ShadowBrokers Remain an Enigma

As we approach the first anniversary of the ShadowBrokers, their true identity and source of their stolen NSA exploits remains a mystery.

LAS VEGAS—Clarity and the ShadowBrokers are strange bedfellows.

We’re closing in on the first anniversary of the mysterious group’s initial dump of NSA hacking tools and we’re still no closer to understanding who they are, where they got their stuff, and what their true motivations are.

Instead, as the dumps have grown progressively worse since their debut last Aug. 16, and their consequences (WannaCry, NotPetya) have hit companies globally, we’re still left to speculate whether the ShadowBrokers are Russian intelligence, a disgruntled insider, or whether someone such as former Booz Allen and NSA contractor Hal Martin is the source of their dumps; Martin was arrested in February after it was alleged he stole data from the agency for 20 years.

Today at Black Hat, Matt Suiche of Comae Technologies, who has done extensive work analyzing the ShadowBrokers, recapped the last year of activity around the group. Serendipitously, his talk paralleled the ShadowBrokers’ latest announcement regarding their dump-of-the-month service for August. The takeaway is twofold: the price has doubled for August subscriptions, and the group provided two new email addresses for payment address requests.

Suiche had no concrete answers to the outstanding questions, but instead provided a comprehensive timeline of events around the group’s activities and a hint at their motivation.

“What we’ve seen in the last year is them publishing tools and documents that undermine the U.S. government and how legitimate they are in the intelligence community,” Suiche said, pointing to the group’s tendency to jab at the NSA’s operational security, its failure to protect its exploits, and its overall insider problem.

“The ShadowBrokers’ leaks were way more significant than the Snowden releases,” Suiche said. “But there was more of a story with Snowden.”

The ShadowBrokers’ first impression was an odd one given that the group’s dump of firewall attacks against older versions of Cisco, Juniper and other vendors’ gear could be had for 1 million Bitcoin or by winning an auction.

“I don’t think money is their motive,” Suiche said. “Asking for 1 million Bitcoin is not reasonable.”

The pace picked up as the ShadowBrokers began releasing more frequent blog posts, ranting against the U.S. government, the intelligence community and anyone else on Twitter who challenged them. The posts were written in admittedly broken English, and while this was eventually understood to be an intentional opsec strategy, it gave some a false sense of security that the ShadowBrokers needn’t be taken seriously. That, however, changed in April with the release of ETERNALBLUE and other Windows attacks that were eventually used to spread WannaCry and NotPetya.

Suiche said today that one of the WannaCry killswitches he registered still gets pinged on a regular basis with more than one million hits between May and July.

It became apparent too that part of the ShadowBrokers strategy was ambiguity about when and what they would release, Suiche said. That was certainly exacerbated by the plans for monthly bug leaks to paid subscribers, indicating that perhaps there isn’t a finite number of bugs at their disposal.

“People kept wondering how many files do they have,” Suiche said as to the ambiguity. “We can scare them if they think we have more and more files to release. Otherwise, there is a finite capacity to scare people. Creating that fear, uncertainty and doubt is definitely part of their strategy.”

Another lingering question is whether anyone will actually subscribe to the ShadowBrokers’ monthly service. The group has at times challenged governments, intelligence agencies or even large vendors to subscribe. One individual surfaced on Twitter in June saying they had subscribed, but alleged they received only one file.

“They are following a pattern where the price keeps doubling and they keep emphasizing more files,” Suiche said, adding that it’s likely that any buyers would keep quiet. “If you do that, it could be considered that you are funding terrorism because some have compared them to a terrorist group. If people are buying bugs, they’re not mentioning it.”