
Tag: NSA contractor

Red Flag Windows: Microsoft modifies Windows OS for Chinese government

Chinese government blocked Microsoft product purchases after NSA leaks.

Ex-NSA Contractor Indicted In Alleged Theft Of Classified Data

Harold Thomas Martin III, accused of stealing 50 terabytes of highly sensitive government information, will appear in court on Feb. 14.

Former NSA contractor indicted over 50TB gov’t classified data theft

The former contractor reportedly spent 20 years pilfering government secrets and helping himself to the cream of the NSA's hacking tools library.

Ex-NSA contractor Harold Martin indicted: He spent ‘up to 20 years...

US prosecutors list dossiers and code allegedly swiped

Former Booz Allen Hamilton contractor Harold Thomas Martin III allegedly stole secret and top-secret software and documents from American intelligence agencies for up to 20 years.

That's according to a federal grand jury indictment revealed today.…

New charges for ex-NSA contractor for allegedly taking elite hacking tools

Hal Martin allegedly was found with 50TB of data when arrested in August 2016.

Former NSA contractor may have stolen 75% of TAO’s elite hacking...

Prosecutors reportedly plan to charge Harold T. Martin with espionage.

Hacking Group 'ShadowBrokers' Release NSA Exploits, Then Go Dark

The hacker group "ShadowBrokers" releases 61 files said to contain exploit tools used by the National Security Agency, which could fuel a race between attackers—trying to create their own exploit tools—and defenders. The ShadowBrokers, a hacking group, pledged to shut down their operation and go dark on Jan. 12.

But as a final act of spite the group released 61 files from a cache of hundreds of programs allegedly belonging to an exploitation framework used by the U.S. National Security Agency. The files reportedly include programs for compromising systems and circumventing defensive software, including antivirus programs.

The group released the files because many—44, according to security experts—could be detected by at least one antivirus program, the group said in a statement posted online. “So long, farewell peoples,” the group stated. “TheShadowBrokers is going dark, making exit.

Continuing is being much risk … not many bitcoins.” The group originally appeared in August 2016, claiming to have stolen files from an NSA server—files that matched those described in documents leaked by former NSA contractor Edward Snowden. The files also matched the telltale signatures from an exploitation kit discovered by Russian antivirus firm Kaspersky.

The security firm dubbed the group behind the software as “The Equation Group.” In August the ShadowBrokers declared that they would release the files to anyone who paid them 10,000 bitcoins in an auction. Yet, the chaotic manner with which the group declared the auction—along with the astronomical price tag—suggested to many researchers that the group was not serious. Other researchers believe that the group is likely linked to Russian intelligence. “I think the Shadowbrokers are a front for Russian intelligence and the auction was a smokescreen,” Jake Williams, principal consultant for Rendition Infosec, a cyber-security services firm, told eWEEK. “It is an insane auction method. It was likely never about raising revenue.”

Williams argues that the release of the information is a parting shot at the Obama administration and intelligence organizations.

Furthermore, the release of the code will likely result in an arms race as other nation-states try to reverse engineer the files and incorporate the exploits as well as the vulnerabilities targeted by the exploits into their own attacks and defenses. “This is definitely a game changer for the industry,” he said. “This is the first time that we have ever seen a nation-state’s toolkit. It likely represents years of research, and in a matter of weeks other nation-states and cyber-criminal groups will have reverse-engineered it. I don’t think there is a nation-state attack team on the planet that is not reverse engineering this code and figuring out how they can best use the technology.”

Kaspersky Lab verified that the files released on Dec. 12 matched those from the Equation Group. “Most of the samples in the archive are EquationDrug plugins, GrayFish modules and EquationVector modules,” the company said in a statement. “These three are known malware platforms used by the Equation group, which we described in February 2015.

From the list of 61 files provided, our products already detect 44 of them. We are updating our products to detect all further samples.” However, the ShadowBrokers dropped another parting shot in fractured English.

They may be back. “TheShadowBrokers offer is still being good, no expiration,” the group said in a statement. “If TheShadowBrokers receiving 10,000 btc in bitcoin address then coming out of hiding and dumping password for Linux + Windows.”

