Home
Shadow Brokers leaks show U.S. spies successfully hacked Russian, Iranian targets
The leaked NSA documents and tools published in recent months by the mysterious Shadow Brokers group have provided rare insight into the clandestine digital espionage operations pursued by the spy agency over the past few years, including information on operations aimed at Iran and Russia.
Last Friday the rogue group released a new package of NSA files, this time detailing numerous tools designed to break into older versions of Microsoft Windows and a campaign to compromise banking networks in the Middle East. Additional targets were also mentioned one week prior in a separate archive that was largely ignored by most media outlets.
Yet the document cache published April 8 provides evidence that the NSA had once launched a series of successful computer-based intrusions against multiple high-profile foreign targets, including the Office of the President of Iran and the Russian Federal Nuclear Center, said two former intelligence officials who spoke to CyberScoop on the condition of anonymity due to their knowledge of internal operations. That release contained files with earmarked organizations and other evidence that explains how certain cyberattacks were engineered.
“The fact that this is in there the way it is means these targets were definitely owned,” one former intelligence official said. “It means it was a successful op, plain and simple.”
Another former intelligence official that worked at the NSA and also spoke on condition of anonymity said the April 8 document dump offered authentic internal information regarding past agency operations.
While the Shadow Brokers published a list of 300 IP addresses last October that were supposedly once compromised by the spy agency, it was not until recently that researchers were provided with more comprehensive targeting data.
An analysis of one archive presented by the Shadow Brokers reveals a collage of web domains and hardware systems that were at one point targeted by the NSA and attacked with a suite of hacking tools. These domains include:
A closer look at the full filenames in the archive provides additional insight. The websites themselves represent targeted host machines, or boxes, each of which is paired with two different codenames— one for the hacking tool used and another for the associated operation.
For example, one such file name is listed as:
Experts say stoicsurgeon is a post-exploitation tool, meaning that a different exploit was necessary to first compromise the target. “Ctrl” in the sample is the name of the loader. “x86-Linux” refers to the 32-bit Linux operating system used by the target in this case. “Vezarat,” a term referring to Iran’s Ministry of Intelligence, is the host box in the dolat.ir domain that was specifically compromised.
It all translates to an NSA operation that likely saw U.S. spies hack into a host box inside a computer network that was of high interest to national security analysts in Washington during the Obama administration. According to an internal PowerPoint presentation previously leaked by former agency contractor Edward Snowden, “Optimusprime” is related to the NSA’s SPINALTAP project, a program that was introduced to combine data from active operations and passive signals intelligence.
Stoicsurgeon is just one hacking tool used against the web domains listed above. Another tool, codenamed “suctionchar,” also features prominently in the archive filename list — for example: suctionchar_agent__v__2.0.27.18_x86-linux-tilttop-comet.vniitf.ru.
Security researcher x0rz described “suctionchar” as a “32 or 64 bit OS, solaris sparc 8,9, Kernel level implant” that provide an attacker with “transparent, sustained, or realtime interception of processes input/output vnode traffic,” that can also “intercept ssh, telnet, rlogin, rsh, password, login, [and] csh” data.
https://www.cyberscoop.com/nsa-shadow-brokers-leaks-iran-russia-optimusprime-stoicsurgeon/
Written by
Chris Bing Apr 18, 2017 | CyberScoopThe leaked NSA documents and tools published in recent months by the mysterious Shadow Brokers group have provided rare insight into the clandestine digital espionage operations pursued by the spy agency over the past few years, including information on operations aimed at Iran and Russia.
Last Friday the rogue group released a new package of NSA files, this time detailing numerous tools designed to break into older versions of Microsoft Windows and a campaign to compromise banking networks in the Middle East. Additional targets were also mentioned one week prior in a separate archive that was largely ignored by most media outlets.
Yet the document cache published April 8 provides evidence that the NSA had once launched a series of successful computer-based intrusions against multiple high-profile foreign targets, including the Office of the President of Iran and the Russian Federal Nuclear Center, said two former intelligence officials who spoke to CyberScoop on the condition of anonymity due to their knowledge of internal operations. That release contained files with earmarked organizations and other evidence that explains how certain cyberattacks were engineered.
“The fact that this is in there the way it is means these targets were definitely owned,” one former intelligence official said. “It means it was a successful op, plain and simple.”
Another former intelligence official that worked at the NSA and also spoke on condition of anonymity said the April 8 document dump offered authentic internal information regarding past agency operations.
While the Shadow Brokers published a list of 300 IP addresses last October that were supposedly once compromised by the spy agency, it was not until recently that researchers were provided with more comprehensive targeting data.
