The Shadow Brokers dumps list of NSA-targeted servers

• 
  Peter Loshin

  Site Editor
• Published: 31 Oct 2016

The entity known as The Shadow Brokers dumped a data file Monday containing a list of servers targeted by the NSA-linked Equation Group and potentially used as staging servers for cyberattacks.

The disjointed message, the fifth from The Shadow Brokers, claims the servers listed in the dump were compromised by the Equation Group and then used to stage the group's exploits and hacking tools. The message, which was linked to download pages on websites Mega and Yandex, was signed with the same PGP key used to sign previous messages from The Shadow Brokers. The server list included timestamps with each server, dating as far back as August 2000 and as recently as August 2010.

The Shadow Brokers has already shaken the cybersecurity world with its release of Equation Group exploits for security devices from Cisco, Fortinet and others. In the latest message the group railed against U.S. political corruption and news organizations and ended with a call to disrupt the upcoming U.S. presidential election, as well as a short description of the contents of the encrypted file.

The list includes servers that were used by the Equation Group to stage attacks, the message read, referring to the Equation Group PITCHIMPAIR software exploit kit. Other IP addresses were released in connection with the INTONATION hacking tool; 329 IP addresses in all, with 41 located in China, 32 in Japan, 31 in Korea. Only four IP addresses in the list were located in the U.S.

In an attempt to drum up support for the auction it claimed was being conducted for access to cyberweapons used by Equation Group, The Shadow Brokers' message ended with a warning that owners of the systems listed should be careful if they decide to search for Equation Group cyberweapons because the "rootkit will self-destruct," and investigators should make a "cold forensic image" of the systems for research purposes.

Reaction to the dump was swift. Mustafa Al-Bassam, doctoral researcher with the Information Security Research Group at the University College London, noted on Twitter that the list demonstrates one reason cyber attribution is difficult:

So even the NSA hacks machines from compromised servers in China and Russia. This is why attribution is hard. https://t.co/q7htD7jHjZ

— Mustafa Al-Bassam (@musalbas) October 31, 2016

And Liverpool, U.K.-based security architect Kevin Beaumont noted the list of servers was quite old and likely not to have much value:

The Shadow Brokers continue to grapple for publicity and money. The list of servers is 9 years old, likely no longer exist or reinstalled. https://t.co/bEJGsvZItY

— Kevin Beaumont (@GossiTheDog) October 31, 2016