Another Shadow Brokers Leak

There's another leak of NSA hacking tools and data from the Shadow Brokers. This one includes a list of hacked sites.

According to analyses from researchers here and here, Monday's dump contains 352 distinct IP addresses and 306 domain names that purportedly have been hacked by the NSA. The timestamps included in the leak indicate that the servers were targeted between August 22, 2000 and August 18, 2010. The addresses include 32 .edu domains and nine .gov domains. In all, the targets were located in 49 countries, with the top 10 being China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy, and Russia. Vitali Kremez, a senior intelligence analyst at security firm Flashpoint, also provides useful analysis here.

The dump also includes various other pieces of data. Chief among them are configuration settings for an as-yet unknown toolkit used to hack servers running Unix operating systems. If valid, the list could be used by various organizations to uncover a decade's worth of attacks that until recently were closely guarded secrets. According to this spreadsheet, the servers were mostly running Solaris, an operating system from Sun Microsystems that was widely used in the early 2000s. Linux and FreeBSD are also shown.

The data is old, but you can see if you've been hacked.

Honestly, I am surprised by this release. I thought that the original Shadow Brokers dump was everything. Now that we know they held things back, there could easily be more releases.

EDITED TO ADD (11/6): More on the NSA targets. Note that the Hague-based Organization for the Prohibition of Chemical Weapons is on the list, hacked in 2000.

Posted on November 1, 2016 at 2:10 PM • 16 Comments


evanNovember 1, 2016 2:20 PM

Man, it would be amazing if US news reported on this instead of the constant 'Russian hackers' fear mongering.

AlanNovember 1, 2016 3:05 PM

> Honestly, I am surprised by this release. I thought that the original Shadow Brokers dump was everything.

It's never everything. Even the Director of the NSA doesn't know everything. No matter how much you know, there's always more.

TJNovember 1, 2016 3:10 PM

American white-collar crime and political corruption? Why aren't you looking at the Russians with everyone else?

GrauhutNovember 1, 2016 4:33 PM

@evan: "'Russian hackers' fear mongering"

Yes, but as ironic as it sounds, shadow brokers could well be a Russian PsyOP.

Capitalism critics: "Isn't it great that you can buy everything?"

Timing: The latest release could well be a payback for the CyberHunta release.

"Cyber Hunta released emails October 28 from aides close to Vladimir Putin that show Russia heavily influencing the separatist movement in Ukraine."

Or there is some kind of hacking NGO playing with both sides... ;)

Ross SniderNovember 1, 2016 4:52 PM

Very interesting that the author speculates that attacks against China, Japan and Korea are for confusing attribution.

The Asia Pacific is the emerging fundamental focus of the National Security core of the United States. The plan for the Asia Pacific region - to prevent the old enemy Japan and the possible new enemy China from growing to a strength that could challenge the United States - is to create an adversarial balancing (divide and conquer) between Japan, Korea and China.

Likely with the US National Security "pivot to Asia" these targets are real targets, and not the tools of misattribution. Indeed, the targets listed have probably been attacked with misattributable source hosts - whose accumulation is another, separate, mission of the NSA and US military.

IchininNovember 1, 2016 5:03 PM

Geographical attribution is useless. "Cui bono" is a better base to form a hypothesis from.

Also, shows how pathetic those "pew-pew attack maps" are.

otherwiseNovember 1, 2016 6:10 PM

"closely guarded secrets"

Such do not exist on any computer system interfaced to an unclassified network.

otherwiseNovember 1, 2016 6:28 PM

"Data diodes" and such are physical media only. One direction only:

Unclassified -> Classified -> Incinerator.

In today's world, no one, not even the NSA, can "hack" from a Classified domain to an Unclassified domain without being hacked in return.

