6. Viral Outbreaks

NSA Hack: Shadow Brokers No Joke; But Who Are They?

Aug. 18, 2016
The group responsible for leaking NSA cyber weapons sounds like a crew of crazy Russian supervillains, but there's something strangely familiar about their message.

"How much you pay for enemies cyber weapons?"

That was the question the now infamous hacker group “The Shadow Brokers” asked the Internet on Aug. 13 after dumping 300 MB of exploit and malware files—that could infiltrate some of the world’s most widely used network equipment and firewalls—stolen from the Equation Group, a cyber warfare platoon linked to the NSA.

Read the whole crazy/brilliant manifesto here.

Why should you care?

The Russian-based anti-virus firm Kaspersky Lab calls the Equation Group “a threat actor that surpasses anything known in terms of complexity and sophistication of techniques.”

And somehow these Shadow Brokers obtained at least some of that sophisticated cyber arsenal, which in the past has included Flame, Duqu, and Stuxnet.

“Without a doubt, they’re the keys to the kingdom,” a former NSA hacker, speaking on the condition of anonymity, told the Washington Post. “The stuff you’re talking about would undermine the security of a lot of major government and corporate networks both here and abroad.”

"You break many things. You find many intrusions. You write many words. But not all, we are auction the best files."

Those best files, the brokers tease, are “better than stuxnet,” the (allegedly) U.S./Israeli-created malware that ravaged the centrifuges at Iran’s nuclear enrichment facility and accidentally broke free of containment.

And if the bidding war raises 1 million bitcoin ($550 million U.S.), more harmful files—supposedly on par with the current leak—will be made public.

At this point, the unreleased files could contain an Oregon Trail emulator or a CryptoLocker weapon that could cripple the world’s financial system.

"Equation Group not know what lost. We want Equation Group to bid so we keep secret. You bid against Equation Group, win and find out or bid pump price up, piss them off, everyone wins."

So who are these guys?

Many assume them to be Russian because evidently society has finally caught up to pandering ’80s movie tropes. It is possible that the Shadow Brokers are huge fans of Ivan Drago, as the syntax and vocabulary indicate.

On Aug. 16, NSA whistle-blower Edward Snowden tweeted, “Circumstantial evidence and conventional wisdom indicate Russian responsibility.”

He also speculates the data leak has to do with U.S. politicians attributing the DNC hacks to the Russians.

The 1 million bitcoin request? That’s straight-up Dr. Evil.

And the scheme itself is an obvious heist of the plot of a Batman: The Animated Series episode, in which Dr. Hugo Strange attempts to auction off the Dark Knight’s identity to his rogues’ gallery.

This could all be circumstantial, a false flag, aliens, or a host of other possibilities.

It’s clear, though, that whoever these perpetrators are, they want the world to at least think they’re chaos-loving supervillains in the vein of Tyler Durden or the Joker (Heath Ledger version, of course).

There’s even a line at the end of the villainous e-monologue about Wealthy Elites that asks “Do you feel in charge?” In The Dark Knight Rises, Bane asked greasy billionaire developer John Daggett the same thing before killing him.

But as troll-like and stereotypical-bad-guy-to-the-point-of-absurdity as the Shadow Brokers are, the threat shouldn’t be taken lightly.

On Aug. 17, Cisco verified the hacking tools released on GitHub contained “exploit code that can be used against multi-vendor devices, including the Cisco ASA and legacy Cisco PIX firewalls.”

These oddly delicious-sounding exploits, EXTRABACON and EPICBANANA, can crash a server, create a denial of service or execute arbitrary code. The files are all dated 2013.

EPICBANANA exploits a vulnerability in the command-line interface (CLI) parser of Cisco Adaptive Security Appliance (ASA) Software. Cisco’s known about this weakness for years, fixing it in 2011.

These mysterious mustache-twirling keyboard bandits aren’t completely impotent, though. Cisco Product Security Incident Response Team (PSIRT) rates the vulnerability in the Simple Network Management Protocol (SNMP) code as “High.”

For workarounds and more info, visit Cisco's Security Advisory Site.

List of Cisco’s Vulnerable Products:

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 9300 ASA Security Module
  • Cisco PIX Firewalls
  • Cisco Firewall Services Module (FWSM)

Cisco also recommends anyone in charge of a network “follow[s] sound system administration practices, hardening device configurations, and updating devices to run the current version of the software are simple best practices for customers to protect their networks.”

“Administrators are advised to allow only trusted users to have SNMP access and to monitor affected systems using the SNMP-server host command,” Cisco says.
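As an added illustration of Cisco's advice to restrict SNMP to trusted users and hosts, the following Python script audits an ASA-style configuration and flags SNMP settings that leave the management service exposed: default community strings, SNMPv1/v2c hosts (where the community string is the only credential and travels in cleartext), a community configured with no `snmp-server host` entry at all, and hosts bound to an untrusted interface. This is example code written for this page, not Cisco's tooling and not anything from the leak. The `snmp-server` command forms, the default version assumed when none is given, the interface name `outside`, the list of default community strings and both sample configurations are assumptions constructed for the example; check them against your platform's documentation before relying on the output.

```python
"""Audit SNMP exposure in a Cisco ASA-style running configuration.

Added example for this page; not Cisco's code. The command syntax matched
below (`snmp-server community <string>`,
`snmp-server host <iface> <ip> community <string> version 2c`,
`snmp-server host <iface> <ip> version 3 <user>`) follows ASA conventions
as an assumption of this script.
"""
import re

# Community strings that ship as defaults or appear in every wordlist
# (constructed list; extend for your environment).
WEAK_COMMUNITIES = {"public", "private", "cisco", "community"}

# Interface names on which SNMP should never be offered (naming assumption).
UNTRUSTED_IFACES = {"outside"}

HOST_RE = re.compile(
    r"^snmp-server host (?P<iface>\S+) (?P<ip>\S+)"
    r"(?: community (?P<community>\S+))?"
    r"(?: version (?P<version>\S+))?"
    r"(?: (?P<user>\S+))?$"
)
COMMUNITY_RE = re.compile(r"^snmp-server community (?P<community>\S+)$")


def parse_snmp(config: str) -> dict:
    """Collect snmp-server host entries and global community strings."""
    hosts, communities = [], []
    for raw in config.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            entry = m.groupdict()
            # A host with a v3 user implies version 3; otherwise assume the
            # platform default of version 1 when no version is given.
            entry["version"] = entry["version"] or ("3" if entry["user"] else "1")
            hosts.append(entry)
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            communities.append(m.group("community"))
    return {"hosts": hosts, "communities": communities}


def audit(config: str) -> list:
    """Return a list of human-readable findings; empty means nothing flagged."""
    parsed = parse_snmp(config)
    findings = []
    for c in parsed["communities"]:
        if c.lower() in WEAK_COMMUNITIES:
            findings.append(f"global community string '{c}' is a well-known default")
    if parsed["communities"] and not parsed["hosts"]:
        findings.append(
            "SNMP community configured but no snmp-server host entry: "
            "access is not limited to trusted hosts"
        )
    for h in parsed["hosts"]:
        if h["version"] in ("1", "2c"):
            findings.append(
                f"host {h['ip']} uses SNMPv{h['version']}: the community string "
                "is the only credential and is sent in cleartext; use v3 with auth and priv"
            )
        if h["community"] and h["community"].lower() in WEAK_COMMUNITIES:
            findings.append(f"host {h['ip']} uses default community string '{h['community']}'")
        if h["iface"].lower() in UNTRUSTED_IFACES:
            findings.append(f"host {h['ip']} is reachable via untrusted interface '{h['iface']}'")
    return findings


# Constructed sample: a weak configuration of the kind the advisory warns about.
WEAK_CONFIG = """\
hostname edge-fw
snmp-server community public
snmp-server host outside 203.0.113.25 community public version 2c
"""

# Constructed sample: SNMPv3 only, bound to a trusted interface and host.
# The group/user lines use placeholder secrets and are not parsed here.
HARDENED_CONFIG = """\
hostname edge-fw
snmp-server group NETOPS v3 priv
snmp-server user monitor NETOPS v3 auth sha PLACEHOLDER_AUTH priv aes 128 PLACEHOLDER_PRIV
snmp-server host inside 192.0.2.10 version 3 monitor
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}] {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Running the script prints four findings for the weak sample and none for the hardened one. The check is deliberately config-driven rather than network-driven: it reads a saved configuration, so it can be run against backups across a fleet without touching the devices, and it complements the advisory's other advice (current software, hardened configurations) rather than replacing it.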

Before you attempt to stem any possible cyberattacks and quell this uprising that would mostly hurt the working class, though, keep in mind the following:

"Reporters (not call journalist) make living say write only nice things about Elites, convince dumb cattle, is just politics, everything is awesome, check out our ads and our prostitutes."