HOME

TheInfoList



OR:

The Shadow Brokers (TSB) is a
hacker group Hacker groups are informal communities that began to flourish in the early 1980s, with the advent of the home computer. Overview Prior to that time, the term ''hacker'' was simply a referral to any computer hobbyist. The hacker groups were out ...
who first appeared in the summer of 2016. They published several leaks containing hacking tools, including several zero-day exploits, from the "
Equation Group The Equation Group, classified as an advanced persistent threat, is a highly sophisticated threat actor suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA). Kaspersky Labs descr ...
" who are widely suspected to be a branch of the
National Security Agency The National Security Agency (NSA) is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collecti ...
(NSA) of the United States. Specifically, these exploits and vulnerabilities targeted enterprise firewalls,
antivirus software Antivirus software (abbreviated to AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware. Antivirus software was originally developed to detect and remove computer viruses, hence the nam ...
, and
Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washing ...
products. The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA's
Tailored Access Operations The Office of Tailored Access Operations (TAO), now Computer Network Operations, and structured as S32, is a cyber-warfare intelligence-gathering unit of the National Security Agency (NSA). It has been active since at least 1998, possibly 1997 ...
unit.


Name and alias

Several news sources noted that the group's name was likely in reference to a character from the ''
Mass Effect ''Mass Effect'' is a military science fiction media franchise created by Casey Hudson, Drew Karpyshyn and Preston Watamaniuk. The franchise depicts a distant future where humanity and several alien civilizations have colonized the known univers ...
'' video game series.
Matt Suiche Matthieu Suiche (born September 22, 1988), also known as Matt and under the username msuiche, is a French hacker and entrepreneur widely known as the founder of MoonSols, and co-founder of CloudVolumes before it was acquired by VMWare in 2014. In ...
quoted the following description of that character: "The Shadow Broker is an individual at the head of an expansive organization which trades in information, always selling to the highest bidder. The Shadow Broker appears to be highly competent at its trade: all secrets that are bought and sold never allow one customer of the Broker to gain a significant advantage, forcing the customers to continue trading information to avoid becoming disadvantaged, allowing the Broker to remain in business."


Leak history


First leak: "Equation Group Cyber Weapons Auction - Invitation"

While the exact date is unclear, reports suggest that the preparation of the
leak A leak is a way (usually an opening) for fluid to escape a container or fluid-containing system, such as a tank or a ship's hull, through which the contents of the container can escape or outside matter can enter the container. Leaks are usuall ...
started at least in the beginning of August, and that the initial publication occurred August 13, 2016 with a Tweet from a
Twitter Twitter is an online social media and social networking service owned and operated by American company Twitter, Inc., on which users post and interact with 280-character-long messages known as "tweets". Registered users can post, like, and ...
account "@shadowbrokerss" announcing a
Pastebin A pastebin or text storage site is a type of online content-hosting service where users can store plain text (e.g. source code snippet (programming), snippets for code review via Internet Relay Chat (IRC)). The first pastebin was the eponymous ...
page and a
GitHub GitHub, Inc. () is an Internet hosting service for software development and version control using Git. It provides the distributed version control of Git plus access control, bug tracking, software feature requests, task management, continuous ...
repository containing references and instructions for obtaining and decrypting the content of a file supposedly containing tools and exploits used by the
Equation Group The Equation Group, classified as an advanced persistent threat, is a highly sophisticated threat actor suspected of being tied to the Tailored Access Operations (TAO) unit of the United States National Security Agency (NSA). Kaspersky Labs descr ...
.


