The data started trickling out onto the internet in the summer of 2016 and, at first, no one knew quite what to make of it. A Twitter account, which largely went unnoticed, tweeted out links to anonymous public repositories that contained references and instructions for obtaining access to an encrypted file purportedly containing information about and tools belonging to a shadowy NSA-linked organization dubbed The Equation Group.
Most cybersecurity professionals were already aware at that point that The Equation Group, so named by Russian information security firm Kaspersky, was actually a group of state-sponsored hackers run by the NSA. The more-or-less official name for the group was already known by then as well: Tailored Access Organization, or TAO. Data leaked in 2013 by Edward Snowden, a one-time NSA contractor, had confirmed the existence of the group and described some of its targets and techniques.
But what Snowden had exposed was scrubbed to avoid disclosing specific technical vulnerabilities that the agency had discovered, in order not to inadvertently provide tools to criminal groups or other APTs (Advanced Persistent Threats)…. but The Shadow Brokers, the group claiming to have compromised TAO, were willing to auction off the NSA file to the highest bidder.
But most observers were skeptical. Claims of having hacked the NSA were common, and commonly just hot air. The group found no takers; two more messages tried different sales tactics, including a crowdfunding effort that claimed the files would be widely released if 10,000 BTC (Bitcoin) were donated. At the deadline, all of 2 BTC were actually contributed. It was starting to look like just another prank with nothing behind it.
But by spring 2017, the claims gained more heft. Shadow Brokers dumped another set of files. This time, they included actual tools and exploits. A number of these, including one called EternalBlue, were quickly put into action by black hat hackers and infected over 200,000 Windows machines.
The threat turned real, and questions began swirling about the extent of the penetration of the NSA, America’s most secretive cyber intelligence agency.
NSA Origins Quickly Confirmed And Enormously Inconvenient For American Cybersecurity
In addition to being effective and consistent with Equation Group coding patterns, the tools were named along lines that conformed with nomenclature previously exposed by the Snowden documents. A number of the exploits were identified as having been used against targets in China, Russia, and the Middle East that would align with expected areas of interest for TAO. Even more embarrassing, the dump included alleged target lists that also contained networks of supposed American allies, including Germany, Spain, and Japan. These clues provided a strong indication to outsiders that Shadow Brokers had more than just bluster in their back pockets.
Although the NSA is required by law to pursue only overseas targets, in today’s world a router in China is as likely to be manufactured by Cisco as one in the United States. It’s long been speculated that American technology manufacturers (though they have vociferously denied it) have assisted the NSA at times in developing compromises for use against foreign targets. In exchange for revealing vulnerabilities in their products uncovered by NSA experts, it’s thought that companies sometimes delay patching those vulnerabilities to allow TAO to use the zero-day exploits against foreign targets.
This allegation was lent some support during the Shadow Brokers releases, when a set of claimed zero-day Windows exploits released by the crew turned out to have been secretly patched by Microsoft only a month earlier. It appeared very much as though someone at NSA had informed the company that the exploits were likely compromised and about to be widely released.
This alleged collusion has already cost U.S. technology companies an estimated $35 million in foreign sales, but now it may also be hitting other corporations relying on that technology as exploits and hacking tools developed by the NSA fall into the hands of hackers around the world.
These compromises have placed American cybersecurity professionals in an awkward position. Ostensibly working with and being defended by the NSA, the agency has actually exposed American consumers and corporations to considerable danger.
Uncertain Origins Make Defense Difficult Against Shadow Brokers
Although the NSA is notoriously tight-lipped about internal operations and doubly so regarding internal counterintelligence matters, a November 12, 2017 article published in the New York Times suggests a considerable amount of alarm inside the agency. While the initial Shadow Brokers leaks could be passed off as bluster or the results of a minor leak, insiders say the more recent exposures indicate significant and deep compromises within the agency.
Whether these are the result, as Shadow Brokers claim, of electronic penetration or from a double agent inside the organization, former NSA staff believe that the implication is that Shadow Brokers have a far larger cache of tools and information that they are still sitting on.
This is particularly troubling since the group has largely been quiet since early 2017. Although it offers what it calls a Monthly Dump Service to anyone interested in paying, no further large-scale public disclosures have been made. Insiders, and the American cybersecurity community, are left waiting for the other shoe to drop… or worry that it is already happening, behind the scenes and in their production systems that may be completely exposed to still-unrevealed stolen exploits.
A number of knowledgeable sources, including Edward Snowden, believe that the Shadow Brokers are likely connected with Russian intelligence, noting that the timing and the capabilities indicated by the leak can be seen as an implicit threat against further U.S. cyberespionage activities. In this scenario, the welfare of civilian U.S. networks is seen as being threatened by the possibility of additional leaks if the Equation Group continues to pursue or expose foreign adversaries.
The 2016 hacks of the Democratic National Committee associated with the Russian-aligned APT 28 (Fancy Bear) were accomplished, in part, using EternalBlue. Although the Russian hackers could have purchased it separately from Shadow Brokers, the fact that they used it almost a year before it was publicly disclosed suggests an association between the groups.
On the other hand, linguistic analysis of messages posted by the group have suggested native English speakers attempting to disguise their messages as those of non-native speakers. This does not rule out foreign involvement, but also opens up the possibility that the group is more Snowden-like… insiders at odds with NSA leadership and goals, striking out with their own agenda.
In either case, the implications for other American information security professionals are disturbing. The uncertainty will continue to hover over the industry and the seeds of distrust in government agencies will continue to grow.