Shadow Brokers leak list of supposed NSA controlled computers in China, Russia

A mysterious group of hackers calling themselves the Shadow Brokers are claiming to have once again published secrets belonging to the National Security Agency. In a message posted to Medium, it appears the Shadow Brokers may have shared the domains and IP addresses of numerous infected computer networks once used as staging servers by the spy agency.

These staging servers — which include computers owned by international universities and overseas telecommunications companies, according to analysis conducted by a freelance security researcher — may have been leveraged to launch clandestine cyber operations. Using infected, unrelated, outside networks to launch specific attacks can help with obfuscating attribution.

The Shadow Brokers claim that the 306 domains and 352 IP addresses revealed in the dump belong to the Equation Group, an elite hacking squad widely believed to be fielded from within the NSA. Timestamps on the servers, however, dating between 2000 and 2010, suggest the leaked intelligence is old.

“I believe this is the first time we have seen such a leak. You have an APT that is rumored to have been compromising systems for many years, who had some of their older exploits leaked, now has hundreds of their compromised machines leaked as well. This is a real treasure trove of information for many companies, especially those in the DFIR space,” said Brian Martin, director of vulnerability intelligence at Risk Based Security. 

“This may have a wide variety of fallout as companies and foreign governments use it to potentially determine if they were hacked, how long ago, or if those machines were used to launch attacks against them. We may not hear much, if anything, but those investigations will certainly happen,” said Martin.

Computers in a total of 49 countries across the globe were apparently targeted for intrusion by the NSA, according to the unconfirmed documents. Among the laundry list of owned networks is state-owned Chinese media empire Xinhua news agency, Moscow-based Keldysh Institute of Applied Mathematics and intergovernmental scientific research organization the Joint Institute for Nuclear Research.

The group’s latest release comes while former NSA contractor Harold Martin sits in a Maryland detention center after being arrested on Aug. 27 for stealing an immense trove of classified material.

According to The Washington Post, Martin is one of the prime suspects behind the Shadow Brokers case. A direct connection between Martin and the mysterious group remains unclear. Martin allegedly stole more than 50 terabytes worth of data over the course of two decades while working for the nation’s most secretive spy organizations, including both the NSA and Office of the Director of National Intelligence, or ODNI.

Prior to Monday, the group’s last message came earlier this month when the group announced it would abandon plans to auction of a stash of cyberweapons tied to the Equation Group. Instead, the Shadow Brokers are now advertising a crowdsourced fundraising dynamic, where the code behind the tools will be openly published if they reach a monetary goal of roughly $7,070,300 in bitcoin.

“As always, this information must be taken with a grain of salt. While the Shadow Brokers previous leaks have checked out, this is also the kind of leak that is much easier to inject false information into,” Risk Based Security’s Martin told CyberScoop.