The installation of monitoring software has been conducted either by NSA's highly sophisticated hacking team or by hackers who leveraged the tools leaked by Shadow Brokers.
Last week, a collection of spy tools allegedly used by the National Security Agency for operations against global targets of interest was leaked online by the underground hacking group Shadow Brokers.
The tools were released online in the following form and were accessible to anyone:
NSA's cyber-weapons include many exploits for Microsoft Windows, Lotus Notes, MDaemon Webadmin, IIS, Solaris systems and Microsoft Exchange, as well as additional Python-based tools.
These tools (Fuzzbunch, Eternalblue, Doublepulsar, Danderspritz) are part of the powerful NSA hacking toolset (also known as the "NSA Metasploit") used by the intelligence organization for hacking operations against governments, companies and organizations.
SecNews researchers conducted a thorough study of the Shadow Brokers leak, focusing mainly on its effects. As is already known, the NSA backdoor has been installed on thousands of computers and servers around the world. A map of the affected countries is presented below:
The purpose of SecNews research, considering the importance of leaked data, was to identify companies or networks exclusively from the Greek Territory that have been targeted by malicious activities related to NSA's cyber weapons.
After analyzing the leaked NSA toolkit and taking into account its particular digital fingerprints, we conducted an investigation to detect which IP addresses in Greece are affected by the NSA cyber weapons.
The evaluation procedure was carried out in the following steps:
- Firstly, we scanned the Greek Internet for publicly exposed SMB (port 445) and Remote Desktop (RDP, port 3389) services.
- We detected 1086 IP addresses with SMB enabled online.
- We detected 4263 IP addresses with Remote Desktop enabled online.
- Then, using properly parameterized scripts such as masscan and detect_doublepulsar_rdp / detect_doublepulsar_smb (Python), in conjunction with the NSA-leaked files, we detected where the cyber weapon is installed.
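The two mechanical halves of the procedure above, written out as an added example (this is not SecNews' own scripting): a parser for masscan's list output that tallies SMB and RDP exposure the way the counts above were produced, and a parser for SMB1 reply frames that applies the published DoublePulsar SMB indicator, namely that the implant answers the Trans2 SESSION_SETUP "ping" with Multiplex ID 0x51 instead of echoing the request's 0x41. The SMB handshake that precedes that ping (negotiate, anonymous session setup, tree connect to IPC$) is left to the detect_doublepulsar_smb script the article names; the sample scan lines and reply frames below are constructed, not captured from any of the hosts listed.

```python
"""Scan-result tally and DoublePulsar SMB reply classification (added example).

Assumptions: masscan was run with -oL (one "open tcp PORT IP TIMESTAMP" line per
hit), and the reply bytes handed to classify_ping_reply() come straight off the
socket after the Trans2 SESSION_SETUP ping was sent with Multiplex ID 0x41.
"""
import struct
from collections import defaultdict

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32   # Trans2 command used by the detection ping
MID_PING_REQUEST = 0x41       # MID the detection script puts in its ping
MID_IMPLANT_REPLY = 0x51      # MID DoublePulsar substitutes in its answer
SMB_HEADER_FMT = "<BIBHH8s2sHHHH"  # fields after the 4-byte magic, 28 bytes


def parse_masscan_list(text):
    """Turn masscan -oL text into {port: set(ip)}; comments and UDP are skipped."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "open" or fields[1] != "tcp":
            continue
        hosts[int(fields[2])].add(fields[3])
    return dict(hosts)


def count_exposed(hosts):
    """Distinct hosts with SMB (445) and RDP (3389) reachable, as tallied above."""
    return {"smb": len(hosts.get(445, ())), "rdp": len(hosts.get(3389, ()))}


def parse_smb_header(data):
    """Split a NetBIOS-framed SMB1 message into its header fields.

    Raises ValueError for anything that is not an SMB1 frame, so a closed port,
    an SMB2-only host or a stray banner is reported as such instead of as clean.
    """
    if len(data) < 36:
        raise ValueError("frame too short for NetBIOS + SMB1 header")
    if data[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    nb_len = int.from_bytes(data[1:4], "big")
    smb = data[4:4 + nb_len]
    if smb[:4] != SMB_MAGIC or len(smb) < 32:
        raise ValueError("missing 0xFF 'SMB' magic")
    (command, status, flags, flags2, pid_high, signature,
     _reserved, tid, pid_low, uid, mid) = struct.unpack(SMB_HEADER_FMT, smb[4:32])
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "pid": (pid_high << 16) | pid_low, "signature": signature,
            "tid": tid, "uid": uid, "mid": mid}


def classify_ping_reply(data):
    """Apply the DoublePulsar SMB indicator to the reply of the Trans2 ping."""
    hdr = parse_smb_header(data)
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return "unexpected"          # reply to something other than our Trans2
    if hdr["mid"] == MID_IMPLANT_REPLY:
        return "infected"            # implant rewrote MID 0x41 -> 0x51
    if hdr["mid"] == MID_PING_REQUEST:
        return "clean"               # a normal server echoes our MID back
    return "unexpected"


def build_smb_frame(command, mid, status=0, body=b"\x00\x00\x00"):
    """Construct a minimal SMB1 reply frame (used here only to build samples)."""
    header = SMB_MAGIC + struct.pack(SMB_HEADER_FMT, command, status, 0x98, 0xC807,
                                     0, b"\x00" * 8, b"\x00\x00", 0, 0, 0, mid)
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


# Constructed sample inputs (addresses are RFC 5737 documentation ranges).
SAMPLE_MASSCAN = """#masscan
open tcp 445 192.0.2.10 1492000000
open tcp 3389 192.0.2.10 1492000001
open tcp 445 192.0.2.11 1492000002
open tcp 445 198.51.100.7 1492000003
open tcp 3389 198.51.100.8 1492000004
open udp 137 198.51.100.8 1492000005
"""
CLEAN_REPLY = build_smb_frame(SMB_COM_TRANSACTION2, MID_PING_REQUEST)
INFECTED_REPLY = build_smb_frame(SMB_COM_TRANSACTION2, MID_IMPLANT_REPLY)

if __name__ == "__main__":
    print(count_exposed(parse_masscan_list(SAMPLE_MASSCAN)))
    for label, frame in (("clean sample", CLEAN_REPLY), ("implant sample", INFECTED_REPLY)):
        print(label, "->", classify_ping_reply(frame))
```

The check is deliberately three-valued: "unexpected" covers hosts that never returned an SMB1 Trans2 reply at all, which a two-valued script would silently count as clean. Applied to an internal network, the same tally-then-classify flow works unchanged; only the scan input differs.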
The final results are shown in the table below. For security reasons, the IP addresses are hidden in order to protect the targeted companies / organizations, so that a malicious user cannot use the mentioned cyber-weapon for his own benefit.
According to the findings, the NSA remote access software was installed:
- Within the network (AIA-Cust3-Infr) of Athens International Airport "Eleftherios Venizelos". We are not in a position to know whether the network is related to the airport's own infrastructure or to a third-party company to which the airport provides backbone access.
- On a web server (accessible via the Internet) belonging to SKAI TV, one of the largest media groups in Greece.
- On a server belonging to Vodafone (or an affiliated company).
- On a server that is part of the internal Network Management System of Interworks Cloud (interworks.biz, webserve.gr). It is worth mentioning that the Business Marketplace of the telecommunications company Wind (windbusiness.com) is located in the same IP range.
- On a PC with a DSL / VDSL connection (OTE / Cosmote); it is not known whether it belongs to a corporate customer or a home user. In any case, it does not appear to have any correlation with OTE / Cosmote's critical infrastructure.
- Within a server of SYKARIS (possibly a graphic arts company).
- Within a server of MELKA (possibly a construction company).
- On a terminal / server of the Civil Engineering Department of the Aristotle University of Thessaloniki.
- On a terminal / server of the Technological Educational Institute of Epirus, in the VLAN management system.
- On a terminal at the University of Thessaly (possibly a remote DSL connection).
According to our research, all of the aforementioned systems were infected with the "Doublepulsar" implant. Doublepulsar allows an attacker to load malicious software of their choice, such as a DLL, in a way that is difficult to trace.
"It must be mentioned that we can not know whether the installation of cyber weapons was conducted by the NSA or by third-party hackers who leveraged the tools leaked by the ShadowBrokers. One thing is sure, however: the affected companies / organizations should immediately test and evaluate their systems' security (and especially so if the affected systems are connected to internal networks)."
The same procedure that we applied during our research to the Greek public Internet can also be applied to internal servers to check whether cyber-monitoring software is installed. The aforementioned tools are designed for digital analysis and security audits, in order to obtain an objective picture of the affected servers.
SecNews researchers are at the disposal of administrators or legal representatives of the affected companies, organizations and entities, to provide them with any additional information needed. Details on the assessment procedure, or on how security audits can be performed on an internal network, may also be provided once the administrators have detected a related infection and identified its extent.