The Shadow Brokers
- June 8, 2017
- Clayton Rice, K.C.
Who are those guys?
On August 13, 2016, a hacker or group whose identity remains murky published stolen tools from the Equation Group, which is widely believed to be a unit of the United States National Security Agency (NSA). The tools were reported to include exploits targeting firewalls, anti-virus software and Microsoft products. Over the next eight months roughly a gigabyte of weaponized NSA software exploits was reported to have been leaked by the Shadow Brokers. Then, on April 14, 2017, the mysterious group (or person) published its most significant release, containing approximately 300 megabytes of data claimed to have been stolen from the NSA. The Good Friday dump included exploits and hacking tools aimed at most versions of Microsoft Windows, together with documents on operations against the SWIFT banking network.
In an article titled NSA-leaking Shadow Brokers just dumped its most damaging release yet published by Ars Technica on April 14, 2017, Dan Goodin described the report of the dump this way:
“The contents included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework that loads the binaries into targeted networks. Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date. ‘It is by far the most powerful cache of exploits ever released,’ Matthew Hickey, a security expert and co-founder of Hacker House, told Ars. ‘It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it. A number of these attacks appear to be 0-day exploits which have no patch and work completely from a remote network perspective.’” Mr. Goodin wrote in an update that none of the exploits were, in fact, zero days: Microsoft had already released patches for the vulnerabilities in supported versions of Windows before the dump appeared.
In a post to Lawfare, also on April 14, 2017, titled Shadow Brokers Redux: Dump of NSA Tools Gets Even Worse, Nicholas Weaver of the International Computer Science Institute in Berkeley, California, wrote: “[T]oday those wily and sarcastic (and probably Russian) hackers dumped the really amazing stuff: operational notes from the NSA’s active targeting of banks in the Middle East and the NSA’s collection of Microsoft Windows exploitation tools. This may well be the most damaging dump against the NSA to date, and it is without question the most damaging post-Snowden release.” Dr. Weaver went on to say that the Friday before a holiday weekend was perfect timing, as many defenders would be offline. “I’m only being somewhat glib,” he wrote, “in suggesting that the best security measure for a Windows computer might be to just turn it off for a few days.”
Focusing on the impact on the global banking system in an article for WIRED titled Major Leak Suggests NSA Was Deep In Middle East Banking System, also published on April 14, 2017, technology journalist Andy Greenberg said that the new leak revealed evidence that the NSA had hacked into EastNets, the Dubai-based firm that manages payments in the global SWIFT transaction system for its client banks. “The leak includes,” Mr. Greenberg wrote, “detailed lists of hacked or potentially targeted computers, including those belonging to firms in Qatar, Dubai, Abu Dhabi, Syria, Yemen, and the Palestinian territories.” Although EastNets denied that it was hacked, Mr. Greenberg said that the leak showed otherwise, and that “nothing in the leaked documents suggests that the NSA used its access to EastNets’ SWIFT systems to actually alter transactions or steal funds. Instead, stealthily tracking the transactions within that network may have given the agency visibility into money flows in the region – including to potential terrorist, extremist, or insurgent groups.”
On May 12, 2017, the WannaCry ransomware attack spread worldwide, targeting computers running Microsoft Windows, encrypting their data and demanding ransom payments in Bitcoin. It propagated using EternalBlue, an SMBv1 exploit from the April dump for which Microsoft had issued patch MS17-010 in March 2017; machines that had not applied the patch, or were running unsupported versions of Windows, were exposed. On May 16, 2017, in a report for Reuters titled Shadow Brokers group linked to NSA spy leaks threatens sale of new secrets, Eric Auchard and Dustin Volz wrote that the leaks and the WannaCry attack “have renewed debate over how and when intelligence agencies should disclose vulnerabilities used in cyber spying programs so that businesses and consumers can better defend themselves against attacks.”
