Equation: Has secretive cyberespionage group been breached? 

Aug 16, 2016 01:54 PM

An attack group calling itself the Shadow Brokers has released a trove of data it claims to have stolen from the Equation cyberespionage group. The data contains a range of exploits and tools that the attack group says were used by Equation. The Shadow Brokers said that the data dump was a sample of what it had stolen by hacking Equation and that the “best” files would be auctioned off to the highest bidder.

Equation was uncovered last year, when it was found to be using highly advanced malware tools to target organizations in a range of countries. The group is technically competent and well resourced, using highly developed malware tools that go to great lengths to evade detection.

Symantec Security Response is analyzing the data released by Shadow Brokers in order to assess the accuracy of the group's claims and will update our malware and exploit protections if necessary.

Q: How much data has been released?
A: Shadow Brokers released a 256-megabyte compressed archive containing around 4,000 files.

Q: What kinds of files are in the archive?
A: The files mainly appear to be installation scripts, configuration files, and exploits targeting a range of routers and firewall appliances.

Q: How old is the data?
A: Most of the files appear to be several years old, dating back to between 2010 and 2013.

Q: Does the data dump actually contain working exploits?
A: It will take some time to assess all of the released files. However, early indications are that at least some of the tools released are functioning exploits.

Q: What do we know about Shadow Brokers?
A: The group has no prior history. While it may be previously unknown, “Shadow Brokers” could also be a cover name for another group.

Q: What do we know about the unreleased data held by the group?
A: Very little. It has said it is keeping this a secret and simply claimed that it contains the “best” files.

Q: How will it auction the unreleased data?
A: The group provided a Bitcoin address and instructed interested parties to send Bitcoin to it. Losing bids would not be refunded and instead losing bidders would be granted “consolation prizes”. It claimed it was seeking to raise the incredibly large sum of 1 million Bitcoin (US$576.3 million) and, if it received this, it would publicly release more data.

Q: Is it possible this is a hoax?
A: While the files released are certainly not junk, it will take some time to fully establish if they are definitely linked to the Equation group.

Q: Does the data dump have links to any known tools?
A: Some of the files reference alleged US National Security Agency (NSA) tools named in the Edward Snowden leaks, e.g. “EPIC BANANA”, “EXTRA BACON”, and “ELIGIBLE CONTESTANT.” However, since these names were already public information it doesn’t provide proof of the files’ origin.

Update – August 18, 2016:

Q: There have been reports that leaked files contain a unique implementation of the RC5/RC6 encryption algorithm that has previously only been seen in Equation Group malware. Can you corroborate this?
A: We don’t believe this can prove a definite link between the two. The RC5/RC6 implementations are similar, in that some values used for instantiating the algorithm in their implementation were negated. However, further analysis by Symantec found a large number of files previously seen in the wild where these values were also present. We believe that the negated values might be an optimization introduced by the compiler used. In short, the similarities could have come about by accident rather than design.
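
Why a negated constant is weak evidence, as an added example that is not code from the leak, from Equation malware, or from Symantec. It assumes the values in question are the standard RC5/RC6 constant Q for 32-bit words; the function names and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RC5_P32     0xB7E15163u /* standard RC5/RC6 constant P for 32-bit words */
#define RC5_Q32     0x9E3779B9u /* standard RC5/RC6 constant Q for 32-bit words */
#define RC5_NEG_Q32 0x61C88647u /* -Q mod 2^32: the "negated" form */
#define RC5_T 26                /* table words: 2 * (12 rounds + 1) */
#define RC5_C 4                 /* 16-byte key as 32-bit words */

/* Constructed sample inputs (not taken from any real file). */
const uint8_t SAMPLE_KEY[16] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
const uint8_t SAMPLE_ADD[] = {0x05, 0xB9, 0x79, 0x37, 0x9E}; /* add eax, Q  */
const uint8_t SAMPLE_SUB[] = {0x2D, 0x47, 0x86, 0xC8, 0x61}; /* sub eax, -Q */

static uint32_t rotl32(uint32_t x, uint32_t n) {
    n &= 31;
    return n ? (x << n) | (x >> (32 - n)) : x;
}

/* Initial table: textbook "add Q" or the equivalent "subtract -Q". */
void rc5_init_table(uint32_t S[RC5_T], int negated) {
    S[0] = RC5_P32;
    for (int i = 1; i < RC5_T; i++)
        S[i] = negated ? S[i - 1] - RC5_NEG_Q32 : S[i - 1] + RC5_Q32;
}

/* RC5-32/12/16 key expansion using either form of the constant. */
void rc5_expand(const uint8_t key[16], uint32_t S[RC5_T], int negated) {
    uint32_t L[RC5_C] = {0}, A = 0, B = 0;
    for (int i = 15; i >= 0; i--)            /* little-endian key words */
        L[i / 4] = (L[i / 4] << 8) + key[i];
    rc5_init_table(S, negated);
    for (int k = 0, i = 0, j = 0; k < 3 * RC5_T; k++) {
        A = S[i] = rotl32(S[i] + A + B, 3);
        B = L[j] = rotl32(L[j] + A + B, A + B);
        i = (i + 1) % RC5_T;
        j = (j + 1) % RC5_C;
    }
}

/* 1 if both forms yield the same expanded key (they always do mod 2^32). */
int rc5_variants_match(const uint8_t key[16]) {
    uint32_t a[RC5_T], b[RC5_T];
    rc5_expand(key, a, 0);
    rc5_expand(key, b, 1);
    return memcmp(a, b, sizeof a) == 0;
}

/* Count little-endian occurrences of a 32-bit constant in a byte buffer. */
size_t count_const_le(const uint8_t *buf, size_t len, uint32_t c) {
    const uint8_t pat[4] = {(uint8_t)c, (uint8_t)(c >> 8),
                            (uint8_t)(c >> 16), (uint8_t)(c >> 24)};
    size_t hits = 0;
    for (size_t i = 0; i + 4 <= len; i++)
        hits += memcmp(buf + i, pat, 4) == 0;
    return hits;
}
```

Because both forms produce the same key schedule, a compiler is free to emit either one, and a signature keyed on one constant misses the other form while matching any unrelated binary that happens to contain it.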

Q: Have patches been released for any of the vulnerabilities disclosed in the leak?
A: To date, Cisco and Fortinet have issued security updates after exploits for their products were found in the leak. Cisco said that the leaked files contained exploits of two vulnerabilities affecting a number of its products: the Cisco ASA (Adaptive Security Appliance) and legacy Cisco PIX firewalls. The company has issued security advisories for both:

Cisco said that while CVE-2016-6366 was a newly discovered vulnerability, CVE-2016-6367 had been fixed in 2011.

Meanwhile Fortinet has published a security advisory about a cookie parser buffer overflow vulnerability which it said affected older versions of its FortiGate (FOS) firmware, versions 4.3.8 and below. Customers are advised to upgrade to release 5.x or upgrade to 4.3.9 or above for models not compatible with 5.x.

Q: Did the leak include any exploits for Symantec products?
A: No exploits of Symantec products were found in the released files. Our investigation is still in progress.

Update – August 23, 2016:

Q: Are Juniper Networks products affected by the leak?
A: Juniper Networks has said the leak included tools targeting its NetScreen devices. “As part of our analysis of these files, we identified an attack against NetScreen devices running ScreenOS,” a Juniper Networks spokesperson said. “We are examining the extent of the attack, but initial analysis indicates it targets the boot loader and does not exploit a vulnerability on ScreenOS devices.” The company said it would continue its analysis and publish any new information in a blog or security advisory once more is known.

Q: Has any money been sent to the Shadow Brokers yet?
A: Records associated with the Bitcoin address provided by the Shadow Brokers show that the group has received 63 payments totaling 1.76 Bitcoin (approximately US$1,023). The majority came from a single payment of 1.5 Bitcoin.

Q: Do Symantec products detect the tools released in the leak?
A: Symantec and Norton products protect against the malware and exploits found in the leak with the following detections:


Intrusion prevention


Dec 09, 2016 04:42 AM

“Based on the sophistication of Strider operations and malware it is more likely that their operations are based on selective targeting as opposed to the group struggling to successfully compromise intended targets.

Dec 09, 2016 12:19 AM

Great article. Symantec is always ahead of all security products. Symantec has already released the antivirus and IPS signatures to protect against this type of attack.

Dec 08, 2016 04:14 PM

With the rise of bitcoin this is to be expected. In the past a secure way to get cash for providing illegally obtained data was hard cash, as it is hard to trace. However, that has one major constraint, which is proximity. Now with bitcoin these illegal activities can be done on a global level. It is quite scary to think of that, and on the other hand it is also scary to think that banks own most of our money.

Dec 01, 2016 02:28 PM

Nice to have all the details in one spot for easy reference.  Also funny/scary that the hackers are hacked themselves. Thanks!

Nov 18, 2016 03:59 PM

I like to see the hackers being hacked.

It's good news to see the tools and methods hacking groups use to penetrate and infect systems.

I'm glad Symantec has validated/invalidated the questions going around for this data dump. It calms some fears that people have and also shows that there are groups/companies out there fighting for them.


Nov 10, 2016 05:37 AM

As of today (10th of October) they have now received just 2 Bitcoins. Here is the link to that bitcoin address in question for those wanting to donate.. ;-)


Judging from the vendor responses, these hacks are legitimate. Which is interesting, as very few parties seem to be eager to bid on this. And it all seems to have gone very quiet. Which begs the question, why?

Oct 04, 2016 10:42 AM

Interesting article. I am surprised they have only received 1.76 Bitcoin so far but it is a relief that there is protection offered by Symantec against the malware and the exploits found in the leak.

Sep 24, 2016 06:53 AM

Cyberespionage group Equation was uncovered last year, when it was found to be using highly advanced malware to target organisations across the globe.

Symantec has already released the signature to protect against this type of threat.

Sep 23, 2016 08:08 AM

If this were the NSA then it would suggest a hypocrisy when they said that Huawei kit would leave the US open to attacks. Very interesting to see vulnerabilities for companies such as Cisco in the list.

Sep 23, 2016 05:19 AM

It seems a large amount of data has been breached. This shows that data security is still not taken as a priority by businesses and other stakeholders who hold critical information. We need to be more proactive and preventive on data security, or else our privacy will be breached and we will hear more such examples.

Sep 23, 2016 04:09 AM

Great article. Sometimes I feel nothing is secure, as attacks are taking place almost everywhere and you need to broaden your vision to implement security solutions and cover the entire IT network perimeter with multiple-tier security with an integration approach.

Sep 22, 2016 10:04 PM

Great article. I am sure that the security posture in terms of patch and vulnerabilities for OS and applications must be remediated. Ultimately data is important and every attempt is made to find the exploit. Therefore integrated endpoint security architecture is mandatory.

Sep 20, 2016 05:42 AM

I'm fairly sure that the dump will contain working exploits and even if they are out of date or from 2013 we all know how good/bad people can be at patching their systems and I'm not just talking about home users either. Nice that Symantec keep us up to date with all the information, also good to see the article was updated again when more information was uncovered.

Sep 17, 2016 03:47 AM

Tight and meaningful security is what every organization should implement. Most organizations just buy solutions and don't care how they are implemented and operated. I think there is the gap and threat for risk and security posture. Also it's important to keep the solutions/consoles/OS updated with the latest versions/hot fixes/patches, etc.

Sep 15, 2016 01:48 PM

The primary concern here is the legitimacy and age of the exploits/data.  If they really wanted to profit from this, they'd release enough of the data to prove any worth.  Waiting to see how this plays out. 

Sep 14, 2016 02:17 PM

It's pretty amazing that this sort of stuff even exists. All these underground things happening that the average person would be none the wiser to. Incredible work as well and a good dent in it.

Sep 12, 2016 11:15 AM

Very Interesting...Thank you Symantec

Sep 12, 2016 08:46 AM

What I would like to see in the future would be proactive security measures instead of reactive. We spend too much time patching systems that have vulnerabilities and not enough time hardening our defenses. Understandably we cannot ensure 100% of our software cannot or will not be exploited, but what about built-in security measures that would help with this? I think we need to shift our mindset from reactive to proactive and start coding/programming for the big picture. My two cents.

Sep 10, 2016 05:58 AM


Shadow Brokers stole from the Equation cyberespionage group.

Thieves stealing from other thieves. (hacker just got hacked!!!)

It clearly shows shadow brokers are bigger thieves OR they are the part of Equation group!!!  And they are in open.

Shadow Brokers wants money (do they really!!) and they would sell this stolen loot to the highest bidder.

What is NSA doing about it? Seems Shadow Brokers are giving an open challenge to NSA.

Sep 09, 2016 01:25 AM

Whether the group was really hacked or if it was an inside job, this article truly reiterates for me that nothing is unhackable and any agency that doesn't try its best to secure itself or takes security lightly is really harming itself. It's amazing how many companies out there take security lightly. Another good article by Symantec.

Sep 07, 2016 04:09 PM

Good article, although the information seems a bit old to me.



Sep 05, 2016 06:53 AM

Very interesting to see vulnerabilities for companies such as Cisco in the list. While they would never admit it, if this were the NSA then it would suggest a hypocrisy when they said that Huawei kit would leave the US open to attacks. 

Sep 04, 2016 02:19 AM

 The data contains a range of exploits and tools the attack group state were used by Equation

Sep 02, 2016 10:25 PM

This really helps put things in perspective. When you think of nation state or APT, you think of super sophisticated futuristic attacks but they may have code that I've written for all we know. I'm really interested to follow this over the coming weeks and I'm glad that companies like Sym are standing up for us. I don't want the NSA breaching my enterprise any more than some seedy hacker group.

Sep 02, 2016 01:24 PM

very informative

Sep 02, 2016 08:48 AM

Was this group (NSA) really hacked or was it an inside job? It also shows that the NSA doesn't properly disclose newly discovered vulnerabilities despite the fact they said they do.

Sep 02, 2016 12:57 AM

Good blog re what Symantec is doing something positive.

Sep 01, 2016 06:11 PM

I find it curious that groups of this kind do this sort of thing to each other; it seems to me that there is more to it than the obvious.

And I think the info may be a bit old!


Sep 01, 2016 12:35 PM

Equation was uncovered last year, when it was found to be using highly advanced malware tools to target organizations in a range of countries

Sep 01, 2016 03:51 AM

Symantec Security Response is analyzing the data released by Shadow Brokers in order to assess the accuracy of the group's


Good stuff by Symantec

Sep 01, 2016 03:31 AM

Symantec Endpoint Protection now protects against the malware and exploits described in the blog above.



Sep 01, 2016 03:23 AM

Hacktool.Equation is a bucket detection for hacking tools allegedly used by the Equation group and released to the public by an attack group calling itself the Shadow Brokers


Also, the Symantec Security Response team released the definition and IPS signature for this attack.

Aug 31, 2016 01:08 PM

Nice blog by the Symantec response team

Aug 31, 2016 07:55 AM

A Good example of hackers being hacked.

Aug 31, 2016 04:53 AM

Good Article by Symantec

Aug 31, 2016 03:11 AM

Always good to see hacker groups get taken down or at least slowed down in some manner. Not sure how I feel about the information being sold but I guess in this world money is how it works.


Aug 30, 2016 11:13 PM

Aaw....good information, but user awareness is equally important for maintaining security posture in any workplace. IT initiatives must be taken with user awareness programs designed to let them know the latest attack techniques and their root cause.

Aug 30, 2016 11:26 AM

That's a lot of information, hopefully it will be put to good use.

Aug 30, 2016 05:22 AM

Good example of hackers being hacked. A reminder that there is good security but a flawless security does not exist.

Aug 29, 2016 09:33 PM

Security and availability come hand in hand. Good article by Symantec. Solution architects must design security solutions in such a way that they represent the perfect blend of integration between endpoint security, network and gateway security.

Aug 29, 2016 01:11 PM

All I can say is patch patch and patch.  Companies need to have policies and procedures in place to ensure not only compliance related systems are patched but all systems are patched regularly.

Aug 29, 2016 12:52 PM

Data Data Data....it's everywhere and must be protected, secured and made highly available. Symc Solutions make this happen through diverse integration among their solutions.

Aug 29, 2016 09:10 AM

It is interesting to see another group coming out and showing files that they have hacked.  Makes you think about how many other hacker groups are out there that have files that they are waiting to release. 

These groups are always a step ahead of security at companies. This tells me that companies are still too reactive and not proactive in their security today.


Aug 29, 2016 07:36 AM

Some people might say that since the files are old, Equation can just update everything and make these files obsolete, but is it really possible? Really feasible?

And honestly ... that's a lot of money for some files.

Aug 29, 2016 07:20 AM

Nice and good information shared by the Symantec team.

Good one

Aug 28, 2016 06:55 AM

Yes. Every time, Symantec Security is at the top level and provides value-added information with protection from known and unknown attacks.

Great article by Symantec

Aug 27, 2016 06:00 PM

Interesting read...
Gotta love how with all the experienced professional programmers out there, hackers still manage to find an open backdoor.

Aug 27, 2016 04:29 AM

A great blog, always keep your kit up to date. Even then it's worth thinking about layering security products.

Aug 27, 2016 04:05 AM

Truly informative. You go anywhere...data is always important and what must be protected and highly available all times. 

Aug 26, 2016 02:11 PM

Very interesting...

There is always someone a step ahead of someone in security world, whether it be the good or bad people.


Good article

Aug 26, 2016 10:06 AM

While the files seem legitimate, I have doubts as to how much they are still used due to their age. 3-6 years ago is a long time and there may have already been security updates for some of these exploits.

Aug 26, 2016 07:49 AM

More worried about who is using Microsoft Windows XP and 2003.

Nice article shared by Symantec Team

Aug 26, 2016 04:08 AM

Good Article by Symantec

Aug 26, 2016 02:41 AM

Sally5432 - while it's good that they are keeping us informed regarding old operating systems, one thing we need to be aware of is that more and more software companies are EOL'ing their software for XP & Server 2003 support. That leaves companies who still run this with no protection; how will they protect their network?

I know a few companies (which I won't name for obvious reasons) who still run XP and Server 2003 due to expensive, bespoke software packages with no upgrade path, and they are so integrated within the system that it will be very expensive to upgrade everything at once. I feel sorry for them actually...

Aug 26, 2016 02:30 AM

I was wondering what AV software they employed while the breach occurred when I read the article, and how the security software was configured and monitored at the time. We hear similar stories now and then; however, not many people will think if the attack is to us and are we good enough to detect it.

Aug 26, 2016 01:59 AM

Most organizations are still running Windows XP and Windows 2003, so I am still more concerned about those organizations. So what is the action plan for them?

That's a great article provided by the Symantec team.


Aug 25, 2016 03:32 PM

Very interesting...

There is always someone a step ahead of someone in security world, whether it be the good or bad people.

If we could only convert the bad into the good (ethical) hackers, maybe there would be less security flaws.


Great article!  Thanks for sharing!

Aug 25, 2016 02:56 PM

I'm sure the dump contains working exploits.  Unfortunately, how many organizations are still running XP?  Server 2003?  Never patched Java?  The list goes on and on and frankly is hard to keep up with.  I am thankful that the Symantec Security Response team is doing their best to keep everyone informed.  I appreciate the Q/A style of the post, easy to read & digest & will check back for more information.

Aug 25, 2016 02:15 PM

A fine example of hackers being hacked. A reminder that there is good security but a flawless security does not exist.

Aug 25, 2016 01:49 PM

Since most of the data is from 2013 how many of these solutions are patched or fixed?  Will there be more released?


Also I wonder how much of this was motivated by the current election? Like the reason they released it now was due to the election.

Aug 25, 2016 01:04 PM

My main concern is the legitimacy of this data. I also find it a bit rich they're charging for it. Isn't it technically stolen information?
