Threat Intelligence

Who Hacked the NSA-linked Hacking Unit Equation Group, and why?

August 18, 2016 by Pierluigi Paganini

Someone hacked the Equation Group arsenal

The militarization of the cyberspace is in the middle of a heated debate, what will happen if a government-built malware or a cyber weapon will run out of control. These powerful tools can go into the wrong hands with unpredictable consequences.

The news reported by the media this week is disconcerting, an unknown group of hackers has hacked into the “Equation Group‘s” arsenal.

In February 2015, the security researchers at Kaspersky discovered the espionage operations of a hacking group operating since 2001 that targeted practically every industry with sophisticated zero-day exploits and implants.

According to a report published by Kaspersky Lab, the hacker group, dubbed the Equation Group, combined sophisticated and complex Tactics, Techniques, and Procedures.

The experts from the security firm confirmed that the arsenal of the ATP group includes sophisticated hacking tools that requested a significant effort for their development.

The experts at Kaspersky speculated that the Equation Group had interacted with operators behind the Stuxnet and Flame malware. The analysis of the numerous cyber espionage campaigns detected over the years by Kaspersky lead the experts into believing that the National Security Agency (NSA) could be linked to the Equation Group.

“There are solid links indicating that the Equation Group has interacted with other powerful groups, such as the Stuxnet and Flame operators—generally from a position of superiority,” stated the report released at by Kaspersky during the company’s Security Analyst Summit in Cancun, Mexico.

Figure 1 – Equation Group victims map from Kaspersky Lab Report

The researchers explained that the Equation Group is a “threat actor that surpasses anything known regarding complexity and sophistication of techniques.”

Now a hacker collective that is calling itself “The Shadow Brokers,” is asking for 1 Million Bitcoins (roughly $578 Million) in an auction to release the hacking tools and exploits and more files belonging to the arsenal of the Equation Group.

The ShadowBrokers provided the links to two distinct PGP-encrypted archives, the first one offered for free as a proof of the hack (its passphrase is ‘auctioned’), for the second one, the group requested 1 million Bitcoin.

Experts who have already examined the leaked data dump believe it could be legitimate.

I haven’t tested the exploits, but they definitely look like legitimate exploits,” Matt Suiche, founder of UAE-based cyber security firm Comae Technologies, told the Daily Dot.

Below the opinion of the notorious The Grugq provided to Motherboard

“If this is a hoax, the perpetrators put a huge amount of effort in,” security researcher The Grugq told Motherboard. “The proof files look pretty legit, and they are exactly the sorts of exploits you would expect a group that targets communications infrastructure to deploy and use.”

The data dump included exploits and hacking tools that The Shadow Brokers published on their Github and Tumblr, but the accounts were promptly suspended.

The huge trove of files contains installation scripts, configurations for command-and-control (C&C) servers, and multiple exploits designed to compromise network appliances manufactured by IT giants like Cisco, Fortinet, and Juniper.

Documents leaked by the hackers also related to some of the hacking tools that were presented in the secret document disclosed by Edward Snowden, including “BANANAGLEE” and “EPICBANANA.”

No doubts, if the Equation Group hack was confirmed, such as its link to the NSA, this is a very serious problem for IT industry worldwide.

Analyzing the leaked data dump. Are the tools legitimate?

The ShadowBrokers hackers have hacked the NSA-linked unit known as the Equation Group and leaked online a data dump containing exploits and hacking tools.

The intent is clear; they want to send a message to the Equation Group, so to the entire US Intelligence.

The first question to answer is:

“Are the tools the same the Equation Group used to hack systems worldwide?”

The experts who have already analyzed the tools included in the archive believe that they belong to the NSA hacking unit.

The experts from Kaspersky Lab published a detailed analysis of the hacking material leaked by The ShadowBrokers suggesting that the material belongs to the arsenal of the Equation Group.

The first archive leaked by the hackers contains roughly 300MBs of data, including firewall exploits, hacking tools, and scripts with cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION.

The security researchers Mustafa Al-Bassam published a post that aims to be a comprehensive list of all the exploits, implants, and tools for hacking firewalls (“Firewall Operations”) included in the dump.

Reading the description of the tools provided in the post, it is possible to note that the Equation Group’s hackers targeted products made by principal IT manufacturers, including Cisco, Fortigate, Juniper, TOPSEC, and Watchguard.

Almost any file included in the archive is at least three years old, the newest timestamp dating to October 2013. A possible explanation is that the NSA has deployed its hacking infrastructure after Snowden disclosed the secret material stolen during its service.

The researchers at Kaspersky started their analysis of the leaked data from the newly released files trying to find evidence of connections with hacking tools used by the Equation Group. The experts analyzed hacking tools such as EQUATIONDRUGDOUBLEFANTASYGRAYFISH, and FANNY.

“While we cannot surmise the attacker’s identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group.” reported the analysis published by Kaspersky.

The researchers have found more than 300 files found in the data dump share a common implementation of RC5 and RC6 encryption algorithms largely used by the alleged NSA-linked hacking unit.

“There are more than 300 files in the Shadow Brokers’ archive which implement this specific variation of RC6 in 24 other forms,” reported Kaspersky. “The chances of all these being fakes or engineered is highly unlikely.”

