Yet again, a group known as The Shadow Brokers is in the news, with yet another leak from what is widely accepted as the NSA (Equation Group[1] in APT terms). This release is, to many, the most important of the releases of this leaked, stolen material from the most elite and secretive hacking operation in the world.
This is a collection of a few notes on this highly unusual operation. If you haven’t read this excellent overview of the most recent release by Dan Goodin, you should do that now.
The Shadow Brokers have released material on five occasions[2]:

1. A group of files were uploaded to GitHub (and quickly removed), including a file (“eqgrp-auction-file.tar.xz.gpg”) containing exploits and implants for Linux and similar operating systems, and a file (“eqgrp-free-file.tar.xz.gpg”, with a password of theequationgroup) containing exploits and implants for a variety of networking equipment; the latter was used as a sample.
2. A second, smaller sample file named “trickortreat.tar.xz.gpg”, with a password of payus.
3. In what was purported at the time to be their final message, Shadow Brokers released a new file, “equation_drug.tar.xz.gpg”, that included files that had been identified by Kaspersky AntiVirus as Trojan.Win32.EquationDrug.
4. In an only somewhat surprising move, they posted a rambling treatise on US politics and Donald Trump, which included the password (CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN) for “eqgrp-auction-file.tar.xz.gpg” – the file they tried and failed to sell when they started. This contained the Linux exploits and implants that had been promised, though much of the content was rather old and of little interest.
5. Perhaps the most exciting release, as it included the Windows exploits and the Equation Group’s equivalent of Metasploit, called FuzzBunch – but the story doesn’t end there; there was a big surprise included. The three files are “windows.tar.xz.gpg”, “odd.tar.xz.gpg”, and “swift.tar.xz.gpg” – with the last containing the unexpected surprise.
I know a few NSA contractors/providers being really upset to see some of their gold exploits being publicly exposed/killed. #ShadowBrokers
— Chaouki Bekrar (@cBekrar) April 14, 2017
As the community works to analyze the latest dump, going through the exploits to identify what they are and whether they are already known, some very interesting things have been found. ETERNALBLUE appears to be a 0day against Windows XP, Vista, 2003, 2008, 2008R2, and Windows 7 (it’s being reported that Windows 10 is vulnerable as well[3]) – one can imagine that there is panic in Redmond as Microsoft works to analyze it and prepare a patch. This is just one exploit; there’s also ETERNALCHAMPION, EASYBEE, EASYPI, ECLIPSEDWING, EDUCATEDSCHOLAR, EMERALDTHREAD, EMPHASISMINE, ENGLISHMANSDENTIST, ERRATICGOPHER, ESKIMOROLL, ESTEEMAUDIT, ETERNALROMANCE, ETERNALSYNERGY, EWOKFRENZY, EXPLODINGCAN, and ZIPPYBEER – there’s a lot of work to be done to fully understand the impact and figure out what needs to be fixed. A number of the versions of Windows targeted by these exploits are no longer supported, such as Windows XP, Windows 2003, and Vista – meaning that there’s no patch coming; these systems will remain vulnerable forever.
What’s clear is that there is real value in the exploits that have been released (estimated at $2M or more), and that they are likely very important to NSA intelligence operations (or at least they would have been until NSA learned that they had been compromised).
As a security person – best interest to review/investigate SB dump to validate TTPs, but still feel dirty doing it.
Sad day for IC imo.
— Dave Kennedy (ReL1K) (@HackingDave) April 14, 2017
As NSA doesn’t talk about anything if it can be avoided, it’s unlikely that we will ever know what the impact is to their operations. We will likely see just how effective these exploits are, though, as criminals work to leverage them in exploit kits and the like – you can be sure that, just because these exploits are now known, this certainly isn’t the last we’ll see of them.
While it was known that they had various Windows exploits, they also dropped something that is of less interest from a technical perspective, though fascinating from an operational perspective: a collection of operator’s notes relating to attacks on SWIFT. These files include detailed system configurations, passwords, and step-by-step notes of what was done on the devices that were attacked.
Matt Suiche has done a great job of documenting what’s exposed by this cache, so I won’t repeat that here. If you want a better understanding of how they work, and what they’ve done, I highly suggest reading it.
Their collection is just that, a collection. A variety of different things pulled together over the years from different sources.
— the grugq (@thegrugq) April 14, 2017
There’s been a great deal of debate about the source of these files, some have suggested that it was an insider, possibly even Harold Thomas Martin, though an insider makes little sense. The data is most likely from a jump-server – a server that NSA operators would push their files to, and connect to targets from. This would explain the type of files and documentation found – and would explain the files that aren’t included, such as source code, training material, and similar files that an insider would have access to, but wouldn’t be stored on a server outside of their network.
One likely scenario is that a jump-server was captured by another intelligence agency, and the leaks and bizarre rants were part of a political play – though their choices of how to release information have greatly reduced their effectiveness. The SWIFT files could have been positioned as a WikiLeaks-styled bombshell, though they were dropped quietly, without the fanfare needed to make news outside of the normal technology publications – while the exploits have a substantial impact, they are of little interest to most people outside of the industry; the SWIFT work, on the other hand, could be of much larger significance.
The level of detail about targets, and details from operator logs should allow the NSA to narrow the possible sources; I’m hoping that at some point there’s an official statement about who they believe is releasing these files – though the odds of that happening don’t seem good.
[1] The name Equation Group was coined by Kaspersky; while they didn’t directly state that Equation Group is the NSA (or possibly just NSA’s TAO group), a close look at the evidence makes it quite clear. The material released fits with both the signatures of the Equation Group and with a US Government operation. There is some small chance that the attribution is wrong, but the odds of that appear to be quite low. ↩︎
[2] From the start of these releases, I’ve maintained an archive of the files, so that they are searchable and browsable. This has made it easy to review the files and quickly find related files. It’s interesting, to say the least. ↩︎
[3] Update 2017-04-15: Microsoft has released an update on their review of these exploits; ETERNALBLUE, ETERNALROMANCE, and ETERNALSYNERGY were all addressed in MS17-010, released in March 2017 (the source of the report was not listed). They confirmed the issue impacted Windows 10, and pretty much every other supported version of Windows. ↩︎