A hacking group called The Shadow Brokers has claimed to have hacked a group linked to the National Security Agency (NSA) and is asking for 1 million bitcoins ($568 million) to return files after having dumped some of the files, according to Motherboard.
The Shadow Brokers claims to have hacked a group called Equation Group, whose level of sophistication has led some researchers to believe it is NSA related.
The Shadow Brokers claimed they stole some of the Equation Group’s hacking tools. They publicized the dump on Saturday and tweeted a link to their manifesto against government sponsors of cyber warfare.
The hackers wrote on Pastebin in its posting three days ago:
Attention government sponsors of cyber warfare and those who profit from it!!!! How much you pay for enemies cyber weapons? […] We find cyber weapons made by creators of stuxnet, duqu, flame. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.
The posting also appeared on GitHub and Tumblr, according to Motherboard, but both sites have apparently disabled the postings.
Kaspersky Labs, a Russia-based security group, last year documented 500 infections by Equation Group in at least 42 countries, with Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali topping the list, according to arstechnica.
Because of a self-destruct mechanism built into the malware, the Kapersky researchers suspected it was a small percentage of the total, and that the actual number of victims likely reached into the tens of thousands.
Kaspersky researchers concluded that Equation Group is probably the world’s most sophisticated computer attack group, with skills and resources rivaling the groups that developed the Flame espionage malware and Stuxnet.
Kaspersky researchers stopped short of saying Equation Group was the handiwork of the NSA—but they offered evidence implicating the spy agency.
The dumped files contained configurations for command and control servers, installation scripts, and exploits targeted to specific routers and firewalls. The names of some of the tools correspond with those used in Snowden documents, such as “EPICBANANA” or “BANANAGLEE.”
The Grugq, a security researcher, told Motherboard that if the dump is a hoax, the perpetrators put a “huge amount” of effort into it. The Grugq said the files look legitimate.
Security researcher Claudio Guarnieri said the files could be from a hacked NSA server. He said more analysis is needed.
The most recent file is has a June 2013 date, but the hackers could have tampered with the dates. Dmitri Alperovitch, the co-founder of security firm CrowdStrike, said the leakers were probably sitting on the information for years, waiting for an opportune time to release it.
Matt Tait, a former British intelligence officer, tweeted that the data could be from an old “counter-hack.”
Alex Gostev, a Kaspersky researcher, tweeted there is nothing from Equation, only names from an ANT catalog.
At the time of this report, the bitcoin wallet address that Motherboard identified as the address where the hackers accept auction offers, had 1.62303067 BTC Tuesday morning.
Featured image from Shutterstock. Story image from Facebook via arstechnica.