The leaked NSA documents and tools published in recent months by the mysterious Shadow Brokers group have provided rare insight into the clandestine digital espionage operations pursued by the spy agency over the past few years, including information on operations aimed at Iran and Russia.
Last Friday the rogue group released a new package of NSA files, this time detailing numerous tools designed to break into older versions of Microsoft Windows and a campaign to compromise banking networks in the Middle East. Additional targets were also mentioned one weekprior in a separate archive that was largely ignored by most media outlets.
Yet the document cache published April 8 provides evidence that the NSA had once launched a series of successful computer-based intrusions against multiple high-profile foreign targets, including the Office of the President of Iran and the Russian Federal Nuclear Center, said two former intelligence officials who spoke to CyberScoop on the condition of anonymity due to their knowledge of internal operations. That release contained files with earmarked organizations and other evidence that explains how certain cyberattacks were engineered.
“The fact that this is in there the way it is means these targets were definitely owned,” one former intelligence official said. “It means it was a successful op, plain and simple.”
Another former intelligence official that worked at the NSA and also spoke on condition of anonymity said the April 8 document dump offered authentic internal information regarding past agency operations.
While the Shadow Brokers published a list of 300 IP addresses last October that were supposedly once compromised by the spy agency, it was not until recently that researchers were provided with more comprehensive targeting data.
An analysis of one archive presented by the Shadow Brokers reveals a collage of web domains and hardware systems that were at one point targeted by the NSA and attacked with a suite of hacking tools. These domains include:
A closer look at the full filenames in the archive provides additional insight. The websites themselves represent targeted host machines, or boxes, each of which is paired with two different codenames— one for the hacking tool used and another for the associated operation.
Our IP Address: