Implications of Shadow Brokers Hack

2016 seems to be the “Year of the Hack” (as well as year of the conspiracy). Both Guccifer 2.0 and Edward Snowden have been reported dead after big leaks, only to crop up Tweeting again a few weeks later. The recent hack of the Equation Group is taking things to the next level, with a billion dollar ransom claim and the potential for trillions of dollars of damage. I consider this the most significant hack I have ever seen.


Hackers stole NSA software from a Malware staging server they had access to up until some time in 2013.  Their initial message was taken down but has been cached.

Equation Group Cyber Weapons Auction – Invitation
– ————————————————

!!! Attention government sponsors of cyber warfare and those who profit from it !!!!

How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.



They hate “wealthy elites”, which really sounds like code words for “Hillary Clinton”.

We have final message for “Wealthy Elites”. We know what is wealthy but what is Elites? Elites is making laws protect self and friends, lie and fuck other peoples. Elites is breaking laws, regular peoples go to jail, life ruin, family ruin, but not Elites. Elites is breaking laws, many peoples know Elites guilty, Elites call top friends at law enforcement and government agencies, offer bribes, make promise future handjobs, (but no blowjobs). Elites top friends announce, no law broken, no crime commit. Reporters (not call journalist) make living say write only nice things about Elites, convince dumb cattle, is just politics, everything is awesome, check out our ads and our prostitutes. Then Elites runs for president. Why run for president when already control country like dictatorship? What this have do with fun Cyber Weapons Auction? We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for Elites. Your wealth and control depends on electronic data. You see what “Equation Group” can do. You see what cryptolockers and stuxnet can do. You see free files we give for free. You see attacks on banks and SWIFT in news. Maybe there is Equation Group version of cryptolocker+stuxnet for banks and financial systems? If Equation Group lose control of cyber weapons, who else lose or find cyber weapons? If electronic data go bye bye where leave Wealthy Elites? Maybe with dumb cattle? “Do you feel in charge?” Wealthy Elites, you send bitcoins, you bid in auction, maybe big advantage for you?

Given this statement, and the timing, we should wonder if Shadow Brokers were behind this week’s highly damaging Soros hack as well.



The Equation Group have long been suspected of having NSA ties. Ars Technica called them “Omnipotent”, noting that they could get into supposedly virus-free Apple systems, including iPhones and iPads:

equation Victims-map-980x613Kaspersky researchers have documented 500 infections by Equation Group in at least 42 countries, with Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali topping the list. Because of a self-destruct mechanism built into the malware, the researchers suspect that this is just a tiny percentage of the total; the actual number of victims likely reaches into the tens of thousands.

Taken together, the accomplishments led Kaspersky researchers to conclude that Equation Group is probably the most sophisticated computer attack group in the world, with technical skill and resources that rival the groups that developed Stuxnet and the Flame espionage malware.

“It seems to me Equation Group are the ones with the coolest toys,” Costin Raiu, director of Kaspersky Lab’s global research and analysis team, told Ars. “Every now and then they share them with the Stuxnet group and the Flame group, but they are originally available only to the Equation Group people. Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame.”

In an exhaustive report published Monday at the Kaspersky Security Analyst Summit here, researchers stopped short of saying Equation Group was the handiwork of the NSA—but they provided detailed evidence that strongly implicates the US spy agency.


Well, now the coolest toys in the hacker world – weapons better than StuxNet – are available to anyone with a million Bitcoins to spare.

Foreign Policy reports that the Shadow Brokers are trying to sell the stolen technology to the highest bidder.

The files posted over the weekend include two sets of files. The hackers have made one set available for free. The other remains encrypted and is the subject of an online auction, payable in bitcoin, the cryptocurrency. That set includes, according to the so-called Shadow Brokers, “the best files.” If they receive at least 1 million bitcoin — the equivalent of at least $550 million — they will post more documents and make them available for free.

The set of files available for free contains a series of tools for penetrating network gear made by Cisco, Juniper, and other major firms. Targeting such gear, which includes things like routers and firewalls, is a known tactic of Western intelligence agencies like the NSA, and was documented in the Edward Snowden files. Some code words referenced in the material Monday — BANANAGLEE and JETPLOW — match those that have appeared in documents leaked by Snowden. Security researchers analyzing the code posted Monday say it is functional and includes computer codes for carrying out espionage.


The Intercept verified the code by finding a match inside classified NSA malware documents leaked by Snowden to them.

If we get a big data dump from the Shadow Brokers, then we know they are white hat hackers trying to do good for the world – like Chelsea Manning. If we hear nothing more, then they are Black Hats using the data for blackmail purposes – and whoever was the target, paid the price. The NSA might pay them to shut up, but it’s hard to imagine China, Russia, or Israel forking over that type of cash.


There are believed to be more than 300 MB of files, including source code.

