NSA tools are now sold by the piece


One of the NSA exploits allows encryption keys and VPN passwords to be extracted from Cisco devices. Screenshot: Maxim Zaitsev

The Shadow Brokers group gained fame in August 2016 when it posted a set of exploits and other NSA tools for everyone to see. Representatives of The Shadow Brokers explained that they had studied the report by Kaspersky Lab's GReAT (Global Research & Analysis Team) on the activities of the Equation Group, which is behind the most sophisticated malware samples, such as Stuxnet, Duqu and Flame. The Russian experts analyzed the code and found evidence that all these programs for industrial sabotage and intelligence operations were written by one group of programmers, or by several groups that worked together.

But the researchers at Kaspersky Lab could not break the law and hack the adversary themselves. At least, they could not do so openly and in their own name, since such actions violate a number of laws and international agreements.

All this was done by the anonymous group The Shadow Brokers. The group tracked the Equation Group's traffic and concluded that the Equation Group is most likely coordinated by the US National Security Agency.



As with the "Russian trace" in the hacking of American politicians' mailboxes, there is legally no proof of involvement. Roughly speaking, there is no NSA digital signature on these exploits. Formally, therefore, we cannot blame the NSA directly, but it is perfectly clear to specialists that nobody else has the resources to build such advanced tools and to hold a whole set of 0day vulnerabilities that no one else knows about. By simple elimination, it can be no one but the NSA.

After that publication, Cisco and other companies rushed to close the 0day vulnerabilities, which are now known to everyone.

Screenshots of the archive with the files leaked from the NSA
Kaspersky Lab quickly prepared a report with evidence that these exploits are definitely linked to the other Equation Group tools (Stuxnet and the rest).

Hacking the NSA is, of course, the greatest achievement of all. In fact, it is the peak of hacker skill. After this you can rest on your laurels for the rest of your life, telling your children and grandchildren about your exploits. And collect a state award too, of course, formally for some other occasion.

After the crowdfunding auction, nothing more was heard of The Shadow Brokers. It seemed the guys had done their job and left. Probably the crowdfunding auction for the exploits was just a cover, like the Romanian hacker Guccifer, who took responsibility for hacking the mailboxes of American politicians. Professional killers likewise fake an apartment robbery so as not to reveal the true motive of a contract killing. So, having collected a couple of bitcoins, The Shadow Brokers disappeared from view in October and stopped communicating online.

But on December 13, someone named Boceffus Cleetus posted a message on the Medium blogging platform saying that the exploits are still on sale. This man, whose avatar is the US flag with swastikas in place of the stars, professes his love for fascism and calls himself not a security expert but a "ZeroNet enthusiast". He says he accidentally discovered a site on the anonymous decentralized ZeroNet network where the NSA exploits are still being sold.

ZeroNet is a distributed network that does not depend on centralized hosting. Your device runs a Python server that connects to other users running the same software and listens on port 43110 at 127.0.0.1, which you open in your browser. Under the hood it uses BitTorrent, Bitcoin and DHT technologies. For how ZeroNet works, how to connect to sites and how to publish your own content in the distributed network, see the article on Habr.

So, a certain Boceffus Cleetus gave the website address theshadowbrokers.bit (link through a zero-proxy), where the NSA exploits are still on sale. This time they are not sold as a package, but individually.

The site published an explanation on behalf of The Shadow Brokers. They write that they tried crowdfunding, but people did not show much interest. Therefore, they will now sell the exploits directly.

The catalog on the site lists all the products, marked "implant", "trojan" or "exploit". Prices range from 1 to 100 bitcoins. The entire package can be bought at a discount for 1000 BTC (approximately $770,000).

To make a purchase, you send a message with the name of the warez you want. In reply they send a Bitcoin address to which the money should be transferred. Once the transaction is complete, The Shadow Brokers send a download link for the file and a password to decrypt the archive.

The site published screenshots of all the files from the archive with the NSA exploits. The screenshots file is signed with the genuine signature of The Shadow Brokers, made with the same PGP key they used before. They also promise to sign all files with the same signature when sending them.

The contact details for sending messages with the desired warez and wallet are as follows:

ZeroMail: theshadowbrokers@zeroid.bit
BitMessage: BM-NBvAHfp5Y6wBykgbirVLndZtEFCYGht8
Bitcoin: 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK

It is not yet clear what all this means, but in the meantime the user Boceffus Cleetus is asking for a "donation" to the "New American Empire" via his own bitcoin wallet.

Source: https://habr.com/ru/post/399963/