The researchers who originally uncovered the Equation Group, a hacking team strongly believed to be tied to the NSA, say that the trove of offensive tools, exploits, and files apparently stolen from that group and dumped online this week has a “strong connection” to the Equation Group’s known toolsets.
An anonymous group calling itself the Shadow Brokers over the weekend released two large files, one in plaintext and the other encrypted. The plaintext file contains a huge number of files, scripts, and exploits that the group claims to have stolen from a server used by the Equation Group, a team tied to a number of high-level offensive operations that was uncovered last year by researchers at Kaspersky Lab. The second, encrypted, file is being auctioned off to the highest bidder.
The Kaspersky researchers originally described the Equation Group as the most advanced it had ever seen, and said its tools and skills were at the top of the food chain. Many observers immediately connected Equation Group to the NSA through circumstantial evidence, though Kaspersky’s researchers have never confirmed that. Outside analysts who have examined the files dumped by the Shadow Brokers say they look to be authentic.
“Because of the sheer volume and quality, it is overwhelmingly likely that this data is authentic. And it does not appear to be information taken from compromised targets. Instead, the exploits, binaries with help strings, server configuration scripts, 5 separate versions of one implant framework, and all sort of other features indicate that this is analyst-side code—the kind that probably never leaves the NSA,” Nicholas Weaver of the International Computer Science Institute wrote on the Lawfare blog.
Meanwhile, Kaspersky’s researchers had a look at the tools dumped by Shadow Brokers, too, and found some very strong evidence that they came from the Equation Group’s arsenal. The Equation Group team uses a specific, unique implementation of the RC5 and RC6 ciphers, which is found in the Shadow Brokers dump.
“Comparing the older, known Equation RC6 code and the code used in most of the binaries from the new leak we observe that they are functionally identical and share rare specific traits in their implementation,” Kaspersky researchers wrote in a post analyzing the tools.
“This code similarity makes us believe with a high degree of confidence that the tools from the ShadowBrokers leak are related to the malware from the Equation group. While the ShadowBrokers claimed the data was related to the Equation group, they did not provide any technical evidence of these claims. The highly specific crypto implementation above confirms these allegations.”
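The attribution rests on a crypto implementation that is functionally identical to known Equation Group code while sharing unusual implementation traits. The added example below (written for this article, not Kaspersky's analysis code or anything from the leaked tooling) shows what such a comparison keys on: an RC6 key schedule written with the standard constants from the RC6 specification (P32 = 0xB7E15163, Q32 = 0x9E3779B9) beside a variant that subtracts the two's-complement negation of Q32 (0x61C88647) instead. Both produce the same round keys and ciphertext, yet a scan of a binary for the constant's immediate form tells the two apart. The "subtract the negated constant" quirk is used here as an illustration of the kind of trait such comparisons rely on, not as a statement of what the leaked binaries actually contain; the byte blob scanned at the end is constructed for the example.

```python
import struct

# Standard RC6 key-schedule constants (from the RC6 specification).
P32 = 0xB7E15163
Q32 = 0x9E3779B9
# Two's-complement negation of Q32: subtracting this equals adding Q32 mod 2^32.
NEG_Q32 = (-Q32) & 0xFFFFFFFF  # 0x61C88647
MASK = 0xFFFFFFFF


def rotl(x, n):
    """Rotate a 32-bit word left by n (only the low 5 bits of n matter)."""
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK


def rc6_key_schedule(key, rounds=20, subtract_variant=False):
    """Expand `key` into 2*rounds+4 round keys.

    subtract_variant=False: S[i] = S[i-1] + Q32   (textbook form)
    subtract_variant=True:  S[i] = S[i-1] - NEG_Q32 (illustrative quirk)
    The two are arithmetically identical mod 2^32, so every round key matches.
    """
    t = 2 * rounds + 4
    c = max(1, (len(key) + 3) // 4)
    # Key bytes become little-endian words; a short last chunk is zero-padded.
    L = [int.from_bytes(key[4 * i:4 * i + 4].ljust(4, b"\0"), "little")
         for i in range(c)]
    S = [P32]
    for _ in range(1, t):
        if subtract_variant:
            S.append((S[-1] - NEG_Q32) & MASK)
        else:
            S.append((S[-1] + Q32) & MASK)
    A = B = i = j = 0
    for _ in range(3 * max(c, t)):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def rc6_encrypt_block(block, S, rounds=20):
    """Encrypt one 16-byte block with RC6-32/rounds using round keys S."""
    A, B, C, D = struct.unpack("<4I", block)
    B = (B + S[0]) & MASK
    D = (D + S[1]) & MASK
    for r in range(1, rounds + 1):
        t = rotl((B * (2 * B + 1)) & MASK, 5)
        u = rotl((D * (2 * D + 1)) & MASK, 5)
        A = (rotl(A ^ t, u) + S[2 * r]) & MASK
        C = (rotl(C ^ u, t) + S[2 * r + 1]) & MASK
        A, B, C, D = B, C, D, A
    A = (A + S[2 * rounds + 2]) & MASK
    C = (C + S[2 * rounds + 3]) & MASK
    return struct.pack("<4I", A, B, C, D)


def find_rc6_constants(blob):
    """Return offsets of each RC6 constant (as a little-endian immediate) in blob."""
    hits = {}
    for name, val in (("P32", P32), ("Q32", Q32), ("NEG_Q32", NEG_Q32)):
        needle = struct.pack("<I", val)
        offsets, start = [], 0
        while (pos := blob.find(needle, start)) != -1:
            offsets.append(pos)
            start = pos + 1
        hits[name] = offsets
    return hits


def describe_rc6_trait(blob):
    """Summarise which key-schedule form the constants in blob suggest."""
    hits = find_rc6_constants(blob)
    if not hits["P32"]:
        return "no RC6 key-schedule constants found"
    if hits["NEG_Q32"] and not hits["Q32"]:
        return "RC6 with subtract-negated-Q32 quirk"
    if hits["Q32"]:
        return "RC6 with textbook add-Q32 schedule"
    return "P32 present, Q32 form undetermined"


# Constructed stand-in for a code region: a few x86-looking bytes around
# P32 and the negated Q32 immediate. Not taken from any real binary.
SAMPLE_BLOB = (b"\x55\x8b\xec\x83\xec\x10" + struct.pack("<I", P32)
               + b"\x90" * 5 + struct.pack("<I", NEG_Q32) + b"\xc3")

if __name__ == "__main__":
    key = b"\x00" * 16
    same = rc6_key_schedule(key) == rc6_key_schedule(key, subtract_variant=True)
    print("round keys identical across variants:", same)
    print(describe_rc6_trait(SAMPLE_BLOB), find_rc6_constants(SAMPLE_BLOB))
```

Two functionally identical implementations are indistinguishable by their output, which is why the comparison is done on the code rather than on test vectors: the constant form, instruction ordering and similar details survive recompilation across versions and are what make a "rare specific trait" usable as a fingerprint.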
The tools in the Shadow Brokers dump appear to be several years old, based on the timestamps. The latest date found so far is from October 2013, meaning that the toolset has likely long since been replaced by newer versions.