Analysis of the EQGRP leakage

As you know, yesterday TheShadowBrokers group released the #EQGRP archive with some interesting data inside. As they mentioned, it's an NSA leak with a lot of "cyberweapons".

I analysed this data yesterday to find the answers to the following questions:

  1. When did the leak occur?
  2. Who were the targets?

Summary: 910 servers were hacked around the world between 2000 and 2010. The top targets are:

  1. Japan 110 servers
  2. China 109
  3. South Korea 108
  4. .NET servers 68
  5. Spain 56
  6. Taiwan 54
  7. Russia 45
  8. India 43
  9. .COM servers 40
  10. Germany 39

As a first step I analyzed the GCC versions of all the binary programs in the archive. This simple bash command collects them:

$ find . -type f -exec sh -c 'strings -a "$1" | grep "GCC:" | head -n 1' sh {} \; > gcc.list ; sort gcc.list | uniq -cd

The results point back to the years 2000–2010: the GCC versions range from 2.7.2 (1995) to 4.5.1 (2010).

https://infogr.am/eqgrp_gcc_by_years
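The same survey as a Python script, added here as an example (it is not the author's code): it reads each file as bytes instead of passing file names through a shell, and it also extracts the snapshot datestamp that many GCC banners carry, which gives a lower bound on when a binary was built. The banner layout, the function names and the sample files are assumptions constructed for illustration, not data from the archive.

```python
import os
import re
import tempfile
from collections import Counter
# Assumed banner layout: "GCC: (<vendor>) <version> [<YYYYMMDD>] ...", NUL-terminated.
BANNER = re.compile(rb"GCC: \([^)\x00]*\) [\x20-\x7e]*")
VERSION = re.compile(r"\) (\d+\.\d+(?:\.\d+)?)")
DATESTAMP = re.compile(r"\b((?:19|20)\d{2})\d{4}\b")

def first_gcc_banner(data):
    """Return the first GCC banner in raw file bytes, or None."""
    m = BANNER.search(data)
    return m.group(0).decode("ascii", "replace").strip() if m else None

def parse_banner(banner):
    """Return (version, snapshot_year); either may be None."""
    v, d = VERSION.search(banner), DATESTAMP.search(banner)
    return (v.group(1) if v else None, int(d.group(1)) if d else None)

def tally(root):
    """Count regular files under root per (version, snapshot_year)."""
    counts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, FIFOs, devices in an untrusted tree
            with open(path, "rb") as fh:
                banner = first_gcc_banner(fh.read())
            if banner:
                counts[parse_banner(banner)] += 1
    return counts

def demo():
    samples = {  # constructed sample files, not taken from the archive
        "a.bin": b"\x7fELF\x00GCC: (GNU) 2.95.3 20010315 (release)\x00",
        "dir/b'; x.bin": b"\x00GCC: (GNU) 4.1.2 20080704 (Red Hat 4.1.2-44)\x00",
        "dir/c.bin": b"\x00GCC: (GNU) 4.5.1\x00GCC: (GNU) 3.3.3\x00",
        "notes.txt": b"no compiler banner here\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, blob in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(blob)
        return tally(root)

if __name__ == "__main__":
    print(sorted(demo().items(), key=str))
```

Call `tally()` on the extracted archive directory to get the per-version counts; a banner without a datestamp is counted with a year of `None`.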

After this I found a lot of registry files with the SHA-1 hashes of other files inside. Almost all of them include meta information with dates next to these hashes. This command helps to collect all these dates together:

find . -name "*sums*" -exec cat {} \; | grep -Eo " [12][0-9][0-9][0-9] " > sums.stat ; sort sums.stat | uniq -cd

As a final step of this short analysis I analyzed the dates of the server infections from the log files of the exploit runs.

Then I created the chart with stats of the targets by domain zone mentioned above.

I did not analyze many of the backdoors (called "rats") from this archive. I hope it will be interesting to drill down into them.

All the data is available here: https://docs.google.com/spreadsheets/d/1TGH4WPX4KKcFQxx8Eoe_vC4ucrt7H95v-ZE3jbYxSIU
