
Hacking The Equation Group server could have serious consequences for NSA operations and US foreign policy

Demonstration of the power of an unknown opponent



The NSA building. Photo by Gary Cameron / Reuters

On August 13, 2016, unknown persons published source code and exploits belonging to The Equation Group and promised to release further material obtained from the hacked server. The importance of this event is difficult to overestimate.

To begin with, The Equation Group is associated with the NSA and is presumed to have carried out technically sophisticated cyber attacks, such as infecting the computers controlling uranium enrichment centrifuges in Iran. In 2010 the Stuxnet malware, which exploited a 0day vulnerability in Windows, disabled between 1,000 and 5,000 Siemens centrifuges by changing their rotation speed. As a result, the American-Israeli operation "Olympic Games" seriously slowed Iran's nuclear program and allegedly prevented an Israeli airstrike on Iranian nuclear facilities.

The malware, later named Stuxnet, was detected in June 2010 by antivirus specialists from Belarus who had no idea what it was. Through a mistake by the American or Israeli programmers, the virus continued to spread beyond the intended target and began disabling Siemens industrial equipment in other countries. Nobody bore responsibility for this.
In addition to Stuxnet, The Equation Group is credited with authoring several other highly sophisticated offensive cyber weapons and spyware tools, which were used to spy on foreign governments and commercial companies. These are the Duqu and Flame tools, well known in narrow circles of specialists. Like Stuxnet, these tools were thoroughly analyzed by the Global Research & Analysis Team (GReAT) of Kaspersky Lab, perhaps the best in the world at analyzing foreign offensive cyber weapons. The Russian experts concluded, and found evidence, that these programs share modules and code fragments, that is, they were developed by one group or by several closely related groups.

It has repeatedly been suggested that the United States is behind these cyber attacks. Now the hacker group Shadow Brokers threatens to provide direct evidence of this.



The unknown persons who call themselves the hacker group Shadow Brokers published several exploits and organized a bizarre auction in which losing bids are not returned to the participants. The auction winner was promised all the information stolen from The Equation Group servers.

All this would look rather suspicious and implausible if not for several circumstances.

First, real exploits have been published: they are mentioned in the NSA spyware tools catalog that Edward Snowden made public in 2013. But Snowden never published these files, so this is new information.

As the first test results show, the published exploits actually work.

Edward Snowden himself commented on this leak in a dozen tweets yesterday. He made it clear that the hacking of The Equation Group did take place (that is, he believes the Shadow Brokers are telling the truth). At the same time, Snowden published several details on how the NSA's spyware programs work, as well as the cyber weapons being created in other countries. He said that targeted attacks are aimed at specific targets and remain undetected for several years. Information is collected through C2 servers, a practice called Counter Computer Network Exploitation, or CCNE, or through proxy hops (ORBs). Countries try to discover their opponents' CCNE and study their tools. Naturally, in such cases it is important not to reveal that the enemy's weapons have been detected, so that he continues to use them; therefore malware cannot be removed from already infected systems.

Edward Snowden says the NSA is not unique in this regard. The intelligence services of other countries do exactly the same.

Knowing that the enemy is looking for and investigating its CCNE, the NSA's hacker unit, known as the Office of Tailored Access Operations (TAO), is told not to leave the binaries of its programs on the CCNE servers, but "people are lazy," and sometimes slip-ups happen, Snowden says.

Apparently, this is exactly what happened now. Edward Snowden says that the NSA's CCNE servers had been hacked before, but this is the first time there has been a public demonstration. Why did the enemy stage such a demonstration? Nobody knows. But Edward Snowden suspects that this action by the Shadow Brokers looks more like a diplomatic signal connected with the escalation of the conflict around the recent hacking of the US Democratic National Committee, after which 20,000 private emails of American politicians were published on WikiLeaks, revealing the ugly underside of domestic political games.

“Indirect evidence and common sense point to Russia's involvement,” writes Edward Snowden. “And that's why this is important: this leak is probably a warning that someone can prove the US guilt for any attack from this particular CCNE server.”


"This could have serious implications for foreign policy. Especially if any of these operations were directed against the US allies. Especially if it was related to the elections."

Thus, according to Snowden, the actions of the Shadow Brokers are a kind of preemptive strike meant to influence an adversary who is now deciding how to react to the hacking of the US Democratic National Committee. In effect, someone is warning the Americans that escalating the conflict would be unwise here, because the other side holds all the trump cards.

Snowden added that the scant available data indicates that an unknown hacker did gain access to this NSA server, but lost that access in June 2013. Probably the NSA simply stopped using the server at that moment.

Some experts are also inclined to believe that the hacking of The Equation Group is not a fake. This view is shared by The Grugq, an independent broker of exploits and 0day vulnerabilities, and by independent security researcher Claudio Guarnieri, who has long analyzed hacking operations conducted by Western intelligence services. Dmitri Alperovitch of CrowdStrike agrees with them. He believes that the hackers "have been sitting on this information for years, waiting for the best moment to publish."

“Definitely, everything looks real,” said Bruce Schneier, one of the well-known information security experts. “The question is, why did someone steal it in 2013 and publish it this week?”

An analysis of the published source code was released yesterday by specialists from Kaspersky Lab's GReAT division. They compared the published files with previously known malware samples attributed to The Equation Group and found strong similarities between them. In particular, The Equation Group uses a specific implementation of the RC5/RC6 cipher in which the encryption library performs a subtraction with the constant 0x61C88647, whereas the traditional, universally used RC5/RC6 code uses a different constant, 0x9E3779B9, i.e., -0x61C88647. Since addition is faster than subtraction on some hardware, it is more efficient to store the constant as a negative value and add it rather than subtract it.
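The following is an added example written for this article, not code from Kaspersky Lab or from the leaked files. It shows why the two constants are interchangeable: modulo 2^32, adding 0x9E3779B9 is the same as subtracting 0x61C88647, so both forms of the RC6 key-schedule initialization produce identical expanded keys. It also includes a simple triage scan that looks for either constant as a little-endian immediate in a byte buffer, the kind of code-similarity signal analysts use for attribution. The byte sample in SAMPLE_BLOB is constructed for the example; the RC6 parameters (w=32, r=20) are the textbook ones.

```python
import struct

MASK32 = 0xFFFFFFFF
P32 = 0xB7E15163       # RC5/RC6 magic constant P_w (derived from e)
Q32 = 0x9E3779B9       # textbook Q_w (derived from the golden ratio)
NEG_Q32 = 0x61C88647   # constant seen in the Equation Group library: (-Q32) mod 2^32


def rotl32(x, r):
    """Rotate a 32-bit word left by r bits (r is reduced mod 32)."""
    r &= 31
    return ((x << r) | (x >> (32 - r))) & MASK32


def rc6_initial_table(variant="add", rounds=20):
    """Initial S table of the RC6 key schedule (2r+4 words).

    'add' is the textbook form  S[i] = S[i-1] + Q32
    'sub' is the form from the leaked library  S[i] = S[i-1] - 0x61C88647
    Both yield the same table because Q32 + NEG_Q32 == 2^32.
    """
    t = 2 * rounds + 4
    s = [P32]
    for _ in range(1, t):
        if variant == "add":
            s.append((s[-1] + Q32) & MASK32)
        elif variant == "sub":
            s.append((s[-1] - NEG_Q32) & MASK32)
        else:
            raise ValueError("variant must be 'add' or 'sub'")
    return s


def rc6_key_schedule(key, variant="add", rounds=20):
    """Full RC6 key schedule for w=32; returns the expanded key words S."""
    s = rc6_initial_table(variant, rounds)
    t = len(s)
    c = max(1, (len(key) + 3) // 4)                 # key length in 32-bit words
    padded = key + b"\x00" * (c * 4 - len(key))     # zero-pad to a word boundary
    L = list(struct.unpack("<%dI" % c, padded))     # little-endian key words
    a = b = i = j = 0
    for _ in range(3 * max(t, c)):                   # standard mixing loop
        a = s[i] = rotl32((s[i] + a + b) & MASK32, 3)
        b = L[j] = rotl32((L[j] + a + b) & MASK32, (a + b) & 31)
        i = (i + 1) % t
        j = (j + 1) % c
    return s


# Known key-schedule constants, as a reverse engineer would search for them.
SIGNATURE_CONSTANTS = {"standard_Q32": Q32, "equation_negQ32": NEG_Q32}


def find_key_schedule_constants(blob):
    """Return the names of known RC5/RC6 constants present as little-endian
    32-bit immediates in a byte buffer. A cheap triage signal for a code
    review or YARA rule, not proof of authorship on its own."""
    found = set()
    for name, value in SIGNATURE_CONSTANTS.items():
        if struct.pack("<I", value) in blob:
            found.add(name)
    return found


# Constructed sample: a few filler bytes with the negated constant embedded.
SAMPLE_BLOB = b"\x55\x8b\xec\x2d" + struct.pack("<I", NEG_Q32) + b"\xc3"


if __name__ == "__main__":
    key = bytes(range(16))  # constructed 128-bit key
    same = rc6_key_schedule(key, "add") == rc6_key_schedule(key, "sub")
    print("add/sub key schedules identical:", same)
    print("constants found in sample:", find_key_schedule_constants(SAMPLE_BLOB))
```

The scan deliberately reports the standard constant too: a hit on 0x9E3779B9 alone says only that something RC5/RC6-like (or any golden-ratio-based hash) is compiled in, while a hit on 0x61C88647 is the narrower, compiler- or author-specific fingerprint that Kaspersky's comparison relied on. Either way the result is one data point to be weighed alongside the "hundreds of similar code fragments" mentioned below, not an attribution by itself.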



The comparison found hundreds of similar code fragments between old samples and files published by Shadow Brokers.



If Snowden is right and the Shadow Brokers' actions are more "diplomatic" in nature, then the announced "auction" with its strange conditions is just a sham. It exists only for the sake of PR, so that the story is picked up by the media and spread as widely as possible. They duplicate all references to the "auction" on their Twitter. Recall that the Shadow Brokers promised to hand over the information to the winner of the auction, who would have to pay the unrealistic sum of 1 million (!) bitcoins, that is, more than half a billion dollars. At the moment there are 15 bids in their wallet totalling 1.629 BTC. The highest bid is 1.5 BTC.

The Equation Group exploit repository was removed from GitHub. The reason is not that malware code was published there: the Hacking Team's exploits, for example, have been on GitHub for a long time without complaint. GitHub cites as the reason the attempt to profit from the sale of stolen code, which violates the terms of the GitHub user agreement. The files have also been deleted from the Tumblr media service. However, the exploits are still available from several other sources:

» magnet:?xt=urn:btih:40a5f1514514fb67943f137f7fde0a7b5e991f76&tr=http://diftracker.i2p/announce.php
» http://dfiles.ru/files/9z6hk3gp9
» https://mega.nz/#!zEAU1AQL!oWJ63n-D6lCuCQ4AY0Cv_405hX8kn7MEsa1iLH5UjKU
» http://95.183.9.51/
Free Files (Proof): eqgrp-free-file.tar.xz.gpg
sha256sum = b5961eee7cb3eca209b92436ed7bdd74e025bf615b90c408829156d128c7a169
gpg --decrypt --output eqgrp-free-file.tar.xz eqgrp-free-file.tar.xz.gpg
Archive password: theequationgroup

WikiLeaks has promised to upload files in the near future.

The NSA press service declined to comment.

Source: https://habr.com/ru/post/396779/
