The Shadow Brokers (TSB) is a hacker group that first appeared in the summer of 2016. It published several leaks containing hacking tools from the National Security Agency (NSA), including several zero-day exploits. Specifically, these exploits and vulnerabilities target enterprise firewalls, antivirus software, and Microsoft products. The Shadow Brokers originally leaked tools attributed to the Equation Group, a threat actor that had been tied to the NSA's Tailored Access Operations unit.
Name and alias
Several news sources noted that the group's name probably refers to a character from the video game series Mass Effect. Matt Suiche quoted the following description of the character: "The Shadow Broker is an individual at the head of an expansive organization which trades in information, always selling to the highest bidder. The Shadow Broker appears to be highly competent at its trade: all secrets that are bought and sold never allow one customer of the Broker to gain a significant advantage, forcing the customers to continue trading information to avoid becoming disadvantaged, allowing the Broker to remain in business."
History of leak
First leak: "Equation Group Cyber Weapons Auction - Invitation"
Although the exact date is unclear, reports indicate that preparation for the leak began at least in early August, and the initial publication took place on August 13, 2016 with tweets from the Twitter account "@shadowbrokerss", which announced a Pastebin page and a GitHub repository containing references and instructions for obtaining and decrypting content files said to contain the tools and exploits used by the Equation Group.
Publications and speculation about authenticity
The Pastebin opens with a section titled "Equation Group Cyber Weapons Auction - Invitation", with the following content:
Equation Group Cyber Weapons Auction - Invitation
------------------------------------------------
!!! Attention government sponsors of cyber warfare and those who profit from it !!!!
How much do you pay for enemy cyber weapons? Not the malware you find on the network. Both sides, RAT + LP, the complete state-sponsored tool set? We found cyber weapons made by the creators of stuxnet, duqu, flame. Kaspersky calls them the Equation Group. We followed Equation Group traffic. We found the Equation Group source range. We hacked the Equation Group. We found many cyber weapons of the Equation Group. You see the pictures. We give you some Equation Group files for free, you see. Is this good evidence, no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we auction the best files.
The Pastebin includes various references for obtaining the file, named "EQGRP-Auction-Files.zip". This zip file contains seven files, two of which are GPG-encrypted archives: "eqgrp-auction-file.tar.xz.gpg" and "eqgrp-free-file.tar.xz.gpg". The password for the "eqgrp-free-file.tar.xz.gpg" archive was revealed in the original Pastebin to be theequationgroup. The password for the "eqgrp-auction-file.tar.xz.gpg" archive was later revealed in a Medium post to be CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN.
The Pastebin continues with instructions for obtaining the password to the encrypted auction file:
Auction Instructions
--------------------
We auction the best files to the highest bidder. Auction files are better than stuxnet. Auction files are better than the free files we have already given you. The party that sends the most bitcoins to the address 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK before the bidding stops is the winner, and we tell you how to decrypt. Very important!!! When you send bitcoins, you add an additional output to the transaction. You add an OP_Return output. In the OP_Return output you put your (bidder) contact info. We recommend using a bitmessage or I2P-bote email address. No other information will be publicly disclosed by us. Do not trust unsigned messages. We will contact the winner with decryption instructions. The winner can do with the files as they please; we do not release the files publicly.
The initial response to the publication was met with some skepticism over whether the content really was "... many cyber weapons of the Equation Group."
Second leak: "Message #5 - TrickOrTreat"
This publication, posted on October 31, 2016, contains a list of servers supposedly compromised by the Equation Group, as well as references to seven suspected covert tools (DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK and STOICSURGEON) also used by the threat actor.
Link to message
Link to material (password = payus)
Third leak: "Message #6 - BLACK FRIDAY/CYBER MONDAY SALE"
Message #6 reads as follows:
TheShadowBrokers is trying the auction. People do not like it. TheShadowBrokers is trying crowdfunding. People do not like it. Now TheShadowBrokers is trying direct sales. Be checking the ListOfWarez. If you like, you send TheShadowBrokers an email with the name of the Warez you want to purchase. TheShadowBrokers emails you back a bitcoin address. You make the payment. TheShadowBrokers emails you the decryption password. If you do not like this transaction method, you find TheShadowBrokers in the underground market and make the transaction with escrow. Files, as always, are signed.
