The ShadowBrokers are no more.
The group or individual responsible for multiple leaks of exploits and attack tools believed to belong to the NSA said today they have closed up shop and deleted all of their online accounts.
“Despite theories, it always being about bitcoins for TheShadowBrokers. Free dumps and [BS] political talk was being for marketing attention,” the ShadowBrokers’ message reads. “There being no bitcoins in free dumps and giveaways. You are being disappointed? Nobody is being more disappointed than TheShadowBrokers.”
The note brings at least a temporary end to the group’s activities without any closure as to their identities. What began in August with a cryptic auction seeking millions of dollars in Bitcoin for a cache of exploits in high-end enterprise and telco networking gear, ended with dumps on back-to-back days of Windows exploits and the group collecting less than $10,000 USD as a final tally.
That, however, didn’t stop the group from making one last plea for 10,000 BTC ($8.1 million) for more Linux and Windows hacking tools.
“TheShadowBrokers offer is still being good, no expiration,” the message reads.
In the meantime, the final dump of Windows attacks includes 58 files corresponding to the Equation Drug attack platform discovered by researchers at Kaspersky Lab and disclosed in February 2015 at the Security Analyst Summit. The ShadowBrokers said they dropped the files onto a system running Kaspersky security software that triggered alerts from equationdrug.generic and equationdrug.k.
Researchers at Kaspersky today confirmed the files as those belonging to the Equation Group.
“We have received a copy of the archive from the latest ShadowBrokers post and performed a quick analysis. Most of the samples in the archive are EquationDrug plugins, GrayFish modules and EquationVector modules,” Kaspersky Lab said in a statement provided to Threatpost. “These three are known malware platforms used by the Equation group, which we have described in Feb 2015. From the list provided of 61 files, our products already detect 44 of them. We are updating our products to detect the missed samples.”
On Wednesday, the ShadowBrokers surfaced after a period of silence with a leak of the first set of Windows attacks, which they said could be had for 750 BTC. The group did not provide any free files for analysis as it had done in the past, but from screenshots posted to the group’s Twitter feed, it would appear they had access to remote administration tools, remote code execution exploits and tools for fuzzing Windows machines.
One researcher, Jacob Williams, also said the cache could contain a Windows Server Message Block zero-day exploit and a tool called EventLogEdit, which would be an advanced capability giving attackers the means by which to clear or edit event logs.
As for the ShadowBrokers’ identity, it’s never been confirmed whether the attackers were able to penetrate NSA infrastructure to steal these tools, whether an NSA admin mistakenly left them on a staging server as has been suggested, or whether a rogue insider(s) is the ShadowBrokers. Researcher Matt Suiche has stood firm that this the work of an insider, writing immediately after the first leaks in August, debunking a number of other claims.
This would mean #ShadowBrokers may be a third insider. The files in the new dump are old, nothing very exciting.
— Matt Suiche (@msuiche) January 12, 2017
It sounds like #ShadowBroker was indeed an insider like I said last summer https://t.co/p7ylZBSVuv, and that he left several years ago
— Matt Suiche (@msuiche) January 12, 2017
In December, researchers at Flashpoint said an insider with access to an intelligence agency code repository was the likely source of the leak. Their research pointed away from an attack against NSA infrastructure and toward an insider or two.
In October, the group posted links to downloads of lists of hacked Sun Solaris and Linux servers allegedly compromised by the Equation Group. The servers listed were old, some compromised 15 years ago, and mostly in Iran, Russia, China and Pakistan.
