Popcorn in hand, the ShadowBrokers say they’re taking in the WannaCry outbreak from the sidelines before starting in June a subscription service for new exploits and stolen data akin to a wine of the month club.
In what’s become a signature periodic rant from the unknowns behind the leak of offensive NSA hacking tools, the ShadowBrokers today expressed their dismay that neither the U.S. government nor technology companies bit at their August 2016 auction of Equation Group hacking tools. The consequences, they said, were April’s massive leak of Windows attack tools, some of which have been co-opted by those behind the WannaCry attacks.
The WannaCry story, meanwhile, took an unexpected turn in the past 24 hours when Google researcher Neel Mehta found shared code between WannaCry and an older sample used by the Lazarus Group, a North Korea APT thought to be behind the SWIFT banking attacks in Bangladesh and also the Sony hack of 2014.
9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598
ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4#WannaCryptAttribution
— Neel Mehta (@neelmehta) May 15, 2017
The ShadowBrokers had their theories on that as well.
“In May, No dumps, theshadowbrokers is eating popcorn and watching ‘Your Fired’ and WannaCry,” the ShadowBrokers wrote. “Is being very strange behavior for crimeware? Killswitch? Crimeware is caring about target country? The oracle is telling theshadowbrokers North Korea is being responsible for the global cyber attack Wanna Cry. Nukes and cyber attacks, America has to go to war, no other choices! (Sarcasm) No new ZeroDays.”
The ShadowBrokers took particular aim at Microsoft, alleging the Equation Group/NSA has spies inside the company and other U.S. tech companies. They also alleged that Google could be harboring NSA spies and that U.S. adversaries are doing the same, offering up as evidence the recent Tavis Ormandy discovery of a zero day in the Microsoft Malware Protection Engine, and Microsoft’s quick response in patching that bug and patching the ShadowBrokers’ SMB tools one month before the leak.
“If theshadowbrokers is telling thepeoples theequationgroup is paying U.S technology companies NOT TO PATCH vulnerabilities until public discovery, is this being Fake News or Conspiracy Theory?” the ShadowBrokers continued. “Why Microsoft patching SMB vulnerabilities in secret? Microsoft is being embarrassed because theequationgroup is lying to Microsoft. TheEquationGroup is not telling Microsoft about SMB vulnerabilities, so Microsoft not preparing with quick fix patch. More important theequationgroup not paying Microsoft for holding vulnerability. Microsoft is thinking it knowing all the vulnerabilities TtheEquationGroup is using and paying for holding patch.”
As for its upcoming monthly dumps, the ShadowBrokers said they could include anything from browser, router and mobile exploits, to newer exploits for Windows 10 systems. They also claim to have compromised network data from SWIFT providers and central banks available, as well as compromised network data from Russian, Chinese, Iranian and North Korean nuclear and missile programs.
“TheShadowBrokers is not being interested in bug bounties, selling to cyber thugs, or giving to greedy corporate empires. TheShadowBrokers is taking pride in picking adversary equal to or better than selves, a worthy opponent,” the ShadowBrokers wrote. “Is always being about theshadowbrokers vs theequationgroup.”