150 comments

[ 2.7 ms ] story [ 217 ms ] thread
Interesting discussions happening on Twitter, eg https://twitter.com/thegrugq. Looks like this could be at least somewhat legit.
The grugq tweets should always be read with the understanding/context that he sells bugs to the Feds. He is not an impartial observer on the topic of nation-state malware.
Sounds important. What does it all mean?
Equation Group is the name given by AV vendors to a group of attacks thought to be carried out by NSA. This is, apparently, a dump of internal files (mostly exploits and command & control scripts) that someone got ahold of. They're now apparently trying to auction them off.

If it's a fake, it's a very good one – the code words match up to things we've seen in the Snowden leaks, e.g. Jetplow (https://www.schneier.com/blog/archives/2014/01/jetplow_nsa_e...). Matthieu Suiche has a good initial writeup here:

https://medium.com/@msuiche/shadow-brokers-nsa-exploits-of-t...

It should be noted that it is only suspected that the Equation Group is related to the NSA. I only bring this up not because I don't think it is but rather to emphasize that it has not been proven yet.
If this leak is real, it points to one of two things. Either it isn't the NSA and is a company or some quasi-governmental group - owing to the fact that any of this shit the NSA makes would be on JWICS terminals and absolutely not accessible to the internet, or it means there's a leak from the NSA that dumped these files and has decided to sell them. I'd lean more towards the former.
The command and control ("listening posts" in intelligence community parlance) for even NSA implants has to be on the public internet so the victims can phone home. This stuff could be from one of those servers.
Is that necessarily true for NSA et al.? I don't see why the target couldn't just send the data towards an arbitrary destination, and that data be collected by NSA via a passive tap. Commands could be sent using a QUANTUM-style technique (packet injection with spoofed origin)
Snowden did tweet what looked like an AES key last week.
It was a sha2 (or rather, a 64-byte length hex string). I wondered myself if it wasn't the secret key to some encrypted file.
For the curious, the Equation Group Wikipedia article has a section dedicated to Possible links to Stuxnet and the NSA: https://en.wikipedia.org/wiki/Equation_Group#Possible_links_....

If nothing else, I found this compelling*

> In addition, timestamps in the malware seem to indicate that the programmers worked overwhelmingly Monday–Friday in what would correspond to a 08:00–17:00 workday in an Eastern United States timezone.

*assuming you trust the timestamps.

(comment deleted)
Wikipedia link for the lazy folks like me that didn't know the Equation Group: https://en.wikipedia.org/wiki/Equation_Group
> The malware used in their operations, dubbed EquationDrug and GrayFish, is found to be capable of reprogramming hard disk drive firmware.

Wow. We really are f----d all the way down the stack.

The row hammer attack convinced me of that. It feels like nothing is hardened at the very low levels that get hit by truly dedicated attacks.

(https://en.wikipedia.org/wiki/Row_hammer#Implications)

Geez, I'd never heard of this.. I just spent an hour reading up on it.. There's even a Javascript implementation (because of course there is)...
It blew my mind when I first encountered it.

The basic idea - flip bits a lot until things crash - wasn't totally shocking. But learning that Project Zero had put up working privilege escalation attacks off something so bizarre? That's just too far.

At least Van Eck phreaking is still hard to use in practice...

SD Cards have a full 32-bit processor on them. You can find videos on hacking them. In theory, you can re-label a 32GB card as 16GB, create a 16GB journey and write two copies of everything stored to it. Then you just steal the card back and get all the data off it.
> Then you just steal the card back and get all the data off it.

If you're stealing hardware, the only thing you're not capable of already is (necessarily) being able to decrypt it. So this would apply to any unencrypted SD card. Not terribly effective use of the hack.

A better one would be to do so with one of those WiFi SD cards[0] and transmit the data over the network. You could just read it directly from the card and place deleted files into your buffer when you overwrite them, and hope they don't delete more than your buffer's size of data before you can upload it.

[0]:https://en.wikipedia.org/wiki/Secure_Digital#Vendor_enhancem...