Publication and speculation about authenticity

The Pastebin introduces a section titled "Equation Group Cyber Weapons Auction - Invitation", with the following content:
Equation Group Cyber Chase Weapons Auction - Invitation - ------------------------------------------------ !!! Attention government sponsors of cyber warfare and those who profit from it !!!! How much you pay for enemies
cyber weapon Cyber may refer to: Computing and the Internet * ''Cyber-'', from cybernetics, a transdisciplinary approach for exploring regulatory and purposive systems Crime and security * Cyber crime, crime that involves computers and networks ** Conventi ...
s? Not malware you find in networks. Both sides,
RAT Rats are various medium-sized, long-tailed rodents. Species of rats are found throughout the order Rodentia, but stereotypical rats are found in the genus ''Rattus''. Other rat genera include ''Neotoma'' ( pack rats), ''Bandicota'' (bandicoot ...
+ LP, full state sponsor tool set? We find cyber weapons made by creators of
stuxnet Stuxnet is a malicious computer worm first uncovered in 2010 and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition ( SCADA) systems and is believed to be responsible for causing su ...
,
duqu Duqu is a collection of computer malware discovered on 1 September 2011, thought by Kaspersky Labs to be related to the Stuxnet worm and to have been created by Unit 8200. Duqu has exploited Microsoft Windows's Zero day vulnerability, zero-day vu ...
,
flame A flame (from Latin ''flamma'') is the visible, gaseous part of a fire. It is caused by a highly exothermic chemical reaction taking place in a thin zone. When flames are hot enough to have ionized gaseous components of sufficient density they ...
.
Kaspersky Kaspersky Lab (; Russian: Лаборатория Касперского, tr. ''Laboratoriya Kasperskogo'') is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in th ...
calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files. .
The Pastebin includes various references for obtaining the file, named "EQGRP-Auction-Files.zip". This
zip file ZIP is an archive file format that supports lossless data compression. A ZIP file may contain one or more files or directories that may have been compressed. The ZIP file format permits a number of compression algorithms, though DEFLATE is th ...
contains seven files, two of which are the GPG-encrypted archives "eqgrp-auction-file.tar.xz.gpg" and "eqgrp-free-file.tar.xz.gpg". The "eqgrp-free-file.tar.xz.gpg" archive's password was revealed in the original Pastebin to be theequationgroup. The "eqgrp-auction-file.tar.xz" archive's password was revealed in a later Medium post to be CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN. The Pastebin continues with instructions for obtaining the password to the encrypted
auction An auction is usually a process of buying and selling goods or services by offering them up for bids, taking bids, and then selling the item to the highest bidder or buying the item from the lowest bidder. Some exceptions to this definition ex ...
file:
Auction Instructions - -------------------- We auction best files to highest bidder. Auction files better than stuxnet. Auction files better than free files we already give you. The party which sends most bitcoins to address: 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK before bidding stops is winner, we tell how to decrypt. Very important!!! When you send bitcoin you add additional output to transaction. You add OP_Return output. In Op_Return output you put your (bidder) contact info. We suggest use bitmessage or I2P-bote email address. No other information will be disclosed by us publicly. Do not believe unsigned messages. We will contact winner with decryption instructions. Winner can do with files as they please, we not release files to public.
The initial response to the publication was met with some skepticism, as to whether or not the content actually would be "...many many Equation Group cyber weapons."


Second leak: "Message #5 - TrickOrTreat"

This publication, made on October 31, 2016, contains a list of servers, supposedly compromised by Equation Group as well as references to seven supposedly undisclosed tools (DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK AND STOICSURGEON) also used by the threat actor.


Third leak: "Message #6 - BLACK FRIDAY / CYBER MONDAY SALE"

Message #6 reads as follows:
TheShadowBrokers is trying auction. Peoples no like. TheShadowBrokers is trying crowdfunding. Peoples is no liking. Now TheShadowBrokers is trying direct sales. Be checking out ListOfWarez. If you like, you email TheShadowBrokers with name of Warez you want make purchase. TheShadowBrokers is emailing you back bitcoin address. You make payment. TheShadowBrokers emailing you link + decryption password. If not liking this transaction method, you finding TheShadowBrokers on underground marketplaces and making transaction with escrow. Files as always being signed.
This leak contains 60 folders named in a way to serve as reference to tools likely used by Equation Group. The leak doesn't contain executable files, but rather screenshots of the tools file structure. While the leak could be a fake, the overall cohesion between previous and future leaks and references as well as the work required to fake such a fabrication, gives credibility to the theory that the referenced tools are genuine.