Google Cloud unlocks key achievement

Encryption got you down? Google will manage your secrets for you

Google on Wednesday introduced its Cloud Key Management Service in beta to help Google Cloud Platform customers deal with their encryption keys. "Cloud KMS offers a cloud-based root of trust that you can monitor and audit," said product manager Maya Kaczorowski in a blog post. "As an alternative to custom-built or ad-hoc key management systems, which are difficult to scale and maintain, Cloud KMS makes it easy to keep your keys safe." Following the disclosures about the scope of online surveillance by former NSA contractor Edward Snowden in 2013, encryption became more important for cloud service providers – particularly encryption that allows customers to control the keys. Google began offering customer-supplied encryption keys (CSEK) in June 2015.

But it hasn't exactly led the way with encryption for cloud customers.

Amazon Web Services introduced CSEK for S3 in June 2014 and in November of that year introduced AWS Key Management Service. Microsoft Azure added CSEK via Key Vault in January 2015. A Google spokesperson wasn't immediately available to discuss the service. Garrett Bekker, an analyst with 451 research, said in a statement provided by Google that KMS "fills a gap by providing customers with the ability to manage their encryption keys in a multi-tenant cloud service, without the need to maintain an on-premise key management system or HSM [hardware security module]." GCP customers can use Cloud KMS to create, use, rotate (at will or scheduled), and destroy AES-256 symmetric encryption keys.

Cloud KMS provides a REST API that can use a key to encrypt or decrypt data. Cloud KMS integrates with Cloud Identity Access Management and Cloud Audit Logging, two related GCP services. Kaczorowski says that Cloud KMS relies on the Advanced Encryption Standard (AES) in Galois/Counter Mode [PDF], a method for high-speed encryption.

Google constantly checks its implementation, residing in its BoringSSL library, using tools like Project Wycheproof, according to Kaczorowski. While key management offers convenience, the tradeoff is security, since service providers can be compelled to turn keys over to authorities when presented with lawful demands.

Is an NSA contractor the next Snowden? In 2017, we hope...

We covered a ton of legal cases in 2016. The entire Apple encryption saga probably grabbed the gold medal in terms of importance. However, our coverage of a California fisherman who took a government science buoy hostage was definitely our favorite.

The case was dropped in May 2016 after the fisherman gave the buoy back. Among others, we had plenty of laser strike cases to cover.

There were guilty verdicts and sentencing in the red-light camera scandal that consumed Chicago.

The Federal Trade Commission settled its lawsuit with Butterfly Labs, a failed startup that mined Bitcoins.

A man in Sacramento, California, pleaded guilty to one count of unlawful manufacture of a firearm and one count of dealing firearms—he was using a CNC mill to help people make anonymous, untraceable AR-15s. While we do our best to cover a wide variety of civil and criminal cases, there are five that stand out to us in 2017.

These cases range from privacy and encryption, to government-sanctioned hacking, to the future of drone law in America.

Drone's up, don't shoot

Case: Boggs v. Merideth
Status: Pending in US District Court for the Western District of Kentucky

In 2016, we reported on another drone shooting incident (seriously folks, don’t do it!) in Virginia.

A 65-year-old named Jennifer Youngman used her 20-gauge shotgun to take out what many locals believe was a drone flying over her neighbor, Robert Duvall’s, adjacent property. Yes, that Robert Duvall. “The man is a national treasure and they should leave him the fuck alone,” she told Ars. Youngman touched on a concept that many Americans likely feel in their gut but has not been borne out in the legal system: property owners should be able to use force to keep unwanted drones out of their airspace.

But here’s the thing: for now, American law does not recognize the concept of aerial trespass. At this rate, that recognition will likely take years. Meanwhile, drones get more and more sophisticated and less expensive, and they have even spawned an entire anti-drone industry. Legal scholars have increasingly wondered about the drone situation.

After all, banning all aircraft would be impractical.
So what is the appropriate limit? The best case law on the issue dates back to 1946, long before inexpensive consumer drones were feasible.