Yep, I bungled the link. The tumblr has all of the information but it's split into separate posts:

https://theshadowbrokers.tumblr.com/

Thanks, we updated the submission.
Could you change the link to the tumblr? The github page has been pulled.
for bid : 1DVm58QvyRksyRtzHvbo6UyEt4fZYMWXFQ
The structure of this auction is amazing!

1. All bids are paid up front, and you never get your money back, even if you aren't the highest bidder. So if people bid $50, $70, and $100, they collect $220.

2. No one can verify what is actualy up for sale before the auction.

3. There is no way for the world to know that they actualy delivered the goods after the auction.

4. There is no way for the highest bidder to know that they will actually receive the goods.

5. There is nothing stopping the auctioneers from bidding. This not only raises the price, but they still get to keep every bidders money even if the high bid is their own.

Everything about this auction is lined up to incentivize a scam.

>Everything about this auction is lined up to incentivize a scam.

Yes, however the contents of the free sample seems very real. Without having dug into the binaries it's hard to tell, but it's hard to imagine someone wrote this to scam 1 million BTC out of the net.

With 1 million BTC on the line, you have a hard time imagining that someone would do this?

People do work for a lot less..

Yes.
Maybe it's the language? Given what I've read this seems real.

However, with that much money on the line (if that figure is correct), you could fake almost anything.

I'm curious if they (in lack of better English) didn't mean 1 million USD in BTC. 1 million BTC is -a lot of money-, even for a release of Equation Group material.
That's 6.3% of all Bitcoin currently in circulation. A crazy amount.
1,000,000 Bitcoin == 563,770,000.00 USD

https://www.google.com/search?q=1000000+btc+in+usd

Sort of... When trading that large a fraction of the whole pool of BTC, the trade itself would drastically alter the value of a BTC. To the point that I'd be surprised if someone could openly acquire that large number of BTCs before being priced out of the market.

The block chain makes it worse because everyone can see the progress of the buyer and there's no market maker with anywhere near this level of liquidity.

A private transaction of BTC wouldn't effect the market value of BTC. It is correct to say 1M BTC = 565M USD; the market price of BTC/USD is only effected when the BTC is sold on an exchange.
Almost no single entity has that much BTC (as of 2016 only ~15 million Bitcoins exist), to acquire it someone would have to aggregate the Bitcoins from many other entities by via buys on a Bitcoin exchange. This would cause a massive spike in the price of Bitcoin.

Interesting to note: there has been no new Bitcoin block for the last 1 hour 23 minutes. This happens from time to time, but it is a little suspicious.

See https://blockchain.info/

They don't except it all from a single entity.
> Yes, however the contents of the free sample seems very real.

The only people who could verify if it's real are the Equation Group themself. For anyone else it's impossible to verify - it's just some names.

So: If it's real the Equation Group will bid - probably a lot. If it's fake no one will bid.

So it'll be easy to tell which it is.

> If it's real the Equation Group will bid - probably a lot.

Why? You have no guarantee what you're bidding for will remain private, and you don't want to give it legitimacy by bidding. Who's to say if it's real the Equation Group wouldn't bid, under the assumption that it's already out there and you have absolutely no guarantees that anyone you're dealing with would keep their word.

They would bid to try to track them, not to try to keep it private.
Wouldn't the Equation Group just hack their systems and erase the code?
Can they? The real world is not like a TV show - you can't just hack into any arbitrary system and expect you'll get in.

Some systems you can get into some you can't.

Sure, but there's no incentive to hold anything back.

Let's say you break into a server and steal 10 vulnerabilities, from an organization (e.g. the NSA) who are never going to acknowledge how many vulnerabilities they had or were stolen.

If you want to get the most in the auction, the best thing you could possibly do is to release all 10 of your vulnerabilities for free, claiming that it's just a teaser, and that you have many more. Then you take in bids and disappear. It makes no sense to only release 2 or 3 and hold back the remainder; the unreleased ones are essentially wasted because they didn't actually contribute to any bidding activity: nobody knew they existed when they were bidding. That they exist at all is a happy surprise to the winning bidder, but with no further sales, customer goodwill isn't worth anything.

