The deeply bizarre auction of toolkits alleged to belong to the Equation Group, held by the self-proclaimed “Shadow Brokers”, has fuelled a great deal of speculation on social media about the provenance and capability of the dumped tools. While that speculation is interesting, the dump itself provides a more valuable insight: it shows how Advanced Persistent Threats (APTs) actually conduct offensive operations.
The first thing to note is that the top-level directory of the dump is called “Firewall”, which suggests that there are other folders that were not included in the free portion of the leak. We can cautiously assume that those additional folders cover other types of network appliance and, perhaps, endpoints such as Windows machines.
Inside the top-level directory is a collection of implants (effectively malware and remote access toolkits) for specific vendor firewalls, a number of exploits used to get those implants onto the devices, and collections of helper scripts and documentation.
Secondly, it is notable that each implant comes with step-by-step instructions on how to install it. These instructions carefully identify the exact firewall version being targeted so that the exploit and implant behave reliably, and they then describe what the operator should do immediately after a successful compromise to make sure the operation continues undetected. The scripts and accompanying documentation indicate that the tools are intended to be used by operators of medium technical capability: the technical sophistication lies with the developers of the implants and exploits, not with the operator deploying them.
While the scripts are not necessarily the most elegant code ever written, it is clear that the developers emphasize substance over style. It’s possible to identify four main goals:
This command shows that the operator’s workstation (possibly the opsbox) can talk to an implant via a listening post, and it specifies the source and destination ports used for that connection, so that the traffic is predictable and can be tightly controlled. Finally, when an operation is completed, the environment is “burned”.
The Shadow Brokers dump yields a fascinating insight into APT offensive cyber operations. The overriding goal of completing the mission clearly shapes the development approach taken and the emphasis on reliability, repeatability, stealth and deniability.