‘Shadow Brokers’ Reveal List Of Servers Hacked By The NSA; China, Japan, And Korea The Top 3 Targeted Countries; 49 Total Countries, Including: China, Japan, Germany, Korea, India, Italy, Mexico, Spain, Taiwan, & Russia
Swati Khandelwal writes in the October 31, 2016 edition of The Hacker News that the hacker group calling itself The Shadow Brokers, the same group that previously claimed to have leaked a portion of the tools the NSA uses to hack into foreign targets, published [on Oct. 31] a list of foreign servers that the agency has reportedly successfully hacked into.
Ms. Khandelwal writes that “the data dump reportedly contains 306 domain names, and 352 IP addresses which are hosted in at least 49 countries — with 32 of the domains being run by educational institutes in China and Taiwan.” She adds that “a few of the domains were based in Russia; and, at least nine of the domains include .gov websites.” “The top 10 countries include: China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy, and Russia.”
Targeted Systems — Solaris, Unix, Linux, & FreeBSD
“Most of the affected servers were running Solaris, the Oracle-owned, Unix-based operating system; while some were running FreeBSD or Linux,” The Hacker News reported. “Each of the compromised servers was reportedly a target of INTONATION and PITCHIMPAIR, code-names given for cyber-spy hacking programs.”
Ms. Khandelwal adds that “the data dump also contains references to a list of previously undisclosed [NSA] Equation Group tools, including: Dewdrop, Incision, Jack Ladder, Reticulum, Patchicillin, Sidetrack, and Stoicsurgeon.” Ms. Khandelwal speculates that “the tools mentioned above could be hacking implants, tools, or exploits used by the NSA.”
Security researcher Mustafa al-Bassam, an ex-member of LulzSec and the Anonymous hacking collective, told The Hacker News that “the NSA likely compromised all the servers between 2000 and 2010.” Dan Goodin, writing in the October 31, 2016 edition of Ars Technica, notes that “timestamps included in the leak indicate the servers were targeted between August 22, 2000, and August 18, 2010.”
The cybersecurity firm Hacker House stated that “if this data is to be believed, it may contain a list of computers which were targeted during this time period. A brief Shodan scan of these hosts indicates that some of the affected hosts are still active and running the identified software. These hosts may still contain forensic artifacts of the Equation Group APT group, and should be subject to incident response handling procedures.”
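Hacker House's point is the practical one for a defender: if your organisation appears on a leaked target list, the hosts involved need incident-response handling, not just a news read. The script below is an added example, not code from the article, The Hacker News, or Hacker House. It shows the triage step an IR team would run first: normalise a raw dump of mixed hostnames and IP addresses, reject junk lines and duplicates, summarise the domains by top-level domain, flag government and education hosts (the categories the reporting singles out), and intersect the list with the organisation's own asset inventory. The dump and the inventory are constructed samples using documentation IP ranges and invented hostnames; nothing here is taken from the actual leak.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample dump: documentation IP ranges and invented hostnames,
# not entries from the Shadow Brokers data. Includes a comment line, a junk
# line and a duplicate so the parser's handling of them is visible.
SAMPLE_DUMP = """\
# constructed sample, not the real leak
mail.example-university.edu.cn
www.example-lab.ac.tw
ns1.example-ministry.gov.example
host.example.ru
203.0.113.7
198.51.100.23
not a host name!
203.0.113.7
"""

# Hypothetical asset inventory for "our" organisation (constructed).
SAMPLE_INVENTORY = ["198.51.100.23", "WWW.example-lab.ac.tw", "10.0.0.5"]

# Conservative hostname syntax: dotted labels, final label alphabetic.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Labels that mark a host as government- or education-run for triage purposes.
SENSITIVE_LABELS = {"gov": "government", "edu": "education", "ac": "education"}


def parse_dump(text):
    """Split a raw dump into validated IPs and hostnames; drop junk and duplicates."""
    ips, domains, rejected = [], [], []
    seen = set()
    for raw in text.splitlines():
        entry = raw.strip().lower()
        if not entry or entry.startswith("#") or entry in seen:
            continue
        seen.add(entry)
        try:
            ipaddress.ip_address(entry)  # accepts IPv4 and IPv6 literals
            ips.append(entry)
            continue
        except ValueError:
            pass
        if HOSTNAME_RE.match(entry):
            domains.append(entry)
        else:
            rejected.append(entry)  # keep for the analyst, never silently drop
    return {"ips": ips, "domains": domains, "rejected": rejected}


def count_by_tld(domains):
    """Rough geographic/sector breakdown by top-level domain."""
    return Counter(d.rsplit(".", 1)[-1] for d in domains)


def flag_sensitive(domains):
    """Return {hostname: category} for hosts carrying a gov/edu/ac label."""
    flagged = {}
    for d in domains:
        for label in d.split("."):
            if label in SENSITIVE_LABELS:
                flagged[d] = SENSITIVE_LABELS[label]
                break
    return flagged


def match_inventory(parsed, inventory):
    """Hosts that are both on the leaked list and in our own asset inventory.

    Any hit here is the trigger for incident-response handling of that host.
    """
    assets = {a.strip().lower() for a in inventory}
    return sorted(assets.intersection(parsed["ips"] + parsed["domains"]))


def triage_report(text, inventory):
    """Run the full triage and return a single summary dict."""
    parsed = parse_dump(text)
    return {
        "ip_count": len(parsed["ips"]),
        "domain_count": len(parsed["domains"]),
        "rejected": parsed["rejected"],
        "by_tld": dict(count_by_tld(parsed["domains"])),
        "sensitive": flag_sensitive(parsed["domains"]),
        "our_hosts": match_inventory(parsed, inventory),
    }


if __name__ == "__main__":
    for key, value in triage_report(SAMPLE_DUMP, SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

In real use the dump text would come from the leaked file and the inventory from the CMDB or DNS zone exports; the `our_hosts` list is what gets handed to the IR team, with `rejected` kept so that mangled lines are reviewed by hand rather than lost.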
If true, the above is a very damaging leak, and could set back highly lucrative intelligence collection sources and methods which cannot be easily replaced. It also shows the adversary which specific areas the U.S. targets when breaching their networks, and gives them ideas about how they might go about targeting the U.S. and others. We will also have to consider the possibility that the adversary knew of this penetration before we thought they did, and implanted bad or deceptive data that we may consider authentic but which is in fact purposely, and cleverly, wrong. We will have to assume the worst case here and consider all of these implants as no longer useful against these specific targets, and perhaps others as well. How soon we can conceive of a new method, technique, and source is a key question, and the answer may not be good news for the United States. V/R, RCP