The Shadow Brokers, a mysterious hacker group that emerged in August, has released files detailing targets that the NSA-linked Equation Group may have been using as launch points for cyberwarfare operations.
The Shadow Brokers announced their Halloween operation, called "Trick-or-Treat," in a post on the blogging platform Medium. The post bemoans the effect of money on the political process, and then threatens the entire electoral process.
"USSA elections is coming! 60% of Amerikansky never voting. Best scenario is meaning half of remaining red or blue fanatics or 20% of the most fanatical is picking USSA government? A great power. A free country. A good-doer. TheShadowBrokers is having suggestion. On November 8th, instead of not voting, maybe be stopping the vote all together? Maybe being grinch who stopped election from coming? Maybe hacking election is being the best idea?"
Toward the end of the post are links to encrypted files. According to the cybersecurity firm HackerHouse, the files contain "configuration data for an as-yet-undisclosed toolkit," as well as "a number of IP addresses and hosts which may have been targeted by the tools."
Analysis of the targeted IPs shows that the majority of them are based in Asian countries, with China topping the list, followed by Japan and Korea. Non-Asian countries in the top-10 list include Spain, Germany, Mexico, Italy, and Russia. Among the targeted hosts, 32 are in .edu domains and nine are in .gov domains.
HackerHouse suggests that the NSA's secret toolkit is likely used for "backdoor/implant" operations, which means that the Equation Group could be staging attacks on other targets from the compromised servers listed in the Trick-or-Treat leak. Launching attacks from these third-party servers is likely meant to "hinder attribution" and obscure the true source of the attacks.
Cybersecurity researcher Matt Suiche told ZDNet that there isn't "much to see" in the file dump. The configuration data is useless without the tools used by the Equation Group.
The leak contains no exploits, vulnerabilities, or source code, unlike the Shadow Brokers' August leak, which made available a selection of actual, usable tools created by the Equation Group.
With the release, ZDNet reports the Shadow Brokers left the following message: "This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files."
The hacker group said in August that they want to raise one million Bitcoins in the auction, or $567,130,000. So far, they have reportedly raised $1,400. The most recent leak could be an attempt to keep the Shadow Brokers' name in the news in order to boost the selling price of the files from their previous hack.