Neha Patil (Editor)

The Shadow Brokers

Updated on
Edit
Like
Comment
Share on FacebookTweet on TwitterShare on LinkedInShare on Reddit

The Shadow Brokers (TSB) is an unknown computer threat actor responsible for several leaks (of specifically, exploits and vulnerabilities targeting enterprise firewalls, anti-virus products and Microsoft products), tied to the Equation Group threat actor; NSA's Tailored Access Operations (TAO).

Contents

Name

Several news sources noted that the groups name was likely in reference to a character from the Mass Effect series. Matt Suiche quoted the following description of that character: "The Shadow Broker is an individual at the head of an expansive organization which trades in information, always selling to the highest bidder. The Shadow Broker appears to be highly competent at its trade: all secrets that are bought and sold never allow one customer of the Broker to gain a significant advantage, forcing the customers to continue trading information to avoid becoming disadvantaged, allowing the Broker to remain in business."

First leak: "Equation Group Cyber Weapons Auction - Invitation"

While the exact date is unclear, reports suggest that preparation of the leak started at least in the beginning of August, and that the initial publication occurred August 13, 2016, with a Tweet from the Twitter account, "@theshadowbrokerss", announcing a Pastebin page and a GitHub repository containing references and instructions for obtaining and decrypting the content of a file, supposedly containing tools and exploits used by Equation Group.

Publication and speculation about authenticity

The Pastebin-page introduces a section titled "Equation Group Cyber Weapons Auction - Invitation", with the following content:

Equation Group Cyber Weapons Auction - Invitation

- ------------------------------------------------

!!! Attention government sponsors of cyber warfare and those who profit from it !!!!

How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files. .

The Pastebin-page includes various references for obtaining the file, "EQGRP-Auction-Files.zip". The zip-file contains seven files, two of which being GPG encrypted archives, listed "eqgrp-auction-file.tar.xz.gpg" and "eqgrp-free-file.tar.xz.gpg", respectively. The "eqgrp-free-file.tar.xz.gpg" archive is encrypted with the password: theequationgroup. The contents of this file is currently the only released material related to this publication. It is unknown whether or not the content of the "eqgrp-auction-file.tar.xz.gpg" file is authentic, as the password for decrypting the archive isn't made public.

The Pastebin-page continues with instructions for obtaining the password to the encrypted auction file:

Auction Instructions

- --------------------

We auction best files to highest bidder. Auction files better than stuxnet. Auction files better than free files we already give you. The party which sends most bitcoins to address: 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK before bidding stops is winner, we tell how to decrypt. Very important!!! When you send bitcoin you add additional output to transaction. You add OP_Return output. In Op_Return output you put your (bidder) contact info. We suggest use bitmessage or I2P-bote email address. No other information will be disclosed by us publicly. Do not believe unsigned messages. We will contact winner with decryption instructions. Winner can do with files as they please, we not release files to public.

The initial response to the publication was met with some skepticism, as to whether or not the content actually would be "...many many Equation Group cyber weapons."

Second Leak: "Message #5 - TrickOrTreat"

This publication contains a list of servers, supposedly compromised by Equation Group as well as references to seven supposedly undisclosed tools (DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK AND STOCSURGEON) also used by the threat actor.

Link to message

Link to material (Password = payus)

Third Leak: "Message #6 - BLACK FRIDAY / CYBER MONDAY SALE"

Message #6 reads as follows:

TheShadowBrokers is trying auction. Peoples no like. TheShadowBrokers is trying crowdfunding. Peoples is no liking. Now TheShadowBrokers is trying direct sales. Be checking out ListOfWarez. If you like, you email TheShadowBrokers with name of Warez you want make purchase. TheShadowBrokers is emailing you back bitcoin address. You make payment. TheShadowBrokers emailing you link + decryption password. If not liking this transaction method, you finding TheShadowBrokers on underground marketplaces and making transaction with escrow. Files as always being signed.

This leak contains 60 folders named in a way to serve as reference to tools likely used by Equation Group. The leak doesn't contain executable files, but rather screenshots of the tools file structure. While the leak could be a fake, the overall cohesion between previous and future leaks and references as well as the work required to fake such a fabrication, gives credibility to the theory that the referenced tools are genuine.

NSA insider threat / whistleblower

James Bamford along with Matt Suiche speculated that an insider, "possibly someone assigned to the [NSA’s] highly sensitive Tailored Access Operations", stole the hacking tools. In October 2016, The Washington Post reported that Harold T. Martin III, a former contractor for Booz Allen Hamilton accused of stealing approximately 50 terabytes of data from the National Security Agency (NSA), was the lead suspect. The Shadow Brokers continued posting messages that were cryptographically-signed and were interviewed by media while Martin was detained.

Theory on ties to Russia

Edward Snowden stated on Twitter that "circumstantial evidence and conventional wisdom indicates Russian responsibility" and that the leak "is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server" summarizing that it looks like "somebody sending a message that an escalation in the attribution game could get messy fast".

The New York Times put the incident in the context of the Democratic National Committee cyber attacks and hacking of the Podesta emails. As US intelligence agencies were contemplating counter-attacks, the Shadow Brokers code release was to be seen as a warning: "Retaliate for the D.N.C., and there are a lot more secrets, from the hackings of the State Department, the White House and the Pentagon, that might be spilled as well. One senior official compared it to the scene in The Godfather where the head of a favorite horse is left in a bed, as a warning."

References

The Shadow Brokers Wikipedia