In a farewell message
posted Thursday morning, group members said they were deleting their
accounts and making an exit after their offers to release their entire
cache of NSA hacking tools in exchange for a whopping 10,000 bitcoins
(currently valued at more than $8.2 million) were rebuffed. While they
said they would still make good on the offer should the sum be
transferred into their electronic wallet, they said there would be no
more communications.
"Despite theories, it always being about
bitcoins for TheShadowBrokers," Thursday's post, which wasn't available
as this article was going live, stated. "Free dumps and bullshit
political talk was being for marketing attention. There being no
bitcoins in free dumps and giveaways. You are being disappointed? Nobody
is being more disappointed than TheShadowBrokers."
The post included 61 Windows-formatted
binary files, including executables, dynamic link libraries, and device
drivers. While, according to this analysis, 43 of them were detected by antivirus products from Kaspersky Lab, which in 2015 published a detailed technical exposé into the NSA-tied Equation Group, only one of them
had previously been uploaded to the Virus Total malware scanning
service. And even then, Virus Total showed that the sample was detected
by only 32 of 58 AV products even though it had been uploaded to the
service in 2009. After being loaded into Virus Total on Thursday, a second file included in the farewell post was detected by only 12 of the 58 products.
Parting insult
Malware experts are still analyzing the files,
but early indications are that, as was the case with earlier Shadow
Brokers dumps, they belonged to the Tailored Access Operations, the
NSA's elite hacking unit responsible for breaking into the computers and
networks of US adversaries. And given evidence the files remained
undetected by many of the world's most widely used malware defenses,
Thursday's farewell message may have been little more than a parting
insult, particularly if the group has origins in the Russian government,
as members of the intelligence community have speculated.
"This farewell message is kind of a burn-it-to-the-ground moment," Jake Williams, a malware expert and founder of Rendition Infosec,
told Ars. "Russian ties make sense given the inauguration [of Donald
Trump] happens in a short time [from now]. If that narrative is correct
and Shadow Brokers is Russian, they wouldn't be able to release those
tools after Trump takes office. If you roll with that narrative, [the
burn-it-to-the-ground theory] certainly works."
Under such theories, Russian hackers attempted
to sway the 2016 presidential election in favor of Trump in hopes his
policies would be more favorable to Russia than Hillary Clinton's. Once
Trump takes office, Russian hackers would want to prevent any blowback
from hitting the new president. Thursday's farewell message came within
hours of a new dispatch from Guccifer 2.0,
the online persona that leaked hacked Democratic e-mails that the US
intelligence community said was a front for Russian operatives. In the
post, Guccifer 2.0 strenuously rejected the accusation that he was
Russian and claimed evidence to the contrary was false.
Thursday's dump came several days after Shadow Brokers members published screenshots of what they claimed were NSA-developed exploits for Windows systems.
While the absence of the actual files themselves made analysis
impossible, the screenshots and the file names suggested the cache may
have included a backdoor made possible by a currently unpatched
vulnerability in the Windows implementation of the Server Message Block
protocol.
Other tools appeared to provide:
bypasses for antivirus programs from at least a dozen providers, including Kaspersky, Symantec, McAfee, and Trend Micro
a streamlined way to surgically remove entries from event logs used to forensically investigate breached computers and networks
hacks for a Windows-based e-mail client known as WorldTouch
capabilities for gaining administrator privileges or dumping passwords on Windows machines.
A Kaspersky Lab representative issued the following statement:
"At Kaspersky Lab, we have checked
a copy of the archive from the latest Shadow Brokers post and performed
a quick analysis. Most of the samples in the archive are EquationDrug
plugins, GrayFish modules and EquationVector modules. These three are
known malware platforms used by the Equation group, which we described
in February 2015. From the list of 61 files provided, our products
already detect 44 of them. We are updating our products to detect all
further samples."
The full text of the Shadow Brokers' farewell post read:
So long, farewell peoples.
TheShadowBrokers is going dark, making exit. Continuing is being much
risk and bullshit, not many bitcoins. TheShadowBrokers is deleting
accounts and moving on so don’t be trying communications. Despite
theories, it always being about bitcoins for TheShadowBrokers. Free
dumps and bullshit political talk was being for marketing attention.
There being no bitcoins in free dumps and giveaways. You are being
disappointed? Nobody is being more disappointed than TheShadowBrokers.
But TheShadowBrokers is leaving door open. You having TheShadowBrokers
public bitcoin address 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK
TheShadowBrokers offer is still being good, no expiration. If
TheShadowBrokers receiving 10,000 btc in bitcoin address then coming out
of hiding and dumping password for Linux + Windows. Before go,
TheShadowBrokers dropped Equation Group Windows Warez onto system with
Kaspersky security product. 58 files popped Kaspersky alert for
equationdrug.generic and equationdrug.k TheShadowBrokers is giving you
popped files and including corresponding LP files. Password is
FuckTheWorld Is being final fuck you, you should have been believing
TheShadowBrokers.
Files included with the post carried the following names:
Of interest to researchers looking for clues
about the people behind Shadow Brokers, images included with the file
dump showed the files were included on a Drive D that was most likely a
USB drive, given an accompanying icon. The folder was titled DSZOPSDISK,
a string that also matches a folder name from a previous exploit dump.
The evidence "lends credibility to the argument the leak came from an
insider who stole, and subsequently lost control of, a USB stick, rather
than a direct hack of the NSA," independent researcher Matt Tait, who
posts under the Twitter handle Pwn All The Things, told Ars. As Tait also observed,
the computer the drive was attached to appeared to be running Kaspersky
AV and VMware tools, had no connected network or sound card, and was
configured to show dates in the dd/mm/yyyy format. The files were signed
by the same cryptographic key used to sign previous Shadow Broker
dumps.
One theory floated by intelligence officers and reported by The New York Times
is that the Shadow Brokers leaks were carried out by Russian operatives
as a warning to the US not to publicly escalate blame of President
Vladimir Putin for hacks on the Democratic National Committee. NSA
leaker Edward Snowden and a host of others have also speculated that
Russia is behind the Shadow Brokers as well. There's no definitive proof
of Russian involvement, but the timing of Thursday's farewell and the
potentially damaging leaks that accompanied it—coming eight days before
the inauguration of President-elect Donald Trump—give the inescapable
impression of a link.
"They may not be Russian," Williams said of
the Shadow Brokers members. "But it is inexplicable they would release
the dump without understanding the timing and how it would be read.
Anyone smart enough to steal these tools understands the conclusion that
will be drawn by most."