The Shadow Brokers are offering the NSA arsenal for direct sale

Pierluigi Paganini December 15, 2016

The Shadow Brokers group has changed the model of sale, it has put up the NSA’s hacking arsenal for direct sale on an underground website.

The Shadow Brokers – Summary of the events

We have seen the notorious hacker group at the end of October, when the hackers leaked a fresh dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.

The Equation group compromised these targets using the hacking tools codenamed as INTONATION and PITCHIMPAIR. The ShadowBrokers provided the links to two distinct PGP-encrypted archives, the first one offered for free as a proof of the hack (its passphrase was ‘auctioned’), for the second one the group requested 1 million BTC .codenamed as INTONATION and PITCHIMPAIR.

The first archive was containing roughly 300MBs of data, including firewall exploits, hacking tools, and scripts with cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION.

The security researchers Mustafa Al-Bassam published an interesting post that lists all the exploits, implants, and tools for hacking firewalls (“Firewall Operations”) included in the dump.

The Equation Group ‘s hackers targeted products made by Cisco, Fortigate, Juniper, TOPSEC, and Watchguard.

The majority of files are at least three years old, meanwhile, the newest timestamp dating to October 2013.

Early October, TheShadowBrokers complained that no one seems to be bidding on their precious archive, an alleged member of the hacker group expressed his dissent on the lack of interest in ponying up bitcoins to release the full NSA data dump.

A couple of weeks before the group announced the launch of a crowdfunding campaign for the stolen arsenal because its auction received offers for less than two bitcoins.

The hacker group that’s believed to be behind the high-profile cyber theft of NSA hacking tools and exploits that sparked a larger debate on the Internet concerning abilities of US intelligence agencies and their own security.

Back to the present

Now, once again, the group has changed the model of sale, it has put up the NSA’s hacking arsenal for direct sale on an underground website.

The file offered on the website contains a file signed with the cryptographic key of The Shadow Brokers, confirming the intent of the group in selling the entire NSA arsenal directly to buyers one by one.

Someone using the Boceffus Cleetus online moniker published a post on Medium titled “Are the Shadow Brokers selling NSA tools on ZeroNet?” announcing that the Shadow Brokers hackers are now offering for sale the “NSA tools individually.”

ZeroNet is a decentralized network of peer-to-peer users for hosting websites.

“ZeroNet uses bitcoin cryptography and the BitTorrent network.The BitTorrent website Play hosts a magnet link repository on ZeroNet, which links to copyrighted content. There is a Reddit community which offers support for ZeroNet.” states Wikipedia.

“Well howdy partners! I don’t wanna be getting arrested for passing on fake news and all. I rekon [sic] I ain’t no security professional but I am whutcha might call a ZeroNet enthusiast,” Cleetus writes. ZeroNet is a platform for hosting websites using blockchain and BitTorrent technology.

“Those dastardly ole shadow brokers have themselves a zite on ZeroNet. Yep and fars as I can tell they appears to be sellin NSA tools individually now,” added Cleetus.

The website includes a list of the products available for sale as explained by Joseph Cox from Motherboard.

The items are classified type, the list includes “exploits,” “Trojans,” and “implant-”

Shadow Brokers NSA arsenal

“The site includes a long list of supposed items for sale, with names like ENVOYTOMATO, EGGBASKET, and YELLOWSPIRIT. Each is sorted into a type, such as “implant,” “trojan,” and “exploit,” and comes with a price tag between 1 and 100 bitcoins ($780—$78,000). Customers can purchase the whole lot for 1000 bitcoins ($780,000).” states the post published on Motherboard.

“The site also lets visitors download a selection of screenshots and files related to each item. Along with those is a file signed with a PGP key with an identical fingerprint to that linked to the original Shadow Brokers dump of exploits from August. This newly uncovered file was apparently signed on 1 September; a different date to any of The Shadow Brokers’ previously signed messages.”

“If you like, you email TheShadowBrokers with name of Warez [the item] you want make purchase,” a message on the site reads. “TheShadowBrokers emailing you back bitcoin address. You make payment. TheShadowBrokers emailing you link + decryption password. Files as always being signed,” states the message on the website.


[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  The Equation Group, ShadowBrokers)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment