Shadow Brokers Posted A New Leak From NSA

Shadow Brokers, the group that published National Security Agency hacking tools this past August, has posted a new leak that the group said showcases hundreds of organizations the NSA targeted over more than a decade.

“TheShadowBrokers is having special trick or treat for Amerikanskis tonight,” said the group, according to a report, which said the post was signed with the same encryption key used in the August posts. “Many missions into your networks is/was coming from these ip addresses.”

According to the report, the leak on Monday (Oct. 31) came from former NSA contractor Harold Thomas Martin III, who remains in federal custody on charges that he kept 50 terabytes of data in his home. Much of the data included highly classified information, such as the names of intelligence officers in the U.S. It also included the methods behind intelligence operations, the report noted. Martin came onto investigators’ radar when they were looking into the August leak by the Shadow Brokers, the report said. Unnamed sources said they don’t know if Martin is associated with the group.

The report noted the leak on Monday contains 352 distinct IP addresses and 306 domain names that have come from an NSA hack. The timestamps included in the leak reveal the servers were targeted between Aug. 22, 2000, and Aug. 18, 2010. The addresses include 32 .edu domains and nine .gov domains. The targets were located in 49 countries, with the top 10 being China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy and Russia, noted the report.

Other information revealed in the data dump includes the configuration settings for an as-yet-unknown toolkit used to hack servers running Unix operating systems. “If this data is believed, then it may contain a list of computers which were targeted during this time period,” analysis provided by Hacker House, a firm that offers various security services, stated in the report. “A brief Shodan scan of these hosts indicate that some of the affected hosts are still active and running the identified software. These hosts may still contain forensic artifacts of the Equation Group APT group and should be subject to incident response handling procedures.”