Security researchers have uncovered a "strong connection" between a mysterious data dump and a group of hackers known as the Equation Group, who are believed to be working for the United States National Security Agency (NSA). This connection indicates that the data dump does indeed contain information that belonged to the Equation Group.
The story started on August 13th when a group of hackers known as "The Shadow Brokers" published a message on Pastebin with links to a supposed data dump containing information and tools that belong to Equation Group:
"How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files."
This data dump included two encrypted files that supposedly contained the stolen data. The Shadow Brokers were giving away the first file for free along with the key to unlock it. The password to the other file, though, will only be given to the winner of an announced auction.
"We auction best files to highest bidder. Auction files better than stuxnet. Auction files better than free files we already give you. The party which sends most bitcoins to address: 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK before bidding stops is winner, we tell how to decrypt. Very important!!! When you send bitcoin you add additional output to transaction. You add OP_Return output. In Op_Return output you put your (bidder) contact info. We suggest use bitmessage or I2P-bote email address. No other information will be disclosed by us publicly. Do not believe unsigned messages. We will contact winner with decryption instructions. Winner can do with files as they please, we not release files to public."
To truly understand this story, some background information is needed on the Equation Group.
First detected by Kaspersky Lab back in 2015, Equation Group is a threat actor believed to be working for the NSA. It has leveraged malware campaigns, watering holes, and compromised removable media to conduct cyber espionage against foreign targets presumably on behalf of the United States and Israel.
Equation Group is widely regarded as one of the most sophisticated threat actors in existence today. As such, many have questioned whether the dump, as well as the related auction of some of the leak's "best files", is just a hoax.
Researchers at Kaspersky Lab may have just put those rumors to rest.
On 16 August, analysts at the Moscow-based security firm analyzed roughly 300MB of firewall exploits, tools, and scripts from the archive to which The Shadow Brokers had freely provided the password. In 347 instances, those files implemented the RC5 and RC6 key schedule with a subtract operation using the constant 0x61C88647. Public implementations instead add the constant 0x9E3779B9; the two forms are arithmetically identical modulo 2^32 (the constants sum to exactly 2^32), so the subtraction changes nothing cryptographically and is purely a coding habit, one previously seen only in Equation Group malware. That fingerprint leads Kaspersky's researchers to believe the dump is legitimate.
As they explain in a blog post:
"Comparing the older, known Equation RC6 code and the code used in most of the binaries from the new leak we observe that they are functionally identical and share rare specific traits in their implementation. In case you’re wondering, this specific RC6 implementation has only been seen before with Equation group malware. There are more than 300 files in the Shadowbrokers’ archive which implement this specific variation of RC6 in 24 different forms. The chances of all these being faked or engineered is highly unlikely. This code similarity makes us believe with a high degree of confidence that the tools from the ShadowBrokers leak are related to the malware from the Equation group. While the ShadowBrokers claimed the data was related to the Equation group, they did not provide any technical evidence of these claims. The highly specific crypto implementation above confirms these allegations."
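To make the fingerprint concrete, the following Python is an added example (it is not code from the article, from Kaspersky, or from the leaked archive). It fills the RC6 key-schedule table the textbook way, by adding 0x9E3779B9, and the way Kaspersky described, by subtracting 0x61C88647, and shows that both variants yield identical round keys because the two constants sum to 2^32. It also includes a minimal scanner that reports where the 32-bit immediate appears in a byte blob, the kind of check a triage script or YARA rule would perform. The test key, the sample blob and all function names are constructed for this example.

```python
"""RC6 key schedule, textbook vs. the subtract-0x61C88647 variant, plus a
constant scanner.  Added example; not the article's, Kaspersky's or the
leak's own code.  Sample key and blob below are constructed."""
from __future__ import annotations
import struct

MASK32 = 0xFFFFFFFF
P32 = 0xB7E15163              # RC5/RC6 key-schedule constant derived from e
Q32 = 0x9E3779B9              # RC5/RC6 key-schedule constant from the golden ratio
EQUATION_CONST = 0x61C88647   # value Kaspersky saw being *subtracted* instead


def rotl32(x: int, n: int) -> int:
    """Rotate a 32-bit word left by n (only the low 5 bits of n matter)."""
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK32


def initial_table(rounds: int, variant: str) -> list[int]:
    """Fill S[0..2r+3] before key mixing.  Both variants must agree word for
    word, since (S - 0x61C88647) mod 2^32 == (S + 0x9E3779B9) mod 2^32."""
    n = 2 * rounds + 4
    S = [P32]
    for _ in range(1, n):
        if variant == "standard":
            S.append((S[-1] + Q32) & MASK32)               # textbook: add Q
        elif variant == "equation":
            S.append((S[-1] - EQUATION_CONST) & MASK32)    # leak style: subtract
        else:
            raise ValueError("unknown variant: %r" % variant)
    return S


def rc6_key_schedule(key: bytes, rounds: int = 20, variant: str = "standard") -> list[int]:
    """Standard RC6-32/r key schedule (same mixing loop as RC5) returning the
    2r+4 round-key words.  Only the table fill differs between variants."""
    if not key or len(key) % 4:
        raise ValueError("key length must be a positive multiple of 4 bytes")
    c = len(key) // 4
    L = list(struct.unpack("<%dI" % c, key))     # key bytes as little-endian words
    S = initial_table(rounds, variant)
    n = len(S)
    A = B = i = j = 0
    for _ in range(3 * max(c, n)):
        A = S[i] = rotl32((S[i] + A + B) & MASK32, 3)
        B = L[j] = rotl32((L[j] + A + B) & MASK32, A + B)
        i = (i + 1) % n
        j = (j + 1) % c
    return S


def find_constant(blob: bytes, value: int = EQUATION_CONST,
                  byteorder: str = "little") -> list[int]:
    """Offsets at which the 32-bit immediate appears in the blob.  Little-endian
    is how an x86 `sub reg, imm32` encodes it; pass "big" for other targets."""
    needle = value.to_bytes(4, byteorder)
    hits, pos = [], blob.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(needle, pos + 1)
    return hits


# Constructed sample "binary": 4 zero bytes, an x86 `sub eax, 0x61C88647`
# (opcode 2D + imm32), 8 NOPs, then a textbook `add eax, 0x9E3779B9`
# (opcode 05 + imm32).  Not taken from any real file.
SAMPLE_BLOB = (b"\x00" * 4
               + b"\x2D" + EQUATION_CONST.to_bytes(4, "little")
               + b"\x90" * 8
               + b"\x05" + Q32.to_bytes(4, "little"))


if __name__ == "__main__":
    key = bytes(range(16))   # constructed 128-bit test key
    same = rc6_key_schedule(key, variant="standard") == rc6_key_schedule(key, variant="equation")
    print("constants sum to 2^32:", Q32 + EQUATION_CONST == 1 << 32)
    print("round keys identical across variants:", same)
    print("subtract-style immediate at offsets:", find_constant(SAMPLE_BLOB))
    print("textbook immediate at offsets:", find_constant(SAMPLE_BLOB, Q32))
```

A bare 4-byte immediate is only a triage pivot: in a large corpus it will also match unrelated data, so a hit should be confirmed by comparing the surrounding routine against a known sample, which is what Kaspersky's statement that the implementations are "functionally identical" in 24 forms amounts to.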
So who could have hacked one of the most sophisticated cyber espionage groups on the planet?
Cryptography expert Bruce Schneier believes it was Russia, as does NSA whistleblower Edward Snowden, who said in a series of tweets on 16 August that Russia was likely retaliating against accusations that it had hacked the United States Democratic National Committee and stolen opposition research on Republican presidential candidate Donald Trump:
"Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here's why that is significant: This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections. Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks. TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast."
Russia has not responded to Schneier's or Snowden's comments.
As of this writing, the Bitcoin wallet associated with the auction has received a total of BTC 1.64237 (about USD 937.58), spread across more than 25 transactions.
That number is expected to rise over the coming days and weeks, with the auction's official end-date currently unknown.