An analysis of one archive presented by the Shadow Brokers reveals a collage of web domains and hardware systems that were at one point targeted by the NSA and attacked with a suite of hacking tools. These domains include:
- dolat.ir: Islamic Republic of Iran Presidential Office website
- vniitf.ru: Russian Federal Nuclear Center website
- mail.prf.gov.ru: a mail server for the Presidential Administration of Russia (aprf.gov.ru is no longer online)
- vega-int.ru: a website for Russian internet service provider, Vega-Internet
- snz.ru: a website for the office providing telecommunications and other internet support for Vniitf.ru
- minatom.ru: a website of the Ministry for Atomic Energy of the Russian Federation
- udprf.ru: the Office of the President of the Russian Federation website
- rowdaco.com: a defunct website once apparently used by a Somalia-based electronics store, Rowda Electronics Company
- ikoula.com: a website for a French data storage and server rental company
A closer look at the full filenames in the archive provides additional insight. The websites themselves represent targeted host machines, or boxes, each of which is paired with two different codenames— one for the hacking tool used and another for the associated operation.
For example, one such file name is listed as:
In this context, the term “stoicsurgeon” is a reference to the codename of the deployed tool. “Optimusprime” is the title of an NSA operation. “v__1.5.33.2” details the version of stoicsurgeon, a rootkit backdoor aimed at Linux’s MultiArch — which helps install library packages from multiple architectures on the same machine.stoicsurgeon_ctrl__v__1.5.33.2_x86-linux-optimusprime-vezarat.dolat.ir
Experts say stoicsurgeon is a post-exploitation tool, meaning that a different exploit was necessary to first compromise the target. “Ctrl” in the sample is the name of the loader. “x86-Linux” refers to the 32-bit Linux operating system used by the target in this case. “Vezarat,” a term referring to Iran’s Ministry of Intelligence, is the host box in the dolat.ir domain that was specifically compromised.
It all translates to an NSA operation that likely saw U.S. spies hack into a host box inside a computer network that was of high interest to national security analysts in Washington during the Obama administration. According to an internal PowerPoint presentation previously leaked by former agency contractor Edward Snowden, “Optimusprime” is related to the NSA’s SPINALTAP project, a program that was introduced to combine data from active operations and passive signals intelligence.
Stoicsurgeon is just one hacking tool used against the web domains listed above. Another tool, codenamed “suctionchar,” also features prominently in the archive filename list — for example: suctionchar_agent__v__2.0.27.18_x86-linux-tilttop-comet.vniitf.ru.
Security researcher x0rz described “suctionchar” as a “32 or 64 bit OS, solaris sparc 8,9, Kernel level implant” that provide an attacker with “transparent, sustained, or realtime interception of processes input/output vnode traffic,” that can also “intercept ssh, telnet, rlogin, rsh, password, login, [and] csh” data.
-In this Story-
cyber espionage, cybersecurity, FISA, insider threat, intelligence agencies, Iran, leaks, news, NSA, Russia, Shadow Brokers, spying, TAOhttps://www.cyberscoop.com/nsa-shadow-brokers-leaks-iran-russia-optimusprime-stoicsurgeon/
» Al-Alaq: The monetary situation in Iraq is excellent and our reserves support the stability of the e
» utube 11/23/24 MM&C Reporting-Expectations are High-IMF-Flexible Exchange Rate Regime-Pr
» utube 11/25/24 MM&C MM&C Iraq News-CBI Building Final Touches-Oil Exports-Development Road-Turkey-B
» Parliamentary movement to include the salary scale in the next session
» Parliamentary Finance Committee reveals the budget paragraphs included in the amendment
» Al-Maliki calls on the Bar Association to hold accountable members who violate professional conduct
» Politician: The security agreement with America has many aspects
» Kurdistan Planning: More than 6 million people live in the region, the oldest of them is 126 years o
» Al-Alaq: Arab consensus on the role of central bank programs in addressing challenges
» Economics saves from political drowning
» Agriculture calls for strict ban on import of "industrial fats" and warns of health risks
» Iraq is the fourth largest oil exporter to China
» Railways continue to maintain a number of its lines to ensure the smooth running of trains
» Parliament resumes its sessions tomorrow.. and these are the most important amendments in the budget
» Bitcoin Fails to Continue Rising as It Approaches $100,000
» Minister of Planning: There will be accurate figures for the population of each governorate
» Popular Mobilization Law is ready for voting
» Mechanisms for accepting people with disabilities into postgraduate studies
» Government coordination to create five thousand jobs
» Transport: Next month, a meeting with the international organization to resolve the European ban
» Census is a path to digital government
» Calls to facilitate loans and reduce interest rates for the private sector
» The launch of the third and final phase of the "population census"
» Al-Sudani: We have accomplished a step that is the most prominent in the framework of planning, deve
» Justice discusses modern mechanisms to develop investment in real estate and minors’ money
» Dubai to host Arabplast exhibition next month
» Al-Tamimi: Integrity plays a major role in establishing the foundations of laws that will uphold jus
» Reaching the most important people involved in the "theft of the century" in Diyala
» Transportation: Completion of excavation works and connection of the immersed tunnel manufacturing b
» Between internal and regional challenges... Formation of the Kurdistan government on a "slow fire" a
» Kurdistan Region Presidency: We will issue a regional order to determine the first session of parlia
» The Minister of Foreign Affairs announces the convening of the Ambassadors Conference tomorrow, Mond
» Al-Sudani: Iraq must always be at the forefront
» Al-Mashhadani: We support the Foreign Ministry in confronting any external interference that affects
» Al-Sudani chairs meeting with Oliver Wyman delegation
» Half a million beggars in Iraq.. 90% of them receive welfare salaries
» Sudanese announces preliminary results of the general population and housing census in detail
» The centenary of the Iraqi Ministry of Foreign Affairs.. A journey of challenges and achievements
» Prime Minister's Advisor Announces Assignment of Two International Companies to Study Iraqi Banking
» Agriculture: Integrated Support Project Provides 1,333 Job Opportunities
» The Media and Education Commission discuss introducing advanced curricula related to artificial inte
» Al-Mashhadani’s First Test: Discussing Israeli Threats and Avoiding Controversial Laws
» By name.. A parliamentary bloc reveals that five ministers will be questioned at the end of the legi
» The financial budget is subject to political and economic amendments in the next parliamentary sessi
» Will the government's efforts succeed in ending the electricity crisis in Iraq?