There's really no incentive to actually follow through on the sale at all. The only purpose of the "goods" to the seller is to attract bids, but with nobody to verify what's actually for sale, the best strategy is to use everything for what amounts to advertising, in the hope of gaining more attention and attracting more bids.

I wouldn't dump it all at once, if I were them, though. I'd do an initial release, and them some more once the initial bids (if there are any) slow down, and keep doing that over and over until the market is entirely worn out and all the vulnerabilities have been disclosed. That's the profit-maximizing strategy, I think.

Alternatively, the whole auction is a ruse to confuse people before they drop the whole thing for free.
Who would that benefit and how?
The seller (they get the money) and everyone else (the world can use the dump for free) but the payer (he payed what the rest of the world got for free).
I also like this part:

> Q: When does auction end? A: Unknown. When we feel is time to end. Keep bidding until we announce winner.

> Everything about this auction is lined up to incentivize a scam.

Actually if they could tie their identity to some positive reputation, the other points wouldn't be so bad (they could still attempt an exit scam).

The fact that they are so honest about the refunds actually makes me think it's not a scam, since scammers would probably lie and promise the opposite.

That's what they want you to think.
If somebody tells you "you are not getting you're money back", I think that no longer makes it a scam. You know exactly what you are getting into at that point.
It can still be a scam if you don't receive the goods.
Not to mention the complete insults to anyone who would want to buy it.

A government would handle this by trying to chase down the autioneers. If they wanted the data, they would buy it from Kaspersky, assuming it's real.

The auctioneers indicate that they have the "server side" code. Kaspersky would only have the "client side" code.

...The client gets infected with malware and sends the data home... to some server. The server side.

But the servers are uninteresting, the clever part is just the client code. And that in original source form, not as the binary. But also much more until the 0-days used are patched.
It would be reasonable to assume that the data in the auction contains as-of-yet undiscovered exploits. this also makes sense when you consider we will not likely know who walks away with this.
If they were really serious, they would be using Dark Leaks.
This is most likely a honeypot to make a list of potential enemies of the state.
It makes sense if they know they've released information that the person who this was leaked from can absolutely verify it's legitimacy, and wants to keep it secret at all costs while also maximizing return.
Correct! This is why they are doing it this way.
it actually makes no sense to set it up like a penny auction. like if you are scamming why not just let people bid by sending you bitcoin then promise to return it if their bid fails but then instead just keep the coin. if you are legitimate then why run it like a scam. i'm sure there is some explanation.
If this is real and has anything that can link the files to the NSA, it has the potential to be a major humiliation for the US.
I suspect that's the real plan here. Use the auction to stir up attention and blackmail any state actors implicated by these files into hushing the whole thing.

Hence the open ended termination.

Alternatively, use the auction to stir up attention and low bids, even though there's nothing here.

Then imply a state actor won (via a large self-bid) or disrupted the auction. Hence the penny-auction structure, where they can walk away and keep preliminary bids.

(comment deleted)
If this is legit, a hack/leak of Equation Group files might just be the coolest hack in history.
(comment deleted)
(comment deleted)
Ha. I was targeted by this auction specifically. The odd thing is whoever is behind this went through the trouble of posting it to the SecureDrop instance behind BerlinLeaks.

https://heartsucker.com/blog/children-at-play

Whoever wrote this possibly "made" all the mistakes on purpose, not to be fingerprinted by its writing style (it's a common technique).

I wonder if software already exists for this, like, purposely filling a text with random mistakes so that the identity of the writer is safe.

> The message we got was full of both types of errors, and it was either written by someone who wasn't a native English speaker, or it was cleverly crafted to sound so.

Yes, I acknowledged this but for a different reason.

