Mysterious Group Hacks The NSA

Tyler Durden's picture

The latest hack revealed over the weekend has nothing to do with the Democratic Party or George Soros, and instead a mysterious hacker group by the name “The Shadow Brokers” claims to have hacked the Equation Group - a government cyberattack hacking group associated with the NSA, and released a bunch of the organization's hacking tools. The hackers are also asking for 1 million bitcoin (around $568 million) in an auction to release more files.

“Attention government sponsors of cyber warfare and those who profit from it!!!!” the hackers wrote in a manifesto posted on Pastebin, on GitHub, and on a dedicated Tumblr.

How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.

In February 2015, Ars Technical dubbed The Equation Group "the most advanced hacking operation ever uncovered." According to Kasperky, the "Equation Group" is a threat actor that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades."  While Kaspersky Lab stopped short of saying it’s the NSA, its researchers laid out extensive evidence pointing to the American spy agency, including a long series of codenames used by the Equation Group and found in top secret NSA documents released by Edward Snowden. The Equation Group, according to Kaspersky Lab, targeted the same victims as the group behind Stuxnet, which is widely believed to have been a joint US-Israeli operation targeting Iran’s nuclear program, and also used two of the same zero-day exploits.


The global "victims" of the Equation Group are laid out in the map below: it is no secret that the group is not particularly enthused by either Iran or Russia.

It is this secretive hacker collective that the "Shadow Brokers" claimed to have hacked, and allegely stole some of its hacking tools. They publicized the dump on Saturday, tweeting a link to the manifesto to a series of media companies.

According to Motherboard, the dumped files mostly contain installation scripts, configurations for command and control servers, and exploits targeted to specific routers and firewalls. The names of some of the tools correspond with names used in Snowden documents, such as “BANANAGLEE” or “EPICBANANA.” The hackers have released 60% of the files they claimed to have taken from the Equation Group. The Shadow Brokers said they would release the remaining data to the highest bidder in a Bitcoin auction (they’ve received three bids so far). If they received an extraordinary 1,000,000 Bitcoins, worth roughly $560 million, they would release all the files.


A review of the files revealed what appear to be vulnerabilities and exploits for some widely-used firewalls — network security technologies that aim to block digital snoops from entering. Suiche posted a handy rundown of the products affected. He said at the very least the exploits for the Cisco products included “real code” designed specifically to take control of the firewalls. “It’s not automatically generated or something like that.”

Alongside those alleged exploits were implants — malware that is covertly dropped on the network once the firewall and other security mechanisms have been bypassed. There were also some scripts and basic instructions for the malware’s usage.

While it was initially unclear if the data is legitimate, some security experts agree that it likely is. 

“The code in the dump seems legitimate, especially the Cisco exploits … and those exploits were not public before,” said Matt Suiche, founder of UAE based cybersecurity start-up Comae Technologies. “The content seems legit.”

“If this is a hoax, the perpetrators put a huge amount of effort in,” the security researcher known as The Grugq told Motherboard. “The proof files look pretty legit, and they are exactly the sorts of exploits you would expect a group that targets communications infrastructure to deploy and use.” Claudio Guarnieri, an independent security researcher who’s investigated other hacking operations by the Western intelligence agencies, said that the files might be from a hacked NSA server used in an operation. He also cautioned that this is a preliminary analysis and that more analysis is needed.

The most recent file is dated June 2013, though the hackers could have tampered with the dates. Dmitri Alperovitch, the co-founder of security firm CrowdStrike, theorized that “the leakers were probably sitting on this information for years, waiting for the most opportune time to release.” CrowdStrike is best known for immediately 'concluding' that all recent hacks of Democratic-linked servers have been under the guidance of the Kremlin.

A Kaspersky Lab researcher declined to comment. Another Kaspersky Lab researcher noted on Twitter that there is “nothing” in the dumped files that links them to the Equation Group, but some of their names are from the ANT Catalog, an NSA hacking toolset published by Der Spiegel in late 2013. It’s worth noting that while the files dumped by The Shadow Brokers might not have a direct connection with the Equation Group, they could come from a different operation that those seen by Kaspersky Lab.

The Shadow Broker claimed to have gotten the files by following Equation Group “traffic,” hacking the group and finding its “cyber weapons.” (The hackers did not respond to a request for comment, and neither did the NSA.)

As Motherboard concludes, while the motives behind this dump are unclear, if legitimate, this could be one of the most shocking hacks ever.

As of Monday afternoon, the Bitcoin wallet where the hackers accept auction offers has received three offers so far; it has a long way to go to reach 1 million. If this hack is confirmed to be indeed of an NSA-related organization, we assume much more leaks will follow, even if the payment will ultimately take place behind the scenes.

As for the origins of the new "mysterious" hacker group, speculation is already rife that Russians are (again) behind it. However, as Forbes notes, whatever the alleged hack’s origins, the NSA does have something to worry about: Someone is out to embarrass the agency and might have the tools to do just that at a particularly heated time in US politics. The agency should, of course, have a response plan. Snowden managed what the Shadow Brokers are shooting for on a far greater scale.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
N0TaREALmerican's picture
N0TaREALmerican (not verified) Aug 15, 2016 3:51 PM

Maybe the NSA hacked the NSA and doesn't know it.

Muddy1's picture

And a big F U to NSA!!!!!!!!!  Hope the hackers did it without K Y jelly!!!!!  How does it feel NSA?

nibiru's picture

Next elections, vote according to who has better hackers on his/her side!

AlaricBalth's picture

The name Equation Group was chosen because of the group's predilection for strong encryption methods in their operations.


