You don't see this every day...a hacking group claims to have hacked a U.S. intelligence agency-linked hacking group and has put the 'best' cyber weapons up for auction.
When Kaspersky Lab released a report on the cyberespionage “Equation Group,” researchers said the threat actor “surpasses anything known in terms of complexity and sophistication of techniques.” The group’s toolset resembled what is used by U.S. intelligence agencies and included an attack that could reprogram your hard drive firmware. Kaspersky didn’t go so far as to accuse the NSA of being linked to the Equation Group, but many news outlets and security researchers did.
Well now a group dubbed the Shadow Brokers claim to have hacked the Equation Group and put the possible NSA-linked cyber weapons up for auction.
Quite honestly this could be fake – even the broken English announcement could be faked to make the attackers seem to not use English as their native language – but the Shadow Brokers said on GitHub:
How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.
But, according to the accompanying FAQ, if you want to get your hands on those files, send bitcoin. If you want more information, send bitcoin. If you want to know what all files are included in the auction…it is a “secret.”
The Shadow Brokers claim it’s a secret because the Equation Group doesn’t know what all was stolen during the hack. In fact, the group suggests it wants the Equation Group to bid in order to find out what the Shadow Brokers have. The auction states:
“You bid against Equation Group, win and find out or bid pump price up, p**s them off, everyone wins.”
Apparently there is no specified end time for the auction, it’s just whenever Shadow Brokers decide it’s over. If a person were to bid and it were not the top bid, too bad, so sad, the Shadow Brokers are keeping all the bid money.
The whole episode screams elaborate SCAM, but maybe it is legit as Twitter chatter by some security experts seem to lean toward believing it. On the flipside, it doesn’t appear as if many trust it enough yet to have coughed up bitcoins.
Other hackers are suggesting the auction is made up of really old vulnerabilities; this is partially based on the “free” files being offered by Shadow Broker as proof of hacking the Equation Group. Or it could be a mix, old and new, to keep everyone off-balance. Another oddity, pointed out in a Pwn All The Things tweet, is that the “free sample” file size is actually larger than the auction file size.
Yet security pro Matt Suiche dived into the free files offered by Shadow Broker, then took to Medium to say, “Most of the code appears to be batch scripts and poorly coded Python scripts. Nonetheless, this appears to be legitimate code.”
Suiche said the main targets in the dump he reviewed “appeared to be Fortigate, TopSec, Cisco and Juniper firewalls.” He described some of the codenamed-exploits such as Eligible Bachelor, Extra Bacon and Banana Glee. The latter, he pointed out, is “particularly interesting because it allows references to the JETPLOW explanation from the 2014 NSA’s Tailored Access Operations (TAO) catalog.”
The Shadow Brokers included a strange closing message in the auction, this time to “wealthy elites” which the group claims need to wake up to the dangers of cyber weapons.