There's a lot of game theory that suggests it's not worth betting on this because any bet will have a rational higher one.
Yep - dollar auctions shouldn't ever get bids if I remember. That's one hell of a strange structure if you have a real product.
To prove this is real, they should've:

- Split the leak into multiple chunks, each encrypted with a different key, and each readable/usable on its own

- Announce, ahead of time, that a random chunk will be revealed, based on the hash of block #N on the Bitcoin network

- On block #N, reveal chunk number block_N_hash % num_chunks.

Basically, reveal a provably random chunk in a way that cannot be controlled by the auctioneers, which would ensure that all the chunks are (most likely) real.

Also, if they really want to make this as trust-free as possible, they could use ZKCP [0][1] to make the payment stage and the reveal stage atomic - the moment the payment is taken by the auctioneers, the decryption key is revealed (using hash-locked transactions and zero knowledge proofs).

This, however, won't work with their penny auction style bids.

[0] https://en.bitcoin.it/wiki/Zero_Knowledge_Contingent_Payment

[1] https://bitcoincore.org/en/2016/02/26/zero-knowledge-conting...

(comment deleted)
(comment deleted)
They could even use the blockchain as a source of randomness to choose which chunks of the encrypted file they reveal for free.
That's exactly what my parent comment suggested :-)
Opps didn't see that. =)

Using hashes like you are suggesting you wouldn't even need ZK proofs. There is a simple trick you could do with the keys such that you post a single 128 value which is checkable with a tree of OP_HASH and OP_DUPs and would, with very high probability, reveal all the keys.

As pointed out below the problem with this scheme is that you could hash the same files with a little randomness added and make it look like you have more data to sell than you do. I think with some GC-based ZK proofs you could show this isn't true and each file is legitimately different (for example demonstrating randomly selected bit relationships or word frequencies).

They would need to reveal several chunks, otherwise they could encrypt the same thing n times.
Yes, you're correct, I missed that! An alternative solution is to give a descriptive name to each chunk (could simply be its filename), so that people could see the contents matches the description once its revealed.
That this is happening in real time...wild.
I wouldn't call this auction even remotely smart. Bitcoin is public and can be tracked -- if the files are legit, this is a great way to end up on every nation state watchlist in the world. Oh, you're bidding on these files? That's a great signal to every government that you're a big target.
This reeks of misdirection.

Nobody could be both smart enough to hack Equation Group and dumb enough to think that they could just cash out through bitcoin and walk away.

Smart people screw up all the time..

If they're real, that's probably how these files got out there in the first place.

If you got your hands on something like this, you probably think you're pretty smart, and you'd probably try to come up with some smart way to make some money off this, and this is the plan you'd come up with...

See my first sentence...

Anyone who did even cursory research on Bitcoin would know that it's trivially traceable when redeemed.
Are you suggesting that BTC can't be laundered?
It can be, for example with tumblers, CoinJoin implementations, or conversion to cash at a willing financial institution. However, none of those avenues are reliable for someone facing a sophisticated global adversary.
Just want to make this as clear as possible. Throwaway account, so I won't be replying or ever using this ever again, but let me run through a few things.

* Whomever is running this auction knows everything that has been mentioned in these threads already, and they're probably a few steps ahead of us all. There are multiple indicators that they know what they're doing from a technical standpoint and that it's very likely that these 'weapons' indeed do what they claim. * On the other hand, there's a lot of reason to believe that these could potentially be faked, since the whole auction is just designed to generate income.

Equation Group is a real group. They do exist, they get paid really well to operate, and a couple things jump out as obviously being bait.

If you were to place a bid, (I plan to bid a couple dozen BTC or so, but I want to see what other people do first) then they say they'd contact you with decrypt information and then you'd have the rest.

The real Equation Group is a group of intelligent individuals, rumored to be a group of several dozen people, and so they realize that they all have to operate under the same standards, and resist being correlated. These guys know that every so-called elite hacker that we know about, we know about them because they fucked up. We know that EG exists because their tradecraft WASNT good enough. The real question is whether or not they wanted us to find out. Bitmessage isnt perfect, i2p isnt perfect, none of these tools are perfect and the entire idea of a group that might not even exist contacting a bidder after they may or may not have bid the highest bid is just ridiculous.

