While the Shadow Brokers’ most recent stunt of leaking an old list of supposed NSA staging server may reveal tactics, tools and procedures once used by some of the country’s most elite hackers, the newly released evidence can be easily disputed, experts say.
Shortly after Monday’s leak, some in the digital forensics community began cross examining the IPs and domains for clues. If legitimate, the 306 domains and 352 IP addresses could offer insight into what computers a group linked to NSA may have effectively targeted between 2000 and 2010.
Computers in a total of 49 countries across the globe were apparently targeted for intrusion, according to the leaked documents. Among the laundry list of owned networks is state-owned Chinese media empire Xinhua news agency, Moscow-based Keldysh Institute of Applied Mathematics and intergovernmental scientific research organization the Joint Institute for Nuclear Research.
More broadly, the materials leaked by the Shadow Brokers in recent weeks — which also includes a trove of source code used to construct alleged NSA cyber weapons — has shone a light on methods that may be applicable to “other, similar actors, including foreign, hostile governments that may be targeting U.S. businesses,” said Travis Farral, Director of Security Strategy at Anomali.
“Examining the types of systems involved and determining commonalities amongst them may yield clues into why these specific systems were used, how they may have been compromised and even what their role may have been in subsequent attacks,” he added.
Monday’s revelation offers little detail concerning how the supposed computer infections originally occurred. Eight exploits are briefly mentioned in the dump, including those under the codenames incision, jackladder, stoicsurgeon, orangutan and patchicillin.
Notably, the vast majority of affected IPs were running older versions of the Sun Solaris Unix-based operating system during the time of the compromises. The Solaris operating system, developed by Sun Microsystems, was especially popular in the late 1990s and early-to-mid 2000s.
Cybersecurity sales engineers and consultants who spoke with CyberScoop say that they have yet to encounter a single customer who has asked about the latest Shadow Brokers dump and how it may affect their own organization.
“We do not expect any increase in DFIR [Digital Forensics and Incident Response] consulting demand as a result of this dump,” said Cylance Director of Consulting Scott Schefermann.
Examining new information that could be tied to old breaches is fairly common, but becomes difficult further out from the time of breach because of the way enterprises store and retain data. Farral told CyberScoop that to look for a possible correlation with internal logs would be extremely difficult because very few private organizations hang on for data that long.
“The general take on this is that the data is only interesting from a purely historical perspective,” said Schefermann, “even if you did have network logs that are 10 years old, and even if you did find connections to or from those domains, you wouldn’t be able to say [that] ‘the NSA was targeting my organization because I’ve seen this domain’ in my history.”
Compromised hosts, like those listed in the dump, are used by nation states and hackers alike, explained Cylance Chief Research Officer Jon Miller. A staging server can be used by a hacker to prepare a cyberattack and to obfuscate attribution. When malware is deployed from an infected, outside computer, it can make tracking an attacker more difficult and evidence less conclusive because, as Miller described, multiple actors could be leveraging the broken device.
“Just because it was used at one time by one group doesn’t mean that’s the only hacking activity it supported. Odds are numerous other attackers used it as well,” said Miller, “using this evidence as attribution against the Equation Group is not certain.”
“There may still be valuable research implications for this data set that prove interesting and meaningful — especially around which of the mentioned tools was the original Solaris exploit and whether that exploit is yet known or patched. But by and large, this particular dump is about a 1 of out 10 in terms of actionable intelligence data,” Schefermann told CyberScoop.
The real story, Miller said, is the leaks are “very likely an act of cyberwar.”
“[It] is the first time in history that rival cyberwarfare actors have taken to the public domain to release TTPs in an attempt to hobble a competitor,” said Miller, “[though] the fact that the data they’re releasing now is over ten years old suggests that’s all the data they got.”
Other experts who spoke with CyberScoop say they also believe it is the first case of nation-state hackers purposely leaking tools once used by a rival intelligence group.
“I believe this is the first time we have seen such a leak,” Brian Martin, director of vulnerability intelligence at Risk Based Security, previously said, “you have an APT that is rumored to have been compromising systems for many years, who had some of their older exploits leaked, now has hundreds of their compromised machines leaked as well.”