NSA Cyber Weapons installed in High Profile Targets in Greece

The monitoring software was installed either by the NSA's highly sophisticated hacking team or by hackers who leveraged the tools leaked by Shadow Brokers.


Last week, a collection of spy tools allegedly used by the National Security Agency for operations against global targets of interest was leaked online by the underground hacking group Shadow Brokers.

The tools were released online in the following form and were accessible to anyone:

NSA's cyber-weapons include many exploits for Microsoft Windows, Lotus Notes, MDaemon Webadmin, IIS, Solaris systems and Microsoft Exchange, as well as additional Python-based tools.

These tools (Fuzzbunch, Eternalblue, Doublepulsar, Danderspritz) are part of the powerful NSA hacking toolset (also known as NSA Metasploit) used by the intelligence organization for hacking operations against governments, companies and organizations.



SecNews researchers conducted a thorough study of the Shadow Brokers leak, focusing mainly on its effects. As is already known, the NSA backdoor has been installed on thousands of computers and servers around the world. A map of the affected countries is presented below:

The purpose of SecNews research, considering the importance of leaked data, was to identify companies or networks exclusively from the Greek Territory that have been targeted by malicious activities related to NSA's cyber weapons.

After analyzing the leaked NSA toolkit and taking into account its particular digital features, we conducted an investigation to detect which IP addresses in Greece are affected by the NSA cyber weapons!

The evaluation procedure was carried out in the following steps:

  • Firstly, we scanned the Greek Internet for publicly exposed SMB (Port 445) & Remote Desktop (RDP Port 3389) services.
  • We detected 1086 IP addresses with SMB enabled online.
  • We detected 4263 IP addresses with Remote Desktop enabled online.
  • Then, using properly parameterized scripts like Mass-scan, detect_doublepulsar_rdp & smb (Python) and in conjunction with the NSA-leaked files, we detected where the cyber weapon is installed.

The final results are shown in the table below. For security reasons, the IP addresses are hidden to protect the targeted companies / organizations, so that a malicious user cannot use the mentioned cyber-weapon for his own benefit.

NSA Greek Targets


According to the findings, the NSA remote access software was installed:

  • Within the network (AIA-Cust3-Infr) of Athens International Airport "Eleftherios Venizelos". We are not in a position to know whether the network is related to the airport's infrastructure or to a third-party company to which the airport provides backbone access.
  • On a web server (accessible via the internet) belonging to SKAI TV, one of the largest media groups in Greece.
  • On a server belonging to Vodafone (or an affiliate company).
  • On a server / part of the Internal Network Management System of Interworks Cloud. It is worth mentioning that the Business Marketplace of the telecommunications company Wind is located in the same IP class.
  • On a PC with a DSL / VDSL connection (OTE / Cosmote), but it is not known whether it belongs to a corporate customer or a home user. In any case, it does not seem to have any correlation with OTE / Cosmote's critical infrastructure.
  • Within a server of SYKARIS (possibly a graphic arts company).
  • Within a server of MELKA (possibly a construction company).
  • On a terminal / server of the Civil Engineering Department of the Aristotle University of Thessaloniki.
  • On a terminal / server of the Technological Educational Institute of Epirus, in the VLAN management system.
  • On a terminal at the University of Thessaly (possibly a remote DSL connection).

According to our research, all of the aforementioned systems were infected with the "Doublepulsar" exploit. Doublepulsar allows an attacker to install malicious software of their choice, which cannot be tracked, as a DLL.

"It must be mentioned that we cannot know whether the installation of cyber weapons was conducted by the NSA or third-party hackers who leveraged the tools leaked by the ShadowBrokers. One thing is sure, however, that the affected companies / organizations should immediately test and evaluate their systems security (and especially if the affected systems are related to internal networks)."

The same procedure that we applied to the Greek public Internet during our research can also be run against internal servers to check whether cyber-monitoring software is installed. The aforementioned targets should conduct digital analysis and security audits to obtain an objective assessment of the affected servers.
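For an internal audit of this kind, the per-host decision made by the public Doublepulsar SMB detection scripts can be sketched as follows. This is an added example, not SecNews code and not the scripts themselves: it classifies a reply to an SMB1 Trans2 probe by its Multiplex ID, assuming the probe was sent with Multiplex ID 0x41. The sample frames and the 192.0.2.x hosts are constructed.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
TRANS2 = 0x32        # SMB_COM_TRANSACTION2, the command the probe uses
PROBE_MID = 0x41     # assumption: Multiplex ID the probe was sent with
IMPLANT_MID = 0x51   # Multiplex ID seen in replies from a Doublepulsar host
HDR = "<4sBIBHH8sHHHHH"   # 32-byte SMB1 header, little-endian


def classify_reply(frame: bytes) -> str:
    """Return 'implant', 'not_detected' or 'inconclusive' for one TCP/445 reply."""
    if len(frame) < 4 + struct.calcsize(HDR) or frame[0] != 0:
        return "inconclusive"                     # too short / not a session message
    if int.from_bytes(frame[1:4], "big") > len(frame) - 4:
        return "inconclusive"                     # truncated capture
    fields = struct.unpack_from(HDR, frame, 4)
    magic, command, mid = fields[0], fields[1], fields[-1]
    if magic != SMB1_MAGIC or command != TRANS2:
        return "inconclusive"                     # reply to some other request
    if mid == IMPLANT_MID:
        return "implant"
    return "not_detected" if mid == PROBE_MID else "inconclusive"


def flagged_hosts(replies: dict) -> list:
    """Hosts whose reply carries the implant's Multiplex ID."""
    return sorted(h for h, f in replies.items() if classify_reply(f) == "implant")


def sample_reply(mid: int, command: int = TRANS2) -> bytes:
    """Constructed reply (not captured traffic): header plus an empty body."""
    # 0xC0000002 is STATUS_NOT_IMPLEMENTED; the other field values are filler.
    smb = struct.pack(HDR, SMB1_MAGIC, command, 0xC0000002, 0x98, 0xC007,
                      0, b"\x00" * 8, 0, 0x0800, 0xFEFF, 0x0800, mid) + b"\x00" * 3
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


# Constructed audit input: documentation addresses, one reply per host.
SAMPLE = {
    "192.0.2.10": sample_reply(0x41),
    "192.0.2.11": sample_reply(0x51),
    "192.0.2.12": sample_reply(0x51)[:20],           # truncated frame
    "192.0.2.13": sample_reply(0x51, command=0x72),  # not a Trans2 reply
}

if __name__ == "__main__":
    for host, frame in SAMPLE.items():
        print(host, classify_reply(frame))
```

A host reported as "implant" should be isolated and examined forensically; "inconclusive" means the reply could not be interpreted, not that the host is unaffected.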

SecNews researchers are at the disposal of administrators or legal representatives of affected companies, organizations and entities, to provide them with any additional information needed. Details on the assessment procedure or how security audits can be performed on an internal network may also be provided after the detection of a related infection by the administrators and the identification of its extent.