Notwithstanding, I've heard that the NSA runs both classified and unclassified virtual machines on the same physical box. I'm not sure I believe it, but nevertheless I should warn against it:

I've also heard that the Jews refuse to eat meat and milk in the same meal. Now what happened when Abraham served meat and milk in the same meal to visitors from heaven? (Genesis 18.) Yes, whole cities were destroyed. So perhaps there is some lesson to be learned here.

HarryNovember 2, 2016 4:40 AM

@otherwise: Abraham is pre-Mosaic (before Moses); the kosher rules didn't exist. Mixing milk and meat is not why whole cities were destroyed. The lesson here is know your subject matter before drawing lessons from it.

Bad DogNovember 2, 2016 5:37 AM

The good news, sort of: It appears NSA is staying aways from the USA and Five Countries for this type of exploit. It seems.

Clive RobinsonNovember 2, 2016 6:21 AM

@ Otherwise,

Such do not exist on any computer system interfaced to an unclassified network.

And as Ed Snowden and several others have demonstrated, secrets can not be kept on computers connected to classified networks either.

I have a couple of pieces of advice I trot out from time to time, for those wishing to limit disclosure damage.

First and formost though one that defines the basic reason information leaks in one way or another from repositories,

    Efficiency -v- Security

It applies from below Layer 0 all the way through Layer 9 and above in the computing stack. It manifests it's self in side channels, increased complexity, increased attack surface and way too much privilege in individual entities and other lack in their control.

Information leakage comes in two basic forms intentional and unintentional. The former are considered to be forms of insider attacks, but they also occure due to what are excused as "poor engineering choices"[1] in place from before day zero of any project. The latter are side effects of the laws of physics and thermodynamics, thus ever present if not eternal foes.

The way to deal with information leakage below Layer 8 was known as "air gapping" and "perimeter minimization and control" from Layer 8 upwards.

Unfortunatly as is now obvious to those who can read an "air gap" is insufficient to stop information leakage due to those fundemental laws of nature. Why this has taken so long to become apparent to the majority of security practitioners, is a cause of puzzlement. Put simply anyone who actually understood the basic physics they were taught at school prior to being a teenager, could with a little thought have realised that what was needed was,

    Energy Gapping not just Air Gapping

Even of those in the security domain who had heard of what became known as TEMPEST or EmSec, apparently few of them realised that the channels and transducers by which information gets transported are bidirectional. Thus failed to recognise the potential of the "black arts" of "Susceptibility attacks" developed by those who did. This was even though the mechanisms of it were talked about publicly and openly since the 1980's as ElectroMagnetic Compatability (EMC) it rarely if ever crossed the mental gap in most security practitioners heads...

The reality is there are only two ways to limit the effects of energy based security issues be they by emission or susceptibility. The first is to minimize the information per unit of energy and secondly minimize the information per unit of time. The ways to achive these minimizations are many and varied and also supprisingly for some form part of Layer 8 and up "Perimeter Minimization and Control". One way this enhanced security can be achived is in effect to go backwards in technology for the three modes of information usage, storage, communication and processing.

We've been led to believe for "security reasons" the Russians have gone back in time to manual, (not electric) typewriters, Roneo / stadler style alcohol mimeograph machine copiers, carbon papers, type through stencils, filing cabinets with combination locks and safes in locked and armed guard defended bunker like repositories.

Having served some time when younger in such an environment, the hard security is obvious, as is the perimeter minimization and entity control. Whilst the lack of electrical energy for motors and electronics is also easily seen less obvious is what it does in minimization of information communication unless you think about it. A typed sheet of paper holds at best 3500 characters of information with words on average taking six charecters in the standard English alphabet. Thus little information is impressed on a physicaly large object, that is in turn difficult to, copy, conceal and communicate the information out of a such a controled security area. Which in turn minimizes the amount of information per unit of time / oportunity.

There are other advantages to typed documents, which is why I advise,

    Paper Paper Never Data

to those with requirments to minimize potential harms. It's also what I talk about when trying to minimize the harm caused by "electronic discovery". Which is something that has just poped up in the news again over an illicit server and now a laptop that might have over half a million mostly "gone missing" emails that the authorities are taking interest in...

