
Hacking group says list features servers infiltrated by National Security Agency

The Shadow Brokers, a hacking group that allegedly hacked the NSA and leaked details on its hacking tools a few months ago, is back with more new data. This time it claims to have information on what organizations and systems the intelligence agency targeted and infiltrated.

In a new blog post titled Trick or Treat?, signed with the same encryption key as last time, the shadowy group claims to show a list of servers that have been hacked by the NSA, or more specifically by Equation Group, a supposed NSA-affiliated group.

The list features 352 different IP addresses and 306 domain names, including many domains with .edu and .gov, suggesting universities and government agencies, along with a number of mail operators. The servers are spread across 49 countries including China (at the top of the list), India, Germany, Korea, Russia, and Japan among many others. Timestamps show that these servers were hacked between August 2000 and August 2010.

Also on the list are what appear to be names of hacking tools and operations such as “jackladder,” “incision,” and “sidetrack,” as well as the servers on which they were used.

The Shadow Brokers’ blog post features some broken English about the U.S. elections and calls to disrupt them: “On November 8th, instead of not voting, maybe be stopping the vote all together?” it reads.

Security experts have met the list with some skepticism, in some cases pointing out that attribution in cyberattacks is always difficult, and that not all of these servers may have actually been attacked by the NSA.

“The Shadow Brokers continue to grapple for publicity and money. The list of servers is 9 years old, likely no longer exist or reinstalled,” said Kevin Beaumont, a security researcher, on Twitter. The group previously attempted to sell supposed NSA data for $600 million during the summer but found no takers.

My Hacker House, in its analysis, still advises caution to anyone who finds a familiar-looking server from their organization on the list and urges them to seek security help. “You may have inadvertently been hosting Equation Group APT cyberattacks from your environment.”

Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…