Analysis of the EQGRP leakage

As you know, yesterday the TheShadowBrokers group released the #EQGRP archive with some interesting data inside. As they mention, it is an NSA leak containing a lot of “cyberweapons”.

I analysed this data yesterday to find the answers to the following questions:

  1. When did the leak occur?
  2. Who were the targets?

Summary: 910 servers were hacked around the world between 2000 and 2010. The top targets are:

  1. Japan 110 servers
  2. China 109
  3. South Korea 108
  4. .NET servers 68
  5. Spain 56
  6. Taiwan 54
  7. Russia 45
  8. India 43
  9. .COM servers 40
  10. Germany 39

As a first step I analyzed the GCC versions of all the binary programs in the archive. This simple bash command collects them:

$ find . -type f -exec sh -c "strings -a '{}' | grep 'GCC:' | head -n 1" \; > gcc.list ; sort gcc.list | uniq -cd

The results point back to the years 2000–2010: the GCC versions range from 2.7.2 (1995) to 4.5.1 (2010).

After this I found a lot of registry files containing the SHA-1 hashes of other files. Almost all of them include meta information with dates next to these hashes. This command helps to collect all these dates together:

find . -name "*sums*" -exec cat {} \; | egrep -o " [12][0-9][0-9][0-9] " > sums.stat ; sort sums.stat | uniq -cd
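The two pipelines above (GCC tag per binary, years per checksum manifest) rewritten as one offline script, as an added example that is not part of the original post. It reimplements what `strings | grep GCC:` and the `egrep` do on raw bytes, so it does not need binutils; the archive paths and file contents in SAMPLE are constructed stand-ins, and the year regex uses `[12]` so a comma can never match.

```python
import re
from collections import Counter
from pathlib import Path
from typing import Optional

# A GCC build leaves its version in the ELF .comment section as a
# NUL-terminated string, e.g. "GCC: (GNU) 3.4.6 20060404 (Red Hat 3.4.6-3)".
GCC_TAG = re.compile(rb"GCC: (?:\([^)]*\) )?(\d+\.\d+(?:\.\d+)?)")
# Four-digit year bounded by spaces, as in the post's egrep pattern.
YEAR_TOKEN = re.compile(rb" ([12]\d{3}) ")

def gcc_version(blob: bytes) -> Optional[str]:
    """First GCC version tag in a binary (like `strings | grep GCC: | head -n 1`)."""
    m = GCC_TAG.search(blob)
    return m.group(1).decode() if m else None

def years_in(text: bytes) -> list:
    """All space-delimited years found in a checksum/manifest file."""
    return [int(y) for y in YEAR_TOKEN.findall(text)]

def tally(files: dict) -> tuple:
    """Count GCC versions across binaries and years across *sums* files.
    `files` maps a relative path to its bytes; read_tree() builds it from disk."""
    compilers, years = Counter(), Counter()
    for name, data in files.items():
        if "sums" in Path(name).name:
            years.update(years_in(data))
        else:
            v = gcc_version(data)
            if v is not None:
                compilers[v] += 1
    return compilers, years

def read_tree(root: str) -> dict:
    """Load every regular file under root (an unpacked archive) into memory."""
    return {str(p.relative_to(root)): p.read_bytes()
            for p in Path(root).rglob("*") if p.is_file()}

# Constructed sample standing in for the archive: three fake ELF binaries,
# one file with no compiler tag, and one manifest with dates beside hashes.
SAMPLE = {
    "bin/a.out": b"\x7fELF....\x00GCC: (GNU) 3.4.6 20060404 (Red Hat 3.4.6-3)\x00",
    "bin/b.out": b"\x7fELF....\x00GCC: (GNU) 2.95.3 20010315 (release)\x00",
    "bin/c.out": b"\x7fELF....\x00GCC: (GNU) 3.4.6 20060404\x00",
    "docs/readme": b"no compiler tag here",
    "md5sums": b"d41d8cd98f00b204e9800998ecf8427e  12 Mar 2004  a.out\n"
               b"d41d8cd98f00b204e9800998ecf8427e  30 Nov 2006  b.out\n"
               b"e3b0c44298fc1c149afbf4c8996fb924  2006 c.out\n",
}

if __name__ == "__main__":
    for counter in tally(SAMPLE):          # swap SAMPLE for read_tree("./eqgrp")
        print(counter.most_common())
```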

As a final step of this short analysis I analyzed the dates of server infections from the log files of the exploit runs.

Then I created the chart of target statistics by the domain zones mentioned above.

I did not analyze many of the backdoors (called “rats”) from this archive. I hope it will be interesting to drill down into them.

All the data is available here:

CEO at Wallarm. Application security platform to prevent threats and discover vulnerabilities in a real-time.
