A secretive hacking group calling themselves "The Shadow Brokers" has leaked a massive trove of previously never-seen hacking tools alleged to have been exfiltrated from what is widely considered to be the world's most advanced, state-sponsored, hacking organization, known as the Equation Group - strongly believed to be linked to the NSA.
The Moscow-based security research firm Kaspersky Labs, which describes the Equation group as an APT[1] that "is probably one of the most sophisticated cyber attack groups in the world", wrote:
Since 2001, the Equation group has been busy infecting thousands, or perhaps even tens of thousands of victims throughout the world, in the following sectors:
* Government and diplomatic institutions
* Telecoms
* Aerospace
* Energy
* Nuclear research
* Oil and gas
* Military
* Nanotechnology
* Islamic activists and scholars
* Mass media
* Transportation
* Financial institutions
* Companies developing encryption technologies
[1] APT = Advanced Persistent Threat
"The Shadow Brokers" seem to have derived their name from the game Mass Effect, whose Wiki states:
The Shadow Broker is an individual at the head of an expansive organization which trades in information, always selling to the highest bidder. The Shadow Broker appears to be highly competent at its trade: all secrets that are bought and sold never allow one customer of the Broker to gain a significant advantage, forcing the customers to continue trading information to avoid becoming disadvantaged, allowing the Broker to remain in business.
The group announced the auction on August 13 via their Twitter account.
They released two compressed and encrypted archives containing what they refer to as "Equation Group Cyber Weapons".
One of the encrypted files has a password which will only be given to the winner of the auction.
The password to the other archive was given ("theequationgroup"), so that the archive may serve as "proof" of their wares.
They uploaded these files to several file sharing sites (most of these have been removed) and also announced the release on Tumblr (since removed) on August 13.
Speaking in what appears to be faux broken English (for the purposes of rendering stylometric analysis ineffective and also to plant the subtle hint that the hackers are Russian or Chinese), the group introduces the auction on PBIN as follows:
Equation Group Cyber Weapons Auction - Invitation!!!
Attention government sponsors of cyber warfare and those who profit from it!!!!
How much you pay for enemies cyber weapons?
Not malware you find in networks.
Both sides, RAT + LP, full state sponsor tool set?
We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group.
We follow Equation Group traffic.
We find Equation Group source range.
We hack Equation Group. We find many many Equation Group cyber weapons.
You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!!
You break many things.
You find many intrusions.
You write many words.
But not all, we are auction the best files.
They continue, with instructions for how to enter and participate in the auction:
Auction Instructions
We auction best files to highest bidder.
Auction files better than stuxnet. Auction files better than free files we already give you.
The party which sends most bitcoins to address:
ADDRESS REMOVED before bidding stops is winner, we tell how to decrypt. Very important!!!
When you send bitcoin you add additional output to transaction.
You add OP_Return output.
In Op_Return output you put your (bidder) contact info.
We suggest use bitmessage or I2P-bote email address.
No other information will be disclosed by us publicly.
Do not believe unsigned messages.
We will contact winner with decryption instructions. Winner can do with files as they please, we not release files to public.
Well, there you have it. As of today the Shadow Brokers' motives and intentions are unknown.
Oh - I should note that it appears that the group signed up for a Reddit account on August 1, nearly two weeks prior to announcing the auction.
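The auction instructions quoted above ask each bidder to attach an OP_RETURN output carrying their contact details to the payment itself. Anyone watching the auction address therefore reads the bids straight back out of the raw transactions. The block below is an added example, not code from the post, from the Shadow Brokers or from Kaspersky: a minimal parser for a legacy (non-SegWit) serialized Bitcoin transaction that returns the bytes pushed after OP_RETURN. The transaction it parses is constructed inside the block; the input txid, the amounts and the "BM-..." contact string are placeholders, not values from any real bid.

```python
"""Pull OP_RETURN payloads out of a serialized (legacy, non-SegWit) Bitcoin transaction.

Added example for this post; not code from the Shadow Brokers, Kaspersky or the
author. The transaction below is constructed here: the input txid, amounts and
the "BM-..." contact string are placeholders, not values from any real bid.
"""
import struct

OP_RETURN = 0x6A
OP_PUSHDATA1 = 0x4C
OP_PUSHDATA2 = 0x4D

# Constructed pay-to-pubkey-hash script (20 placeholder hash bytes).
P2PKH_SCRIPT = b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac"
SAMPLE_MESSAGE = b"BM-constructed-bitmessage-address"   # placeholder contact string


def read_varint(buf, pos):
    """Decode a CompactSize integer at buf[pos]; return (value, next_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def parse_outputs(raw):
    """Walk a legacy serialized tx and return [(value_satoshi, scriptPubKey), ...]."""
    pos = 4                                   # 4-byte version
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):                     # inputs are skipped, not interpreted
        pos += 32 + 4                         # previous txid + output index
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4                 # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        pos += 8
        script_len, pos = read_varint(raw, pos)
        outputs.append((value, raw[pos:pos + script_len]))
        pos += script_len
    return outputs


def op_return_payload(script):
    """Return the bytes pushed after OP_RETURN, or None if this is not an OP_RETURN script."""
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""                            # bare OP_RETURN, no data
    op = script[1]
    if 1 <= op <= 0x4B:                       # direct push of 1..75 bytes
        return script[2:2 + op]
    if op == OP_PUSHDATA1:                    # 1-byte length follows
        return script[3:3 + script[2]]
    if op == OP_PUSHDATA2:                    # 2-byte little-endian length follows
        n = struct.unpack_from("<H", script, 2)[0]
        return script[4:4 + n]
    return None                               # anything else is not a plain data push


def extract_messages(raw):
    """Decode every OP_RETURN payload in the tx as text (undecodable bytes are replaced)."""
    messages = []
    for _value, script in parse_outputs(raw):
        payload = op_return_payload(script)
        if payload is not None:
            messages.append(payload.decode("utf-8", errors="replace"))
    return messages


def build_sample_tx(payment_script, message):
    """Constructed tx: one dummy input, one payment output, one zero-value OP_RETURN output.

    Messages up to 75 bytes use a direct push; longer ones (below 256 bytes) use OP_PUSHDATA1.
    """
    if len(message) <= 0x4B:
        push = bytes([len(message)]) + message
    else:
        push = bytes([OP_PUSHDATA1, len(message)]) + message
    op_ret_script = bytes([OP_RETURN]) + push
    tx = struct.pack("<I", 1)                                  # version
    tx += b"\x01" + b"\x11" * 32 + struct.pack("<I", 0)        # 1 input: placeholder txid, index 0
    tx += b"\x00" + b"\xff\xff\xff\xff"                        # empty scriptSig, sequence
    tx += b"\x02"                                              # 2 outputs
    tx += struct.pack("<q", 100_000) + bytes([len(payment_script)]) + payment_script
    tx += struct.pack("<q", 0) + bytes([len(op_ret_script)]) + op_ret_script
    tx += struct.pack("<I", 0)                                 # locktime
    return tx


if __name__ == "__main__":
    raw_tx = build_sample_tx(P2PKH_SCRIPT, SAMPLE_MESSAGE)
    print(extract_messages(raw_tx))          # ['BM-constructed-bitmessage-address']
```

Only the three plain push forms are accepted after OP_RETURN; an output whose script starts with OP_RETURN but is followed by anything else is reported as no payload rather than guessed at, which is the conservative choice when the transactions come from an adversarial source.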
A directory listing of the 100MB "proof" archive was obtained by decrypting the file, decompressing it (expands to ~300MB), unarchiving it, and running 'tree':
$~: gpg -d -o eqgrp-free-file.tar.xz eqgrp-free-file.tar.xz.gpg
$~: lzma -d eqgrp-free-file.tar.xz
$~: tar xf eqgrp-free-file.tar
$~: tree eqgrp-free-file
The (voluminous) output may be seen here.
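Before running a plain 'tar xf' on an archive from an unknown party, it is worth inventorying what it contains: tar will happily write members whose names start with '/' or contain '..', and symlinks that point outside the extraction directory. The block below is an added example, not code from the post or from Kaspersky. It reproduces the lzma and tree steps of the recipe above from Python's standard library, reading only the tar headers, and flags members that would escape the target directory. The gpg layer is left to gpg itself, since the standard library has no OpenPGP decoder, so the function starts from the .tar.xz that gpg -d produces. The archive it inspects is constructed inside the block; its member names are placeholders, not the real archive's contents.

```python
"""Inventory an untrusted .tar.xz (the layer under the post's gpg -d step) without extracting it.

Added example for this post; not code from the author or from Kaspersky. The
standard library has no OpenPGP decoder, so the gpg layer is left to gpg and this
starts from the .tar.xz it produces. The sample archive is constructed below.
"""
import io
import lzma
import posixpath
import tarfile


def member_is_safe(name):
    """A plain 'tar xf' honours absolute paths and '..', so flag both before extracting."""
    if name.startswith("/"):
        return False
    return ".." not in name.split("/")


def inspect_tar_xz(data):
    """Return (tree_lines, unsafe_names) for xz-compressed tar bytes, reading headers only."""
    tar_bytes = lzma.decompress(data)                     # the 'lzma -d' step
    tree, unsafe = [], []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        for m in tar.getmembers():                        # headers only; no file bodies are written out
            risky = not member_is_safe(m.name) or m.issym() or m.islnk()
            depth = m.name.count("/")                     # tarfile strips a directory's trailing slash
            line = "    " * depth + posixpath.basename(m.name) + ("/" if m.isdir() else "")
            if risky:
                unsafe.append(m.name)
                line += "  [UNSAFE]"
            tree.append(line)
    return tree, unsafe


def build_sample_archive():
    """Constructed sample: a small tree plus one '..' member and one symlink pointing outside."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        entries = [
            ("eqgrp-free-file/", None),
            ("eqgrp-free-file/README.txt", b"constructed sample, not leak content\n"),
            ("eqgrp-free-file/sub/", None),
            ("eqgrp-free-file/sub/data.bin", bytes(range(16))),
            ("../outside.txt", b"would be written above the extraction directory\n"),
        ]
        for name, content in entries:
            info = tarfile.TarInfo(name)
            if content is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = len(content)
                tar.addfile(info, io.BytesIO(content))
        link = tarfile.TarInfo("eqgrp-free-file/link")   # symlink whose target leaves the tree
        link.type = tarfile.SYMTYPE
        link.linkname = "../outside-link-target"
        tar.addfile(link)
    return lzma.compress(buf.getvalue())


if __name__ == "__main__":
    lines, bad = inspect_tar_xz(build_sample_archive())
    print("\n".join(lines))
    print("unsafe members:", bad)
```

The listing is built from member names alone, so a multi-hundred-megabyte archive costs only a header walk; anything reported as unsafe is a reason to extract into a throwaway directory with a non-privileged account, or to skip those members entirely.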
For the technically inclined reader wishing to know more, I can hardly do worse than to refer you to Kaspersky Labs' excellent "Equation Group Questions And Answers", published in Feb 2015.
Sounds like someone is trying to get paid to not act like they are stealing something again. But I could be wrong here...