{
	"id": "36d19401-5bb5-446d-9d0a-f94c2604f442",
	"created_at": "2026-04-06T00:09:47.465721Z",
	"updated_at": "2026-04-10T03:26:53.328767Z",
	"deleted_at": null,
	"sha1_hash": "e3e8a7166412a321cb093eaf34f613f65bf5754c",
	"title": "Shadow Brokers leaks show U.S. spies successfully hacked Russian, Iranian targets",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52147,
	"plain_text": "Shadow Brokers leaks show U.S. spies successfully hacked Russian,\r\nIranian targets\r\nBy Chris Bing\r\nPublished: 2017-04-18 · Archived: 2026-04-05 16:47:21 UTC\r\nThe leaked NSA documents and tools published in recent months by the mysterious Shadow Brokers group have\r\nprovided rare insight into the clandestine digital espionage operations pursued by the spy agency over the past few\r\nyears, including information on operations aimed at Iran and Russia.\r\nLast Friday the rogue group released a new package of NSA files, this time detailing numerous tools designed to\r\nbreak into older versions of Microsoft Windows and a campaign to compromise banking networks in the Middle\r\nEast. Additional targets were also mentioned one week prior in a separate archive that was largely ignored by most\r\nmedia outlets.\r\nYet the document cache published April 8 provides evidence that the NSA had once launched a series of\r\nsuccessful computer-based intrusions against multiple high-profile foreign targets, including the Office of the\r\nPresident of Iran and the Russian Federal Nuclear Center, said two former intelligence officials who spoke to\r\nCyberScoop on the condition of anonymity due to their knowledge of internal operations. That release contained\r\nfiles with earmarked organizations and other evidence that explains how certain cyberattacks were engineered.\r\n“The fact that this is in there the way it is means these targets were definitely owned,” one former intelligence\r\nofficial said. 
“It means it was a successful op, plain and simple.”\r\nAnother former intelligence official who worked at the NSA and also spoke on condition of anonymity said the\r\nApril 8 document dump offered authentic internal information regarding past agency operations.\r\nWhile the Shadow Brokers published a list of 300 IP addresses last October that were supposedly once\r\ncompromised by the spy agency, it was not until recently that researchers were provided with more comprehensive\r\ntargeting data.\r\nAn analysis of one archive presented by the Shadow Brokers reveals a collage of web domains and hardware\r\nsystems that were at one point targeted by the NSA and attacked with a suite of hacking tools. These domains\r\ninclude:\r\ndolat.ir: Islamic Republic of Iran Presidential Office website\r\nvniitf.ru: Russian Federal Nuclear Center website\r\nmail.prf.gov.ru: a mail server for the Presidential Administration of Russia (aprf.gov.ru is no longer online)\r\nvega-int.ru: a website for Russian internet service provider, Vega-Internet\r\nsnz.ru: a website for the office providing telecommunications and other internet support for vniitf.ru\r\nminatom.ru: a website of the Ministry for Atomic Energy of the Russian Federation\r\nudprf.ru: the Office of the President of the Russian Federation website\r\nrowdaco.com: a defunct website once apparently used by a Somalia-based electronics store, Rowda\r\nElectronics Company\r\nikoula.com: a website for a French data storage and server rental company\r\nA closer look at the full filenames in the archive provides additional insight. 
The websites themselves represent\r\ntargeted host machines, or boxes, each of which is paired with two different codenames: one for the hacking tool\r\nused and another for the associated operation.\r\nFor example, one such file name is listed as:\r\nstoicsurgeon_ctrl__v__1.5.33.2_x86-linux-optimusprime-vezarat.dolat.ir\r\nIn this context, the term “stoicsurgeon” is a reference to the codename of the deployed tool. “Optimusprime” is the\r\ntitle of an NSA operation. “1.5.33.2”, following the “__v__” marker, is the version of stoicsurgeon, a rootkit backdoor aimed at Linux’s\r\nMultiArch, which helps install library packages from multiple architectures on the same machine.\r\nExperts say stoicsurgeon is a post-exploitation tool, meaning that a different exploit was necessary to first\r\ncompromise the target. “Ctrl” in the sample is the name of the loader. “x86-Linux” refers to the 32-bit Linux\r\noperating system used by the target in this case. “Vezarat,” a term referring to Iran’s Ministry of Intelligence, is the\r\nhost box in the dolat.ir domain that was specifically compromised.\r\nIt all translates to an NSA operation that likely saw U.S. spies hack into a host box inside a computer network that\r\nwas of high interest to national security analysts in Washington during the Obama administration. According to an\r\ninternal PowerPoint presentation previously leaked by former agency contractor Edward Snowden,\r\n“Optimusprime” is related to the NSA’s SPINALTAP project, a program that was introduced to combine data from\r\nactive operations and passive signals intelligence.\r\nStoicsurgeon is just one hacking tool used against the web domains listed above. 
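The filename convention laid out above (tool and component before the __v__ marker, then version, architecture, operating system, operation codename and compromised host) is regular enough to parse mechanically. The Python below is an added example written for this page, not code from the article, from x0rz or from the leaked archive; the field labels (tool, component, version, arch, os, operation, host, hostname, domain) are this example's own, and the assumption that a host may itself contain hyphens, so that only the first three hyphens act as separators, is the example's, not something the article states. It parses the two filenames quoted on the page and rejects anything that does not follow the pattern.

```python
# Added example for this page (not code from the article or the leaked archive):
# a parser for the archive filename convention the article explains,
#   <tool>_<component>__v__<version>_<arch>-<os>-<operation>-<host>
# Field labels are this example's own; the two sample names are the ones
# quoted on the page.
from collections import defaultdict

SAMPLE_FILENAMES = [
    'stoicsurgeon_ctrl__v__1.5.33.2_x86-linux-optimusprime-vezarat.dolat.ir',
    'suctionchar_agent__v__2.0.27.18_x86-linux-tilttop-comet.vniitf.ru',
]


def parse_leak_filename(name):
    # Split one filename into labelled fields; raise ValueError on anything
    # that does not fit the convention so a caller can keep noise separate.
    head, sep, tail = name.partition('__v__')
    if not sep:
        raise ValueError('missing __v__ marker: ' + name)

    # Left of __v__: tool codename and component (ctrl = loader, agent = implant).
    tool, sep, component = head.partition('_')
    if not sep or not tool or not component:
        raise ValueError('missing tool_component prefix: ' + name)

    # Right of __v__: dotted numeric version, then arch-os-operation-host.
    version, sep, target = tail.partition('_')
    if not sep or not all(p.isdigit() for p in version.split('.')):
        raise ValueError('bad version field: ' + name)

    # Assumption: a host may contain hyphens, so only the first three hyphens
    # are field separators and the remainder is kept whole as the host.
    parts = target.split('-', 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError('expected arch-os-operation-host: ' + name)
    arch, os_name, operation, host = parts
    hostname, _, domain = host.partition('.')
    return {
        'tool': tool, 'component': component, 'version': version,
        'arch': arch, 'os': os_name, 'operation': operation,
        'host': host, 'hostname': hostname, 'domain': domain,
    }


def summarize(names):
    # Group (tool, component, host) triples by operation codename; malformed
    # names are returned separately rather than silently dropped.
    by_operation = defaultdict(list)
    rejected = []
    for name in names:
        try:
            rec = parse_leak_filename(name)
        except ValueError:
            rejected.append(name)
            continue
        by_operation[rec['operation']].append((rec['tool'], rec['component'], rec['host']))
    return dict(by_operation), rejected


if __name__ == '__main__':
    for name in SAMPLE_FILENAMES:
        print(parse_leak_filename(name))
    # 'README.txt' is a constructed non-matching entry to show rejection.
    print(summarize(SAMPLE_FILENAMES + ['README.txt']))
```

SAMPLE_FILENAMES holds only the two names quoted on the page; a full listing from the archive would be fed to summarize in the same way, and its second return value collects entries that are not host records (readmes, tool binaries without a target suffix) instead of mis-parsing them.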
Another tool, codenamed\r\n“suctionchar,” also features prominently in the archive filename list, for example:\r\nsuctionchar_agent__v__2.0.27.18_x86-linux-tilttop-comet.vniitf.ru\r\nRead by the same convention, “agent” is the component deployed, “2.0.27.18” its version, “tilttop” the operation codename and comet.vniitf.ru the\r\ncompromised host in the vniitf.ru domain.\r\nSecurity researcher x0rz described “suctionchar” as a “32 or 64 bit OS, solaris sparc 8,9, Kernel level implant”\r\nthat provides an attacker with “transparent, sustained, or realtime interception of processes input/output vnode\r\ntraffic,” and which can also “intercept ssh, telnet, rlogin, rsh, password, login, [and] csh” data.\r\nSource: https://www.cyberscoop.com/nsa-shadow-brokers-leaks-iran-russia-optimusprime-stoicsurgeon/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.cyberscoop.com/nsa-shadow-brokers-leaks-iran-russia-optimusprime-stoicsurgeon/"
	],
	"report_names": [
		"nsa-shadow-brokers-leaks-iran-russia-optimusprime-stoicsurgeon"
	],
	"threat_actors": [
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434187,
	"ts_updated_at": 1775791613,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3e8a7166412a321cb093eaf34f613f65bf5754c.pdf",
		"text": "https://archive.orkl.eu/e3e8a7166412a321cb093eaf34f613f65bf5754c.txt",
		"img": "https://archive.orkl.eu/e3e8a7166412a321cb093eaf34f613f65bf5754c.jpg"
	}
}