“The code similarity makes us believe with a high degree of confidence that the tools from the Shadow Brokers’ leak are related to the malware from the Equation group.”

The following image reports the comparison of the old Equation group malware code and the RC6 code found in the archive leaked by the ShadowBrokers. The two pieces of software evidently use the same function and constraints; the same coders developed them.

Figure 2 – Comparison of the old Equation group malware code and the RC6 code found in the archive leaked by the ShadowBrokers (Kaspersky Lab Report)

The popular Italian researchers Claudio Guarnieri hypothesized The Shadow Brokers group may have hacked a “listening post” (LP), that is a component of the overall surveillance infrastructure used to control the Equation Group’ implants.

Figure 3 – Claudio Guarnieri Tweets

Further evidence was collected by journalists at the Washington Post that citing two former-NSA Tailored Access Operations hackers confirmed that the tools are the same used by the NSA Equation Group.

“Without a doubt, they’re the keys to the kingdom,” explained one the former TAO employee, who spoke on the condition of anonymity. “The stuff you’re talking about would undermine the security of a lot of major government and corporate networks both here and abroad.”

“From what I saw, there was no doubt in my mind that it was legitimate.” said a second former TAO hacker.

The NSA Tailored Access Operations (TAO) is the hacking division inside the NSA Agency; its existence was confirmed in December 2013 by the German Der Spiegel. According to the German Newspaper, the TAO planted backdoors to access computers, hard drives, routers, and other devices from principal vendors.

The vast majority of the tools present in the leaked archive is coded in Python; they were developed to target firewalls and network equipment widely used by a wide range of targets, including IT giants and government agencies.

The expert Mustafa Al-Bassam confirmed that some of the hacking tools designed to breach firewalls and included in the leaked data dump allow remote code execution attack. Hackers could use them to bypass a firewall remotely, access the target network, deliver a malicious code and spy on its users.

The archive also includes a set of tools that allows the Equation Group to send malicious files to the target systems.

Of course, security experts worldwide are analyzing the hacking tools in the data dump to confirm their efficacy.

The security researcher XORcat has tested the EXTRABACON exploit. The EXTRABACON is a remote code execution exploit that works against Cisco Adaptive Security Appliance (ASA) devices affecting ASA versions 802, 803, 804, 805, 821, 822, 823, 824, 825, 831, 832, 841, 842, 843, 844.

The expert confirmed that the exploit in the leaked archive works and allows an attacker to access a CISCO firewall without providing valid credentials.

Joseph Cox from Motherboard reported that the security researcher Kevin Beaumont has successfully tested an exploit for Fortinet firewalls.

Figure 4 – Security Expert Kevin Beaumont successfully tested the Fortinet Exploit

Both Cisco and Fortinet have issued warnings and fixes for vulnerabilities exploited by the hacking tools exposed by the Shadow Brokers.

Who is behind the Equation Group hack?

The public auction of stolen NSA exploits and hacking tools may be the response of the Russian Government to the US Government that is blaming it for the DNC hack.

This is the opinion of several intelligence and cyber security experts, including the popular whistleblower Edward Snowden. The former NSA consultant speculates that the hack of the Equation Group arsenal may be a warning to the US Government that blaming Russia for the hack of the DNC could have dramatic consequences.

Snowden expressed its opinion with a series of message on Twitter:

Figure 5. Snowden Tweets on the NSA hack

Snowden has a clear opinion about the hack of the Equation Group; this is a clear message of the Kremlin to Washington. The Russian cyber units are saying to the adversary that they have a deep knowledge of the NSA arsenal and can detect any attacks they would launch, even if they try to cover their activity with sophisticated tools.

“This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast,” Said Snowden. “This leak is likely a warning that someone can prove U.S. responsibility for any attacks that originated from this malware server.”

Snowden believes that hackers compromised a staging server used by the Equation Group used to coordinate the attacks, it was not so difficult for the skilled Russian hackers.

The former NSA consultant added that the attackers lost the access to the NSA server in June 2013, just after he started disclosing the secret documents stolen from the US Intelligence Agency, likely because the NSA might have changed his hacking infrastructure as a security precaution in reaction to his leak.

The real element of innovation in this hack is the public disclosure of the hacking tools and other stolen data; it is a sort of public warning.

“This leak is likely a warning that someone can prove U.S. responsibility for any attacks that originated from this malware server,” Snowden writes. “That could have significant foreign policy consequences. Particularly if any of those operations targeted U.S. allies. Particularly if any of those operations targeted elections.”

What will happen now?

Will the NSA reply to the alleged Russian hack?

It is difficult to predict what will happen the short period. Both Governments will continue to invest searching in designing even more sophisticated hacking tools. The leakage of the data dump is a severe warning to the US and everybody. Nothing is totally secure; we are all potentially exposed to cyber attack, also the most dreaded intelligence agencies.

Back to the case, intelligence experts believe that now that the Russia had access to the NSA TAO infrastructure, it could expose attacks that the NSA launched against other governments across the years triggering several diplomatic crises.


Posted: August 18, 2016
Pierluigi Paganini
View Profile

Pierluigi is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, member of Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.