Shadow Brokers launch auction for Equation Group hacking cache

Whether the auction is truly placing the NSA-tied Equation Group's exploit tools for sale or whether this is an elaborate hoax is still unknown.
Written by Charlie Osborne, Contributing Writer
'Equation Group'

The Shadow Brokers have caught the eye of security professionals following the launch of an apparent "auction" where NSA exploits and software is up for grabs.

This week, the alleged hacking group said that they managed to steal a cache of exploits used by Equation, believed to have ties to the US National Security Agency (NSA).

Kaspersky calls the Equation Group one of the most sophisticated and dangerous threat actors in existence. Dubbed the "ancestor" of Stuxnet and Flame, the Equation Group uses expensive and unique exploits, zero-day vulnerabilities and a range of surveillance techniques to compromise their target's systems.

The threat actor's toolkit, which includes custom hacking tools such as EquationLaser, EquationDrug, DoubleFantasy, TripleFantasy, Fanny and GrayFish, are all able to perform a variety of functions including breaking into air-gapped systems and manipulating hard drives at the root level.

Despite the complexity and obvious funds being poured into the development of such advanced tools, the previously-unknown Shadow Brokers have reportedly been able to take all of these resources -- and are willing to sell them on to make some money.

In a Pastebin dump and on GitHub, Tumblr, Reddit, Imgur and Twitter, the group sent out an open "invitation" for interested bidders to bid for the full selection of Equation Group hacking tools.

In order to "prove" that the group had managed to steal Equation tools, archived files are available for download including a taster of some tools and exploits. However, to access the full set, a password is needed to remove encryption -- and that is where the auction comes in.

Screenshot via Twitter

"This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files," the hackers say.

The group posted a number of screenshots of the package, some of which have now been removed.

Those wishing to get their hands on these files are taking a risk. It may all be a massive hoax, and there is no way to tell if any additional files will be released. The group has demanded that bidders send Bitcoin to a wallet address, and in return, the highest bidder will be given decryption instructions.

It won't be cheap, either. The auctioneers want to raise one million Bitcoins -- over 5 percent of those in circulation -- which equates to $567,130,000.

In addition, losing bidders will not get their money back in the "auction," which has no time limit, and there is nothing stopping the Shadow Brokers from bidding up the price themselves. There is also no way to verify that the "winner" receives the files they were promised.

However, if the target funds are raised, the group 'promises' to dump more Equation files for free.

Researchers from RiskBased Security say the Equation Group teaser data "includes a significant trove of exploits designed to compromise firewalls," and upon a cursory examination, it does seem that some of the exploits in the sample are legitimate.

The team noted, for example, that one exploit called "ESPL: ESCALATEPLOWMAN" contains a reference to an IP address linked to the US Department of Defense (DoD).

As noted by Matt Suiche, CEO of security firm Comae Technologies, many of the exploits have a 2013 timestamp and include tools for use against Cisco, Juniper, Topsec and Fortigate products.

In addition, one exploit dubbed Banana Glee "is particularly interesting because it allows references to the JETPLOW explanation from the 2014 NSA's Tailored Access Operations (TAO) catalog," according to the researcher.

There is no evidence to suggest the NSA itself was compromised, as the toolkit could have come from a bad deployment or third party. It is also not known if the files beyond the teaser have any worth.

Should the auction prove to be legitimate, however, this could be a crippling blow to the NSA and may put dangerous tools into even more hands -- or, alternatively, the auction is simply an elaborate hoax designed to make some serious money from risk takers eager to get their hands on sophisticated hacking tools.

At the time of writing, the auction has raised 0.12BTC, roughly $68.

The 10 step guide to using Tor to protect your privacy

Editorial standards