Sunday night, a group called the Shadow Brokers released a new cache of data purportedly taken from the NSA in a Medium post titled "Trick or Treat." Alongside other data, the new release reveals 108 IP addresses apparently compromised by the NSA as part of its operations. The majority of the nodes are located overseas, including compromises in China, Russia, India, and Pakistan, presumably to make it difficult for targets to attribute any attack launched through the network.
Most of the nodes themselves are several years old, but they could still be valuable to researchers looking to trace the NSA’s past activities. By running these IP addresses against server logs, possible targets could discover they had been targeted by the agency in the past, potentially revealing sensitive government operations.
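The log check described above, sketched as an added example that is not part of the original article: it matches whole addresses rather than substrings, normalizes IPv4-mapped IPv6 client fields, and separates client-field hits from addresses that merely appear elsewhere in a line. The indicator values, log lines and function names are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed placeholder indicators (RFC 5737 documentation ranges); the
# leaked list itself is not reproduced here.
INDICATORS = ["192.0.2.10", "198.51.100.7", "203.0.113.200"]

# Constructed sample access-log lines (Apache-style), not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Mar/2009:04:12:55 +0000] "GET / HTTP/1.0" 200 512
192.0.2.101 - - [03/Mar/2009:04:13:02 +0000] "GET /a HTTP/1.0" 200 90
::ffff:198.51.100.7 - - [11/Jul/2010:22:40:19 +0000] "POST /login HTTP/1.1" 302 0
10.0.0.5 - - [12/Jul/2010:01:00:00 +0000] "GET /?ref=203.0.113.200 HTTP/1.1" 200 10
192.0.2.10 - - [19/Aug/2010:09:30:41 +0000] "GET /x HTTP/1.0" 404 0
"""

IPV4_TOKEN = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
TIMESTAMP = re.compile(r"\[([^\]]+)\]")

def normalize(token):
    """Canonical IPv4 string for a token, or None if it is not one."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return None
    if addr.version == 6:
        addr = addr.ipv4_mapped  # None unless the form is ::ffff:a.b.c.d
    return None if addr is None else str(addr)

def find_hits(lines, indicators):
    """Map each matched indicator to [(line_no, timestamp, where), ...]."""
    wanted = {n for n in map(normalize, indicators) if n}
    hits = defaultdict(list)
    for line_no, line in enumerate(lines, 1):
        m = TIMESTAMP.search(line)
        stamp = m.group(1) if m else None
        first, _, rest = line.partition(" ")
        # The client field is direct evidence of contact; an address elsewhere
        # (query string, referrer) is weaker and is labelled separately.
        found = [(normalize(first), "client")]
        found += [(normalize(t), "other") for t in IPV4_TOKEN.findall(rest)]
        for ip, where in found:
            if ip in wanted:
                hits[ip].append((line_no, stamp, where))
    return dict(hits)

if __name__ == "__main__":
    for ip, seen in find_hits(SAMPLE_LOG.splitlines(), INDICATORS).items():
        print(ip, seen)
```

Because the nodes are several years old, the first and last timestamps per address matter as much as the match itself: an address may have been reassigned since.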
As with any anonymous leak of stolen data, it’s possible the information was fabricated or altered in transit, although previous Shadow Brokers publications have proven to be genuine. The Medium post is also signed with PGP, thus verifying that it was written by the same source as previous Shadow Brokers drops.
The identity of the Shadow Brokers is still unconfirmed, but a number of analysts have suggested the campaign is a way for Russia to undermine NSA capabilities. The most recent message from the group plays with that impression further, writing, "Amerikanskis is not knowing USSA cyber capabilities is being screwed?"