Their statements are issued in laughably broken English, their name likely ripped from a video game. But as they proved last Friday, the hacker or group of hackers known as “The Shadow Brokers” are deadly serious.
Though not as well known as Edward Snowden, cybersecurity experts say The Shadow Brokers are in the midst of perpetrating the most disastrous national security leak since the rogue contractor walked away with reams of National Security Agency files in 2013. Since first appearing in August 2016, the group has regularly released weaponized computer files stolen from the Equation Group—believed to be an elite subset of the NSA—and designed to exploit previously unknown vulnerabilities in consumer software.
“Last week theshadowbrokers be trying to help peoples. This week theshadowbrokers be thinking f*** peoples,” the group wrote in its trademark Russian-style English on Friday before posting its most alarming leak yet—the release of several dangerous Windows-targeted hacking exploits developed by the NSA. While Microsoft quickly announced that the vulnerabilities had already been patched, experts told National Journal that the millions of consumers, businesses, and institutions using older Windows operating systems remain very vulnerable.
The Shadow Brokers also released step-by-step evidence outlining the NSA’s penetration of secure financial transactions between Middle Eastern banks. Matt Suiche, the founder of cybersecurity firm Comae Technologies, said it’s one of the clearest pictures ever of both the United States’s cyber-capabilities and the global financial system’s vulnerabilities.
“What has been released—not only last week, but over the past eight months—is the whole tool kit and offensive division of the most powerful country in the world,” Suiche told National Journal on Monday. “Now that those tools are out, obviously people are going to try to understand how they work.
“Very soon and very shortly, those tools are going to be in the hands of random people,” Suiche added. “So realistically speaking, we will see a lot of infection going on. All the enterprises and legacy systems will be prime targets for that.”
The release will likely prove just as damaging to national security. Several experts said the NSA appears to have just lost a significant portion of its digital arsenal. “It hurts—at least, certainly temporarily it hurts [the NSA] because they have to devise another tool,” said Claude Barfield, a cybersecurity scholar at the American Enterprise Institute. “This is now out in the open, so they have to move on.”
“It’s clear that multiple exploits were still usable by the NSA up until January, when Shadow Brokers revealed they had a copy and the NSA thus had to notify Microsoft, closing these holes,” Nicholas Weaver, a senior researcher at UC Berkeley’s International Computer Science Institute, told National Journal via email.
The identity of The Shadow Brokers, and how they obtained the details of NSA bank penetrations and other classified data, remains a mystery. Though the group loudly laments a lack of financial backers, the continual leaks seem to indicate a motivation beyond money. Several experts suspect Russian involvement, but say it’s impossible to be sure.
Regardless of the group’s intent, there’s no denying the damage that it’s wreaking on private industry and national security. And as the leaks continue, experts believe the rift will widen between the government and Silicon Valley over the NSA’s development of powerful programs to exploit consumer software.
“The NSA has been operating under this assumption that other actors wouldn’t find these vulnerabilities, or that they can protect the vulnerabilities,” said Adam Segal, the director of the Council on Foreign Relations’ Digital and Cyberspace Policy Program. “Clearly, The Shadow Brokers’ release suggests that’s not true. The NSA and the CIA can’t defend their own exploits, either from outside or insider threats.”
The Shadow Brokers first announced its theft of NSA exploits in August 2016 (the theft likely occurred much earlier), when it released several of the files for free and convened a “Cyber Weapon Auction” for the best ones. Over several additional releases, the group became testy as bidders and buyers failed to materialize. They appeared to throw in the towel on Jan. 12, just days before President Trump’s inauguration. “TheShadowBrokers is going dark, making exit,” the group said in a post. “Continuing is being much risk and bullshit, not many bitcoins.”
But the group reemerged earlier this month, in an apparent response to Trump’s decision to bomb a Syrian government airfield. In a rambling rant accompanying the April 8 release of a new file of auctionable NSA exploits, The Shadow Brokers excoriated Trump for abandoning “the peoples who getting you elected.”
They were back six days later with an April 14 release, this time dumping a massive trove of NSA exploits designed to target Windows operating systems. Microsoft said it had patched the most damaging vulnerabilities back in March, but in an official statement would not say whether the NSA gave them the heads-up. The NSA did not respond to a request for comment.
Even with the patches, experts say the exploits still constitute a grave risk to infrastructure and private industry. “Enterprises, critical infrastructure—airports, hospitals—don’t really update their systems much,” said Suiche. “They are afraid to do any change.”
“We know that the rates of patching are very, very low even when people have learned about vulnerabilities,” said Segal.
While there’s still no clear indication of who’s behind the leaks, the expert consensus appears to be shifting toward Russian involvement with a probable assist from an NSA insider. Though The Shadow Brokers expressly deny any ties to Russia, several observers said the timing and nature of the dumps are probably too convenient to be a coincidence.
“It smacks of a pretty strategic, orchestrated effort to just continually undermine the perceived legitimacy of these organizations and the U.S.,” said Steve Weber, a professor at UC Berkeley’s School of Information. “It’s part and parcel of the whole Russian disinformation campaign.”
It also appears unlikely to stop anytime soon. “Maybe if all surviving WWIII theshadowbrokers be seeing you next week,” the group wrote at the conclusion of last Friday’s exploits dump. “Who knows what we having next time?”
Segal is taking the group at its word. “I definitely think there’s more dumping coming,” he said.