Kaspersky confirms connection between ShadowBrokers' malware and NSA-linked Equation Group
Identical implementations of the RC5 and RC6 symmetric block ciphers confirm the link between the malware cache and the Equation Group
The cache of malware supposedly being auctioned off by the previously unknown ShadowBrokers hacking group is almost certainly the work of the Equation Group, a group of hackers linked with the US National Security Agency (NSA), according to security specialists Kaspersky.
The claim backs up the suggestion of NSA whistleblower Edward Snowden that the auction, far from being the fruit of the work of a group of especially talented hackers, is in fact intended as a coded message from Russian intelligence to the US.
Kaspersky was the first to identify the Equation Group and some of its tools, in a report published back in 2015. It conjectured that the Equation Group, which had a 15-year history of precision cyber attacks against nation-state targets, was a front for the NSA.
It says that a rare implementation of the RC5 and RC6 symmetric block ciphers is one of a number of factors linking the ShadowBrokers dump with the Equation Group malware.
"Along with some non-native rants against 'Wealthy Elites', the ShadowBrokers provided links to two PGP-encrypted archives. The first was provided for free as a presumptive show of good faith, the second remains encrypted at the time of writing," according to the blog posting from Kaspersky Lab's Global Research & Analysis Team.
The passphrase is supposedly being 'auctioned', but with a reserve price of one million bitcoins, which would cost more than $570m at the current price.
Initial tests of the released archive of malware indicate that the exploits do work.
"The first archive contains close to 300MB of firewall exploits, tools, and scripts under cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION. Most files are at least three years old, with change entries pointing to August 2013 and the newest timestamp dating to October 2013," continues the analysis.
"While we cannot surmise the attacker's identity or motivation nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group," Kaspersky claims.
The basis for the claim is the tools' use of the RC5 and RC6 symmetric block ciphers, which would have been used to protect the malware when it was staged on a server 'in the field' rather than (assuming the NSA was ultimately responsible for devising the malware) on a server directly controlled by the NSA.
"The ShadowBrokers' free trove includes 347 different instances of RC5/RC6 implementations... Comparing the older, known Equation RC6 code and the code used in most of the binaries from the new leak we observe that they are functionally identical and share rare specific traits in their implementation," claims Kaspersky.
The RC6 implementation in particular is so rare, it adds, that it has only ever been seen before within Equation Group malware.
"There are more than 300 files in the ShadowBrokers' archive which implement this specific variation of RC6 in 24 different forms. The chances of all these being faked or engineered are highly unlikely.
"This code similarity makes us believe with a high degree of confidence that the tools from the ShadowBrokers leak are related to the malware from the Equation Group," it concludes.
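To make the attribution argument concrete, the following is an added example, written for this page and not code from Kaspersky, the article, or the leaked archive. It implements the reference RC6-32/20/16 key schedule and block cipher from the RC6 specification, so the reader can see where the two key-schedule constants P32 and Q32 come from, and pairs it with the cheapest first step an analyst takes when counting "instances of RC5/RC6 implementations" in a dump: scanning binaries for those constants. The scanner also looks for the two's-complement form of Q32, which a key schedule written with subtraction instead of addition would contain; that check is a general assumption about how implementations vary, and the page does not say which "rare specific traits" Kaspersky actually matched on. The sample blob is constructed here, not taken from the leak.

```python
"""Reference RC6-32/20/16 plus a constant scanner for spotting RC5/RC6 key
schedules in binaries.  Added example; not Kaspersky's or the leak's code."""
import struct

W = 32                     # word size in bits (RC6-32)
MASK = (1 << W) - 1
LG_W = 5                   # log2(W): rotation amounts use only the low 5 bits
P32 = 0xB7E15163           # Odd((e - 2) * 2^32), shared by RC5-32 and RC6-32
Q32 = 0x9E3779B9           # Odd((phi - 1) * 2^32), likewise shared


def rotl(x, n):
    n &= W - 1
    return ((x << n) | (x >> (W - n))) & MASK


def rotr(x, n):
    n &= W - 1
    return ((x >> n) | (x << (W - n))) & MASK


def rc6_key_schedule(key: bytes, rounds: int = 20):
    """Expand `key` into 2*rounds+4 round words as the RC6 spec does.
    S[0] starts at P32 and every later word adds Q32 before mixing, which is
    why those two constants are a reliable fingerprint of an RC5/RC6 schedule."""
    c = max(1, (len(key) + 3) // 4)
    L = list(struct.unpack("<%dI" % c, key.ljust(4 * c, b"\0")))
    t = 2 * rounds + 4
    S = [(P32 + i * Q32) & MASK for i in range(t)]
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = rotl((L[j] + A + B) & MASK, A + B)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def rc6_encrypt_block(S, block: bytes, rounds: int = 20) -> bytes:
    """Encrypt one 16-byte block (little-endian words) with round keys S."""
    A, B, C, D = struct.unpack("<4I", block)
    B = (B + S[0]) & MASK
    D = (D + S[1]) & MASK
    for r in range(1, rounds + 1):
        t = rotl((B * (2 * B + 1)) & MASK, LG_W)
        u = rotl((D * (2 * D + 1)) & MASK, LG_W)
        A = (rotl(A ^ t, u) + S[2 * r]) & MASK
        C = (rotl(C ^ u, t) + S[2 * r + 1]) & MASK
        A, B, C, D = B, C, D, A
    A = (A + S[2 * rounds + 2]) & MASK
    C = (C + S[2 * rounds + 3]) & MASK
    return struct.pack("<4I", A, B, C, D)


def rc6_decrypt_block(S, block: bytes, rounds: int = 20) -> bytes:
    """Inverse of rc6_encrypt_block: undo the rounds in reverse order."""
    A, B, C, D = struct.unpack("<4I", block)
    C = (C - S[2 * rounds + 3]) & MASK
    A = (A - S[2 * rounds + 2]) & MASK
    for r in range(rounds, 0, -1):
        A, B, C, D = D, A, B, C
        u = rotl((D * (2 * D + 1)) & MASK, LG_W)
        t = rotl((B * (2 * B + 1)) & MASK, LG_W)
        C = rotr((C - S[2 * r + 1]) & MASK, t) ^ u
        A = rotr((A - S[2 * r]) & MASK, u) ^ t
    D = (D - S[1]) & MASK
    B = (B - S[0]) & MASK
    return struct.pack("<4I", A, B, C, D)


def rc_constant_hits(blob: bytes):
    """Return {label: [offsets]} for every RC5/RC6 key-schedule constant found
    in `blob`.  Looks for little-endian P32 and Q32, plus the two's-complement
    of Q32 (0x61C88647), which a schedule written as S[i] = S[i-1] - c would
    embed instead; that last pattern is an assumption about implementation
    variation, not a trait the article attributes to Kaspersky's analysis."""
    patterns = {
        "P32": struct.pack("<I", P32),
        "Q32": struct.pack("<I", Q32),
        "-Q32": struct.pack("<I", (-Q32) & MASK),
    }
    hits = {}
    for label, pat in patterns.items():
        offs, start = [], 0
        while (idx := blob.find(pat, start)) != -1:
            offs.append(idx)
            start = idx + 1
        if offs:
            hits[label] = offs
    return hits


# Constructed sample "binary" (not from the leak): a few x86 bytes around the
# canonical seed constants and the negated-Q variant.
SAMPLE_BLOB = (b"\x55\x48\x89\xe5" + struct.pack("<I", P32) + b"\x90" * 7
               + struct.pack("<I", Q32) + b"\xc3" + struct.pack("<I", (-Q32) & MASK))


def self_test() -> bool:
    """Check against the published RC6 test vector (all-zero key and block)."""
    S = rc6_key_schedule(bytes(16))
    ct = rc6_encrypt_block(S, bytes(16))
    return ct == bytes.fromhex("8fc3a53656b1f778c129df4e9848a41e")


if __name__ == "__main__":
    print("RC6 self-test:", self_test())
    print("constant hits:", rc_constant_hits(SAMPLE_BLOB))
```

A constant hit only says "something here looks like an RC5/RC6 key schedule"; it is the triage step. Kaspersky's conclusion rests on the next step, comparing the surrounding code across the matched binaries and finding the same unusual implementation choices, which a byte scan alone cannot establish.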