Shadow Brokers leaks show U.S. spies successfully hacked Russian, Iranian targets
Written by Chris Bing, Apr 18, 2017 | CyberScoop
The leaked NSA documents and tools published in recent months by the mysterious Shadow Brokers group have provided rare insight into the clandestine digital espionage operations pursued by the spy agency over the past few years, including information on operations aimed at Iran and Russia.
Last Friday the rogue group released a new package of NSA files, this time detailing numerous tools designed to break into older versions of Microsoft Windows and a campaign to compromise banking networks in the Middle East. Additional targets were also mentioned one week prior in a separate archive that was largely ignored by most media outlets.
Yet the document cache published April 8 provides evidence that the NSA had once launched a series of successful computer-based intrusions against multiple high-profile foreign targets, including the Office of the President of Iran and the Russian Federal Nuclear Center, said two former intelligence officials who spoke to CyberScoop on the condition of anonymity due to their knowledge of internal operations. That release contained files with earmarked organizations and other evidence that explains how certain cyberattacks were engineered.
“The fact that this is in there the way it is means these targets were definitely owned,” one former intelligence official said. “It means it was a successful op, plain and simple.”
Another former intelligence official who worked at the NSA and also spoke on condition of anonymity said the April 8 document dump offered authentic internal information regarding past agency operations.
While the Shadow Brokers published a list of 300 IP addresses last October that were supposedly once compromised by the spy agency, it was not until recently that researchers were provided with more comprehensive targeting data.
An analysis of one archive presented by the Shadow Brokers reveals a collage of web domains and hardware systems that were at one point targeted by the NSA and attacked with a suite of hacking tools. These domains include:
- dolat.ir: Islamic Republic of Iran Presidential Office website
- vniitf.ru: Russian Federal Nuclear Center website
- mail.prf.gov.ru: a mail server for the Presidential Administration of Russia (aprf.gov.ru is no longer online)
- vega-int.ru: a website for Russian internet service provider, Vega-Internet
- snz.ru: a website for the office providing telecommunications and other internet support for Vniitf.ru
- minatom.ru: a website of the Ministry for Atomic Energy of the Russian Federation
- udprf.ru: the Office of the President of the Russian Federation website
- rowdaco.com: a defunct website once apparently used by a Somalia-based electronics store, Rowda Electronics Company
- ikoula.com: a website for a French data storage and server rental company
A closer look at the full filenames in the archive provides additional insight. The websites themselves represent targeted host machines, or boxes, each of which is paired with two different codenames — one for the hacking tool used and another for the associated operation.
For example, one such file name is listed as:
stoicsurgeon_ctrl__v__1.5.33.2_x86-linux-optimusprime-vezarat.dolat.ir
In this context, the term “stoicsurgeon” is a reference to the codename of the deployed tool. “Optimusprime” is the title of an NSA operation. “v__1.5.33.2” details the version of stoicsurgeon, a rootkit backdoor aimed at Linux’s MultiArch — which helps install library packages from multiple architectures on the same machine.
Experts say stoicsurgeon is a post-exploitation tool, meaning that a different exploit was necessary to first compromise the target. “Ctrl” in the sample is the name of the loader. “x86-Linux” refers to the 32-bit Linux operating system used by the target in this case. “Vezarat,” a term referring to Iran’s Ministry of Intelligence, is the host box in the dolat.ir domain that was specifically compromised.
It all translates to an NSA operation that likely saw U.S. spies hack into a host box inside a computer network that was of high interest to national security analysts in Washington during the Obama administration. According to an internal PowerPoint presentation previously leaked by former agency contractor Edward Snowden, “Optimusprime” is related to the NSA’s SPINALTAP project, a program that was introduced to combine data from active operations and passive signals intelligence.
Stoicsurgeon is just one hacking tool used against the web domains listed above. Another tool, codenamed “suctionchar,” also features prominently in the archive filename list — for example: suctionchar_agent__v__2.0.27.18_x86-linux-tilttop-comet.vniitf.ru.
Security researcher x0rz described “suctionchar” as a “32 or 64 bit OS, solaris sparc 8,9, Kernel level implant” that provides an attacker with “transparent, sustained, or realtime interception of processes input/output vnode traffic,” that can also “intercept ssh, telnet, rlogin, rsh, password, login, [and] csh” data.
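The filename layout described above, split into its fields in Python so a listing can be grouped by targeted domain. This is an added example, not part of the original article; the field order is inferred from the two filenames the article quotes, and reading “tilttop” as an operation name by analogy with “optimusprime” is an assumption.

```python
import re
from collections import defaultdict

# Layout inferred from the two filenames quoted in the article:
#   <tool>_<component>__v__<version>_<arch>-<os>-<operation>-<host>.<domain>
# Assumption: the third hyphen-separated token is always the operation name;
# the article confirms this only for "optimusprime".
# Limitation: a host or operation name containing a hyphen will not parse.
NAME_RE = re.compile(
    r"^(?P<tool>[a-z0-9]+)_(?P<component>[a-z0-9]+)__v__"
    r"(?P<version>\d+(?:\.\d+)*)_"
    r"(?P<arch>[a-z0-9]+)-(?P<os>[a-z0-9]+)-"
    r"(?P<operation>[a-z0-9]+)-"
    r"(?P<host>[a-z0-9]+)\.(?P<domain>[a-z0-9-]+(?:\.[a-z0-9-]+)+)$"
)


def parse_name(name):
    """Return the fields of one filename, or None if it does not fit the layout."""
    m = NAME_RE.match(name.strip().lower())
    return m.groupdict() if m else None


def group_by_domain(names):
    """Group parsed filenames by targeted domain; collect names that do not parse."""
    by_domain, unparsed = defaultdict(list), []
    for name in names:
        fields = parse_name(name)
        if fields is None:
            unparsed.append(name)
            continue
        by_domain[fields["domain"]].append(fields)
    return dict(by_domain), unparsed


SAMPLES = [
    # The two filenames quoted in the article.
    "stoicsurgeon_ctrl__v__1.5.33.2_x86-linux-optimusprime-vezarat.dolat.ir",
    "suctionchar_agent__v__2.0.27.18_x86-linux-tilttop-comet.vniitf.ru",
    # Constructed: a name that does not follow the layout.
    "notes.txt",
]

if __name__ == "__main__":
    grouped, unparsed = group_by_domain(SAMPLES)
    for domain, rows in sorted(grouped.items()):
        for r in rows:
            print(f"{domain}: host={r['host']} tool={r['tool']} "
                  f"component={r['component']} version={r['version']} "
                  f"platform={r['arch']}-{r['os']} operation={r['operation']}")
    print("unparsed:", unparsed)
```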
https://www.cyberscoop.com/nsa-shadow-brokers-leaks-iran-russia-optimusprime-stoicsurgeon/