The Shadow Brokers

The Shadow Brokers (TSB) is an unknown threat actor, responsible for the publication of exploits and vulnerabilities[1][2] (specifically targeting enterprise firewalls), tied to the Equation Group threat actor.[3][4] While the exact timeline is currently unfolding, reports suggest that preparation of the leak started at least in the beginning of August,[5] and that the initial publication occurred August 13, 2016, with a Tweet from the Twitter account, "@theshadowbrokerss", announcing a Pastebin page,[2] containing references and instructions for obtaining and decrypting the content of a file, supposedly containing tools and exploits used by Equation Group.

Publication and speculation about authenticity

The Pastebin page[2] opens with a section titled "Equation Group Cyber Weapons Auction - Invitation", with the following content:

Equation Group Cyber Weapons Auction - Invitation

------------------------------------------------

!!! Attention government sponsors of cyber warfare and those who profit from it !!!!

How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.

The Pastebin page lists several sources for obtaining the file "EQGRP-Auction-Files.zip". The zip file contains seven files, two of which are GPG-encrypted archives named "eqgrp-auction-file.tar.xz.gpg" and "eqgrp-free-file.tar.xz.gpg". The "eqgrp-free-file.tar.xz.gpg" archive is encrypted with the password "theequationgroup". The contents of this file are currently the only released material related to this publication. It is unknown whether the content of the "eqgrp-auction-file.tar.xz.gpg" file is authentic, as the password for decrypting that archive has not been made public.

The Pastebin page continues with instructions for obtaining the password to the encrypted auction file:

Auction Instructions

--------------------

We auction best files to highest bidder. Auction files better than stuxnet. Auction files better than free files we already give you. The party which sends most bitcoins to address: 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK before bidding stops is winner, we tell how to decrypt. Very important!!! When you send bitcoin you add additional output to transaction. You add OP_Return output. In Op_Return output you put your (bidder) contact info. We suggest use bitmessage or I2P-bote email address. No other information will be disclosed by us publicly. Do not believe unsigned messages. We will contact winner with decryption instructions. Winner can do with files as they please, we not release files to public.

The publication was initially met with some skepticism[6] as to whether the content actually consisted of "...many many Equation Group cyber weapons."[2]

Speculations and theories on motive and identity

NSA insider threat / whistleblower

James Bamford along with Matt Suiche speculated[7] that an insider, "possibly someone assigned to the [NSA’s] highly sensitive Tailored Access Operations", stole the hacking tools.[8][9]

Theory on ties to Russia

Edward Snowden stated on Twitter that "circumstantial evidence and conventional wisdom indicates Russian responsibility"[10] and that the leak "is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server",[11] summarizing that it looks like "somebody sending a message that an escalation in the attribution game could get messy fast".[12][13]

This article is issued from Wikipedia - version of the 10/21/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.