow Brokers released. One anonymous commentator, going by the handle Zipa Dux, claims on Twitter that "Shadow Brokers is an insider who grabbed the data via USB and is trying to pass himself off as a foreign group."

@msuiche ShadowBrokers is an insider who grabbed the data via USB and is trying to pass himself off as a foreign group.

@msuiche File directories like the one he screenshot are physically gapped and not accessible externally.Names are changed before deployment

In an email reply to Information Security Media Group, Zipa Dux implied previously working for the NSA's Tailored Access Operations group, which specializes in infiltrating computers.

Zipa Dux says the file directories shown in the screenshot wouldn't be externally accessible and would have to have been taken from an air-gapped system. The filenames for the resources shown also get changed before an operation, meaning that if Shadow Brokers had accessed a staging server, the files wouldn't appear in that form.

"It was also a concern of everyone working in TAO that operators had access to all of this and could easily be taken such as via USB," Zipa Dux says. "One theory is that this guy separated the military/NSA and has been sitting on this data for some time before trying to profit from it. Another could be that he is still working there - however unlikely - and using NSA infrastructure for anonymity."

The name of the group also raises suspicions of an insider theft since many TAO employees played Mass Effect, a popular Xbox video game, Zipa Dupa says. In that game, a "shadow broker" is someone who trades in information.

"We can remember disgruntled employees working there and people that didn't leave on good terms," Zipa Dupa writes.

Dave Aitel, CTO of the penetration testing consultancy Immunity and a former NSA research scientist, has also suggested that an internal leaker might be the source. "First off, it's not a 'hack' of a command and control box that resulted in this leak," Aitel writes in a blog post. "It's almost certainly human intelligence - someone walked out of a secure area with a USB key."

Russian Connection Eyed

The Shadow Brokers intrigue comes as the United States continues to investigate the Democratic Party breaches. Guccifer 2.0, the handle for someone or some group that began leaking Democratic National Committee files in June, continues to release sensitive documents. The most recent significant one included phone numbers and email addresses for close to 200 Democratic party officials.

Snowden hints at a Russian connection to Shadow Brokers. "Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack," he writes on Twitter.

7) Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.

Aitel seconds Snowden's observation, based on the timing of the release and the Democratic Party incidents. Also, Shadow Brokers' ability to hold onto the data for more than three years after it was apparently breached shows some operational discipline. The release of it is bold, he writes.

"No team of 'hackers' would want to piss off Equation Group this much," Aitel writes. "That's the kind of cojones that only come from having a nation-state protecting you."