The leaked data from the elite Equation Group hacking team is not a joke

    We recently wrote about the possible leak of confidential data belonging to the well-known cyber group Equation Group (Five Eyes / Tilded Team). That post was written in haste, and the published data was still treated with some doubt. Over the past few days, however, we have been able to examine the archive published in the public domain and to gather trusted sources confirming the accuracy of the Shadow Brokers hacker group's claims. The publicly accessible archive is about 300 MB in size and contains more than 3,500 files. Its decrypted public part, which we have already mentioned, contains various installation scripts, configuration files, information about working with C&C servers, and working exploits for popular routers and firewalls.

    In addition, the file names in this archive match the identifiers of NSA implants from the well-known ANT catalog.


    Directories with abbreviated names under Firewall\Exploits. As the name implies, they contain exploits for various network firewalls.

    Security researcher Matt Suiche has published interpretations of some of the exploit abbreviations.

    EGBL = EGREGIOUS BLUNDER (Fortigate firewall HTTPD exploit, apparently a 2006 CVE)
    ELBA = ELIGIBLE BACHELOR
    ELBO = ELIGIBLE BOMBSHELL (Chinese TOPSEC firewall, versions 3.3.005.057.1 to 3.3.010.024.1)
    ELCA = ELIGIBLE CANDIDATE
    ELCO = ELIGIBLE CONTESTANT
    EPBA = EPIC BANANA
    ESPL = ESCALATE PLOWMAN
    EXBA = EXTRA BACON (Cisco Adaptive Security Appliance v8.0 to v8.4)

    Some of the exploits from the Exploits directory are described below.

    EGREGIOUSBLUNDER: A remote code execution exploit for Fortigate firewalls. It affects models 60, 60M, 80C, 200A, 300A, 400A, 500A, 620B, 800, 5000, 1000A, 3600, and 3600A. The firewall model is detected by examining the ETag in the HTTP headers returned by the firewall.

    ELIGIBLEBACHELOR: An exploit for TOPSEC firewalls running the TOS operating system, affecting versions 3.2.100.010, 3.3.001.050, 3.3.002.021 and 3.3.002.030. It uses an XML-like payload that starts with <?tos length="001e:%8.8x"?>.

    A further remote code execution exploit for TOPSEC firewalls (the version numbers follow the same TOS scheme), affecting versions 3.2.100.010.1pbc17iv3 to 3.3.005.066.1. Version detection again relies on examining the ETag header.
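    Two of the exploits above pick their target-specific payload by fingerprinting the firewall from the ETag its web interface returns, which happens before any authentication. The following is an added example (it is not code from the leaked archive or from the original post) showing how such a fingerprint is extracted from a raw HTTP response and how the same check can be run against your own management interface. The ETag-to-version table and the sample response are constructed for illustration and are not real Fortigate or TOPSEC values.

```python
"""Added example: ETag-based firmware fingerprinting of a firewall's
web interface. The KNOWN_ETAGS table and SAMPLE_RESPONSE below are
hypothetical, constructed for this illustration."""
import http.client
import re
from typing import Optional

# Hypothetical table. An exploit ships a table like this mapping each
# firmware build's ETag to the memory offsets it needs for that build.
KNOWN_ETAGS = {
    '"3a2f-1c8"': "3.2.100.010",
    '"3b10-2e4"': "3.3.001.050",
}

# Matches a strong or weak (W/"...") ETag header, case-insensitively,
# at the start of a line; \s* absorbs the \r of CRLF line endings.
ETAG_RE = re.compile(rb'^etag:\s*(W/)?("[^"]*")\s*$', re.IGNORECASE | re.MULTILINE)


def parse_etag(raw_headers: bytes) -> Optional[str]:
    """Return the ETag value from a raw HTTP header block, or None if absent."""
    m = ETAG_RE.search(raw_headers)
    return m.group(2).decode() if m else None


def fingerprint(etag: Optional[str], table=KNOWN_ETAGS) -> Optional[str]:
    """Map an ETag to a firmware version if the table knows it."""
    if etag is None:
        return None
    return table.get(etag)


def probe(host: str, port: int = 80, path: str = "/", timeout: float = 5.0):
    """HEAD-request a management interface and return (etag, version_or_None).
    Only run this against devices you are authorized to test."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        etag = resp.getheader("ETag")
    finally:
        conn.close()
    return etag, fingerprint(etag)


# Constructed sample response, as an exploit would see it before logging in.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache\r\n"
    b'ETag: "3b10-2e4"\r\n'
    b"Content-Type: text/html\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    etag = parse_etag(SAMPLE_RESPONSE)
    print("ETag:", etag, "-> version:", fingerprint(etag))
```

    If a device answers with a build-specific ETag on an interface reachable from untrusted networks, an attacker can choose the matching exploit variant without ever authenticating. The practical check is to run probe() from outside your perimeter: the management interface should not be reachable at all, and if it is, the ETag should not identify a firmware build.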

    Thus, the exploits are designed to bypass the firewalls of Cisco PIX and ASA devices, Juniper NetScreen, Fortigate, and others. The following are descriptions of implants, also taken from the NSA ANT catalog; the information was published by another security researcher here.

    BANANAGLEE: A non-persistent firewall implant that is written directly into memory. Also mentioned in the previously leaked NSA ANT catalog.

    BANANABALLOT: A BIOS module associated with an implant (likely BANANAGLEE).

    BEECHPONY: A firewall implant that is a predecessor of BANANAGLEE.

    JETPLOW: A firmware persistence implant for BANANAGLEE, which keeps BANANAGLEE installed across reboots. Also mentioned in the previously leaked NSA ANT catalog.


    The slide from the NSA ANT catalog describing the BANANAGLEE implant for Cisco ASA devices. Directory: \eqgrp-free-file\Firewall\BANANAGLEE\.


    The directory with the shellcode files for different versions of Cisco ASA devices.

    A complete list of files from the publicly available archive can be downloaded here. To decrypt the archive itself on Windows, you need the gpg2 tool from the Gpg4win package.

    As Hacker Fantastic notes on Twitter, one of the scripts contains a command that loads a new implant using an exploit and a specific set of commands.



    It should be noted that the directory and file names themselves are not trusted evidence that the data belongs to the Equation Group. However, the exploits themselves turned out to work, and a former NSA TAO (Tailored Access Operations) specialist has confirmed the authenticity of the published NSA data. We already mentioned TAO in a post about the recently released film Zero Days, as the NSA unit responsible for conducting hacking attacks and offensive cyber operations around the world.

    In the post linked above, the author demonstrates the successful use of the EXTRA BACON exploit against a Cisco ASA device. The exploit is used to disable password authentication on the appliance, which allows attackers to connect to it remotely via Telnet or SSH and execute whatever commands they need. The following script from the archive and command line are used to launch the exploit. Note the -c argument: it supplies an SNMP community string, so the exploit only works against an ASA whose SNMP service is reachable by the attacker with a valid community.

    python extrabacon_1.1.0.1.py exec -t 10.1.1.250 -c pubString --mode pass-disable
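    The check a defender wants after reading that command line is whether any ASA exposes SNMPv1/v2c with a guessable community string on an interface an attacker can reach. Below is an added example, not code from the original post or from the leaked archive, that audits an ASA running-config text for exactly that. The sample configurations, interface names and addresses are constructed for the illustration; the weak one reflects the conditions the extrabacon command line needs, and the hardened one uses SNMPv3 with the manager restricted to the inside interface.

```python
"""Added example: audit a Cisco ASA configuration for the SNMP exposure
that extrabacon's -c <community> argument relies on. WEAK_CONFIG and
HARDENED_CONFIG are constructed samples with hypothetical addresses."""
import re

# 'snmp-server host <interface> <ip> [community <str>] [version 1|2c|3 <user>]'
SNMP_HOST_RE = re.compile(r"^snmp-server host (?P<iface>\S+) (?P<ip>\S+)(?P<rest>.*)$")


def audit_snmp(config: str, untrusted_ifaces=("outside",)):
    """Return a list of (severity, message) findings for the SNMP settings."""
    findings = []
    snmp_lines = [l.strip() for l in config.splitlines()
                  if l.strip().startswith("snmp-server")]
    if not snmp_lines:
        return [("info", "SNMP not configured")]
    for line in snmp_lines:
        if line.startswith("snmp-server community "):
            # A global community string accepts v1/v2c from any configured host.
            findings.append(("high", f"global v1/v2c community string: {line}"))
            continue
        m = SNMP_HOST_RE.match(line)
        if not m:
            continue
        iface, ip, rest = m.group("iface"), m.group("ip"), m.group("rest")
        if "version 3" not in rest:
            # v1/v2c: the community string is the only secret, sent in clear text.
            findings.append(("high", f"manager {ip} on {iface} uses SNMPv1/v2c: {line}"))
        if iface in untrusted_ifaces:
            # SNMP should never be answered on an interface facing untrusted networks.
            findings.append(("critical", f"SNMP manager {ip} allowed on untrusted interface {iface}"))
    return findings


# Constructed weak configuration: the conditions 'extrabacon -c <community>' needs.
WEAK_CONFIG = """\
hostname asa-edge
snmp-server community public
snmp-server host outside 203.0.113.10 community public version 2c
"""

# Constructed hardened configuration: SNMPv3 (auth + priv), inside interface only.
HARDENED_CONFIG = """\
hostname asa-edge
snmp-server group MONITOR v3 priv
snmp-server user nms MONITOR v3 auth sha <auth-pass> priv aes 128 <priv-pass>
snmp-server host inside 10.1.1.5 version 3 nms
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for severity, message in audit_snmp(cfg) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
```

    The audit is a heuristic over the running-config text, so it complements rather than replaces the vendor advisory and firmware update; its value is that it flags the two things the exploit command line tells us matter, a community-based SNMP service and reachability from outside.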

    Equation Group is linked to the creation of some of the most successful cyber weapons:

    • Stuxnet
    • Duqu
    • Regin
    • Flame
    • EquationLaser
    • EquationDrug
    • Doublefantasy
    • TripleFantasy
    • Grayfish
    • Fanny

    » Known cyber group Equation Group may have been subjected to large-scale hacking | link
    » The creators of the film Zero Days shed light on the authors of Stuxnet | link
    » NSA ANT catalog | link
    » Tailored Access Operations | link
    » NSA ANT slides | link1 | link2
    » Powerful NSA hacking tools have been revealed online | link
    » Free archive file list | link
    » EquationGroup Tool Leak - ExtraBacon Demo | link
    » Shadow Brokers: NSA Exploits of the Week | link
    » JETPLOW: NSA Exploit of the Day | link
    » Equation Group Firewall Operations Catalog | link