[1] "Poor Engineering Choices" is most often a "managment euphemism" used to pass the buck downwards to avoid responsability for their own failings.

War GeekNovember 2, 2016 6:57 AM

The Kurchatov Institute was still running FreeBSD 4.0 in 2007?

I'm thinking the Equation group had to jostle around with a whole gang of invaders inside there. Even 4.11 was stale by then :)

Clive RobinsonNovember 2, 2016 7:05 AM

@ Bruce,

Now that we know they held things back, there could easily be more releases.

Let us hope so on the sunlight/disinfectant principle.

As for being surprised, there are two very old military maxims to remember. Firstly, "Keep your powder dry" and secondly "Draw the opponent out".

Keeping the powder dry, has changed it's meaning from the apparent stating the obvious, it now means keeping things in reserve, often secret, so the opponent gets a false sense of your capabilities and reserves, thus when drawn out they find that things are rather not as they thought, thus in effect they have advanced into a trap.

We saw this in the gulf war when the Iraqi power, water and communications and other infrastructure were attacked as the first order of battle. Such behaviour where the fall out would be mainly agaist civilians would once have been not just unthinkable but also illegal under international law.

But it also had in it the seeds of it's own failure, in that a decade or more down the road Iraq is still a broken country, with some of those civilians now armed and out for not just themselves but to extract payback.

Who ever designed and deployed these attacks on what is arguably targets of "economic interest" only has not only caused harm[1] to civilians, they planted a seed that has grown and there is now a price to be payed. Thus the question of "What price the reaping?".

[1] If you look back at what went on in South Korea, the North alledgedly developed from nowhere very sophisticated and targeted cyber-attacks. Against amoungst other things the GPS systems used by aircraft and shipping, the banking sector causing instability and more. Some believe understandably that the North Koreans did not develop or deploy so effectively such advanced technology without any sign of testing... Thus the question of who had the knowledge and ability to test such attacks. The US MSM that went further than the knee jerk headlibe reactions looked where they were directed which was towards China. But again the attacks were not of their MO. Thus with the revelation of this information I suspect a number of South Korean interests will examine the data very attentively looking or correlation. And perhaps the US MSM might look a little closer to home, after all the US DOD is known to have carried out quite indepth and extensive testing of the GPS systems for vulnerabilities. Likewise the US IC is known to have carried out many and varied forms of attack against targets of "economic interest" over many decades. So the attacks that caused harm in South Korea, are standard fare for US Military / IC entities...

Bilibus BlunderbustNovember 2, 2016 9:23 PM

Who could of possibly profited, considering their share holdings?


The US military, and intelligence dudes, like most other dudes are elite, or L337 dude, with a remarkable similarity to the vibe given off by old telecom workers. You seen the gear they use, maybe stuff so old got less vulnerabilities, lol "Who has been using our towers?", they would say. "I don't know, why don't you watch and find out." You'll get a better quality photo with a smaller zoom lens though. Watch out for the virus in the pirated computer games being distributed over your network, yo and thanks for the internet for all them years, we got pretty bored out here and the nearest university was 1000 miles away.

I suggest one day they read how stuff works, but then again they don't want their own people having the skills to see what goes on outside their little area (or in it), that could get complicated, as they ain't staying away from nothing. How little has changed in 30 years is disturbing.

WilliamNovember 3, 2016 11:04 AM

Disgruntled employees are like Dread Pirate Roberts, one leads to another, and another. It's going to stick around a little. There isn't much we can do about it.

Karen K, November 3, 2016 6:27 PM

@ Clive Robinson

There are other advantages to typed documents, which is why I advise,

Paper Paper Never Data

With which, we proudly bring you - supported by Ed Snowden and Glenn Greenwald - the all new, Inter-Clives communication system

(With a nod to British India and their great work creating an efficient postal and library service, way back when )

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.