NSA-Linked Group Hacked?

But that might not be the whole truth. There has been a lot of security news on the question of whether the NSA hacking group has been hacked. It is hard to say for sure whether that is true, but what does seem to be true is that some of the hacking tools the NSA has used (and Snowden has revealed) are now out in the wild.

The So, Uh, Did The NSA Get Hacked? article tells that a group of hackers say they’ve breached a hacking group known as the Equation Group, which is widely speculated to be an offshoot of the National Security Agency. The Equation Group, according to Kaspersky Lab, targeted the same victims as the group behind Stuxnet, which is widely believed to have been a joint US-Israeli operation targeting Iran’s nuclear program, and also used two of the same zero-day exploits.

The NSA Hacked? ‘Shadow Brokers’ Crew Claims Compromise Of Surveillance Op article asks whether the NSA has just been hacked. Security experts speaking with FORBES think it’s possible, after a group published malware and attack code allegedly belonging to the Equation Group, a crew linked to the US intelligence agency. But while many believe the leak looks legitimate, the hackers could have pulled off a very clever ruse.

The NSA Hacked? ‘Shadow Brokers’ Crew Claims Compromise Of Surveillance Op article also tells that in 2015, researchers at Russian security company Kaspersky Lab revealed a highly advanced arsenal of hacking tools used by the Equation campaign. They were believed to have been the work of the NSA, as the code was linked with previous, allegedly US-sponsored hacks, including the infamous Regin and Stuxnet attacks (never definitively proven). The group’s connections to other high-profile hacks and the use of codenames that also appear in documents leaked by NSA whistleblower Edward Snowden raise serious suspicions.

What is released?

The hackers have released files they claimed to have taken from the Equation Group, including what could be parts of the agency’s surveillance tools. The NSA Hacked? ‘Shadow Brokers’ Crew Claims Compromise Of Surveillance Op article tells that two days ago, on August 13, a group calling themselves The Shadow Brokers released files on GitHub (that account is now disabled), claiming they came from the Equation Group. The files mostly contained installation scripts, configurations for command-and-control (C&C) servers, and exploits allegedly designed to target routers, including code allegedly designed to exploit firewalls from the manufacturers Cisco, Juniper, Fortinet and Topsec. Some files were also posted to MEGA. Researchers who downloaded the sample posted by the group say it does include intriguing data, such as 300 megabytes of code that matches up with actual exploits used by the NSA.

Matt Tait, another security researcher and former British intelligence officer, tweeted that the data could come from “an old counter-hack.”

“The proof files look pretty legit, and they are exactly the sorts of exploits you would expect a group that targets communications infrastructure”

Here’s part of a message the hackers, going by the name “The Shadow Brokers”, posted: “How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set?”

The hackers have provided some files including what could be parts of the agency’s surveillance tools, but are demanding millions of dollars in bitcoins for the rest. The hackers say they’ve only released 40% of the breach, and will release the remaining 60% to the highest bidders. The Shadow Brokers said they would release the remaining data to the highest bidder in a Bitcoin auction, and that if they received an extraordinary 1,000,000 Bitcoins, worth roughly $560 million, they would release all the files.

This project could be a way for some hackers to make a lot of money, or it could be some form of hoax or decoy. The Hackers Say They Hacked NSA-Linked Group, Want 1 Million Bitcoins to Share More article notes: “If this is a hoax, the perpetrators put a huge amount of effort in,” the security researcher known as The Grugq told Motherboard. “The proof files look pretty legit, and they are exactly the sorts of exploits you would expect a group that targets communications infrastructure to deploy and use.” On the other hand, one Kaspersky Lab researcher noted on Twitter that there is “nothing” in the dumped files that links them to the Equation Group, but some of their names are from the ANT Catalog, an NSA hacking toolset published by Der Spiegel in late 2013.

One good thing about this: more flaws in the various routers and firewalls are revealed to the public, and manufacturers can start making their products safer.

If the hack was real and as big as claimed, there is probably going to be a big manhunt to catch whoever did this. If this was not real, it will spark at least some security discussions.

Sources:

Hackers Claim to Auction Data They Stole From NSA-Linked Spies

So, Uh, Did The NSA Get Hacked?

NSA Hacked? ‘Shadow Brokers’ Crew Claims Compromise Of Surveillance Op

Hackers Say They Hacked NSA-Linked Group, Want 1 Million Bitcoins to Share More

NSA’s Hacking Group Hacked! Bunch of Private Hacking Tools Leaked Online

‘Shadow Brokers’ Claim to be Selling NSA Malware, in What Could Be Historic Hack

Mysterious Group Hacks The NSA


82 Comments

  1. Tomi Engdahl says:

    “Shadow Brokers” Put NSA Exploits Up for Direct Sale
    http://www.securityweek.com/shadow-brokers-put-nsa-exploits-direct-sale

    After a failed attempt to sell stolen exploits from the National Security Agency at an auction just months ago, the hacker group calling itself Shadow Brokers has decided to sell them directly via a new website.

    In August, the group leaked 300 Mb of firewall exploits, implants and other tools allegedly stolen from the NSA-linked Equation Group, and decided to cash in on a second batch of files, which supposedly include exploits, vulnerabilities, RATs, persistence mechanisms and data collection tools. They launched an all-pay auction that raised less than two Bitcoin, so they switched to crowdfunding in October.

    The goal was to raise 10,000 Bitcoins (roughly $7.8 million) through crowdfunding, but the hacker group apparently decided to attempt a new approach: selling the stolen exploits directly for only 1,000 Bitcoins (~$780,000). This new attempt comes weeks after the group released a batch of files at the end of October, saying that the IPs mentioned in the files correspond to machines used by the Equation Group.

    A possible connection between the Equation Group and the NSA was made in Feb. 2015, and the Shadow Brokers leak appeared to consolidate that assumption. The leaked files appeared to come from the NSA-linked actor and were said to target a large number of devices from popular brands such as Fortinet, TOPSEC, Cisco, Juniper Networks, WatchGuard, and others.

    Now, the Shadow Brokers apparently took it to ZeroNet, a platform for hosting websites using blockchain and BitTorrent technology, to come up with a site on which to sell the stolen exploits.

  2. Tomi Engdahl says:

    “Shadow Brokers” Data Obtained From Insider: Flashpoint
    http://www.securityweek.com/shadow-brokers-data-obtained-insider-flashpoint

    New evidence uncovered by researchers after the group calling itself “Shadow Brokers” made available some new files reinforces the theory that the exploits and tools were obtained from a rogue insider and not by hacking NSA systems.

    In mid-August, The Shadow Brokers leaked 300 Mb of firewall exploits, implants and tools, claiming that the files had been obtained from the NSA-linked Equation Group. The threat actor launched an all-pay auction in hopes of making a serious profit for a second batch of files that included exploits, vulnerabilities, RATs and data collection tools.

    The extensive use of Markdown, a lightweight markup language commonly used in code repositories, has led researchers to believe that the files have been copied from an internal system or a code repository, not obtained through remote access or from an external staging server.

    Flashpoint has assessed with “medium confidence” that the information was likely obtained from a rogue insider.

  3. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    After failing to get 10K bitcoins for stolen NSA exploits, Shadow Brokers post farewell message, dump a cache of Windows hacking tools online

    NSA-leaking Shadow Brokers lob Molotov cocktail before exiting world stage
    With 8 days before inauguration of Donald Trump, leak is sure to inflame US officials.
    http://arstechnica.com/security/2017/01/nsa-leaking-shadow-brokers-lob-molotov-cocktail-before-exiting-world-stage/

    Shadow Brokers, the mysterious group that gained international renown when it published hundreds of advanced hacking tools belonging to the National Security Agency, says it’s going dark. But before it does, it’s lobbing a Molotov cocktail that’s sure to further inflame the US intelligence community.

    In a farewell message posted Thursday morning, group members said they were deleting their accounts and making an exit after their offers to release their entire cache of NSA hacking tools in exchange for a whopping 10,000 bitcoins (currently valued at more than $8.2 million) were rebuffed. While they said they would still make good on the offer should the sum be transferred into their electronic wallet, they said there would be no more communications.

  4. Tomi Engdahl says:

    Shadow Brokers “Retire” Awaiting Offer of 10,000 Bitcoins for Cache of Exploits
    http://www.securityweek.com/shadow-brokers-retire-awaiting-offer-10000-bitcoins-cache-exploits

    The mysterious hacking group calling themselves “The Shadow Brokers” has apparently decided to put an end to their failed attempts to sell exploits and hacking tools they claimed to have stolen from the NSA-linked Equation Group.

  5. Tomi Engdahl says:

    Alleged NSA hack group Shadow Brokers releases new trove of exploits
    https://techcrunch.com/2017/04/08/shadow-brokers-be-back/?sr_share=facebook

    Shadow Brokers, the group behind last year’s release of hacking exploits allegedly used by the National Security Agency, has dropped another trove of files. In a Medium post today, the hacker group offered up a password giving free access to files it had previously tried to auction off.

  6. Tomi Engdahl says:

    The Shadow Brokers are back with exploits for Windows and global banking systems
    https://techcrunch.com/2017/04/14/the-shadow-brokers-april-exploits-swift-windows/?ncid=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&sr_share=facebook

    The group, which last year dumped malware it had allegedly stolen from The Equation Group, a hacking team associated with the NSA, posted new files over the weekend and followed up today with a dump of Windows exploits.

    The latest files contain tools apparently designed to access Windows machines, as well as slideshows documenting the targeting of banking systems.

    “Is being too bad nobody deciding to be paying theshadowbrokers for just to shutup and going away. TheShadowBrokers rather being getting drunk with McAfee on desert island with hot babes,” the group wrote in a post announcing the file release.

  7. Tomi Engdahl says:

    Microsoft: Latest ‘Shadow Brokers’ Exploits Already Patched
    http://www.securityweek.com/microsoft-latest-shadow-brokers-exploits-already-patched

    The hacker group calling itself “Shadow Brokers” has made public another batch of files allegedly obtained from the NSA-linked threat actor tracked as the Equation Group. Microsoft has assured customers that these new exploits don’t affect up-to-date systems.

    The Shadow Brokers recently published a password to a previously leaked file and many believed it would represent the group’s last dump. However, the hackers released another round of files on Friday, including exploits for Windows and IBM’s Lotus Domino platform. The leaked files also appear to show that the Equation Group breached the SWIFT banking network and monitored a number of Middle Eastern banks.

    Microsoft has analyzed the latest dump and identified a dozen exploits targeting its Windows operating system. According to the company, some of the vulnerabilities leveraged by these exploits were patched back in 2008, 2009, 2010 and 2014.

  8. Tomi Engdahl says:

    Hacked Files Suggest NSA Penetrated SWIFT, Mideast Banks
    http://www.securityweek.com/hacked-files-suggest-nsa-penetrated-swift-mideast-banks

    Files released by the mysterious hacker Shadow Brokers suggested Friday the US National Security Agency had penetrated the SWIFT banking network and monitored a number of Middle East banks.

    The files, according to computer security analysts, also showed the NSA had found and exploited numerous vulnerabilities in a range of Microsoft Windows products widely used on computers around the world.

    Analysts generally accepted the files, which show someone exploiting so-called “zero-day” or hitherto unknown vulnerabilities in common software and hardware, came from the NSA.

    They are believed stolen from a hyper-secret hacking unit dubbed the “Equation Group” at the key US signals intelligence agency.

  9. Tomi Engdahl says:

    Microsoft: Latest ‘Shadow Brokers’ Exploits Already Patched
    http://www.securityweek.com/microsoft-latest-shadow-brokers-exploits-already-patched

    The hacker group calling itself “Shadow Brokers” has made public another batch of files allegedly obtained from the NSA-linked threat actor tracked as the Equation Group. Microsoft has assured customers that these new exploits don’t affect up-to-date systems.

    The Shadow Brokers recently published a password to a previously leaked file and many believed it would represent the group’s last dump. However, the hackers released another round of files on Friday, including exploits for Windows and IBM’s Lotus Domino platform. The leaked files also appear to show that the Equation Group breached the SWIFT banking network and monitored a number of Middle Eastern banks.

    Microsoft has analyzed the latest dump and identified a dozen exploits targeting its Windows operating system. According to the company, some of the vulnerabilities leveraged by these exploits were patched back in 2008, 2009, 2010 and 2014.

    Four of the exploits, dubbed EternalBlue, EternalChampion, EternalRomance and EternalSynergy, were addressed by Microsoft with the March 2017 security updates — a majority with the MS17-010 patch. The tech giant also pointed out that the remaining exploits do not work on Windows 7 and later, or Exchange 2010 and later.

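The comment above notes that four of the leaked exploits (EternalBlue, EternalChampion, EternalRomance, EternalSynergy) were addressed by the MS17-010 updates and that the rest do not work on Windows 7 and later. A defender's first question is therefore whether a given host has that update and whether SMBv1, the protocol those exploits target, is still enabled. The following read-only PowerShell check is an added example, not code from the page, from Microsoft or from any of the articles quoted here. The KB numbers in it are the per-OS identifiers I associate with MS17-010 and should be treated as an assumption to verify against the Microsoft bulletin; the function names are my own.

```powershell
# Added example (not from the page or from Microsoft): read-only check of whether a
# Windows host has an MS17-010 update installed and whether SMBv1 is still enabled.
# The KB list is an assumption taken from memory of the MS17-010 bulletin; verify it.

$Ms17010Kbs = @(
    'KB4012598',               # Windows XP / Server 2003 / 8 RT out-of-band release
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 (Server 2016)
)

function Get-Ms17010Status {
    # Cross the installed hotfix list against the MS17-010 KB set.
    # Caveat: on Windows 10 a later cumulative update supersedes these KBs, so an
    # empty match is not proof the host is unpatched; check the OS build as well.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched   = @($installed | Where-Object { $Ms17010Kbs -contains $_ })
    [pscustomobject]@{
        Ms17010Installed = ($matched.Count -gt 0)
        MatchingKBs      = ($matched -join ', ')
        OSBuild          = [System.Environment]::OSVersion.Version.ToString()
    }
}

function Get-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the server-side setting directly.
    # Older hosts only have the LanmanServer SMB1 registry value; when the value is
    # absent the default is "enabled", so the check reports $true in that case.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $true }
    return ([int]$val.SMB1 -ne 0)
}

function Get-Smb1ExposureReport {
    # Combine both signals into one object suitable for piping to Export-Csv
    # from an inventory script; no settings are changed here.
    $patch = Get-Ms17010Status
    $smb1  = Get-Smb1Enabled
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        OSBuild          = $patch.OSBuild
        Ms17010Installed = $patch.Ms17010Installed
        MatchingKBs      = $patch.MatchingKBs
        Smb1Enabled      = $smb1
        # Highest priority: SMBv1 on and no MS17-010 match, which is the
        # combination the leaked SMB exploits were reported to work against.
        NeedsAttention   = ($smb1 -and -not $patch.Ms17010Installed)
    }
}

Get-Smb1ExposureReport | Format-List
```

Run it in an elevated session on the host being assessed (or wrap the report function in Invoke-Command for a fleet). Where the report shows SMBv1 enabled, the corrective step on Windows 8 / Server 2012 and later is Set-SmbServerConfiguration -EnableSMB1Protocol $false, followed by installing the current cumulative update; the script itself deliberately changes nothing.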
  10. Tomi Engdahl says:

    >10,000 Windows computers may be infected by advanced NSA backdoor
    Did script kiddies use DoublePulsar code released by NSA-leaking Shadow Brokers?
    https://arstechnica.com/security/2017/04/10000-windows-computers-may-be-infected-by-advanced-nsa-backdoor/

    Security experts believe that tens of thousands of Windows computers may have been infected by a highly advanced National Security Agency backdoor. The NSA backdoor was included in last week’s leak by the mysterious group known as Shadow Brokers.

    DoublePulsar, as the NSA implant is code-named, was detected on more than 107,000 computers in one Internet scan.

  11. Tomi Engdahl says:

    There’s now a tool to test for NSA spyware
    A script that detects a related code implant has shown as many as 100,000 systems worldwide may be infected
    http://www.pcworld.com/article/3191728/security/theres-now-a-tool-to-test-for-nsa-spyware.html

    A python2 script for processing a PCAP file to decrypt C2 traffic sent to DOUBLEPULSAR implant
    https://github.com/countercept/doublepulsar-c2-traffic-decryptor

  12. Tomi Engdahl says:

    How leaked NSA spy tools created a hacking free-for-all
    http://money.cnn.com/2017/04/25/technology/nsa-doublepulsar-hacking-tool/

    Hackers have compromised thousands of computers around the world with a government-grade spy tool.

    A backdoor published in a trove of leaked NSA hacking tools is being loaded onto vulnerable Windows computers. The attacks demonstrate what happens when people fail to regularly update their machines.

    The hacks were leaked almost two weeks ago by the anonymous Shadow Brokers group and contain a backdoor called DOUBLEPULSAR. It can be remotely installed on Windows machines that have not been patched since March. This allows hackers to take over the computers and execute tasks as if they were the computer’s administrator.

    As of Monday, there are over 144,000 machines infected with this backdoor, according to research from Dan Tentler, founder and CEO of The Phobos Group security firm. Tentler built a tool to scan the internet for Windows machines vulnerable to the backdoor, and says the number is steadily climbing. He estimates between 200,000 and 300,000 could be infected by the end of the week.

    NSA’s powerful Windows hacking tools leaked online
    http://money.cnn.com/2017/04/14/technology/windows-exploits-shadow-brokers/index.html

    A hacking group has dumped a collection of spy tools allegedly used by the National Security Agency online. Experts say they are damaging.

The exploits, published by the Shadow Brokers on Friday, contain vulnerabilities in Windows computers and servers. They may have been used to target a global banking system. One collection of 15 exploits contains at least four Windows hacks that researchers have already been able to replicate.

  13. Tomi Engdahl says:

    THE SHADOW BROKERS
    This Is How the NSA Infiltrated a Huge Banking Network in the Middle East
    https://motherboard.vice.com/en_us/article/nsa-eastnets-hack-banking-network-middle-east

    The NSA hacking tools dumped by The Shadow Brokers show how the spy agency broke into the major Dubai-based EastNets system.

    The firm vehemently denied any breach, despite the fact that the documents appeared undeniable.

  14. Tomi Engdahl says:

    Ransomware based on leaked NSA tools spreads to dozens of countries
    https://techcrunch.com/2017/05/12/ransomware-based-on-leaked-nsa-tools-spreads-to-dozens-of-countries/?ncid=rss&utm_source=tcfbpage&utm_medium=feed&utm_campaign=Feed%3A+Techcrunch+%28TechCrunch%29&utm_content=FaceBook&sr_share=facebook

    A ransomware attack seemingly based on leaked NSA hacking tools is spreading like wildfire among unpatched Windows systems worldwide. Early reports suggested it was targeted at the UK’s National Health Service, but it’s clear now that the attack is a global one, with thousands of computers apparently affected in Russia alone.

    A Kaspersky lab analysis puts the number of infected computers at more than 45,000 as of early Friday afternoon, the vast majority of which are Russian (Ukraine, India, and Taiwan follow).

  15. Tomi Engdahl says:

    A Group Linked to Leaking NSA Spying Tools Is Making Another Threat
    http://fortune.com/2017/05/16/ransomware-wannacry-nsa/

    A group that took credit for leaking NSA cyber spying tools—including ones used in the WannaCry global ransomware attack—has said it plans to sell code that can be used to hack into the world’s most used computers, software and phones.

    Using trademark garbled English, the Shadow Brokers group said in an online statement that, from June, it will begin releasing software to anyone willing to pay for access to some of the tech world’s biggest commercial secrets.

It said it was set to sell access to previously undisclosed vulnerabilities, known as zero-days, that could be used to attack Microsoft’s latest software system, Windows 10. The post did not identify other products by name.

    It also threatened to dump data from banks using the SWIFT international money transfer network and from Russian, Chinese, Iranian, or North Korean nuclear and missile programs, without providing further details.

    “More details in June,” it promised.

    Shadow Brokers came to public attention last August when it mounted an unsuccessful attempt to auction off a set of older cyber-spying tools it said were stolen from the U.S. National Security Agency.

The leaks, and the global WannaCry virus attack, have renewed debate over how and when intelligence agencies should disclose vulnerabilities used in cyber spying programs so that businesses and consumers can better defend themselves against attacks.

  16. Tomi Engdahl says:

    Lucian Constantin / PCWorld:
    Shadow Brokers group claims to have more exploits and plans to offer them via a subscription based service slated for June — The group plans to sell more Equation exploits and cyberespionage data through a subscription-based service — A group of hackers that previously leaked alleged …

    Shadow Brokers tease more Windows exploits and cyberespionage data
    http://www.pcworld.com/article/3197110/security/shadow-brokers-teases-more-windows-exploits-and-cyberespionage-data.html

    The group plans to sell more Equation exploits and cyberespionage data through a subscription-based service

    A group of hackers that previously leaked alleged U.S. National Security Agency exploits claims to have even more attack tools in its possession and plans to release them in a new subscription-based service.

    The group also has intelligence gathered by the NSA on foreign banks and ballistic missile programs, it said.

    The Shadow Brokers was responsible for leaking EternalBlue, the Windows SMB exploit that was used by attackers in recent days to infect hundreds of thousands of computers around the world with the WannaCry ransomware program.

    http://www.epanorama.net/newepa/2017/05/12/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide/

  17. Tomi Engdahl says:

    Shadow Brokers Promise More Exploits for Monthly Fee
    http://www.securityweek.com/shadow-brokers-promise-more-exploits-monthly-fee

    The hacker group calling itself Shadow Brokers claims to possess even more exploits stolen from the NSA-linked Equation Group, and anyone can have them by paying a monthly “membership” fee.

    The Shadow Brokers have been in the news over the past days after unknown threat actors leveraged two of the exploits they leaked to deliver WannaCry ransomware to hundreds of thousands of systems worldwide.

  18. Tomi Engdahl says:

    7 NSA hack tool wielding follow-up worm oozes onto scene: Hello, no need for any phish!
    Why can’t you be like a cheerful HHGTTG dolphin overlord?
    https://www.theregister.co.uk/2017/05/22/eternalrocks_worm/

    Miscreants have created a strain of malware that targets the same vulnerability as the infamous WannaCrypt worm.

    EternalRocks worm uses flaws in the SMB Server Message Block (SMB) shares networking protocol to infect unpatched Windows systems. Unlike WannaCrypt, EternalRocks doesn’t bundle a destructive malware payload, at least for now. The new nasty doesn’t feature a kill switch domain either.

    The new nasty bundles seven NSA created hacking tools compared to the two deployed to spread WannaCrypt, according to early analysis of the EternalRocks worm.

  19. Tomi Engdahl says:

    Bruce Schneier / The Atlantic:
    Educated guesses on who the Shadow Brokers are and how they acquired their NSA exploits — In 2013, a mysterious group of hackers that calls itself the Shadow Brokers stole a few disks full of National Security Agency secrets. Since last summer, they’ve been dumping these secrets on the internet.

    Who Are the Shadow Brokers?
    https://www.theatlantic.com/technology/archive/2017/05/shadow-brokers/527778/

    What is—and isn’t—known about the mysterious hackers leaking National Security Agency secrets

In 2013, a mysterious group of hackers that calls itself the Shadow Brokers stole a few disks full of National Security Agency secrets. Since last summer, they’ve been dumping these secrets on the internet. They have publicly embarrassed the NSA and damaged its intelligence-gathering capabilities, while at the same time have put sophisticated cyberweapons in the hands of anyone who wants them. They have exposed major vulnerabilities in Cisco routers, Microsoft Windows, and Linux mail servers, forcing those companies and their customers to scramble. And they gave the authors of the WannaCry ransomware the exploit they needed to infect hundreds of thousands of computers worldwide this month.

    After the WannaCry outbreak, the Shadow Brokers threatened to release more NSA secrets every month, giving cybercriminals and other governments worldwide even more exploits and hacking tools.

    Who are these guys? And how did they steal this information? The short answer is: We don’t know. But we can make some educated guesses based on the material they’ve published.

    In total, the group has published four sets of NSA material: a set of exploits and hacking tools against routers, the devices that direct data throughout computer networks; a similar collection against mail servers; another collection against Microsoft Windows; and a working directory of an NSA analyst breaking into the SWIFT banking network. Looking at the time stamps on the files and other material, they all come from around 2013. The Windows attack tools, published last month, might be a year or so older, based on which versions of Windows the tools support.

    The releases are so different that they’re almost certainly from multiple sources at the NSA.

    The Shadow Brokers have released all the material unredacted, without the care journalists took with the Snowden documents or even the care WikiLeaks has taken with the CIA secrets it’s publishing. They also posted anonymous messages in bad English but with American cultural references.

    Given all of this, I don’t think the agent responsible is a whistleblower.

    I also don’t think that it’s random hackers who stumbled on these tools and are just trying to harm the NSA or the U.S. Again, the three-year wait makes no sense.

    Additionally, the publication schedule doesn’t make sense for the leakers to be cybercriminals. Criminals would use the hacking tools for themselves, incorporating the exploits into worms and viruses, and generally profiting from the theft.

    That leaves a nation state. Whoever got this information years before and is leaking it now has to be both capable of hacking the NSA and willing to publish it all.

The obvious list of countries who fit my two criteria is small: Russia, China, and—I’m out of ideas.

    But the problem with the Russia theory is, why? These leaked tools are much more valuable if kept secret. Russia could use the knowledge to detect NSA hacking in its own country and to attack other countries. By publishing the tools, the Shadow Brokers are signaling that they don’t care if the U.S. knows the tools were stolen.

    So, how did the Shadow Brokers do it? Did someone inside the NSA accidentally mount the wrong server on some external network? That’s possible, but seems very unlikely for the organization to make that kind of rookie mistake. Did someone hack the NSA itself? Could there be a mole inside the NSA?

    That points to two possibilities. The first is that the files came from Hal Martin. He’s the NSA contractor who was arrested in August for hoarding agency secrets in his house for two years. He can’t be the publisher, because the Shadow Brokers are in business even though he is in prison.

    If the source of the documents is Hal Martin, then we can speculate that a random hacker did in fact stumble on it—no need for nation-state cyberattack skills.

    The other option is a mysterious second NSA leaker of cyberattack tools. Could this be the person who stole the NSA documents and passed them on to someone else?

    It’s also not over. Last week, the Shadow Brokers were back, with a rambling and taunting message announcing a “Data Dump of the Month” service. They’re offering to sell unreleased NSA attack tools—something they also tried last August—with the threat to publish them if no one pays.

  20. Tomi Engdahl says:

    Charlie Osborne / ZDNet:
    Kaspersky says it briefly obtained archive of NSA-linked Equation Group source code after scanning an infected PC in 2014; PC likely belonged to NSA contractor

    Kaspersky says NSA hacking tools obtained after malware was found
    Apparently, a pirate download of Microsoft Office could be the root of all the trouble.
    http://www.zdnet.com/article/kaspersky-admits-to-reaping-nsa-code-from-us-pc/

    On Wednesday, the Moscow-based firm said in a statement that the results of a preliminary investigation have produced a rough timeline of how the incident took place.

    It was actually a year earlier than the Journal believed, in 2014, that code belonging to the NSA’s Equation Group was taken.

    Kaspersky says the company was in the middle of an Advanced Persistent Threat (APT) investigation, and when on the trail of the Equation Group, detection subsystems “caught what appeared to be Equation malware source code files.”

    There were over 40 active infections worldwide at the time, but one of the “infections” in the US “consisted in what appeared to be new, unknown and debug variants of malware used by the Equation group.”

    Kaspersky’s antivirus detected the sample on a home computer which had Kaspersky’s Security Network (KSN) enabled, a system which automatically collects threat data and sends it to the cloud.

    The company claims that the user in question had installed pirate software on their machine as illegal Microsoft Office keygens were present.

  21. Tomi Engdahl says:

    New York Times:
    Inside NSA’s Tailored Access Operations group and the investigation into Shadow Brokers, a hack of NSA now considered much more damaging than Snowden leak — A serial leak of the agency’s cyberweapons has damaged morale, slowed intelligence operations and resulted in hacking attacks on businesses and civilians worldwide.
    https://www.nytimes.com/2017/11/12/us/nsa-shadow-brokers.html

  22. Tomi Engdahl says:

    Kaspersky: Yes, we obtained NSA secrets. No, we didn’t help steal them
    Moscow-based AV provider challenges claims it helped Russian spies.
    https://arstechnica.com/information-technology/2017/11/kaspersky-yes-we-obtained-nsa-secrets-no-we-didnt-help-steal-them/

    For almost two months in 2014, servers belonging to Moscow-based Kaspersky Lab received confidential National Security Agency materials from a poorly secured computer located in the United States that stored the files, most likely in violation of US laws, company officials said.

    The classified source code, documents, and executable binaries were stored on a computer that used an IP address reserved for Verizon FIOS customers in Baltimore, about 20 miles from the NSA’s Fort Meade, Maryland, headquarters, Kaspersky Lab said in an investigation report it published early Thursday morning. Starting on September 11, 2014 and running until November 9 of that year, Kaspersky Lab servers downloaded the confidential files multiple times after the company’s antivirus software, which was installed on the machine, found they contained malicious code from Equation Group, an NSA-linked hacking group that operated for at least 14 years before Kaspersky exposed it in 2015.

    The downloads—which, like other AV software, the Kaspersky program automatically initiated when it encountered suspicious software that warranted further inspection—included a 45MB 7-Zip archive that contained source code, malicious executables, and four documents bearing US government classification markings. A company analyst who manually reviewed the archive quickly determined it contained confidential material. Within a few days and at the direction of CEO and founder Eugene Kaspersky, the company deleted all materials except for the malicious binaries. The company then created a special software tweak to prevent the 7-Zip file from being downloaded again.

    “The reason we deleted those files and will delete similar ones in the future is two-fold,” Kaspersky Lab officials wrote in Thursday’s report. “We don’t need anything other than malware binaries to improve protection of our customers and secondly, because of concerns regarding the handling of potential classified materials. Assuming that the markings were real, such information cannot and will not [be] consumed even to produce detection signatures based on descriptions.”

    Reply
  23. Tomi Engdahl says:

    New York Times:
    Former NSA employee Nghia H. Pho pleads guilty to taking classified files home, where, officials say, Russian hackers stole the files via Kaspersky software

    Former N.S.A. Employee Pleads Guilty to Taking Classified Information
    https://www.nytimes.com/2017/12/01/us/politics/nsa-nghia-pho-classified-information-stolen-guilty.html

    A former National Security Agency employee admitted on Friday that he had illegally taken from the agency classified documents believed to have subsequently been stolen from his home computer by hackers working for Russian intelligence.

    Nghia H. Pho, 67, of Ellicott City, Md., pleaded guilty to one count of willful retention of national defense information, an offense that carries a possible 10-year sentence.

    But in court documents, prosecutors did disclose that he worked from 2006 to 2016 for the N.S.A.’s “Tailored Access Operations.” The unit, whose name has now been changed to Computer Network Operations, is the N.S.A.’s fastest-growing component.

    He kept those materials, some in digital form, at his home in Maryland, according to prosecutors.

    Mr. Pho is one of three N.S.A. workers to be charged in the past two years with mishandling classified information, a dismal record for an agency that is responsible for some of the government’s most carefully guarded secrets.

    Mr. Pho took the classified documents home to help him rewrite his resume. But he had installed on his home computer antivirus software made by Kaspersky Lab, a top Russian software company, and Russian hackers are believed to have exploited the software to steal the documents, the officials said.

    Reply
  24. Tomi Engdahl says:

    Former N.S.A. Employee Pleads Guilty to Taking Classified Information
    https://www.nytimes.com/2017/12/01/us/politics/nsa-nghia-pho-classified-information-stolen-guilty.html?_r=0

    BALTIMORE — A former National Security Agency employee admitted on Friday that he had illegally taken from the agency classified documents believed to have subsequently been stolen from his home computer by hackers working for Russian intelligence.

    Nghia H. Pho, 67, of Ellicott City, Md., pleaded guilty to one count of willful retention of national defense information, an offense that carries a possible 10-year sentence.

    Mr. Pho, who worked as a software developer for the N.S.A., was born in Vietnam but is a naturalized United States citizen.

    But in court documents, prosecutors did disclose that he worked from 2006 to 2016 for the N.S.A.’s “Tailored Access Operations.”

    Reply
  25. Tomi Engdahl says:

    The leaks have come to light as investigators scramble to trace the source of an even worse breach of N.S.A. security: the public release of the agency’s hacking tools by a still-unidentified group calling itself the Shadow Brokers. Some of those tools have been subsequently used for “ransomware” attacks that shut down or disrupted businesses, hospitals, railways and other enterprises around the world this year.

    Reply
  26. Tomi Engdahl says:

    NSA employee pleads guilty after stolen classified data landed in Russian hands
    http://www.zdnet.com/article/former-nsa-staffer-pleads-guilty-after-classified-data-theft/
    The classified data was later collected by Kaspersky software running on the staffer’s home computer.

    Eugene Kaspersky: We would quit Moscow if Russia asked us to spy
    http://www.zdnet.com/article/eugene-kaspersky-we-would-quit-moscow-if-russia-asked-us-to-spy/

    Kaspersky Lab founder hits back at espionage claims.

    Reply
  27. Tomi Engdahl says:

    Event Logs Manipulated With NSA Hacking Tool Recoverable
    http://www.securityweek.com/event-logs-manipulated-nsa-hacking-tool-recoverable

    Researchers at security firm Fox-IT have developed a tool that allows investigators to detect the use of specific NSA-linked malware and recover event log data it may have deleted from a machine.

    The group calling itself Shadow Brokers has published several tools and exploits stolen from the Equation Group, cyberspies believed to be working for the U.S. National Security Agency (NSA). One of the tools leaked by the Shadow Brokers in April is DanderSpritz, a post-exploitation framework that allows hackers to harvest data, bypass and disable security systems, and move laterally within a compromised network.

    An interesting DanderSpritz plugin is EventLogEdit, which is designed for manipulating Windows Event Log files to help attackers cover their tracks. While hacker tools that modify event logs are not unheard of, EventLogEdit is more sophisticated compared to others as it allows removal of individual entries from the Security, Application and System logs without leaving any obvious clues that the files had been edited.

    “While we understand that event logs can be cleared and event logging stopped, surgically editing event logs is usually considered to be a very advanced capability (if possible at all),” Jake Williams, founder of Rendition Infosec and an expert in Shadow Broker leaks, said after news of the tool emerged. “Knowing that some attackers apparently have the ability to edit event logs can be a game changer for an investigation.”

    Reply
  28. Tomi Engdahl says:

    NSA Contractor Pleads Guilty in Embarrassing Leak Case
    http://www.securityweek.com/nsa-contractor-pleads-guilty-embarrassing-leak-case

    A former contractor for the US National Security Agency’s elite hacking group has agreed to plead guilty to removing classified documents in a case that highlighted a series of disastrous leaks of top-secret NSA materials.

    Harold Martin, who reportedly worked for an NSA unit focused on hacking into target computer systems around the world, will plead guilty to one of 20 counts against him with the aim of concluding a 15-month-old case couched in deep secrecy, according to court documents filed late Wednesday.

    The indictment filed on February 8, 2017 accused Martin of hoarding an estimated 50 terabytes of NSA data and documents in his home and car over a 20-year period. The material reportedly included sensitive digital tools for hacking foreign governments’ computers.

    His arrest in late 2016 followed the NSA’s discovery that a batch of its hacking tools had fallen into the hands of a still-mysterious group called the Shadow Brokers, which offered them for sale online and also released some for free.

    At least publicly, Martin has not been accused of responsibility for any NSA leaks.

    In December, Nghia Hoang Pho, 67, a 10-year veteran of the NSA’s Tailored Access Operations hacking unit, was charged with and agreed to plead guilty to one count of removing and retaining top-secret documents from the agency.

    Vietnam-born Pho also had taken home highly classified NSA materials and programs.

    According to The New York Times, apparent Russian hackers broke into his personal computer to steal the files, accessing them via Pho’s use of Kaspersky software.

    But that case also has not been linked to the Shadow Brokers theft.

    Reply
  29. Tomi Engdahl says:

    NSA Used Simple Tools to Detect Other State Actors on Hacked Devices
    https://www.securityweek.com/nsa-used-simple-tools-detect-other-state-actors-hacked-devices

    An analysis of leaked tools believed to have been developed by the U.S. National Security Agency (NSA) provides a glimpse into the methods used by the organization to detect the presence of other state-sponsored actors on hacked devices, and it could help the cybersecurity community discover previously unknown threats.

    Over the past few years, a mysterious hacker group calling itself Shadow Brokers has been leaking tools allegedly created and used by the Equation Group, a threat actor widely believed to be linked to the NSA. The Shadow Brokers have been trying to sell Equation Group tools and exploits, but without much success. They say their main goal has been to make money, but many doubt their claims.

    Reply
  30. Tomi Engdahl says:

    Lily Hay Newman / Wired:
    Alleged NSA EternalBlue exploit, which leaked a year ago, has become a go-to tool for hackers because of its versatility and the many machines still unpatched

    The Leaked NSA Spy Tool That Hacked the World
    https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world

    An elite Russian hacking team, a historic ransomware attack, an espionage group in the Middle East, and countless small time cryptojackers all have one thing in common. Though their methods and objectives vary, they all lean on leaked NSA hacking tool EternalBlue to infiltrate target computers and spread malware across networks.

    Leaked to the public not quite a year ago, EternalBlue has joined a long line of reliable hacker favorites.

    The Conficker Windows worm infected millions of computers in 2008, and the Welchia remote code execution worm wreaked havoc in 2003. EternalBlue is certainly continuing that tradition—and by all indications it’s not going anywhere.

    “When you take something that’s weaponized and a fully developed concept and make it publicly available you’re going to have that level of uptake,”

    Reply
