Hackers expose apparent NSA cyber espionage operations

Hackers expose apparent NSA cyber espionage operations
© Getty Images

The hacker or hackers who stole National Security Agency-built cyber tools have dumped new files in what appears to be yet another change of plans in monetizing the heist. 

The new files provide some insight into the network infrastructure of the NSA-affiliated hacking team called The Equation Group.

This is the second dump of files that came from the group The ShadowBrokers, who in August released sample files containing previously unknown hacking techniques used to circumvent popular security hardware. The August files also contained a tracking code used by the NSA that matched previously unreleased Edward Snowden documents, appearing to confirm the breach’s provenance. 

In August, the group offered the complete cache of documents for auction. Not seeing the bidding totals they wanted, the group changed to a crowdfunding approach, saying it would release all files publicly if enough people donated money to a bitcoin address. 


“Ok peoples theshadowbrokers is promising you a trick or treating, here it is,” the group wrote in a message accompanying the latest files. It labeled the folder containing the breached documents “trickortreat” and password protected it with the login “payus.”

The latest leaks contain yet another change in business model: a direct appeal to the United States to purchase the remaining files from the group. 

“How bad do you want it to get? When you are ready to make the bleeding stop, payus, so we can move onto the next game. The game where you try to catch us cashing out! Swag us out!” wrote the Brokers in their latest release. 

The newly released files are separated info folders titled with domain names and internet addresses – what appear to be the staging servers used as intermediaries for covert network attacks. Timestamps in the files appear to date these servers between six and eight years old. 

The staging servers appear to have been hacked server from government agencies, such as those at the counselor’s office of the Chinese state council, universities, like ones at the King Abdulaziz City for Science and Technology in Saudi Arabia and the Fatima Jinnah Medical University in Pakistan, and more. 

Anyone with old enough server logs could check to see if they were accessed from the staging servers, revealing to they had been attacked. The ShadowBrokers have struggled to generate much interest in their wares since announcing they had stolen the NSA files. While the files appear to be authentic, the Brokers' bizarre behavior undermined confidence that the sale would be authentic. Their communications, written in what appeared to be deliberately broken English, contained strange political rants and, once, a racist comedy script about former President Bill ClintonWilliam (Bill) Jefferson ClintonBill Clinton expected to be released from hospital on Sunday Democratic incumbents bolster fundraising advantage in key Senate races Biden giving stiff-arm to press interviews MORE's controversial airplane meeting with Attorney General Loretta Lynch. 

The original auction also seemed suspicious. It required all bidders to pay the Brokers, with whoever sent the Brokers the most money receiving the NSA files — no refunds to losers. It had no firm end date and would have continued until the Brokers' choosing.

In the message accompanying the latest file dump, the brokers included a plea for Americans to disrupt the Nov. 8 elections. 

“On November 8th, instead of not voting, maybe be stopping the vote all together? Maybe being grinch who stopped election from coming? Maybe hacking election is being the best idea? #hackelection2016. If peoples is not being hackers, then #disruptelection2016, #disruptcorruption2016. Maybe peoples not be going to work, be finding local polling places and protesting, blocking , disrupting , smashing equipment, tearing up ballots?” the group wrote. 

Update Mon, 3:13