That year, the Supreme Court ruled in a case known as United States v.

that Americans could assert property rights up to 83 feet in the air. In that case, US military aircraft were flying above a North Carolina farm, which disturbed the farmer's sleep and upset his chickens.

As such, the court found that Farmer Causby was owed compensation. However, the same decision also specifically mentioned a "minimum safe altitude of flight" at 500 feet—leaving the zone between 83 and 500 feet as a legal gray area. "The landowner owns at least as much of the space above the ground as he can occupy or use in connection with the land," the court concluded. In 2015, a Kentucky man shot down a drone that he believed was flying above his property.

The shooter in that case, William Merideth, was cleared of local charges, including wanton endangerment. By January 2016, the Kentucky drone's pilot, David Boggs, filed a lawsuit asking a federal court in Louisville to make a legal determination as to whether his drone’s flight constituted trespassing.

Boggs asked the court to rule that there was no trespass and that he is therefore entitled to damages of $1,500 for his destroyed drone. Although the two sides have traded court filings for months, the docket has not been updated since June 2016, when Boggs’ attorneys pointed to a recent case out of Connecticut that found in favor of the Federal Aviation Administration’s regulation of drones. As Boggs’ legal team wrote: The Haughwout pleadings are directly relevant to the subject matter jurisdiction issue currently before the court.

The current dispute turns on whether a controversy has arisen that cannot be resolved without the Court addressing a critical federal question—the balance between the protection of private property rights versus the safe navigation of federal airspace.

The Haughwout dispute places this critical question in the context of an administrative investigation.
It highlights, as argued by Mr.

Boggs—and now the FAA—that questions involving the regulation of the flight of unmanned aircraft should be resolved by Federal courts. US District Judge David J. Hale has yet to schedule any hearings on the matter.

Flood of torrents

Case: United States v.
Status: Pending in the US District Court for the Northern District of Illinois

In July 2016, federal authorities arrested the alleged founder of KickassTorrents (KAT).

The arrest was part of what is probably the largest federal criminal complaint in an intellectual property case since Megaupload, which was shuttered in early 2012. (That site’s founder, Kim Dotcom, has successfully beat back efforts to extradite him from New Zealand to the United States. He was ordered extradited a year ago, but that court decision is now on appeal.) In the case of KAT, Ukrainian Artem Vaulin, 30, was formally charged with one count of conspiracy to commit criminal copyright infringement, one count of conspiracy to commit money laundering, and two counts of criminal copyright infringement.
Vaulin was arrested in Poland, where he remains in custody pending a possible extradition to the United States. Like The Pirate Bay, KAT does not host individual infringing files but rather provides torrent and magnet links so that users can download unauthorized copies of TV shows, movies, and more from various BitTorrent users. According to the 50-page affidavit, Vaulin and KAT’s claims that they respected the Digital Millennium Copyright Act were hogwash.

The affidavit was authored by Jared Der-Yeghiayan, who is a special agent with Homeland Security Investigations and was also a key witness in the trial of Silk Road founder Ross Ulbricht. Vaulin has since retained Dotcom’s lawyer, Ira Rothken, who has made similar arguments in court filings on behalf of his more famous client. Namely, that there is no such thing as secondary criminal copyright infringement, and while some files uploaded to KAT may have violated copyright, that does not make Vaulin a criminal. Rothken has not yet been able to directly correspond with or even meet his Ukrainian client (and has to do so only through Polish counsel). Nevertheless, he filed a motion to dismiss in October 2016.

The government responded weeks later, and Rothken filed another response on November 18. Prosecutors, for their part, said that the Rothken-Vaulin theory was ludicrous: “For the defendant to claim immunity from prosecution because he earned money by directing users to download infringing content from other users is much like a drug broker claiming immunity because he never touched the drugs.” The two sides met before US District Judge John Z. Lee for a status conference on December 20, 2016. Judge Lee has not yet ruled on the motion to dismiss.

