
Equation Group cyberweapons auctioned off; WikiLeaks promises release

Cyberweapons purportedly stolen from the NSA-linked Equation Group have been put up for auction; WikiLeaks promises it will publish a 'pristine copy in due course.'

A group attempting to auction off cyberweapons allegedly used by the NSA-linked Equation Group and Edward Snowden... said this may be the beginning of the fallout.

The group, calling itself the Shadow Brokers, claimed it hacked one of the most advanced and longstanding cyberespionage actors, the Equation Group. There has been speculation that the Equation Group is part of the National Security Agency (NSA).

The Shadow Brokers posted images of the files stolen and some of the code -- the GitHub repository has since been disabled -- and experts have matched the code samples with exploits cataloged in the NSA's Advanced Network Technology (ANT) Division data leaked by Edward Snowden in 2013.

Claudio Guarnieri, a researcher at the University of Toronto's Citizen Lab, said on Twitter, "Some of those programs in the dump are parts related to network appliance implants from the ANT catalog." Guarnieri was careful to note he hadn't seen any evidence in the code of the source of the data, but the latest file modification date in the code was from June 2013 -- before the ANT catalog was published.

The Shadow Brokers set up an auction for the data, asking bidders to send bitcoin and promising to release the code to the highest bidder, but they would not refund losing bids. And, if the bidding reached 1 million bitcoin -- approximately $581 million -- the Shadow Brokers would "dump more Equation Group files, same quality, unencrypted, for free, to everyone." As of this publication, though, the auction address had received only 1.6 bitcoin.

Rick Holland, vice president of strategy for cybersecurity firm Digital Shadows Ltd., jointly based in London and San Francisco, said even "if the data is false, the notoriety surrounding the ad alone could be enough for Shadow Brokers to generate some profit."

"From what we have observed previously, this is a common tactic amongst cyberactors who want to profit from what they often claim is stolen information," Holland told SearchSecurity via email. "The highest bidder might be able to collect whatever data is for sale and either release it to the public or create their own sale in an attempt to generate a return on their investment -- while also maintaining the illusion that the data is legitimate."

The original announcement by the Shadow Brokers has disappeared from Tumblr, though the Google cache of the page is still available. In suspicious timing that may just be coincidence, the NSA website has been down for most of the day, and WikiLeaks claimed to have the Equation Group data.

Edward Snowden himself commented on the happenings on Twitter, while being careful to not specifically confirm the claims made by the Shadow Brokers. Snowden described how the NSA hacks others and claimed the NSA itself is not immune to being hacked.

Snowden went on to conjecture, as others have, who might be behind such an attack on the NSA, but Guarnieri said any claims of attribution are nothing more than speculation.

Igor Baikalov, chief scientist for Securonix Inc., the Los Angeles-based security analytics firm, told SearchSecurity "too many things around this announcement don't make sense."

"There's no proof whatsoever that the code is in any way connected to [Equation Group] or NSA," Baikalov said. "Researchers who've seen it say it's good, but there's a lot more analysis [that] has to be done before any definitive conclusions, specifically on the lineage with any known code base. The most I'd give to the Shadow Brokers is that they've stumbled upon an old backup from 2013 -- that'd explain the most recent file date and names unchanged since the leak."

However, Snowden suggested whoever may be behind this release might be sending a "warning that someone can prove U.S. responsibility for any attacks that originated from this malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted U.S. allies."

Next Steps

Learn more about what the NSA's Tailored Access Operations unit means for enterprises.

Find out how Edward Snowden accessed secret NSA files.

Get info on how to prevent insider information leak incidents.


Join the conversation

The ugliest among us selling stolen goods to more bottom feeders. It should be treated like any other common theft. We need to go after them with, uh, real teeth. And we need to do it quickly before all these stolen goods come back to bite us all.

Scum selling their stolen goods to bottom feeders. We need to treat these thieves as we would any crook. Of course we'll need the, uh, teeth to go after them, but we really, really, really need to get to it very quickly. And we need to ask ourselves (yes, we're the techs who are to blame) why everything, even secure data, has been left so vulnerable.
