The Shadow Brokers – a mysterious entity that previously leaked a number of computer exploits used by hackers linked with the National Security Agency (NSA) – has released a fresh cache of data believed to be hundreds of IP addresses used by the same elite unit, known as the Equation Group.
Previously, in August, the Shadow Brokers emerged to disclose a slew of alleged NSA exploits used to compromise network gear built by Cisco, Fortinet and Juniper. It claimed to be auctioning off further data for 1m bitcoin – equivalent to over $550m – however that quickly fell apart.
Cybersecurity researchers analysing the latest release have concluded it is a list of servers from around the world the Equation Group hackers had compromised to launch its exploits. The latest release – hosted on a Medium blog post – is signed with the same PGP key as the initial posts.
"All of these Equation Group targets were compromised between 2000 and 2010. Likely that most are cleaned up, unless they have disk backups," said researcher Mustafa Al-Bassam. Meanwhile, cybersecurity expert Matt Suiche told IBTimes UK it contains a "list of targets including mail servers from early 2000."
According to security firm Hacker House, the leak contains "configuration data for an as-yet-undisclosed toolkit for a variety of UNIX platforms and also a number of IP addresses and hosts which may have been targeted by the tools." It contains references to tools with names like 'Stoicsurgeon', 'Dewdrop' and 'Incision'.
"In total 352 IP addresses are provided alongside 306 domain names which these tools may have been run on," Hacker House said, adding that timestamps in the data dump run from 22 August 2000 to 18 August 2010, confirming other reports.
It continued: "The hosts include 32 .edu domains and nine .gov domains. The geographic distribution of attacked hosts appears to be global impacting 49 countries." Additionally, China, Japan and Korea reportedly make up a substantial number of the targeted servers.
A separate cybersecurity researcher called Matt Swan compiled the Shadows Brokers data into a Microsoft Excel spreadsheet showing the domains, IP addresses, targeted operating system, timestamps and previously undisclosed NSA-linked implants in the latest release.
Announcing the release, the Shadow Brokers, which may be linked to the Russian state, released a long and rambling blog post written in broken English. "TheShadowBrokers is having special trick or treat for Amerikanskis tonight," the group stated.
It continued: "TheShadowBrokers is making special effort not to using foul language, bigotry, or making any funny. [...] Maybe political hacks is being more important? How bad do you want it to get? When you are ready to make the bleeding stop, pay us, so we can move onto the next game."
The release comes following the arrest of an NSA contractor called Harold Martin who has been named as a key suspect in the original Shadow Brokers leaks. Martin, who reportedly worked for the NSA's Tailored Access Operations (TAO), hoarded terabytes of classified data, including computer exploits.
Edward Snowden, former NSA analyst-turned-whistleblower, has said he believes the Shadow Brokers leak may have been a warning from Russia. In a series of tweets published on 16 August, he said: "The hack of an NSA malware staging server is not unprecedented, but the publication of the take is."
The NSA has not yet commented on the legitimacy of the leaks. Chris Inglis, a fomer deputy director of the agency, recently told IBTimes UK: "In an increasingly interconnected world it's going to be impossible for NSA [...] to keep a perfect hold of its secrets, especially when it has to interact with the outside world."