Snowden 2.0: “The Shadow Brokers” Stalk the NSA

The latest leak is a blow to national security—and shows that consumers, businesses, and critical infrastructure are all at risk.

April 18, 2017, 8:01 p.m.

Their statements are issued in laughably broken English, their name likely ripped from a video game. But as they proved last Friday, the hacker or group of hackers known as “The Shadow Brokers” are deadly serious.

Though not as well known as Edward Snowden, cybersecurity experts say The Shadow Brokers are in the midst of perpetrating the most disastrous national security leak since the rogue contractor walked away with reams of National Security Agency files in 2013. Since first appearing in August 2016, the group has regularly released weaponized computer files stolen from the Equation Group—believed to be an elite subset of the NSA—and designed to exploit previously unknown vulnerabilities in consumer software.

“Last week theshadowbrokers be trying to help peoples. This week theshadowbrokers be thinking f*** peoples,” the group wrote in its trademark Russian-style English on Friday before posting its most alarming leak yet—the release of several dangerous Windows-targeted hacking exploits developed by the NSA. While Microsoft quickly announced that the vulnerabilities had already been patched, experts told National Journal that the millions of consumers, businesses, and institutions using older Windows operating systems remain very vulnerable.

The Shadow Brokers also released step-by-step evidence outlining the NSA’s penetration of secure financial transactions between Middle Eastern banks. Matt Suiche, the founder of cybersecurity firm Comae Technologies, said it’s one of the clearest pictures ever of both the United States’s cyber-capabilities and the global financial system’s vulnerabilities.

“What has been released—not only last week, but over the past eight months—is the whole tool kit and offensive division of the most powerful country in the world,” Suiche told National Journal on Monday. “Now that those tools are out, obviously people are going to try to understand how they work.

“Very soon and very shortly, those tools are going to be in the hands of random people,” Suiche added. “So realistically speaking, we will see a lot of infection going on. All the enterprises and legacy systems will be prime targets for that.”

The release will likely prove just as damaging to national security. Several experts said the NSA appears to have just lost a significant portion of its digital arsenal. “It hurts—at least, certainly temporarily it hurts [the NSA] because they have to devise another tool,” said Claude Barfield, a cybersecurity scholar at the American Enterprise Institute. “This is now out in the open, so they have to move on.”

“It’s clear that multiple exploits were still usable by the NSA up until January, when Shadow Brokers revealed they had a copy and the NSA thus had to notify Microsoft, closing these holes,” Nicholas Weaver, a senior researcher at UC Berkeley’s International Computer Science Institute, told National Journal via email.

The identity of The Shadow Brokers, and how they obtained the details of NSA bank penetrations and other classified data, remains a mystery. Though the group loudly laments a lack of financial backers, the continual leaks seem to indicate a motivation beyond money. Several experts suspect Russian involvement, but say it’s impossible to be sure.

Regardless of the group’s intent, there’s no denying the damage that it’s wreaking on private industry and national security. And as the leaks continue, experts believe the rift will widen between the government and Silicon Valley over the NSA’s development of powerful programs to exploit consumer software.

“The NSA has been operating under this assumption that other actors wouldn’t find these vulnerabilities, or that they can protect the vulnerabilities,” said Adam Segal, the director of the Council on Foreign Relations’ Digital and Cyberspace Policy Program. “Clearly, The Shadow Brokers release suggests that’s not true. The NSA and the CIA can’t defend their own exploits, either from outside or insider threats.”

The Shadow Brokers first announced its theft of NSA exploits in August 2016 (the theft likely occurred much earlier), when it released several of the files for free and convened a “Cyber Weapon Auction” for the best ones. Over several additional releases, the group became testy as bidders and buyers failed to materialize. They appeared to throw in the towel on Jan. 12, just days before President Trump’s inauguration. “TheShadowBrokers is going dark, making exit,” the group said in a post. “Continuing is being much risk and bullshit, not many bitcoins.”

But the group reemerged earlier this month, in an apparent response to Trump’s decision to bomb a Syrian government airfield. In a rambling rant accompanying the April 8 release of a new file of auctionable NSA exploits, The Shadow Brokers excoriated Trump for abandoning “the peoples who getting you elected.”

They were back six days later with an April 14 release, this time dumping a massive trove of NSA exploits designed to target Windows operating systems. Microsoft said it had patched the most damaging vulnerabilities back in March, but in an official statement would not say whether the NSA gave them the heads-up. The NSA did not respond to a request for comment.

Even with the patches, experts say the exploits still constitute a grave risk to infrastructure and private industry. “Enterprises, critical infrastructure—airports, hospitals—don’t really update their systems much,” said Suiche. “They are afraid to do any change.”

“We know that the rates of patching are very, very low even when people have learned about vulnerabilities,” said Segal.

While there’s still no clear indication of who’s behind the leaks, the expert consensus appears to be shifting toward Russian involvement with a probable assist from an NSA insider. Though The Shadow Brokers expressly deny any ties to Russia, several observers said the timing and nature of the dumps are probably too convenient to be a coincidence.

“It smacks of a pretty strategic, orchestrated effort to just continually undermine the perceived legitimacy of these organizations and the U.S.,” said Steve Weber, a professor at UC Berkeley’s School of Information. “It’s part and parcel of the whole Russian disinformation campaign.”

It also appears unlikely to stop anytime soon. “Maybe if all surviving WWIII theshadowbrokers be seeing you next week,” the group wrote at the conclusion of last Friday’s exploits dump. “Who knows what we having next time?”

Segal is taking the group at its word. “I definitely think there’s more dumping coming,” he said.
