UPDATED 23:33 EDT / OCTOBER 31 2016

Shadow Brokers releases list of servers hacked by the NSA

Notorious hacking group the Shadow Brokers is back in the news after publishing a list of servers it claims were compromised by the National Security Agency-linked Equation Group.

The group had previously claimed to have hacked the Equation Group and attempted to sell much of what it found, before switching to an effort to crowdfund the release of the tools. Presumably, the list of servers was obtained at the same time as the Equation Group hacking tools.

Included on the list are 352 distinct IP addresses and 306 domain names, with time stamps indicating that the servers were targeted between Aug. 22, 2000 and Aug. 18, 2010.

The addresses include 32 .edu domains and nine .gov domains, and the locations span 49 countries, with China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy and Russia topping the list.

Most of the servers on the list were running Solaris, while the remainder were running Linux and FreeBSD.

According to My Hacker House, the dump also indicates which hacking tools were used to breach the servers:

We found the leak to contain references to undisclosed tools DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK and STOICSURGEON. The directory structure used includes references to “intonation” and “pitchimpair”. The original post references “pitchimpair” as being a “redirector” tool, likely a backdoor/implant used for tunneling additional attacks. These as-yet-undisclosed software projects could be implants, tools or exploits used by the notorious Equation APT group.

Because of the age of the infections, it’s possible that many of the systems have been replaced or cleaned, but My Hacker House does note that it found that a number of the infected servers are still active.

Who is it?

The latest data dump was accompanied by a message from the Shadow Brokers on blogging platform Medium that included a long-winded ramble about the forthcoming presidential election, in particular claims that the election itself is rigged.

Given the political line the group has taken, the obvious candidates for who is behind the group are Russians, but it’s not that simple either. According to Security Week, a linguistic analysis conducted by Taia Global suggests that whoever is behind Shadow Brokers is a native English speaker trying to appear non-native, something you can definitely see in the way the latest ramble reads.

The other possibility is that the Shadow Brokers is someone either within the NSA itself or working for one of its contractors, and while that may seem like it would make a great work of fiction, you need look no further than Edward Snowden to know that it could be possible.
