NSA Equation Group Breach

By Souti Dutta

September 27, 2016

NSA Breach: Am I Impacted?

On August 13, 2016, a data breach was announced by a previously unknown threat actor calling itself TSB, or The Shadow Brokers. The victim was a hacking group operated by the NSA and commonly known as the Equation Group. A part of the leaked data was uploaded to several sites, including MEGA (mega.nz), as a free teaser. At the same time, an auction announcement for the remaining data was posted to various sites, including Twitter, GitHub, Tumblr, Reddit, Imgur, and Pastebin.

Can I Get Compromised?

List of Identified Exploitable Vulnerabilities

The exploits target Fortinet, Cisco PIX/ASA, Juniper NetScreen, TOPSEC, and WatchGuard firewalls, bypassing authentication and establishing backdoor access. Several other, as yet unidentified, vendors are also likely affected.

A summary of the affected impact points and vendors is presented below:

A full list of the leaked tools can be viewed by visiting the following URL: http://goo.gl/stGC94


Taking advantage of “zero-day” (previously unknown) vulnerabilities is the primary purpose behind devising these tools, malware and exploits. However, according to experts, this arsenal of sophisticated tools may be quite dated: based on the creation and compilation dates, it has been claimed that the tools were developed sometime in 2013 (http://goo.gl/JIIwR5).

As of writing, Cisco and Juniper are the only organizations that have openly acknowledged that the leaked tools are designed to target their devices. In an email, a Cisco spokesperson stated:

“Cisco is in the process of investigating all aspects of the exploit. We are following our well-established process to investigate and disclose vulnerabilities. If something new is found that our customers need to be aware of and respond to, we will share it through our established disclosure processes.”

Ref: http://goo.gl/S9ENyo


Although the leaked tools are without doubt sophisticated and authentic hacking gear, given the compilation dates it is reasonable to assume that most of the targeted vulnerabilities have been patched by now. The best way to confirm this is to check the patch level of the devices in question. If a device is running the latest security updates provided by its OEM, the majority of these exploits can be avoided.

Am I Already Compromised?

  • C&C Infrastructure Employed by Equation Group (117 Domains, 25 IP Addresses)
    - A list of domains and IP addresses primarily employed by the Equation Group as part of their C&C infrastructure. The list is accessible via: http://goo.gl/TprM5X. If any incoming and/or outgoing communication with any of the listed IPs or domains is observed in firewall, UTM or proxy logs, that is a valid reason to dig deeper and investigate further.
  • Anti-Virus Detection Names (43 Names)
    - These detection names are the basic indicators that a known piece of Equation Group malware has been introduced into a system. The AV detection names listed are specific to Kaspersky products and are accessible via: http://goo.gl/TprM5X.
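The log check described above, as an added example that is not part of the original post: it sweeps firewall and proxy log lines for traffic to or from an indicator list, matching IPs against CIDR ranges and hostnames against domains (including subdomains). The indicator values and the key=value log format are constructed for the example and are not the real Equation Group list, which lives at the link above.

```python
import ipaddress
import re

# Constructed placeholder indicators (reserved documentation ranges and reserved TLDs);
# in practice, load the real domain/IP list the post links to instead.
IOC_DOMAINS = {"example-c2.invalid", "update-check.example"}
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.7/32")]

# Constructed sample lines in an assumed key=value firewall/proxy export format.
SAMPLE_LOGS = """\
2016-08-15T10:01:02 fw1 action=allow src=10.0.0.5 dst=203.0.113.7 dport=443
2016-08-15T10:01:09 fw1 action=allow src=10.0.0.9 dst=93.184.216.34 dport=80
2016-08-15T10:02:11 proxy1 action=allow src=10.0.0.5 host=cdn.example-c2.invalid dport=80
2016-08-15T10:03:40 fw1 action=deny src=198.51.100.77 dst=10.0.0.2 dport=22
2016-08-15T10:04:01 proxy1 action=allow src=10.0.0.12 host=notexample-c2.invalid dport=443
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def domain_matches(host):
    """True if host equals an IoC domain or is a subdomain of one (a plain suffix is not enough)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def ip_matches(addr):
    """True if addr falls inside any IoC network; values that are not IPs never match."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in IOC_NETWORKS)

def scan_logs(text):
    """Return (line_no, field, value) for every field hitting an indicator, inbound or outbound."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = dict(KV_RE.findall(line))
        for key in ("src", "dst"):
            if key in fields and ip_matches(fields[key]):
                hits.append((n, key, fields[key]))
        if "host" in fields and domain_matches(fields["host"]):
            hits.append((n, "host", fields["host"]))
    return hits

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print("line %d: %s=%s matches a C&C indicator; investigate" % hit)
```

A hit is a starting point for investigation, not proof of compromise; the denied inbound line 4 shows why source addresses are checked too.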


The NSA breach is a very significant event in the torrent of such leaks, because whoever the hackers were, they were able to defeat NSA security and get their hands on this hacking treasure trove. However, there is also speculation that the leak could have been a mistake by an NSA team member.

Because the contents were made available to the public, there is an additional risk of less capable attackers using these exploits against unpatched vulnerabilities. Most of the world's networks run on Cisco and Juniper equipment, and the exploits released so far primarily target devices from these manufacturers. This is like having the master key to just about every door in the neighbourhood.

Most significantly, if the breach really did happen, these hackers probably had access to NSA material for months or perhaps even years. It is still unknown what else they have in their possession.

So, what next? Although most of the exploits currently available publicly are outdated, businesses need to ensure that their devices and applications are updated with the latest patches, and security operations teams should be more vigilant about incoming and outgoing traffic. That said, there is no ‘silver bullet’ to mitigate this threat. One can only take steps to minimize the chance of a breach and secure data.
