The Shadow Brokers

The Shadow Brokers (TSB) is a hacker group that first appeared in the summer of 2016. [1] [2] They published several leaks containing hacking tools, including several zero-day exploits, [1] from the "Equation Group", which is widely suspected to be a branch of the National Security Agency (NSA) of the United States. [3] [4] Specifically, these exploits and vulnerabilities [5] [6] targeted enterprise firewalls, antivirus software, and Microsoft products. [7] The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, which has been tied to the NSA's Tailored Access Operations unit. [8] [9] [10] [4]

Name and alias

Several news sources noted that the group's name was likely in reference to a character from the Mass Effect video game series. [11] [12] Matt Suiche quoted the following description of that character: "The Shadow Broker is an individual at the head of an expansive organization which trades in information, always selling to the highest bidder. The Shadow Broker appears to be highly competent at its trade: all secrets that are bought and sold never allow one customer of the Broker to gain a significant advantage, forcing the customers to continue trading information to avoid becoming disadvantaged, allowing the Broker to remain in business." [13]

Leak history

Equation Group leaks

While the exact date is unclear, reports suggested that preparation of the leak started at least in the beginning of August, [14] and that the initial publication occurred on August 13, 2016 with a tweet from the Twitter account "@shadowbrokerss" announcing a Pastebin page [6] and a GitHub repository containing references and instructions for obtaining and decrypting the content of a file supposedly containing tools and exploits used by the Equation Group. The initial response to the publication was met with some uncertainty about its authenticity. [15]

On October 31, 2016, The Shadow Brokers published a list of servers supposedly compromised by the Equation Group, as well as references to seven supposedly undisclosed tools (DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK and STOICSURGEON) also used by the threat actor. [16]

On April 8, 2017, the Medium account used by The Shadow Brokers posted a new update. [17] The post revealed the password to encrypted files released the previous year, which allegedly contained more NSA hacking tools. [18] The posting explicitly stated that it was partially in response to President Trump's attack on a Syrian airfield that was also used by Russian forces.

April 14 hacking tool leak

On April 14, 2017, The Shadow Brokers released, amongst other things, the tools and exploits codenamed: DANDERSPRITZ, ODDJOB, FUZZBUNCH, DARKPULSAR, ETERNALSYNERGY, ETERNALROMANCE, ETERNALBLUE, EXPLODINGCAN and EWOKFRENZY. [19] [20] [21]

The leak was described as the "...most damaging release yet", [19] and CNN quoted Matthew Hickey saying, "This is quite possibly the most damaging thing I've seen in the last several years". [22]

Some of the exploits targeting the Windows operating system had been patched in a Microsoft Security Bulletin on March 14, 2017, one month before the leak occurred. [23] [24] Some speculated that Microsoft may have been tipped off about the release of the exploits. [25]

EternalBlue

Over 200,000 machines were infected with tools from this leak within the first two weeks, [26] and in May 2017 the major WannaCry ransomware attack used the ETERNALBLUE exploit against Server Message Block (SMB) to spread itself. [27] The exploit was also used to help carry out the NotPetya cyberattack on June 27, 2017. [28]

ETERNALBLUE contains kernel shellcode that loads the non-persistent DoublePulsar backdoor. [29] DoublePulsar in turn allows the installation of the PEDDLECHEAP payload, which the attacker then accesses using the DanderSpritz Listening Post (LP) software. [30] [31]

Speculations and theories on motive and identity

NSA insider threat

James Bamford, along with Matt Suiche, speculated [32] that an insider, "possibly someone assigned to the [NSA's] highly sensitive Tailored Access Operations", stole the hacking tools. [33] [34] In October 2016, The Washington Post reported that Harold T. Martin III, a former contractor for Booz Allen Hamilton accused of stealing approximately 50 terabytes of data from the National Security Agency (NSA), was the lead suspect. Martin had worked with the NSA's Tailored Access Operations from 2012 to 2015 in a support role. He pleaded guilty to retaining national defense information in 2019, but it is not clear whether The Shadow Brokers obtained their material from him. The Shadow Brokers continued posting cryptographically signed messages and were interviewed by media while Martin was detained. [35]

Theory on ties to Russia

Edward Snowden stated on Twitter on August 16, 2016 that "circumstantial evidence and conventional wisdom indicates Russian responsibility" [36] and that the leak "is likely a warning that someone can prove responsibility for any attacks that originated from this malware server", [37] summarizing that it looks like "somebody sending a message that an escalation in the attribution game could get messy fast". [38] [39]

The New York Times put the incident in the context of the Democratic National Committee cyberattacks and the hacking of the Podesta emails. As US intelligence agencies were contemplating counterattacks, the Shadow Brokers code release was to be seen as a warning: "Retaliate for the D.N.C., and there are a lot more secrets, from the hackings of the State Department, the White House and the Pentagon, that might be spilled as well. One senior official compared it to the scene in The Godfather where the head of a favorite horse is left in a bed, as a warning." [40]

In 2019, David Aitel, a computer scientist formerly employed by the NSA, summarized the situation with: "I don't know if anybody knows other than the Russians. And we don't even know if it's the Russians. We don't know at this point; anything could be true." [41]


