On Good Friday and ahead of the Easter holiday, the Shadow Brokers have dumped a new collection of files, containing what appear to be exploits and hacking tools targeting Microsoft's Windows OS, along with evidence that the Equation Group had gained access to servers and targeted the SWIFT banking system of several banks across the world.
The tools were dumped via the Shadow Brokers Twitter account and were accompanied by a blog post, as the group did in the past.
Called "Lost in Translation," the blog post contains the usual indecipherable ramblings the Shadow Brokers have published in the past, and a link to a Yandex Disk file storage repo.
The password for these files is "Reeeeeeeeeeeeeee", and they've already been unzipped and hosted on GitHub by security researchers.
A list of all the files contained in the dump is available here, and it reveals the presence of 23 new hacking tools with names such as ODDJOB, EASYBEE, EDUCATEDSCHOLAR, ENGLISHMANSDENTIST, ESKIMOROLL, ECLIPSEDWING, EMPHASISMINE, EMERALDTHREAD, ETERNALROMANCE, ETERNALSYNERGY, EWOKFRENZY, EXPLODINGCAN, ERRATICGOPHER, ESTEEMAUDIT, DOUBLEPULSAR, MOFCONFIG, FUZZBUNCH, and others.
Last year, the Shadow Brokers claimed to have stolen these files from a cyber-espionage group known as the Equation Group, which many security firms claim is the NSA. They put the tools up for auction, but nobody was interested in paying the hefty price of 1 million Bitcoin (around $570 million at the time).
Last week, the Shadow Brokers dumped the password for the files they had put up for auction last summer. Missing from last week's dump were the Windows files they put up for individual auctions over the winter.
This dump contains three folders named Windows, Swift, and OddJob. The Windows folder contains several Windows hacking tools, although these are not the same tools that were put up for sale last December. The OddJob folder contains an eponymous implant that can be delivered to Windows operating systems. Details on this implant are scarce at the moment.
The folder claiming to hold SWIFT data contains SQL scripts that search for SWIFT-specific data inside databases, as well as text and Excel files hinting that the Equation Group had hacked and gained access to several banks across the world, mainly in Middle Eastern countries such as Palestine, UAE, Kuwait, Qatar, and Yemen.
This folder is by far the most interesting of the three, as it suggests that the Equation Group (NSA) had been infiltrating banks and secretly keeping an eye on SWIFT transactions. The files included in the dump indicate that the Equation Group had targeted and successfully infiltrated the SWIFT Service Bureau of the Middle East (EastNets), one of the SWIFT departments managing and monitoring SWIFT transactions across Middle East banks.
In a statement posted on its website, EastNets denied it had ever been compromised, even though the Shadow Brokers dump included a file listing all of the Bureau's compromised administrator accounts, some of which correspond to real-world employees.
As the tools were dumped only two hours before this article's publication, we have very little information about their purpose, apart from tweets by security researchers who have managed to figure out the role of some of these hacking tools:
"This is really bad, in about an hour or so any attacker can download simple toolkit to hack into Microsoft based computers around the globe." — Hacker Fantastic (@hackerfantastic), April 14, 2017
"It's so much worse than you could imagine, RDP and TerminalServices remote exploits combined with SMB/NBT. It's real IDDQD GOD MODE enabled." — Hacker Fantastic (@hackerfantastic), April 14, 2017
"Remember: US negotiated front door access to SWIFT for terrorism purposes. No reason to hack (at least not for terrorism) it in 2013. https://t.co/HXMaW5pc2y" — emptywheel (@emptywheel), April 14, 2017
"This dump had serious value, even now (great 0days, ops notes, passwords, etc), so burning it is a very expensive signal." — the grugq (@thegrugq), April 14, 2017
This post will most likely be updated with new information as it becomes available.