A group called the Shadow Brokers has released a new cache of data purporting to be taken from the NSA in a Medium post titled “Trick or Treat” — revealing hundreds of IP addresses apparently compromised by the NSA as part of its operations.
Interestingly, the majority of the nodes are located overseas, including compromised hosts in China, Russia, India and Pakistan, presumably to make it difficult for targets to attribute any attack launched through the network.
At least four Pakistani Internet Service Providers (ISPs) are also part of the leaked list.
As with any anonymous leak of stolen data, it’s possible the information was fabricated or altered in transit, although previous Shadow Brokers publications have proven to be genuine. The Medium post is also signed with PGP, thus verifying that it was written by the same source as previous Shadow Brokers drops.
In Pakistan, the compromised ISPs include PTCL gateway exchange in Lahore, Paknet (which was merged into PTCL in 2007), Multinet and Micronet.
The data dumped online by the group contains 352 distinct IP addresses and 306 domain names that purportedly have been hacked by the NSA. As indicated by the timestamps included in the leak, the servers were targeted between August 2000 and August 2010.
According to the details in the dump, PTCL ITI Lahore 5 was targeted in May 2003, while Micronet’s and Multinet’s servers were attacked in 2000 and 2002, respectively. Interestingly, all of the compromised ISPs were running Solaris, a Unix operating system originally developed by Sun Microsystems.
The development comes after the online publication The Intercept reported in August that the NSA had hacked Pakistan’s National Telecommunications Corporation (NTC) to spy on Pakistani civilian and military leadership.
According to an April 2013 NSA presentation, NSA hackers used SECONDDATE – a tool designed to intercept web requests and redirect browsers on target computers to an NSA web server – to breach targets in NTC’s VIP division. It said the targets contained documents pertaining to “the backbone of Pakistan’s Green Line communications network used by its civilian and military leadership.”
The identity of the Shadow Brokers is still unconfirmed, but a number of analysts have suggested the campaign is a way for Russia to undermine NSA capabilities. The most recent message from the group plays with that impression further, writing, “Amerikanskis is not knowing USSA cyber capabilities is being screwed?”