Fourth leak: "Don't Forget Your Base"

On April 8, 2017, the
Medium Medium may refer to: Science and technology Aviation *Medium bomber, a class of war plane * Tecma Medium, a French hang glider design Communication * Media (communication), tools used to store and deliver information or data * Medium of ...
account used by The Shadow Brokers posted a new update. The post revealed the password to encrypted files released last year to be CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN. Those files allegedly reveal more NSA hacking tools. This posting explicitly stated that the post was partially in response to President Trump's attack against a Syrian airfield, which was also used by Russian forces. The decrypted file, eqgrp-auction-file.tar.xz, contained a collection of tools primarily for compromising Linux/Unix based environments.


Fifth leak: "Lost in Translation"

On April 14, 2017, the
Twitter Twitter is an online social media and social networking service owned and operated by American company Twitter, Inc., on which users post and interact with 280-character-long messages known as "tweets". Registered users can post, like, and ...
account used by The Shadow Brokers posted a tweet with a link to the Steem blockchain. Herein, a message with a link to the leak files, encrypted with the password Reeeeeeeeeeeeeee. The overall content is based around three folders: "oddjob", "swift" and "windows". The fifth leak is suggested to be the "...most damaging release yet" and CNN quoted Matthew Hickey saying, "This is quite possibly the most damaging thing I've seen in the last several years,". The leak includes, amongst other things, the tools and exploits codenamed: DANDERSPIRITZ, ODDJOB, FUZZBUNCH, DARKPULSAR, ETERNALSYNERGY, ETERNALROMANCE,
ETERNALBLUE EternalBlue is a computer exploit (computer security), exploit developed by the U.S. National Security Agency (NSA). It was leaked by the The Shadow Brokers, Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patc ...
, EXPLODINGCAN and EWOKFRENZY. Some of the exploits targeting the Windows operating system had been patched in a Microsoft Security Bulletin on March 14, 2017, one month before the leak occurred. Some speculated that Microsoft may have been tipped off about the release of the exploits.


EternalBlue

Over 200,000 machines were infected with tools from this leak within the first two weeks, and in May 2017, the major
WannaCry ransomware attack The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitco ...
used the ETERNALBLUE exploit on
Server Message Block Server Message Block (SMB) is a communication protocol originally developed in 1983 by Barry A. Feigenbaum at IBM and intended to provide shared access to files and printers across nodes on a network of systems running IBM's OS/2. It also provides ...
(SMB) to spread itself. The exploit was also used to help carry out the
2017 Petya cyberattack A series of powerful cyberattacks using the Petya malware began on 27 June 2017 that swamped websites of Ukrainian organizations, including banks, ministries, newspapers and electricity firms. Similar infections were reported in France, Germa ...
on June 27, 2017. ETERNALBLUE contains kernel shellcode to load the non-persistent
DoublePulsar DoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency's (NSA) Equation Group that was leaked by The Shadow Brokers in early 2017. The tool infected more than 200,000 Microsoft Windows computers in only a fe ...
backdoor A back door is a door in the rear of a building. Back door may also refer to: Arts and media * Back Door (jazz trio), a British group * Porta dos Fundos (literally “Back Door” in Portuguese) Brazilian comedy YouTube channel. * Works so title ...
. This allows for the installation of the PEDDLECHEAP payload which would then be accessed by the attacker using the DanderSpritz Listening Post (LP) software.