Hoarder vs. Hacker

Case: United States v. Martin
Status: Pending in the US District Court for the District of Maryland

While everyone knows about Edward Snowden and the shockwaves he sent through the intelligence community in 2013, fewer people know the name Harold “Hal” Martin. Martin, like Snowden, was a contractor for the National Security Agency at Booz Allen Hamilton and held a top-secret clearance.
In August, he was arrested and criminally charged with “unauthorized removal and retention of classified materials by a government employee or contractor.” Prosecutors alleged that Martin had a substantial amount of materials that should never have left government custody. Unlike Snowden, it’s unclear whether Martin is simply a “hoarder” (as his own lawyer argued) or whether he was someone who meant to sell, divulge, or disclose classified NSA material. (Recent years have seen several unsolved leaks of classified material, including a source that provided intelligence materials that were published by the German magazine Der Spiegel.
In August 2016, there was the “Shadow Brokers” dump of NSA exploits. Neither leak has been definitively attributed.) Two months later, when news of his arrest became public, Martin was immediately fired and stripped of his clearance.

An October 20 filing states that Martin also took home “six full bankers’ boxes” worth of paper documents, many of which were marked “Secret” or “Top Secret.” The documents are dated from 1996 to 2016. “The weight of the evidence against the Defendant is overwhelming,” the government plainly stated in its filing, which continued: For example, the search of the Defendant’s car revealed a printed email chain marked as “Top Secret” and containing highly sensitive information.

The document appears to have been printed by the Defendant from an official government account. On the back of the document are handwritten notes describing the NSA’s classified computer infrastructure and detailed descriptions of classified technical operations.

The handwritten notes also include descriptions of the most basic concepts associated with classified operations, as if the notes were intended for an audience outside of the Intelligence Community unfamiliar with the details of its operations. The docket in Martin’s case has not advanced since October 31.

For now, he remains in custody. No further hearings have been scheduled.

You say NIT, I say malware

Case: United States v.
Status: Appeal pending in 8th US Circuit Court of Appeals

On December 1, a change to a section of the Federal Rules of Criminal Procedure went into effect. Under the revised Rule 41, any magistrate judge is now allowed to issue warrants authorizing government-sanctioned hacking anywhere in the country. Prior to that, magistrates could only sign off on warrants within their own federal district. As Ars has reported previously, for more than two years now, the Department of Justice has pushed to change Rule 41 in the name of thwarting online criminal behavior enabled by tools like Tor. The rule change might have gone unnoticed if not for over 100 child porn cases.

The cases are currently being prosecuted nationwide against suspects accused of accessing a Tor-hidden website called Playpen. Many of those cases have progressed “normally,” or at least as “normally” as child porn cases can progress.

But some suspects have challenged the use of what the government calls a “network investigative technique” (NIT), which security experts have dubbed as malware. As Ars reported before, investigators in early 2015 used the NIT to force Playpen users to cough up their actual IP address, which made tracking them trivial.
In another related case prosecuted out of New York, an FBI search warrant affidavit described both the types of child pornography available to Playpen's 150,000 members and the malware's capabilities. As a way to ensnare users, the FBI took control of Playpen. Playpen users came to the site with their Tor-enabled digital shields down, revealing their true IP addresses.

The FBI was able to identify and arrest nearly 200 child porn suspects.

After 13 days, the FBI shut Playpen down. However, nearly 1,000 IP addresses were revealed as a result of the NIT’s deployment, which suggests that even more charges could be filed. Beau Croghan, a man in Iowa, was one of those hit by this NIT. He’s accused of downloading child porn via Playpen. However, this past year, his case was just one of three in which a judge ruled to suppress the evidence due to a defective warrant. In 2016, federal judges in Massachusetts and Oklahoma made similar rulings and similarly tossed the relevant evidence.

Thirteen other judges, meanwhile, have found that, while the warrants to search the defendants' computers via the hacking tool were invalid, they did not take the extra step of ordering suppression of the evidence.