There is reason to believe that if EG actually exists, that there might be subdivisions within whatever larger collective they belong to (NSA, CIA, etc) that seem to learn from approaches that can be correlated to work that EG either wanted us to find, or didn't.

Regardless, these guys know enough to not get in trouble over this. Even if they're NSA contractors, or permanent employees, or some sort of secret operatives from some crazy Intel firm, whatever the case is, they aren't going to make some stupid mistake and ruin this.

I'd give this like a 30% chance of being real. Doesn't seem likely.

> I plan to bid a couple dozen BTC or so

I will really be surprised if anyone actually bids any significant amount. Come on, an open-ended auction where they keep all bids? The overly-russian phrasing? Just screams legitimacy.

> I plan to bid a couple dozen BTC or so

You plan to bid $5,000 to $20,000 for this? Are you serious? Where do you work?!?

[S]He's probably one of the folk that got into the bitcoin game back when you could mine one in a day.

It's one of the things that puzzles and fascinates me about bitcoins in general - the early adapters have a disproportionate amount. Seems like a terrible investment because of the cap on growth - as soon as the currency reaches a certain threshold value, the select few cash out a few dozen or hundred. It drops again, they sit back and let demand build up again.

Isn't this obviously a hoax? The screenshots are not at all what I would expect -- python files? shell scripts? in the face of esoteric pieces of C software like stuxnet?

Add on the fact that the author of the readme is clearly writing in an exaggerated Russian / East European accent, with such wild claims and mystery surrounding the terms of the auction...I would suspect joke or alternate reality game more quickly than a hack of Equation Group.

> Add on the fact that the author of the readme is clearly writing in an exaggerated Russian / East European accent, with such wild claims and mystery surrounding the terms of the auction...I would suspect joke or alternate reality game more quickly than a hack of Equation Group.

Without any spelling mistakes.

Does anyone expect GitHub to intervene as the (partial) host here? Does this put them in a legal situation?
Looks like they've already intervened:

"This repository has been disabled.

Access to this repository has been disabled by GitHub staff. Contact support to restore access to this repository. "

> Does this put them in a legal situation?

Not really. GitHub aren't liable for the initial upload due to safe harbor laws. If the dump is fake, then there's no problem for GitHub. Life goes on.

If the dump is real then potentially the owner could force GitHub to remove it, but in doing so would have proven the legitimacy of those files, which is something you don't usually want to do.

GitHub may, of course, choose to suspend the account for their own reasons (I don't know, for example, what their T&Cs are for running auctions via their site, but it's probably not allowed).

There's a fair amount of legal question with what the repo creators are doing: likely at least fraud and very possibly theft, conspiracy, etc. While GitHub does have safe harbor protections, once they're alerted to their service being used for illegal activity they do have to intervene. They can't knowingly continue to host such material and maintain their safe harbor status.
Speculation: Maybe the NSA isn't EQ Group. Maybe the NSA is the auctioneers. "You want record straight? Bid!" The CIA has a long history of being self funding, right? Does the NSA, too?
I agree, but I'd take it one step further. This could be CIA or NSA exposing just enough information given already known public information on the equation group.

At that point it would look completely legit, but could be used to track back large amounts of Bitcoin. If the NSA knows through listening stations which adversary groups are sending how much BTC then they'll be able to follow the leads back significantly.

Combining technical knowledge of trades and BTC movement with CIA knowledge of on-the-ground information may net them some fantastic information.

With the addition of getting a large about of BTC for future funding. That would be a powerful move.

Remember that money causes work. When you give people money in return for doing some type of work, people will do more of it.

So if you buy organic food, people will grow more organic food. If you buy oil, people will pump more oil. If you buy ivory, people will kill elephants for their tusks.

If you put money into this, people will do more of it.

Who would have thought that the FSB had such a sense of humour?
(comment deleted)