Monday, August 29, 2016

The Shadow Brokers Target Equation Group
On 13 August 2016, a persona calling themselves “theshadowbrokers” announced the leak of Equation Group tools. The leak appears to be authentic and includes several exploits used by Equation Group. Three CVEs (2016-6366, 2016-6367, 2016-6909) have been assigned to the exploits, and one, EXTRABACON (CVE-2016-6366), was considered a zero-day vulnerability when released. Affected products and software versions are listed for each exploit.
This report provides analysis and mitigations for the exploits included in the leak. 
Wapack Labs is providing this analysis as situational awareness of tools leaked from a Tier VI adversary.

Publication date: 26 August 2016

Handling requirements: Traffic light protocol (TLP) AMBER

Attribution/Threat Actors: Equation Group

Actor Type: Tier VI

Potential Targets: USA / International

Past Reporting: DOC-4133

The full attribution report has been published in its entirety in the Red Sky Alliance portal.  For more information please contact the lab directly at 844-4-WAPACK, 603-606-1246, or

About Wapack Labs

Wapack Labs, located in New Boston, NH, is a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC and individual organizations by offering expert-level targeted intelligence analysis answering some of the hardest questions in Cyber. Wapack Labs’ engineers, researchers and analysts use deep analysis techniques and visualization to design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information. The intelligence derived from these tools and techniques serves as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.