» Baghdad Airport Customs Increased to 400% After Implementing Automation
» EU: Integrated Support Project in Iraq Creates Jobs in Agriculture and Youth
» Al-Sudani attends the centenary ceremony of the establishment of the Ministry of Foreign Affairs
» Al-Mashhadani: We seek to keep foreign policy away from alignments that harm Iraq’s unity and sovere
» The Iraqi government is working to develop a competitive banking system and support the private sect
» Al-Alaq: Arab consensus on the role of central bank programs in addressing challenges
» Regional markets rise in first session of the week
» Kurdistan Region Presidency: We will issue an order to set the first session of the regional parliam
» Political differences hinder oil and gas law legislation
» Government coordination to create new job grades for graduates
» The financial budget is subject to amendments in the next parliamentary session
» Alsumaria Newsletter: Iraq reaches the final stages of the census and Parliament resumes its session
» After the elites and workers... Iranian factories "migrate" to Iraq
» Beggars in Iraq "refuse" welfare salaries.. Their profits are 10 times the salary!
» Amending the Election Law... A Means to Restore the Dilapidated Legitimacy
» Prime Minister announces population census results, Iraq reaches 45 million mark
» Find out the dollar exchange rates in the Iraqi markets
» Kurdistan Interior Ministry: General amnesty does not include those accused of killing women
» utube 11/21/24 MM&C MM&C News Reporting-Global Trade-Best Route in World-Purchase Power-Justice-Cen
» Al-Sudani discusses with the Secretary-General of the Digital Cooperation Organization enhancing dig
» President of the Republic: Partnership with the United States is essential to achieve regional stabi
» Mazhar Saleh reveals details of the 2023 budget and the 2024 budget horizon
» Absent control and rising corruption.. Sudan faces a harsh political winter
» A representative shows the laws prepared for voting during the upcoming sessions.
» Corrupt people in it.. Independent MP criticizes the performance of Al-Sudani's government
» Parliamentary Oil Committee reveals government move to end electricity crisis
» The Administrative Court postpones consideration of the lawsuit on the legitimacy of the Kirkuk gove
» MP: The ministerial reshuffle depends on consensus within the state administration
» Politicians put question marks on Al-Sudani: corruption, espionage and serving foreign interests
» The International Union of Arab Bankers honors the Chairman of the Private Banks Association: A prom
» Industry: Contracts to supply state ministries with food products
» After Shell Withdrawal, American Company Heads to Implement Al-Nibras Project in Iraq
» Revealing the fate of the Chinese deal in Iraq.. It was disrupted by this party
» The Central Bank of Iraq 77 years of challenges and reforms
» "Unprecedented numbers"... American "CNN" talks about tourism in Iraq
» After implementing automation, Baghdad Airport Customs jumps 400 percent
» Iraq participates in sustainable development activities
» Al-Sudani opens 790 model schools
» Parliamentary Culture: The Right to Information Law will satisfy all parties
» Al-Mashhadani to {Sabah}: Tomorrow we will discuss the Zionist threats
» Industry to {Sabah}: Contracts to supply state ministries with food products
» Trade cooperation between Najaf and Isfahan
» {New building} and {electronic systems} to develop forensic medicine
» A specialized center for monitoring the environmental situation in the capital
» International and parliamentary praise for the success of the "population census" process
» The European Union organizes a workshop in Basra on central administration and the wealth distributi
» The Media Authority and the Ministry of Education discuss the importance of enhancing and introducin
» Iraq's oil exports to America rose last week
» Electricity announces loss of 5,500 megawatts due to complete halt of Iranian gas supplies
» Tomorrow.. The Arab League is looking to unify its position against Israeli intentions to strike Ira
» The Central Bank moves its secret vaults to its new building.. Clarification of the truth of the cla
» Network reveals the fate of the Chinese deal.. It was disrupted by "Iraqi officials"
» From the White House to the "Leaders of Iraq"... A Message Regarding the Targeting of Baghdad