Snowden 2.0: “The Shadow Brokers” Stalk the NSA

The latest leak is a blow to national security—and shows that consumers, businesses, and critical infrastructure are all at risk.

April 18, 2017, 8:01 p.m.

Their statements are issued in laughably broken English, their name likely ripped from a video game. But as they proved last Friday, the hacker or group of hackers known as “The Shadow Brokers” are deadly serious.

Though not as well known as Edward Snowden, cybersecurity experts say The Shadow Brokers are in the midst of perpetrating the most disastrous national security leak since the rogue contractor walked away with reams of National Security Agency files in 2013. Since first appearing in August 2016, the group has regularly released weaponized computer files stolen from the Equation Group—believed to be an elite subset of the NSA—and designed to exploit previously unknown vulnerabilities in consumer software.

“Last week theshadowbrokers be trying to help peoples. This week theshadowbrokers be thinking f*** peoples,” the group wrote in its trademark Russian-style English on Friday before posting its most alarming leak yet—the release of several dangerous Windows-targeted hacking exploits developed by the NSA. While Microsoft quickly announced that the vulnerabilities had already been patched, experts told National Journal that the millions of consumers, businesses, and institutions using older Windows operating systems remain very vulnerable.

The Shadow Brokers also released step-by-step evidence outlining the NSA’s penetration of secure financial transactions between Middle Eastern banks. Matt Suiche, the founder of cybersecurity firm Comae Technologies, said it’s one of the clearest pictures ever of both the United States’ cyber-capabilities and the global financial system’s vulnerabilities.

“What has been released—not only last week, but over the past eight months—is the whole tool kit and offensive division of the most powerful country in the world,” Suiche told National Journal on Monday. “Now that those tools are out, obviously people are going to try to understand how they work.

“Very soon and very shortly, those tools are going to be in the hands of random people,” Suiche added. “So realistically speaking, we will see a lot of infection going on. All the enterprises and legacy systems will be prime targets for that.”

The release will likely prove just as damaging to national security. Several experts said the NSA appears to have just lost a significant portion of its digital arsenal. “It hurts—at least, certainly temporarily it hurts [the NSA] because they have to devise another tool,” said Claude Barfield, a cybersecurity scholar at the American Enterprise Institute. “This is now out in the open, so they have to move on.”

“It’s clear that multiple exploits were still usable by the NSA up until January, when Shadow Brokers revealed they had a copy and the NSA thus had to notify Microsoft, closing these holes,” Nicholas Weaver, a senior researcher at UC Berkeley’s International Computer Science Institute, told National Journal via email.

The identity of The Shadow Brokers, and how they obtained the details of NSA bank penetrations and other classified data, remains a mystery. Though the group loudly laments a lack of financial backers, the continual leaks seem to indicate a motivation beyond money. Several experts suspect Russian involvement, but say it’s impossible to be sure.

Regardless of the group’s intent, there’s no denying the damage that it’s wreaking on private industry and national security. And as the leaks continue, experts believe the rift will widen between the government and Silicon Valley over the NSA’s development of powerful programs to exploit consumer software.

“The NSA has been operating under this assumption that other actors wouldn’t find these vulnerabilities, or that they can protect the vulnerabilities,” said Adam Segal, the director of the Council on Foreign Relations’ Digital and Cyberspace Policy Program. “Clearly, The Shadow Brokers release suggests that’s not true. The NSA and the CIA can’t defend their own exploits, either from outside or insider threats.”

The Shadow Brokers first announced the theft of NSA exploits in August 2016 (the theft itself likely occurred much earlier), when they released several of the files for free and convened a “Cyber Weapon Auction” for the best ones. Over several additional releases, the group became testy as bidders and buyers failed to materialize. They appeared to throw in the towel on Jan. 12, just days before President Trump’s inauguration. “TheShadowBrokers is going dark, making exit,” the group said in a post. “Continuing is being much risk and bullshit, not many bitcoins.”

But the group reemerged earlier this month, in an apparent response to Trump’s decision to bomb a Syrian government airfield. In a rambling rant accompanying the April 8 release of a new file of auctionable NSA exploits, The Shadow Brokers excoriated Trump for abandoning “the peoples who getting you elected.”

They were back six days later with an April 14 release, this time dumping a massive trove of NSA exploits designed to target Windows operating systems. Microsoft said it had patched the most damaging vulnerabilities back in March, but in an official statement would not say whether the NSA had given it the heads-up. The NSA did not respond to a request for comment.

Even with the patches, experts say the exploits still constitute a grave risk to infrastructure and private industry. “Enterprises, critical infrastructure—airports, hospitals—don’t really update their systems much,” said Suiche. “They are afraid to do any change.”

“We know that the rates of patching are very, very low even when people have learned about vulnerabilities,” said Segal.

While there’s still no clear indication of who is behind the leaks, the expert consensus appears to be shifting toward Russian involvement with a probable assist from an NSA insider. Though The Shadow Brokers expressly deny any ties to Russia, several observers said the timing and nature of the dumps are probably too convenient to be a coincidence.

“It smacks of a pretty strategic, orchestrated effort to just continually undermine the perceived legitimacy of these organizations and the U.S.,” said Steve Weber, a professor at UC Berkeley’s School of Information. “It’s part and parcel of the whole Russian disinformation campaign.”

It also appears unlikely to stop anytime soon. “Maybe if all surviving WWIII theshadowbrokers be seeing you next week,” the group wrote at the conclusion of last Friday’s exploits dump. “Who knows what we having next time?”

Segal is taking the group at its word. “I definitely think there’s more dumping coming,” he said.