The corresponding judges in the remainder of the cases have yet to rule on the warrant question. In Croghan’s case, however, US District Judge Robert Pratt seemed to have a clear understanding as to how the NIT worked. He rebuked the government’s arguments. Judge Pratt wrote: Here, by contrast, law enforcement caused an NIT to be deployed directly onto Defendants’ home computers, which then caused those computers to relay specific information stored on those computers to the Government without Defendants’ consent or knowledge.

There is a significant difference between obtaining an IP address from a third party and obtaining it directly from a defendant’s computer. In November, the government appealed the ruling up to the 8th Circuit, arguing that the district court had gotten it wrong: ordering suppression of the evidence was going too far. As prosecutors argued in their November 22 filing: The facts of this case fall comfortably within this body of law and mandate the same result.

Assuming that the NIT Warrant was void because the magistrate judge lacked territorial authority to issue it, and further assuming that the FBI’s use of the NIT thereby amounted to an unconstitutional warrantless search or was somehow prejudicial, suppression is not warranted because the agents acted in objectively reasonable reliance on the subsequently invalidated warrant and were not culpable for the magistrate judge’s purported error. Croghan’s attorneys have been ordered to file their response by January 12, 2017.

Hands off

Case: United States of America v. In the matter of a Warrant to Microsoft, Inc.
Status: Appeal pending en banc in 2nd US Circuit Court of Appeals

It’s a case that’s being watched closely by many in the privacy community and the tech industry: Apple, the American Civil Liberties Union, BSA The Software Alliance, AT&T, Rackspace, Amazon, and others have joined in as amici. The question before the court was simple: does the Stored Communications Act, an American law that allows domestically held data to be handed over to the government, apply abroad? In other words: can the government order an American company (Microsoft) to give up data held overseas (in this case, in Ireland)? In July 2016, the 2nd Circuit said no. The case dates back to December 2013, when authorities obtained an SCA warrant, which was signed by a judge, as part of a drug investigation.

The authorities served it upon Microsoft, but when the company refused to comply, a lower court held the company in contempt. Microsoft challenged that, too.

The 2nd Circuit has vacated the contempt of court order, writing: The SCA warrant in this case may not lawfully be used to compel Microsoft to produce to the government the contents of a customer’s e‐mail account stored exclusively in Ireland.

Because Microsoft has otherwise complied with the Warrant, it has no remaining lawful obligation to produce materials to the government. What the government hopes would be revealed by acquiring the e-mail is not publicly known.

The authorities have also not revealed whether the e-mail account owner is American or if that person has been charged with a crime related to the drug investigation. On October 13, the government filed its en banc appeal before a full panel of judges at the 2nd Circuit, which has not formally decided to hear the case. As prosecutors wrote in that filing: There is no infringement of the customer’s privacy interest in his email content based on where Microsoft, at any given moment, chooses to store that content. Rather, the privacy intrusion occurs only when Microsoft turns over the content to the Government, which occurs in the United States.

The majority’s conclusion that the intrusion instead occurs where Microsoft “accessed” or “seized” the email content, Op. 39, is plainly wrong, because Microsoft could “access” or “seize” the email content on its own volition at any time and move it into the United States, or to China or Russia, or anywhere it chose, and the content would remain under Microsoft’s custody and control and the subscriber could not be heard to complain, unless and until the content were disclosed to the Government or another party.

This point is amply demonstrated by the concession of both Microsoft and the majority that Microsoft would have to comply with the Warrant if it had chosen (without consulting the subscriber) to move the target email account into the United States, even mere moments before the Warrant was served. Microsoft has not yet filed its response.

ShadowBrokers got NSA spy tools from rogue insider

The ShadowBrokers didn't break into the United States National Security Agency after all.

The latest research into the group of cybercriminals selling alleged NSA spy tools reinforced the idea that they'd received the classified materials from an insider within the intelligence agency, security company Flashpoint said. Analysis of the latest ShadowBrokers dump, which was announced earlier in the month on the blogging platform Medium by "Boceffus Cleetus," suggests the spy tools were initially taken directly from an NSA code repository by a rogue insider, Flashpoint said.