Speculations and theories on motive and identity


NSA insider threat

James Bamford James Bamford (born September 15, 1946) is an American author, journalist and documentary producer noted for his writing about United States intelligence agency, intelligence agencies, especially the National Security Agency (NSA). ''The New Y ...
along with
Matt Suiche Matthieu Suiche (born September 22, 1988), also known as Matt and under the username msuiche, is a French hacker and entrepreneur widely known as the founder of MoonSols, and co-founder of CloudVolumes before it was acquired by VMWare in 2014. In ...
speculated that an insider, "possibly someone assigned to the SA'shighly sensitive
Tailored Access Operations The Office of Tailored Access Operations (TAO), now Computer Network Operations, and structured as S32, is a cyber-warfare intelligence-gathering unit of the National Security Agency (NSA). It has been active since at least 1998, possibly 1997 ...
", stole the hacking tools. In October 2016, ''
The Washington Post ''The Washington Post'' (also known as the ''Post'' and, informally, ''WaPo'') is an American daily newspaper published in Washington, D.C. It is the most widely circulated newspaper within the Washington metropolitan area and has a large nati ...
'' reported that Harold T. Martin III, a former contractor for
Booz Allen Hamilton Booz Allen Hamilton Holding Corporation (informally Booz Allen) is the parent of Booz Allen Hamilton Inc., an American management and information technology consulting firm, headquartered in McLean, Virginia, in Greater Washington, D.C., with 8 ...
accused of stealing approximately 50 terabytes of data from the
National Security Agency The National Security Agency (NSA) is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence (DNI). The NSA is responsible for global monitoring, collecti ...
(NSA), was the lead suspect. The Shadow Brokers continued posting messages that were cryptographically-signed and were interviewed by media while Martin was detained.


Theory on ties to Russia

Edward Snowden Edward Joseph Snowden (born June 21, 1983) is an American and naturalized Russian former computer intelligence consultant who leaked highly classified information from the National Security Agency (NSA) in 2013, when he was an employee and su ...
stated on
Twitter Twitter is an online social media and social networking service owned and operated by American company Twitter, Inc., on which users post and interact with 280-character-long messages known as "tweets". Registered users can post, like, and ...
on August 16, 2016 that "circumstantial evidence and
conventional wisdom The conventional wisdom or received opinion is the body of ideas or explanations generally accepted by the public and/or by experts in a field. In religion, this is known as orthodoxy. Etymology The term is often credited to the economist John K ...
indicates Russian responsibility" and that the leak "is likely a warning that someone can prove responsibility for any attacks that originated from this malware server" summarizing that it looks like "somebody sending a message that an escalation in the attribution game could get messy fast". ''
The New York Times ''The New York Times'' (''the Times'', ''NYT'', or the Gray Lady) is a daily newspaper based in New York City with a worldwide readership reported in 2020 to comprise a declining 840,000 paid print subscribers, and a growing 6 million paid ...
'' put the incident in the context of the
Democratic National Committee cyber attacks The Democratic National Committee cyber attacks took place in 2015 and 2016, in which two groups of Russian computer hackers infiltrated the Democratic National Committee (DNC) computer network, leading to a data breach. Cybersecurity experts, as ...
and hacking of the
Podesta emails In March 2016, the personal Gmail account of John Podesta, a former White House chief of staff and chair of Hillary Clinton's 2016 U.S. presidential campaign, was compromised in a data breach accomplished via a spear-phishing attack, and some ...
. As US intelligence agencies were contemplating counter-attacks, the Shadow Brokers code release was to be seen as a warning: "Retaliate for the D.N.C., and there are a lot more secrets, from the hackings of the State Department, the White House and the Pentagon, that might be spilled as well. One senior official compared it to the scene in ''
The Godfather ''The Godfather'' is a 1972 American crime film directed by Francis Ford Coppola, who co-wrote the screenplay with Mario Puzo, based on Puzo's best-selling 1969 novel of the same title. The film stars Marlon Brando, Al Pacino, James Caan, ...
'' where the head of a favorite horse is left in a bed, as a warning." In 2019, David Aitel, a computer scientist formerly employed by the NSA, summarized the situation with: "I don’t know if anybody knows other than the Russians. And we don’t even know if it’s the Russians. We don’t know at this point; anything could be true."


References

{{DEFAULTSORT:Shadow Brokers Hacker groups Cyberwarfare Hacking in the 2010s