The Shadow Brokers (TSB) are back, and they’ve released the password for the rest of the hacking tools they claim to have stolen from the NSA last year.
TSB is a mysterious group that appeared in the summer of 2016 when they dumped on GitHub and other sites a trove of files they claim to have stolen from the Equation Group, a codename given to a cyber-espionage group many cyber-security experts believe to be the NSA.
Shadow Brokers dump password nobody wanted to buy
In their original announcement, the group dumped a collection of free files so that cyber-security experts can validate the veracity of their claims.
In addition, the group also released a second set of files, which were encrypted with a password the group promised to provide to the winner of online bidding war.
As no one stepped forward, the group started selling some of these tools individually last December but eventually called it quits in January, announcing their retirement just ahead of President Trump’s inauguration.
Shadow Brokers are unhappy with Trump
Now, the group is back, and the reason why, according to a post published on their Medium blog, is because of Trump’s political moves, which appear to have angered the group. The reasons, as listed by the Shadow Brokers, are below, in original:
#2 — Backtracked on Obamacare
#3 — Attacked the Freedom Causcus (TheMovement)
#4 — Removed Bannon from the NSC
#5 — Increased U.S. involvement in a foreign war (Syria Strike)
The politically-charged message ends with the password for the rest of the supposed NSA hacking tools they group released last summer.
Password works. Decrypts a whole new set of hacking tools
The first cache of NSA hacking tools contained quite a lot of material, such as zero-day exploits and tools to bypass firewalls (Cisco, Fortinet, Juniper, and TOPSEC), a toolkit to extract VPN keys, backdoors for Linux systems, and several Windows exploits.
This second cache is quite fresh, and security researchers haven’t had the time to search it in its entirety. As of now, we know of the following findings:
> A list of servers belonging to companies and universities from around the world, which the NSA allegedly hacked and used as staging points for deploying malware and launching attacks. (source, source)
> The same list, but only the IPs (source)
> A list of usernames and passwords used for tools and backdoor acconts (source)
> The TOAST framework used to clean server logs and delete the NSA’s tracks. (source)
> Many tools for hacking *NIX systems, especially Solaris. (source, source)
> A tool called ELECTRICSLIDE that impersonates a Chinese browser with fake Accept-Language. (source)
> A new tool named PITCHIMPAIR used to hack into servers. (source)
> An implant called SIDETRACK, used with PITCHIMPAIR. (source)
If you’d like to have a look at the tools, a security researcher that goes by x0rz is hosting the second batch of files, already decompressed, in a GitHub repo. This post will most likely be updated with new information as it becomes available.