Hackers claim to have stolen tools from NSA-linked attack squad

A hacker group going by the name "Shadow Brokers" has started an online auction for hacking tools it claims to have stolen from an attack squad linked to the US National Security Agency.

The Shadow Brokers posted news of the auction to Pastebin this morning, stating they would release tools pilfered from the Equation Group if they receive $1 million in Bitcoin through the sale. 

"We want make sure Wealthy Elite recognises the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for Elites. Your wealth and control depends on electronic data," the hackers wrote.

"You see what 'Equation Group' can do. You see what cryptolockers and stuxnet can do. You see free files we give for free. You see attacks on banks and SWIFT in news. Maybe there is Equation Group version of cryptolocker+stuxnet for banks and financial systems?"

The hackers posted sample code for what they say is around half of what they have in total online.

They promised the "best files" would be released after the auction. Most of the postings on sites like Github and Tumblr have since been taken down.

They refused to detail what was in the auction files to encourage Equation Group to bid in the sale and pump up the price.

While they did not provide any technical details on they managed to access the files, the hackers claimed they followed Equation Group's "traffic", finding its "source range" and discovering "many many cyber weapons". 

Equation Group was first linked to the NSA by security vendor Kaspersky in February last year.

The security vendor at the time claimed the group was the most advanced hacking collective it had come across. Kaspersky did not directly identify Equation Group as an arm of the NSA, but laid out evidence that linked the group to the spy agency.

The files dumped by the Shadow Brokers include exploits for specific routers and firewalls as well as command and control configurations and installation scripts.

iTnews was unable to verify the veracity of the dumped data.

Security experts appeared sceptical of the significance of the files.

"This #EquationGroup free dump seems mostly binary builds, installation scripts, and general configuration for a C&C. Seems credible," security researcher Claudio Guarnieri wrote on Twitter.

"There are nothing from Equation, only names from ANT catalog [an NSA hacking toolset made publicby Der Speigel in 2013]," Kaspersky researcher Aleks Gostev said. 

"Most of the code appears to be batch scripts and poorly coded python scripts. Nonetheless, this appears to be legitimate code," security pro Matt Suiche wrote.

Matt Tait (@pwnallthethings) noted the size of the free files on offer was larger than the size of the auction file.

"Hypothesis: files are from an old counter-hack (would be insane to dox an ongoing op vs EG) being rolled out as #DNCleak gunboat diplomacy," he said.