Shadow Brokers

The Shadow Brokers are a mysterious group of hackers that stole sensitive data from the National Security Agency (NSA) in 2013 and dumped these secrets online.

Identity of the Shadow Brokers

The Shadow Brokers appeared in August 2016, when they leaked several hacking tools and computer exploits from the National Security Agency (NSA). The group released documents that were gotten from a server connected to the NSA. The U.S. reportedly owned, leased, and controlled the server. But it had no connection to the agency. 

The group wrote in broken English on their blog posts. That suggested they might have not been from an English-speaking country. But security experts have dismissed that, saying the language hackers use could be an OpSec tactic. 

Based on speculations, this group could be disgruntled NSA insiders. That is because of their strong familiarity with the National Security Agency’s Tailored Access Operation (TAO). That is similar to disgruntled insiders who became whistleblowers in recent years, like Edward Snowden, who worked as a government security contractor.

Another speculation is that the files came from Hal Martin. He’s an NSA contractor arrested in August 2017 for hoarding agency secrets in his house. It is possible that the Shadow Brokers received the records from Martin. However, in the public indictment against Martin, there was nothing that came up regarding selling secrets to a group. 

According to another speculation, a rival country orchestrated the hack against the U.S. But there’s also no proof for any of these claims.

Alleged Activities of the Shadow Brokers

The Shadow Brokers started with dumping bugs in many common firewall products. Then they followed up with releasing the exploits of the Solaris operating system, and more detailed information on Equation Group, a hacking group connected to the US National Security Agency.

Early 2017, after been active for months, the group released exploits for Windows systems. At that time, the materials put lots of computers in danger. Another group of anonymous hackers repurposed some of those materials. That enabled the spread of destructive ransomware known as WannaCry.

Other dumps included code names for cyber-weapons and prospective targets of hacking operations. Parts of the data indicated Equation Group had targeted several mobile service providers around the world.

However, the biggest dump from the Shadow Brokers featured Windows exploits like EternalBlue. It also had tools to access the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system. Added to that, the dumps contained a substantial amount of information about hacking operations. It included PowerPoint presentations, un-redacted metadata, and the names of Equation Group members. 

The group continued to dump more information in what most people saw as an attempt to gain attention. Some experts believe the Shadow Brokers became frustrated because the level of attention given did not meet the group’s expectations. Instead, they started monetizing their materials.

Financing & Funding

The Shadow Brokers introduced a monthly subscription service to sell the stolen information and cyber-weapons. They initially asked for one million bitcoin (around $600 million at the time). However, no one paid that amount. According to Wh1sks, they netted around $88,000 in Monero and a little over 10 BTC (worth around $35,000 at the time.)

It is impossible to know exactly what the Shadow Brokers have been sending around but most speculate it is hacking tools and ransomware for evil hackers. These could include highly valuable exploits for Windows systems and other systems hacking tools.

What we know is that some of those materials the Shadow Brokers dumped had been used by other black hat hackers.

The WannaCry ransomware, for example, spread rapidly across a number of computer networks in May of 2017. It hit a number of high-profile systems, including many in Britain’s National Health Service.