An anonymous group calling itself the Shadow Brokers claims to have hacked the computer systems used by the Equation Group, an elite cyberattack team associated with the National Security Agency (NSA). Claiming to have stolen some of its cyberweapons, the group says it is holding an auction to sell them off to the highest bidder. The Shadow Brokers have also provided a sample of the alleged stolen data as proof of their legitimacy.
"How much you pay for enemies cyber weapons?" the post, which has since been taken down, reads. "We hack Equation Group. We find many, many Equation Group cyber weapons. You see pictures. We give you some Equation group files free... But not all, we are auction (sic) the best files."
The hacking collective has posted two sets of files so far — a free sample of the stolen data and a second encrypted file whose decryption key is up for sale in a bitcoin auction.
"If you want know your networks hacked, you send bitcoin," they write. "If you want to hack networks like equation group, you send bitcoin. If you want reverse, write many words, make big name for self, get many customers, you send bitcoin. If want to know what we take, you send bitcoin (sic)."
If the auction raises 1m bitcoins in total, which is worth about $560m, the group says it will release all the files for free.
In 2015, security firm Kaspersky described Equation Group as one of the most advanced hacking groups in the world, describing it as a "threat actor that surpasses anything known in terms of complexity and sophistication of techniques". The firm also noted that the group, which has been in action for almost two decades, has ties with the infamous espionage malware platforms Stuxnet and Flame.
Some security experts who have downloaded and examined the sample files posted by the group, which date most recently to 2013, say the leak could be legitimate or an elaborate hoax. However, they note that the sample includes 300 megabytes of code which match up with exploits used by the NSA. It reportedly also includes exploits targeting equipment sold by Juniper, Fortigate, Topsec and Cisco.
Claudio Guarnieri, a researcher at the University of Toronto's Citizen Lab, tweeted that the content does seem credible.
"It looks very much as if the NSA attacked someone, and that someone managed to source the origin of the attacks, and counter-hacked them," Guarnieri told Wired. "The content is credible enough and properly reflects what we know of some of the program names in there."
However, he does note that it is still too early to link the released code and data to the Equation Group or another NSA-linked cyberattack team.
"The code in the dump seems legitimate, especially the Cisco exploits ... and those exploits were not public before," Matt Suiche, founder of UAE-based cybersecurity start-up Comae Technologies, told Forbes. "The content seems legit." Suiche, who detailed the products affected in a post on Medium, also said that the connection to the Equation Group could nevertheless have been faked.
According to another Kaspersky Lab researcher, there is "nothing" in the sample that links the data to the Equation Group. However, he did note that some of the names in the sample are from the ANT Catalog, a 50-page NSA hacking toolset that was published in 2013 by Der Spiegel.
"If the Shadow Brokers actually hacked something, it wasn't 'the NSA'. At least not in the sense that some group is now in the NSA's many various networks reading through documents and e-mails and such," Sean Sullivan, a security advisor at F-Secure, told Business Insider. "If something was hacked, it was a resource directly related to the Equation Group ... A server of some sort was hacked."
Although the hacking group says the alleged leak is directed at "wealthy elites", it is unclear whether it was politically motivated.
At the time of publishing, the auction has five transactions worth a total of 0.1200 BTC ($68).
The latest claimed breach comes on the heels of the much-publicised breach of the Democratic National Committee that saw thousands of hacked internal emails from the DNC published by WikiLeaks. Notorious hacker Guccifer 2.0 recently claimed responsibility for the recent DNC and Democratic Congressional Campaign Committee (DCCC) hacks.