Muddy1's picture

"The hackers are also asking for 1 million bitcoin (around $568 million) in an auction to release more files."

The Iranians were paid off now this group wants to have a pay day!!!!!!!!!

Jim Sampson's picture

John McAfee looks better every single day.

Automatic Choke's picture

beat them all...unplug the network cable.

jcaz's picture

Lemme guess-  now the NSA will say that all they took were Hillary's emails......

LowerSlowerDelaware_LSD's picture
LowerSlowerDelaware_LSD (not verified) jcaz Aug 15, 2016 5:23 PM

So the hackers want NSA to pay them in NSA generated "currency," Bitcoin. 

Not... very... bright...

Like all of the other recent Bitcoin hacks, NSA will simply hack them back.

HowdyDoody's picture

I bet the geniuses at the NSA didn't see these events coming: i) Syria has offered Russia a permanent airbase at Hymeim and ii) Russia is flying long range strategic Tu-22M3 bombers out of an Iranian airbase north of Hamadan to bomb the shit out of US proxies in Syria. Shorter range = more bombs per sortie.

Way to go, Barry! Russia is so totally isolated.

Bob's picture

Well, they are aiming for the stars: $1,000,000!  Or bitcoins. 

Why does Dr. Evil come to mind here?

Oh, well. I guess they know best.  Surely $1M or 1M bitcoins compensates for making themselves some of the most wanted men in the world.

The Gun Is Good's picture

LOL!  Hackers' lingo sounds like our Boris A.

NidStyles's picture

This is only going to end one way.


With a Hellfire missile strike from a drone. If it doesn't then it was someone on the inside extorting from the public coffers.

Number 156's picture

All your base are belong to us!

Come On Puu See's picture


LadiesLoveCoolJames's picture

It sounds like a skinny Vietnamese boy trying to trick out his little sister to a bunch of GI Joe's.

Come On Puu See's picture


BarkingCat's picture

Actually they sound like Chinks

Tompooz's picture

They sound like oligarchs-in-spe : Russian born Israeli's

leftcoastfool's picture

Maybe Boris is hacker on side, no?

logicalman's picture

If you make the establishment look stupid, they are bound to come after you.

Can't have everyone knowing how stupid the establishment really are.

The only thing holding the system together is most people's belief that 'the establisment knows better'


token's picture

It's NOT $1M or Bitcoins. It's 1M Btc you idiot.  1M BTC = $568M... Damn, is you dumb!



Sam.Spade's picture

If you think the NSA creates Bitcoin, you know nothing about cryptocurrencies.

Yes, they may be able to track it's use, but that's about all.

HopefulCynic's picture

Mot if you tumble it and use several anonymous wallets.

Sam.Spade's picture

The operative word in my post was 'may'.  How do you know that the mixers you use are not NSA honeypots?  Or that they haven't tracked your IP address when you bought the coins to begin with?  Ditto for when you spend them.

Bitcoin anonymity is very complex.  The NSA can't 'print' Bitcoin, but they MIGHT be able to track them.

logicalman's picture

I suppose they should demand gold.

Put it somewhere secret for pick-up and agree that no one will look?

I'm not a huge fan of BitCoin, but it seems like there's a better chance you'll get away with doing a runner than you would with anything else.

Can't be too lacking in luminosity if they have pulled this off.



ACES FULL's picture

They want ransom from NSA? Uh oh,somebody is gonna be liberated and democratized shortly.

SwiffFiffteh's picture

I see you know nothing about Bitcoin.

JustUsChickensHere's picture

Bitcoin hacks?  No hacks of Bitcoin itself that I know of.

Hacks of insecure brokerages, companies, and individuals .... sure happens all the time. That happens with USD as well - and every other currency too.

hxc's picture

Yeah. Hackers stole em so the NSA don't got em no more! Nevermind the State Dept cache cuz it's already old news that the emails are gone. I'd bet at least sixty percent of the average idiots called the general population would believe that.

Troll Magnet's picture

Get off the grid? What are you, an extremist?

logicalman's picture

I've been on-line since 1992.

I always assumed that if I could access another computer anywhere in the world, back in the days of Telnet and before Netscape, that someone with another computer, if they knew more about its internal workings than I, could access my computer.

I've always used this as a guide to on-line activity.

Just because you're paranoid.........

knukles's picture

Hah!  Good timing and memory.

847328_3527's picture

The hackers claim they also have Top Secret photos of Hillary's "thigh gap" they will release for free as a bonus!

Muddy1's picture

I'll pay them NOT to release those photo's.  That just makes me sick to think about the possibility photos like that might exist.

wombats's picture

Agree.  Makes up for the disgusting Hillary thought.

Proofreder's picture

Aaaahhhhhhhhh, sigh.

Much better.

NoPension's picture

Added that to the homescreen. The old lady can piss off.

Bob's picture

Rest assured that no such thing exists. 

Thigh gap,after all.

Richard Chesler's picture

It's all noise until they leak crooked Hillary's emails.

That being said Cunt Pelosi had to change her cell number due to obscene calls, lol


oddjob's picture

I'd like to see a word cloud of those calls.

Umh's picture


nibiru's picture

With Obama still in office maybe, we should ask for sth.


If it is so easy to get stuff done by Obozo it will probably be even easier with Clinton in power. I hope for a reasonable pricing. Let's basically crowdsource a tax reduction! Yes, I know she is corrupt but it is going to be cheaper than waiting for another 4 years if she gets elected! Also, I don't want the US to become another Zimbabwe or Japan!