A Quick Breakdown of the Equation Group Hack
Are we going to run out of popcorn in 2016...?
We've had quite a few interesting hacks and leaks this year. We had Guccifer 2.0 and his DNC leaks and of course Hillary Clinton's emails. And now today we have an unknown group calling themselves Shadow Brokers who seem to have stolen at least some of the Equation Group's offensive toolchain. Equation group is largely believed to be the authors of Stuxnet & Flame. This is rather big news, and quite embarrassing for the NSA as they were a known contractor of theirs. Maybe even an MVP.
The files were also present on github before the story broke on Twitter, using the GitHub API we can retrieve the email address of the original github user.
tutanota.com offers free secure encrypted email and is based in Germany.
The Files
To get the files see this page (archived): https://archive.is/rdYpc#selection-915.0-915.373
Torrent URL of the file dump: magnet:?xt=urn:btih:40a5f1514514fb67943f137f7fde0a7b5e991f76&tr=http://diftracker.i2p/announce.php
You'll need to install gpg to unencrypt them with this command:
gpg --decrypt --output eqgrp-free-file.tar.xz eqgrp-free-file.tar.xz.gpg
Password = theequationgroup
The resulting archive is a 1GB dump including mostly offensive firewall exploits, but there are also some command and control servers, ELF implant flashes, and random tools.
Codenames
Here are some code names that I extracted from the free files offered as a teaser on the Shadow Broker's dump, the main targets appear to be Fortinet, TopSec, Cisco & Juniper firewalls.
Most of the code appears to be batch scripts and poorly coded python scripts, and seems to be a Toolkit against firewalls. Nonetheless, this appears to be legitimate code.
4 letters codename are from the EXPLOITS folder
For clarification, yes there are actual exploits in the dump, with a 2013 timestamp on files. We do not know if they are working as nobody as tried them, but they are actual exploits and not only references.
EGBL = EGREGIOUS BLUNDER (Fortigate Firewall + HTTPD exploit (apparently 2006 CVE )
ELBA = ELIGIBLE BACHELOR
ELBO = ELIGIBLE BOMBSHELL (Chinese TOPSEC firewall versions 3.3.005.057.1 to 3.3.010.024.1)
ELCA = ELIGIBLE CANDIDATE
ELCO = ELIGIBLE CONTESTANT
EPBA = EPIC BANANA
ESPL = ESCALATE PLOWMAN
EXBA = EXTRA BACON (Cisco Adaptive Security Appliance v8.0 to v8.4)
BANANAGLEE = Juniper Netscreen Devices
BARGLEE
BLATSTING
BUZZDIRECTION
SP = ScreamPlow 2.3 (BG3001 BG3000 BG3100)
BD = BannanaDaiquiri 3.0.5.1 (BG3001 BG3000 BG3100)
More details can be found in EQGRP-Auction-Files\eqgrp-free-file.tar\Firewall\SCRIPTS
Banana Glee is particularly interesting because it allows references to the JETPLOW explanation from the 2014 NSA’s Tailored Access Operations (TAO) catalog: https://www.schneier.com/blog/archives/2014/01/jetplow_nsa_exp.html. This lends much credence that this hack is legitimate.
Given the timeframe (Post-DNC hack), this could possibly be orchestrated by the Russian government so America will be stuck with Donald Trump as a President. Or not! What does the steemit community think? Will we run out of popcorn this year?
Makes you wonder what the NSA did to piss off the group. Must be a good reason they hacked them, or are the files just that valuable?
Many of the exploits are known but I suspect not all of them. The files in the dump are mostly from around 2013. Still going through it...
Interesting, I'm new to the crypto game but highly interested. Keep it updated!
Yes, please let us know what you find