Now, in the wake of WannaCry, the Shadow Brokers have threatened to leak more hacking tools claimed to have been stolen from the NSA. In an article titled Shadow Brokers threaten to unleash more hacking tools, published in the May 17, 2017, edition of the Guardian, Samuel Gibbs summarized the group’s recent post:
“In a blog post written in their trademark broken English, the group said they had more so-called Ops Disks, which they said were also stolen from the NSA. They also claimed to have exploits for web browsers, routers, smartphones, data from the international money transfer network Swift and ‘compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs’.
The hacking group said they would release tools to subscribers each month or would ‘go dark permanently’ if the ‘responsible party’ bought all the tools for a lump sum, suggesting the Shadow Brokers could be willing to hand over stolen hacking tools to the NSA for a price.
While the Shadow Brokers’ motives remain unknown, they claimed they were not interested in the bug bounties paid by software firms for vulnerabilities found in their code or selling to ‘cyber thugs’. They said they were ‘taking pride in picking adversary equal to or better than selves, a worthy opponent’ and that it was ‘always being about theshadowbrokers vs theequationgroup’ [a sophisticated hacking team believed to be operated by the NSA].”
In a piece titled Who are the Shadow Brokers? published by The Atlantic on May 23, 2017, Bruce Schneier of the Berkman Center for Internet & Society at Harvard Law School said that the short answer is: “We don’t know. But we can make some educated guesses based on the material they’ve published.” I will condense the guesses as follows:
- The material dates from autumn 2013 and seems to have been collected from an external NSA staging server, a machine controlled by the United States but with no connection to the agency. While it is possible that the source is a whistleblower, it seems unlikely that a whistleblower would sit on attack tools for three years before publishing. A whistleblower would act more like Edward Snowden or Chelsea Manning – collecting and then publishing – and would publish documents that discuss what the US is doing to whom. That is not what we see here. It is simply a bunch of exploit code, which does not have the political or ethical implications that a whistleblower would want to highlight.
- It is not random hackers who stumbled on these tools and are just trying to harm the NSA or the US. Again, the three-year wait makes no sense. These documents and tools are cyber-Kryptonite; anyone secretly hoarding them is in danger from half the intelligence agencies in the world.
- That leaves a nation state. Whoever obtained this information years ago and is leaking it now has to be both (a) capable of hacking the NSA and (b) willing to publish it. The obvious list of countries that fit both criteria is small: Russia and China. But the problem with the Russia theory is, why? These leaked tools are more valuable if kept secret. Russia could use the knowledge to detect NSA hacking in its own country and to attack other countries. By publishing the tools, the Shadow Brokers are signalling that they don’t care if the US knows the tools were stolen. But the “we don’t give a damn” nature of the releases points to an attacker who isn’t thinking strategically: a lone hacker or hacking group, which clashes with the nation-state theory.
- Could there be a mole inside the NSA? If it is a mole, the guess is that the person was arrested before the Shadow Brokers released anything. No country would burn a mole working for it by publishing what that person delivered while he or she was still in danger. Intelligence agencies know that if they betray a source this severely, they will never get another one. That points to two possibilities. The first is that the files came from Hal Martin, the NSA contractor who was arrested in August 2016 for hoarding agency secrets in his house for two years. The other is a mysterious second NSA leaker of cyberattack tools, discovered in 2015 and also arrested. (See Ellen Nakashima, Pentagon and intelligence community chiefs have urged Obama to remove the head of the NSA, The Washington Post, November 19, 2016.)
On May 16, 2017, a week before Mr. Schneier’s article, the Shadow Brokers announced that a “Data Dump of the Month” service would be launched in June and then posted this to their Twitter account @shadowbrokers on May 30, 2017:
“Q. What is going to be the next dump?
TheShadowBrokers is not deciding yet. Something of value to someone. See theshadowbrokers’ previous posts. The time for ‘I’ll show you mine if you show me yours first’ is being over. Peoples is seeing what happenings when theshadowbrokers is showing theshadowbrokers’ first. This is being wrong question. Question to be asking ‘Can my organization afford not to be first to get access to theshadowbrokers dumps?’ ”