Four Things We’ve Learned From the Alleged Equation Group Code Leak
August 22, 2016
The deeply bizarre auction of toolkits alleged to belong to the Equation Group, run by the self-proclaimed “Shadow Brokers”, has fuelled a great deal of speculation on social media about the provenance and capability of the dumped tools. Speculation aside, the dump itself provides a valuable insight into how offensive operations are conducted by Advanced Persistent Threats (APTs).
The first thing to note is that the top-level directory of the dump is called “Firewall”, which suggests that there are other folders that were not included in this free file. We can cautiously assume that those additional folders might cover other types of network appliance and, perhaps, endpoints such as Windows machines.
Inside the top-level directory is a collection of implants (effectively, malware/remote access toolkits) for certain vendor firewalls, a number of exploits for these firewalls, and collections of helper scripts and documentation.
Secondly, it’s notable that the various implants come with step-by-step instructions for installing them. These instructions carefully identify the exact version of the firewall being targeted in order to ensure maximum reliability, and then describe what steps should be taken immediately after a successful compromise so that the operation can continue undetected. The scripts and accompanying documentation indicate that the tools are intended to be used by operators of medium technical capability: the technical sophistication lies with the developers of the implants and the exploits, rather than with the operator who deploys them.
While the scripts are not necessarily the most elegant code ever written, it is clear that the developers emphasize substance over style. It’s possible to identify four main goals:
- Reliability. The exploits and implants need to work reliably in the field, as flaky or unstable code could crash the target device and thereby reveal the operation. The following snippet shows how careful the developers are to ensure reliability, terminating the exploitation attempt if there is a chance it may fail.
- Repeatability. The exploits and implants need to be usable by mid-level operators, so, in order for the documentation to be usable, the tools need to have well-defined side effects that can be documented in advance. The following advice shows the attention to detail necessary for the implant to be installed successfully.
- Stealth. The favoured approach for firewall compromise appears to be a minimal persistent backdoor in the firmware of the firewall, which can subsequently load a more feature-rich implant purely in memory. This in-memory implant can then be reloaded when the firewall is restarted. There are additional procedural steps required to ensure that the systems administrator does not notice anything untoward, as shown below.
- Deniability. The documentation provides a clue to the operational approach of the teams. An operator has a workstation, which is used to connect to an external “opsbox” (most likely hosted in a non-attributable or mis-attributable location) where the tools required for a particular operation are copied. This opsbox then talks to a “listening post”, which redirects traffic to the intended target, so the target only ever sees the listening post’s address. Direct connections to a target are naturally disallowed. The following example demonstrates how the indirect access is achieved.
This command shows that the workstation (possibly the opsbox) talks to an implant via a listening post, and it prescribes the source and destination ports used for the connection. Finally, when an operation is completed, the environment is “burned”.
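To make the listening-post hop concrete, here is a small TCP redirector written for this article as an added example; it is not code from the dump and does not reproduce the leaked tool’s command. The `Redirector`, `EchoTarget`, `roundtrip` and `free_port` names are assumptions made here. The redirector accepts a connection on its listening port, opens its own connection to the target from a prescribed source port, and copies bytes in both directions, so the target only records the redirector’s address and port, never the workstation’s. `EchoTarget` stands in for the target and logs the peer address of every connection it receives, which is exactly what a defender reviewing firewall logs would see.

```python
"""Listening-post style TCP redirector (added example, not from the leaked dump)."""
import socket
import threading


def free_port():
    """Ask the OS for an unused local TCP port (bind to 0, read it back, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then pass the EOF on to dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Redirector:
    """Accepts on listen_port and relays each connection to (target_host, target_port).

    source_port pins the port the redirector uses for its outbound leg, mirroring the
    documented practice of prescribing both source and destination ports for a hop.
    """

    def __init__(self, listen_host, listen_port, target_host, target_port, source_port=0):
        self.target = (target_host, target_port)
        self.source_port = source_port
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((listen_host, listen_port))
        self._srv.listen(5)
        self.listen_port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                client, _ = self._srv.accept()
            except OSError:  # listening socket closed
                return
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        upstream = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        if self.source_port:
            upstream.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            upstream.bind(("", self.source_port))  # prescribed source port for the hop
        try:
            upstream.connect(self.target)
        except OSError:
            client.close()  # target unreachable: drop the workstation side quietly
            return
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)
        client.close()
        upstream.close()

    def close(self):
        self._srv.close()


class EchoTarget:
    """Stand-in for the target device: echoes bytes and records every peer it saw."""

    def __init__(self):
        self.peers = []  # (ip, port) tuples as seen by the target
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))
        self._srv.listen(5)
        self.port = self._srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, peer = self._srv.accept()
            except OSError:
                return
            self.peers.append(peer)
            threading.Thread(target=self._echo, args=(conn,), daemon=True).start()

    @staticmethod
    def _echo(conn):
        _pump(conn, conn)
        conn.close()

    def close(self):
        self._srv.close()


def roundtrip(host, port, payload):
    """Connect as the workstation would, send payload, return everything echoed back."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    target = EchoTarget()
    src = free_port()
    relay = Redirector("127.0.0.1", 0, "127.0.0.1", target.port, source_port=src)
    print(roundtrip("127.0.0.1", relay.listen_port, b"constructed sample payload"))
    print("target saw peer:", target.peers[0], "expected source port:", src)
    relay.close()
    target.close()
```

Run stand-alone, the script shows the payload coming back through the hop and the target logging the redirector’s pinned source port rather than anything about the originating workstation. Chaining two instances (opsbox to listening post, listening post to target) is just a second `Redirector` whose target is the first one’s listening port.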
The Shadow Brokers dump yields a fascinating insight into APT offensive cyber operations. The goal of completing the mission clearly shapes the development approach taken and the emphasis on reliability, repeatability, stealth and deniability.