The Shadow Brokers have returned and are trying to spook the U.S. government this Halloween. The hackers, who’d previously claimed to have leaked a portion of the National Security Agency’s digital arsenal, today published files that experts believe show which foreign servers were compromised by the NSA to expand its espionage operations.
FORBES looked at the data and saw servers that appeared to belong to the Chinese government. Nine .gov sites were on the target list, five of them in China. There was an apparent penchant for Asian machines in general: a large proportion – as many as 32 – of the 306 domain names listed were run by educational institutes in China and Taiwan. Just a handful were based in Russia.
Security experts noted many of the servers ran Solaris, a Unix-based operating system now owned by Oracle. The timestamps on the servers dated from between 2000 and 2010, making the leaked data old. Many should now be clean of infection, but Matthew Hickey, director of Hacker House, checked the listed servers and found some were still running old, possibly vulnerable systems. “Some are now updated but a few are still the same platform which indicates it's probably not fake,” he told FORBES.
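The analysis described above (counting hosts by country and sector, and checking whether any of them are yours) is the first thing a defender does with a leaked target list. The following is an added example, not code from the article, from Hacker House or from the leak itself; it assumes the dump is a plain text file with one hostname per line, and both the host list and the asset inventory below are constructed placeholders, not entries from the real dump.

```python
"""Triage a leaked list of allegedly compromised hostnames.

Added example. Assumes a one-hostname-per-line text dump (constructed
sample below; none of these hosts come from the actual leak).
"""
from collections import Counter

# Constructed sample dump, in the shape of a one-hostname-per-line list.
SAMPLE_LIST = """\
# comment lines and blanks should be ignored
www.example-ministry.gov.cn
mail.example-uni.edu.cn
ftp.example-college.edu.tw
NS1.EXAMPLE-INSTITUTE.EDU.TW
portal.example-agency.gov
web.example-lab.ru
mail.example-uni.edu.cn
"""

# Constructed asset inventory for a hypothetical organisation.
MY_ASSETS = {"example-college.edu.tw", "corp.example.org"}

# Second-level labels under which many ccTLDs nest registrations (heuristic).
SECOND_LEVEL = {"edu", "gov", "ac", "com", "org", "net"}


def parse_host_list(text):
    """Return deduplicated, lowercased hostnames, skipping blanks and comments."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line or line.startswith("#"):
            continue
        hosts.add(line.rstrip("."))
    return sorted(hosts)


def registrable_suffix(host):
    """Return 'edu.cn'-style two-label suffixes for ccTLD schemes, else the TLD.

    A heuristic, not a full public-suffix lookup.
    """
    labels = host.split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-2:])
    return labels[-1]


def summarise(hosts):
    """Count hosts by registrable suffix, by country-code TLD, and .gov-style hosts."""
    by_suffix = Counter(registrable_suffix(h) for h in hosts)
    tlds = [h.rsplit(".", 1)[-1] for h in hosts]
    by_cctld = Counter(t for t in tlds if len(t) == 2)
    gov_count = sum(n for s, n in by_suffix.items() if s == "gov" or s.startswith("gov."))
    return {"by_suffix": dict(by_suffix), "by_cctld": dict(by_cctld), "gov": gov_count}


def find_own_assets(hosts, assets):
    """Return leaked hosts that equal, or are subdomains of, one of our assets."""
    hits = []
    for h in hosts:
        if any(h == a or h.endswith("." + a) for a in assets):
            hits.append(h)
    return hits


if __name__ == "__main__":
    hosts = parse_host_list(SAMPLE_LIST)
    print(f"{len(hosts)} unique hosts")
    print(summarise(hosts))
    print("our assets on the list:", find_own_assets(hosts, MY_ASSETS))
```

The suffix grouping is deliberately a heuristic: a real triage would use a public-suffix list and then resolve the hits against an up-to-date asset inventory rather than scanning the hosts.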
When the Shadow Brokers crew first emerged, in August this year, they leaked files belonging to the so-called Equation Group, which many had deemed to be an NSA operation. They also organized what many considered a joke auction for 1 million Bitcoins, worth roughly $560 million at the time, to release more information. Russian security firm Kaspersky Lab first revealed the Equation Group’s activities in February 2015.
“My opinion is that this leak is a snippet to show that the auction files contain a Solaris implant/exploit,” added Hickey. He and others believe the hacked systems were “staging servers” – computers used to host malware and retrieve data. “It’s practically a smoking gun that the US, if the leaks are true, is masking its attacks through those countries to make attribution harder.”
The NSA had not responded to a request for comment at the time of publication.
Today, the Shadow Brokers didn’t leak any exploit code as they did in August, only a list of allegedly hacked servers. They continued to espouse their anti-American rhetoric, however, in a diatribe accompanying the leak. They paid particular attention to the upcoming election (the following is verbatim, grammatical mistakes theirs): “USSA elections is coming! 60% of Amerikansky never voting. Best scenario is meaning half of remaining red or blue fanatics or 20% of the most fanatical is picking USSA government? A great power. A free country. A good-doer.
“TheShadowBrokers is having suggestion. On November 8th, instead of not voting, maybe be stopping the vote all together? Maybe being grinch who stopped election from coming? Maybe hacking election is being the best idea? #hackelection2016.
“Remembering Iran elections? Rembering stuxnet? Maybe is not Russia hacking election, maybe is being payback from Iran?” Stuxnet was a piece of malware, reportedly developed by the U.S. and Israel. It targeted a uranium enrichment plant in Iran, setting back the operation by at least two years.
The Shadow Brokers signed off: “How bad do you want it to get? When you are ready to make the bleeding stop, payus, so we can move onto the next game. The game where you try to catch us cashing out! Swag us out!”
The latest leak, and other recent online communications of the Shadow Brokers, came after the arrest of Harold T. Martin III, a former Booz Allen Hamilton employee accused of stealing as much as 50TB of data from the NSA. Some publications, including the New York Times, reported Martin may have been linked to the Shadow Brokers leaks. But, as Martin was arrested in late August and remains in custody, there are strong doubts over his link to the group.