Shadow Brokers

A listing appeared on Pastebin on Saturday evening from an entity calling itself the Shadow Brokers, claiming to have obtained "cyber weapons" from the Equation Group — Kaspersky's name for the cluster of operations that public attribution has long linked to NSA. The post offers two archives: a free sample, available immediately, and a larger archive being auctioned for one million bitcoins. The free sample is approximately 240 megabytes and contains what initial analysis confirms to be exploit code, implants, and tooling, much of it dated between 2010 and 2013 (original Shadow Brokers post archive, mirrored by multiple sources). Cisco, Fortinet, and Juniper have spent the weekend confirming that the exploits in the sample dump work against currently supported product lines.

The most attention-getting items in the sample are EXTRABACON, a privilege-escalation exploit against Cisco ASA firewalls (CVE-2016-6366, addressed in Cisco Security Advisory cisco-sa-20160817-asa-snmp), and EPICBANANA, a separate ASA flaw addressed in cisco-sa-20160817-asa-cli (Cisco security advisory page, August 17 batch). Fortinet has confirmed the EGREGIOUSBLUNDER exploit against older FortiGate appliances (Fortinet PSIRT FG-IR-16-023, August 17). The items in the sample that affect Juniper are still being analysed. The age of the exploits suggests that the dump represents tooling captured some time ago — probably in the 2013-2014 window — but the tooling remains operationally useful against deployed estates today, because those estates contain a substantial population of devices whose firmware versions fall within the exploit windows.

The plausibility of the dump's provenance is, on the technical evidence, high. Researchers including Mustafa Al-Bassam and Matt Suiche have analysed the file-naming conventions, the exploit code structure, and the implants (@musalbas / Mustafa Al-Bassam analysis thread, August 14) and have concluded that the artefacts are consistent with the kind of operational tooling described in the Snowden disclosures three years ago, and inconsistent with what a fabricator would produce. The Equation Group attribution is not a stretch on the technical content; what the dump represents in operational terms is harder to assess.

The auction mechanics are a separate puzzle. One million bitcoins is, at current prices, around five hundred million dollars — a price that is not seriously a price; it is a statement. The auction is structured so that bidders effectively donate to the auction wallet without recourse, which is not a serious auction mechanism either. The likely interpretation is that the auction is performative and the disclosure objective is the visibility itself, with the additional possibility that the entity behind Shadow Brokers will follow the sample dump with further releases regardless of the auction outcome. The press release is written in deliberately broken English, which I will not analyse linguistically here (stylometric analyses of the post are widely linked) but which most observers consider deliberately misleading.

For operational work, the patches are out, and patching is the immediate task. Cisco ASA customers across the vCISO portfolio and the SOC fleet have been notified; the Browne Jacobson Cisco estate is patched as of yesterday afternoon, the Towry Cisco estate as of this morning, and the manufacturer's Cisco estate is in the middle of a maintenance window tonight. The Fortinet customer base is smaller and the patches are simpler. The customer with the Juniper NetScreen estate that we patched in December for the ScreenOS Dual EC issue is on alert for whatever surfaces when the Shadow Brokers Juniper analysis comes in.

The wider strategic concern is the precedent. State-grade offensive tooling has, over the past three years, leaked twice — Hacking Team in July 2015 and now this. The Hacking Team leak put commercial-grade implant code into criminal exploit kits within 24 hours; what happens when state-grade tooling is in similar circulation is the question that the next several years will answer. Several of the items in the sample are not exploits against patched-and-deprecated products. They work against currently supported, currently deployed enterprise infrastructure. The patch propagation will, as ever, be incomplete; some fraction of vulnerable devices will remain so for years. The defensive question is structural — every organisation operating internet-facing Cisco, Fortinet, and Juniper appliances now needs to assume that exploits matching some subset of the leaked archive may be in adversary hands, and to harden the architecture accordingly: network segmentation that limits the blast radius of a perimeter compromise; monitoring of administrative access to perimeter devices; egress controls that would catch a perimeter device being used as an exfiltration pivot. The standard advice, applied harder.
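To make the last two of those controls concrete, here is an added example of the kind of check a SOC can run over perimeter flow records; it is not code from the original post or from any vendor. It flags two things the paragraph above asks for: administrative access (SNMP, the service EXTRABACON's advisory concerns, plus SSH and HTTPS) reaching a perimeter appliance from a host that is not on the management allow-list, and a perimeter appliance opening its own connection to an outside address on a port it has no routine reason to use. The flow-record format, the device and management-host addresses, the port lists and the internal ranges are all constructed assumptions; substitute your own inventory.

```python
"""Flag suspicious perimeter-device flows.

Added example, not from the original post. Assumes a constructed flow-record
format "src_ip dst_ip proto dst_port"; all addresses below are placeholders.
"""
import ipaddress

# Hypothetical perimeter appliances keyed by management address (placeholders).
PERIMETER_DEVICES = {
    "203.0.113.1": "asa-edge-1",
    "203.0.113.2": "fortigate-edge-1",
}
# Hypothetical hosts permitted to administer the appliances (placeholders).
MANAGEMENT_HOSTS = {"10.0.5.10", "10.0.5.11"}
# Ports on the appliances that count as administrative access (assumption).
ADMIN_PORTS = {161: "snmp", 22: "ssh", 443: "https"}
# Address ranges treated as inside the estate (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Outbound services a perimeter device is expected to use itself (assumption).
EXPECTED_DEVICE_EGRESS_PORTS = {53, 123}


def is_internal(ip):
    """True if the address falls inside one of the estate's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_flow(line):
    """Classify one flow record; return a finding tuple or None."""
    fields = line.split()
    if len(fields) < 4:
        return None
    src, dst, proto, port = fields[0], fields[1], fields[2], int(fields[3])
    # Finding 1: an administrative port on a perimeter device reached from a
    # host that is not on the management allow-list. Unexpected SNMP is the
    # first thing to look at given the ASA SNMP advisory.
    if dst in PERIMETER_DEVICES and port in ADMIN_PORTS and src not in MANAGEMENT_HOSTS:
        return ("unexpected-admin-access", PERIMETER_DEVICES[dst], src, ADMIN_PORTS[port])
    # Finding 2: a perimeter device initiating its own connection to an outside
    # address on a port outside its expected set: the egress-pivot pattern.
    if (src in PERIMETER_DEVICES and not is_internal(dst)
            and port not in EXPECTED_DEVICE_EGRESS_PORTS):
        return ("device-egress", PERIMETER_DEVICES[src], dst, f"{proto}/{port}")
    return None


def scan(lines):
    """Run check_flow over every record and collect the findings in order."""
    findings = []
    for line in lines:
        finding = check_flow(line)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample flow records: "src_ip dst_ip proto dst_port".
SAMPLE_FLOWS = [
    "10.0.5.10 203.0.113.1 udp 161",      # SNMP from a management host: expected
    "10.0.7.44 203.0.113.1 udp 161",      # SNMP from a workstation subnet: flag
    "192.168.1.20 203.0.113.2 tcp 22",    # SSH from an unlisted host: flag
    "203.0.113.1 198.51.100.5 udp 123",   # device NTP outbound: expected
    "203.0.113.1 10.0.1.5 udp 53",        # device DNS to an internal resolver: expected
    "203.0.113.1 198.51.100.20 tcp 443",  # device opening HTTPS to the internet: flag
    "10.0.7.44 198.51.100.20 tcp 443",    # ordinary user web traffic: not a device
]

if __name__ == "__main__":
    for kind, device, peer, detail in scan(SAMPLE_FLOWS):
        print(f"{kind}: {device} <-> {peer} ({detail})")
```

The point of the second rule is that a compromised firewall looks, from the outside, like a firewall that has started behaving as a client; an allow-list of the handful of outbound services the appliance legitimately needs is a cheap way to make that visible.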

The political concern, separately, is the question of who Shadow Brokers is. The candidate set is small. The Russian state, in retaliation for or as an escalation of the DNC information operation, on the prevailing reading of that event. An insider at NSA or a contractor — Snowden 2.0, or someone with a more limited access window. A state-sponsored cluster from somewhere else. A criminal organisation with unusual access. None of those candidates is good, and none of them has the same operational implications. The intelligence community will spend the autumn working through that question; the public will probably not see most of the work; the answer, when it arrives, will affect the strategic posture of the United States toward whichever actor turns out to be responsible.

I will write more as the analysis matures. Tonight: patching.