The company's researchers analyzed the sample file containing implants and exploits and various screenshots provided in the post and have "medium confidence" that an NSA employee or contractor initially leaked the tools, said Ronnie Tokazowski, senior malware analyst with Flashpoint. However, they were still "uncertain of how these documents were exfiltrated," he said. ShadowBrokers first began offering more than a dozen sophisticated tools for sale -- such as software for extracting decryption keys from Cisco PIX firewalls -- in underground marketplaces over the summer.

The post-exploitation tools, intended to give attackers a way to gain a foothold in the network or move around laterally after the initial breach, targeted flaws in commercial appliances and software.

The Cisco vulnerability (now patched) would have allowed attackers to spy on encrypted communications, for example. Flashpoint's investigators believe the files were taken from a code repository because the sample file was written in Markdown, a lightweight markup language commonly used in code repositories to simplify how files are parsed. "Looking at the dump and how the data is structured, we're fairly certain it's from internal code repository and likely an employee or contractor who had access to it," said Tokazowski. When the first set of ShadowBrokers files were put up for sale, there was speculation that attackers had either successfully breached NSA infrastructure or NSA operatives had mistakenly left sensitive files on a publicly accessible staging server.

Shortly afterwards, the FBI arrested NSA contractor Harold Martin for stealing government materials. Some of the tools included in the ShadowBrokers dump were among the classified materials in Martin's possession, suggesting some kind of involvement with the theft and sale. While Flashpoint's Tokazowski rejected the idea that the cybercriminals had stolen the files directly through external remote access or discovered them on an external staging server, he did not draw any conclusions whether Martin was involved. While the contractor denies he gave anyone the files, it seems quite possible that someone else may have broken into his non-classified computer to steal the tools.

The theft of the ShadowBrokers files overlaps somewhat with former Booz Allen Hamilton consultant Edward Snowden, who stole thousands of NSA-related documents, but Flashpoint said there was nothing linking the theft of these tools with the former NSA contractor. "The close proximity of events raises the question if there were multiple insiders acting independently during 2013," Tokazowski said.

Nation-state attacks and flashy attacks tend to consume most of the security attention, but malicious insiders pose a significant threat to enterprise networks because they already have access to sensitive data and systems. Most IT teams will never have to worry about dealing with a nation-state attack, but every single one of them has to face the prospect of an employee or an administrator going rogue and stealing corporate secrets or damaging the network. Mistakes as a result of careless insiders, such as when employees copy files for non-malicious reasons but the copies get stolen by adversaries, are also common. In the case of The ShadowBrokers, the contractor or employee may have had limited access to the tools since the implants and exploits released thus far appear to be all Linux- and Unix-based.

An insider with wider access would theoretically have been able to grab different types of tools. There's not enough evidence to understand the rogue insider's motivations for stealing the spy tools, but Flashpoint doesn't think it was money. The implants and exploits in this set appear to have been developed between 2005 and 2013, such as the ElatedMonkey exploit, which targeted a local privilege escalation flaw in a 2008 version of the web hosting control panel interface cPanel.

The attack tools are several years old, making it likely the NSA has already moved on to more modern exploitation tools.
If the insider wanted to sell them, the time to do so was shortly after the theft. "If The Shadow Brokers were trying to make a profit, the exploits would have been offered shortly after July 2013, when the information would have been most valuable," Flashpoint said.

Shadow Brokers Releases Second Trove of Spying Tools

The new leak appears to disclose NSA tactics. Shadow Brokers, a secretive online group that in August published details of hacking tools allegedly belonging to the NSA, released new leaks this week that appear to expose more of the agency's cyber strategies, as well as those from multiple foreign countries. The leak discloses NSA-style code names, including "Jackladder" and "Dewdrop," the Associated Press reports.
It also appears to offer a list of servers compromised by the Equation Group, a separate hacking organization with ties to the NSA. In a post on Medium in broken English, Shadow Brokers referenced Equation Group twice and suggested that its motivation for exposing the server information was related to the US presidential election.

