The hacker or hackers calling themselves The Shadow Brokers, who have previously released NSA hacking tools for anyone to download, published more files on Monday.
This latest release comes while Hal Martin, an NSA contractor and, according to The Washington Post, the prime suspect in The Shadow Brokers case sits in detention after being arrested for allegedly stealing swaths of classified material.
“TheShadowBrokers is having special trick or treat for Amerikanskis tonight,” a message from the hackers posted to Medium reads. The message is signed with the same PGP key used to sign several previous posts, including the group’s original announcement that came with links to a slew of NSA exploits.
As for the files, The Shadow Brokers claim they reveal IP addresses linked to the Equation Group, a hacking unit widely believed to be tied to the NSA.
“This is being equation group pitchimpair (redirector) keys, many missions into your network is/was coming from these ip addresses,” The Shadow Brokers’ post continues.
It’s the same key.
The dump contains some 300 folders of files, all corresponding to different domains and IP addresses. Domains from Russia, China, India, Sweden, and many other countries are included. According to an analysis by the security researcher known as Hacker Fantastic, the dump contains 306 domains and 352 IP addresses relating to 49 countries in total.
If accurate, victims of the Equation Group may be able to use these files to determine if they were potentially targeted by the NSA-linked unit. The IP addresses may relate to servers the NSA has compromised and then used to deliver exploits, according to security researcher Mustafa Al-Bassam.
“So even the NSA hacks machines from compromised servers in China and Russia. This is why attribution is hard,” Al-Bassam tweeted on Monday.
With the problem of attribution in mind, more work will need to be done to truly validate the contents of the dump.
“A more detailed analysis might well prove that this is from the organisations they claim it to be from, but of course it still doesn’t prove, beyond a reasonable doubt, that it was NSA (or for that matter anyone else),” Alan Woodward, visiting professor at the University of Surrey, told Motherboard in a Twitter message.
The National Security Agency did not immediately respond to a request for comment.
The Shadow Brokers first emerged in August, when they posted links to a selection of NSA exploits and hacking tools onto Github and other websites.* Many of the tools targeted hardware firewalls—devices used to filter traffic in corporate and government networks, and to keep out attackers, including from brands such as Cisco, Huawei, and Fortinet.
The hackers claimed they would release more files to the winner of an online auction, or, if they received a total of one million bitcoin, they would release the rest of the files publicly. In October, however, The Shadow Brokers claimed the auction had been called off entirely. The password for the latest set of files is “payus.”
The new message goes on to complain about an apparent lack of media attention on The Shadow Broker’s escapades, in the group’s characteristic, and perhaps forced, broken English.
“Is ABC, NBC, CBS, FOX negligent in duties of informing Amerikanskis? Guessing ‘Free Press’ is not being ‘Free as in free beer’ or ‘Free as in free of government influence?’” it reads. The Shadow Brokers did not respond to a request for additional comment.
*Correction: An earlier version of this article said that The Shadow Brokers dumped the NSA exploits onto Github. Instead, the hackers posted links to the exploits onto Github and other sites.