References

  1. Ghosh, Agamoni (April 9, 2017). "'President Trump what the f**k are you doing' say Shadow Brokers and dump more NSA hacking tools". International Business Times UK. Retrieved April 10, 2017.
  2. "'NSA malware' released by Shadow Brokers hacker group". BBC News. April 10, 2017. Retrieved April 10, 2017.
  3. Brewster, Thomas. "Equation = NSA? Researchers Uncloak Huge 'American Cyber Arsenal'". Forbes. Retrieved November 25, 2020.
  4. Biddle, Sam (August 19, 2016). "The NSA Leak is Real, Snowden Documents Confirm". The Intercept. Retrieved April 15, 2017.
  5. Nakashima, Ellen (August 16, 2016). "Powerful NSA hacking tools have been revealed online". The Washington Post.
  6. "Equation Group - Cyber Weapons Auction - Pastebin.com". August 16, 2016. Archived from the original on August 15, 2016.
  7. Goodin, Dan (January 12, 2017). "NSA-leaking Shadow Brokers lob Molotov cocktail before exiting world stage". Ars Technica. Retrieved January 14, 2017.
  8. Goodin, Dan (August 16, 2016). "Confirmed: hacking tool leak came from "omnipotent" NSA-tied group". Ars Technica. Retrieved January 14, 2017.
  9. "The Equation giveaway". Securelist. August 16, 2016.
  10. "Group claims to hack NSA-tied hackers, posts exploits as proof". August 16, 2016.
  11. "The 'Shadow Brokers' NSA theft puts the Snowden leaks to shame". ExtremeTech. August 19, 2016.
  12. "Shadow Brokers: Hackers Claim to have Breached NSA's Equation Group". The Daily Dot. August 15, 2016.
  13. "Shadow Brokers: NSA Exploits of the Week". Medium.com. August 15, 2016.
  14. "The Shadow Brokers: Lifting the Shadows of the NSA's Equation Group?". August 15, 2016.
  15. Price, Rob (August 15, 2016). "'Shadow Brokers' claim to have hacked an NSA-linked elite computer security unit". Business Insider. Retrieved April 15, 2017.
  16. "'Shadow Brokers' Reveal List Of Servers Hacked By The NSA; China, Japan, And Korea The Top 3 Targeted Countries; 49 Total Countries, Including: China, Japan, Germany, Korea, India, Italy, Mexico, Spain, Taiwan, & Russia". Fortuna's Corner. November 1, 2016. Retrieved January 14, 2017.
  17. theshadowbrokers (April 8, 2017). "Don't Forget Your Base". Medium. Retrieved April 9, 2017.
  18. Cox, Joseph (April 8, 2017). "They're Back: The Shadow Brokers Release More Alleged Exploits". Motherboard. Vice Motherboard. Retrieved April 8, 2017.
  19. "NSA-leaking Shadow Brokers just dumped its most damaging release yet". Ars Technica. Retrieved April 15, 2017.
  20. "Latest Shadow Brokers dump — owning SWIFT Alliance Access, Cisco and Windows". Medium. April 14, 2017. Retrieved April 15, 2017.
  21. "misterch0c". GitHub. Retrieved April 15, 2017.
  22. Larson, Selena (April 14, 2017). "NSA's powerful Windows hacking tools leaked online". CNNMoney. Retrieved April 15, 2017.
  23. "Microsoft says users are protected from alleged NSA malware". AP News. Retrieved April 15, 2017.
  24. "Protecting customers and evaluating risk". MSRC. Retrieved April 15, 2017.
  25. "Microsoft says it already patched 'Shadow Brokers' NSA leaks". Engadget. April 15, 2017. Retrieved April 15, 2017.
  26. "Leaked NSA tools, now infecting over 200,000 machines, will be weaponized for years". CyberScoop. April 24, 2017. Retrieved April 24, 2017.
  27. "An NSA-derived ransomware worm is shutting down computers worldwide". May 12, 2017.
  28. Perlroth, Nicole; Scott, Mark; Frenkel, Sheera (June 27, 2017). "Cyberattack Hits Ukraine Then Spreads Internationally". The New York Times. p. 1. Retrieved June 27, 2017.
  29. zerosum0x0 (April 21, 2017). "DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis". zerosum0x0. Retrieved November 15, 2017.
  30. "Shining Light on The Shadow Brokers". The State of Security. May 18, 2017. Retrieved November 15, 2017.
  31. "DanderSpritz/PeddleCheap Traffic Analysis" (PDF). Forcepoint. February 6, 2018. Retrieved February 7, 2018.
  32. "Shadow Brokers: The insider theory". August 17, 2016.
  33. "Commentary: Evidence points to another Snowden at the NSA". Reuters. August 23, 2016.
  34. "Hints suggest an insider helped the NSA "Equation Group" hacking tools leak". Ars Technica. August 22, 2016.
  35. Cox, Joseph (January 12, 2017). "NSA Exploit Peddlers The Shadow Brokers Call It Quits". Motherboard.
  36. "Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here's why that is significant". Twitter. August 16, 2016. Retrieved August 22, 2016.
  37. "This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server". Twitter. August 16, 2016. Retrieved August 22, 2016.
  38. "TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast". Twitter. Retrieved August 22, 2016.
  39. Price, Rob (August 16, 2016). "Edward Snowden: Russia might have leaked alleged NSA cyberweapons as a 'warning'". Business Insider. Retrieved August 22, 2016.
  40. Lipton, Eric; Sanger, David E.; Shane, Scott (December 13, 2016). "The Perfect Weapon: How Russian Cyberpower Invaded the U.S." The New York Times. Retrieved April 15, 2017.
  41. Abdollah, Tami; Tucker, Eric (July 6, 2019). "Mystery of NSA leak lingers as stolen document case winds up". Associated Press. Archived from the original on July 6, 2019.