If the stolen information includes logs of past operations, the consequences could be serious. What sort of things might be found on an NSA Weaponized Malware staging server? Here are some hypothetical (but plausible) scenarios:

  • attacks against political campaigns, which would show complicity of intelligence agencies in manipulating domestic politics
  • it could show that StuxNet attacked a much larger number and broader range of systems than just the secret Iranian centrifuge program. It was supposedly injected via a USB thumb drive inside the Natanz facility…which later turned out to be 4 Zero Day exploits in Windows itself, almost certainly put there by Microsoft on behalf of US/Israeli intelligence.
  • our own nuclear power plants may be vulnerable to these “better than Stuxnet” cyber-weapons.
  • if it proved deliberate Malware attacks against supposed allies of the US (like Mexico and India, named as targets by Kaspersky), this may weaken alliances during TPP negotiations and while NATO and Europe are facing strife.
  • attacks that were not about our national security interests but were aligned with the agenda of non-State actors such as George Soros or the Clinton Foundation
  • it may show that NSA Malware is doing more than just intruding into systems to sniff data packets; they may be committing actual Black Hat crimes such as looting bank accounts, insider trading, or injecting child pornography into systems
  • there were rumors of significant electronic systems being stolen during the Benghazi debacle. If this NSA malware server was located there – or anywhere else it shouldn’t have been – this could be very embarrassing to somebody. A billion dollars embarrassing,?


Who Did It?

It would not surprise me that it was Snowden himself doing this hack. It is “confirmed” by documents the Intercept obtained from him. It’s the type of code he would have had on his hard drive when he took off. Hey, guess what! He’s got a movie with Oliver Stone out now. It makes no sense for him to be blaming Russia on Twitter, when they are the only nation on earth that gave him asylum and a job. And let’s not forget all the cryptic Tweets, “is he isn’t he dead’ from the girlfriend, etc. He’s even connected Russia to the DNC leak – forget about the WikiLeaks reward for a dead American staffer!

The first reporting of the hack was that Shadow Brokers penetrated inside the NSA’s systems. This reminds me of the current season of Mr Robot (spoiler alert) where they are trying to hack the FBI. They need someone on the inside, to physically get them in the network. This is Chelsea Manning with a Lady Gaga CD, or Aaron Swartz in a hoodie plugging an unauthorized device into the MIT server room. We know these things are possible.

NSA Whistleblower William Binney said he thought it was much more likely that the hack was a leak from the inside, than that the most secure networks in the country were compromised as if they were one of Hillary’s multiple servers. There are multiple Internets, the one for SECRET level Classified information is called SIPRNet.

He believes all the current leaks may be coming from someone inside the NSA, since there are multiple people there with access to Clinton’s 33,000 deleted emails.

If it is a staging server outside the Defense Information Systems Network that was compromised, the variety of potential perpetrators increases majorly. This could be regular old kid-in-a-basement hacking, taking advantage of sloppy server wiping from the Equation Group.

Some good discussion of this at the Corbett Report:


I agree with Corbett and Snowden that this – and other recent hacks – may have been a warning shot from a State Actor that they can get inside any of our systems at any time. Because there is no doubt in my mind that they can. Even if the NSA systems are secure, we know the Department of State wasn’t. So what about the rest of the sprawling bureaucracy? I am sad to tell you that our infrastructure is very exposed. Think Die Hard IV.

We always associate “hackers” with “banking”, thanks to the movies. The true dangers are much more basic.

This wouldn’t be the first time we’ve been warned recently. In 2014 there was a combined hacker/sniper attack on a San Jose power station, and the cutting of multiple (hardened) undersea cables in Singapore on Feb 29 2016. Two thirds of the world’s trade passes through Singapore via ship, it is the busiest port in the world and a major energy hub (which is offshore so not seen by most tourists).

Cable Landing Site, Guam. Image: WIRED
Cable Landing Site, Guam. Image: WIRED

Last year the New York Times reported that Russian naval vessels were “Too Close For Comfort” to our undersea cables:

Just last month, the Russian spy ship Yantar, equipped with two self-propelled deep-sea submersible craft, cruised slowly off the East Coast of the United States on its way to Cuba — where one major cable lands near the American naval station at Guantánamo Bay. It was monitored constantly by American spy satellites, ships and planes. Navy officials said the Yantar and the submersible vehicles it can drop off its decks have the capability to cut cables miles down in the sea.


WIRED magazine covered the cable vulnerabilities last year. As you can see from the image below, it wouldn’t take much to shut down everything:

Image: WIRED
Image: WIRED

The links between Wall Street, the City of London, and Europe are more numerous:

Image: CNN
Image: CNN

Although the Internet was designed to re-route traffic if any particular node goes out, the reality of NetFlix and YouPorn is that if the Internet starts getting slow and videos keep timing out, everyone is pissed. Nobody can even imagine what would happen if the Internet went totally down for a few days.

Last month, fiber optic cables in San Francisco were cut for the 11th time this year. Although the Unabomber was from U C Berkeley, he is now in prison. Trust me, there is nobody in Silicon Valley that wants to go around cutting fiber optic cables for the fun of it. Can you imagine what would happen to this city if all the Pokemons disappeared at once?


Our systems are dangerously open. The damage from our undersea cables being taken out could be trillions of dollars. Hackers can now attack big-rig trucks. Who is going to defend our National Security against this?

We have the former Secretary of State, who now wants to be President, making up her own server hosting config that exposed all the details needed by hackers; sending classified emails to third-party spam services, and disabling security protections in the State Department so she could use her Blackberry. Donald Trump at least understands how to use Twitter, but while he is sending Tweets, John McAfee and his team are hacking into Whatsapp and Google. Somebody needs to make that guy our Electronic Tsar or Khazar or Caesar, or whatever they are called these days.

We need to bring our troops home and patch up the many holes in our electronic systems, not rattle sabers at the Russians and Chinese who have hundreds of thousands of trained hackers at their disposal, with tools at least as sophisticated as ours.

Further details: The Intercept

Download the 44-page Kaspersky report on the Equation Group

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s