This leak contains 60 folders named as references to tools likely used by the Equation Group. The leak does not contain executable files, only screenshots of the tools' file structure. While the leak could be a fabrication, the overall consistency between this leak and earlier and later references, together with the effort such a fabrication would require, lends credibility to the theory that the referenced tools are genuine.
Fourth leak: "Don't Forget Your Base"
On April 8, 2017, the Medium account used by The Shadow Brokers posted a new update. The post revealed the password for the encrypted file released the previous year to be CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN. The file allegedly revealed more NSA hacking tools. The post explicitly states that it was partly a response to President Trump's attack on the Syrian airfield, which was also used by Russian forces.
The decrypted file, eqgrp-auction-file.tar.xz, contains a collection of tools primarily for compromising Linux/Unix-based environments.
Fifth leak: "Lost in Translation"
On April 14, 2017, the Twitter account used by The Shadow Brokers posted a tweet with a link to the Steem blockchain. There, a message with links to the leaked files was posted; the files were encrypted with the password Reeeeeeeeeeeeeee.
The overall content is organized around three folders: "oddjob", "swift" and "windows". The fifth leak is suggested to be "... the most destructive release", and CNN quoted Matthew Hickey as saying, "This is quite possibly the most destructive thing I have seen in recent years."
The leak includes, among other things, tools and exploits with code names: DANDERSPIRITZ, ODDJOB, FUZZBUNCH, DARKPULSAR, ETERNALSYNERGY, ETERNALROMANCE, ETERNALBLUE, EXPLODINGCAN, and EWOKFRENZY.
Some of the exploits targeting the Windows operating system had been patched in a Microsoft Security Bulletin on March 14, 2017, one month before the leak occurred. Some have speculated that Microsoft may have been informed of the exploits before their release.
ETERNALBLUE
More than 200,000 machines were infected with tools from this leak within the first two weeks, and in May 2017 the major WannaCry ransomware attack used the ETERNALBLUE exploit against Server Message Block (SMB) to spread itself. The exploit was also used to help carry out the cyberattack of 27 June 2017.
ETERNALBLUE contains kernel shellcode that loads the non-persistent DoublePulsar backdoor. DoublePulsar can then be used to install the PEDDLECHEAP payload, which attackers access using the DanderSpritz Listening Post (LP) software.
Speculation and theory about motives and identity
NSA insider threat/whistleblower
James Bamford, along with Matt Suiche, speculated that an insider, "perhaps someone assigned to the [NSA's] highly sensitive Tailored Access Operations", stole the hacking tools. In October 2016, The Washington Post reported that Harold T. Martin III, a former contractor for Booz Allen Hamilton accused of stealing about 50 terabytes of data from the National Security Agency (NSA), was the prime suspect. The Shadow Brokers continued to post cryptographically signed messages and gave media interviews after Martin was arrested.
Theories of a connection to Russia
Edward Snowden stated on Twitter on August 16, 2016 that "circumstantial evidence and conventional wisdom indicate Russian responsibility" and that the leak "is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server", summarizing that it looks like "somebody is sending a message that an escalation in the attribution game could get messy fast".
The New York Times put the incident in the context of the cyberattacks on the Democratic National Committee and the hacking of the Podesta emails. As US intelligence agencies were contemplating a counterattack, the Shadow Brokers code release was to be seen as a warning: "Retaliate for the DNC, and there are many more secrets, from the hackings of the State Department, the White House and the Pentagon, that might be spilled as well. One senior official compared it to the scene in The Godfather where the head of a favorite horse is left in a bed, as a warning."
External links
- General ledger of the auction address on blockchain.info
- The various scenarios about who is behind The Shadow Brokers leak
- A list of firewall exploits contained in The Shadow Brokers leak
Source of the article: Wikipedia