The post also demands a ransom payment, although it does not suggest a specific amount of money. Named after its penchant for encryption algorithms, the Equation Group has hacked targets in more than 30 countries—including Iran, Russia, Pakistan, Afghanistan, India, and China, according to security firm Kaspersky.
Its focus is on government, nuclear research, military, and nanotechnology organizations, as well as companies developing cryptographic technologies. The hackers' malware can reprogram hard drive firmware, and has been found on devices from Seagate, Western Digital, and Samsung.

The exploit, carried out via physical interceptions like infected USB drives and CD-ROMs, is undetectable and cannot be removed. It is unclear how Shadow Brokers wound up with data from Equation Group.

This week's leak also raises questions about possible ties to Harold Martin, the former NSA contractor who was arrested in August for allegedly stealing more than 50 terabytes of classified data.

Authorities are attempting to prove that the Equation Group got its information from Martin.

New leak may show if you were hacked by the NSA

Shadow Brokers—the name used by a person or group that created seismic waves in August when it published some of the National Security Agency's most elite hacking tools—is back with a new leak that the group says reveals hundreds of organizations targeted by the NSA over more than a decade. "TheShadowBrokers is having special trick or treat for Amerikanskis tonight," said the Monday morning post, which was signed by the same encryption key used in the August posts. "Many missions into your networks is/was coming from these ip addresses." Monday's leak came as former NSA contractor Harold Thomas Martin III remains in federal custody on charges that he hoarded an astounding 50 terabytes of data in his suburban Maryland home. Much of the data included highly classified information such as the names of US intelligence officers and highly sensitive methods behind intelligence operations. Martin came to the attention of investigators looking into the Shadow Brokers' August leak.

Anonymous people with knowledge of the investigation say they don't know what connection, if any, Martin has to the group or the leaks. Equation Group was originally a name researchers from Moscow-based Kaspersky Lab gave to an elite team of NSA-tied hackers who exploited some of the same then-unknown Windows flaws later targeted by the Stuxnet worm that attacked Iran's nuclear program.

The group operated undetected for more than 14 years until Kaspersky researchers brought it to light.

The researchers dubbed it "Equation Group," but there's no evidence that was the name anyone inside the group used.

The people penning posts accompanying the leaks that started in August then used the Equation Group name when identifying the elite team the data and tools allegedly belonged to. According to analyses from researchers here and here, Monday's dump contains 352 distinct IP addresses and 306 domain names that purportedly have been hacked by the NSA.

The timestamps included in the leak indicate that the servers were targeted between August 22, 2000 and August 18, 2010.

The addresses include 32 .edu domains and nine .gov domains.
In all, the targets were located in 49 countries, with the top 10 being China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy, and Russia.
Vitali Kremez, a senior intelligence analyst at security firm Flashpoint, also provides useful analysis here. The dump also includes various other pieces of data.

Chief among them are configuration settings for an as-yet unknown toolkit used to hack servers running Unix operating systems.
If valid, the list could be used by various organizations to uncover a decade's worth of attacks that until recently were closely guarded secrets.

According to this spreadsheet, the servers were mostly running Solaris, an operating system from Sun Microsystems that was widely used in the early 2000s. Linux and FreeBSD are also shown. "If this data is believed then it may contain a list of computers which were targeted during this time period," the analysis provided by Hacker House, a firm that offers various security services, stated. "A brief Shodan scan of these hosts indicate that some of the affected hosts are still active and running the identified software.

These hosts may still contain forensic artifacts of the Equation Group APT group and should be subject to incident response handling procedures." The domains and IP addresses purportedly belong to organizations that were hacked by the NSA.

But according to Monday's Shadow Brokers post, once they were compromised, some of them may have been used to attack other NSA targets.
If true, the list could help other organizations determine who may have been behind suspicious interactions they had with the listed servers.

The possibility that some of the hacked servers were used to attack other sites was raised by the discussion of a tool called pitchimpair, which the authors claimed is a "redirector." Typically, redirectors are used to surreptitiously direct someone from one domain to another. Other purported NSA tools discussed in Monday's dump have names including DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK, and STOCSURGEON. Little is immediately known about the tools, but the specter that they may be implants or exploits belonging to the NSA is understandably generating intrigue in both security and intelligence circles.