Who Are the Shadow Brokers?

In 2013, a mysterious group of hackers that calls itself the Shadow Brokers stole a few disks full of NSA secrets. Since last summer, they've been dumping these secrets on the Internet. They have publicly embarrassed the NSA and damaged its intelligence-gathering capabilities, while at the same time have put sophisticated cyberweapons in the hands of anyone who wants them. They have exposed major vulnerabilities in Cisco routers, Microsoft Windows, and Linux mail servers, forcing those companies and their customers to scramble. And they gave the authors of the WannaCry ransomware the exploit they needed to infect hundreds of thousands of computer worldwide this month.

After the WannaCry outbreak, the Shadow Brokers threatened to release more NSA secrets every month, giving cybercriminals and other governments worldwide even more exploits and hacking tools.

Who are these guys? And how did they steal this information? The short answer is: we don't know. But we can make some educated guesses based on the material they've published.

The Shadow Brokers suddenly appeared last August, when they published a series of hacking tools and computer exploits­ -- vulnerabilities in common software -- ­from the NSA. The material was from autumn 2013, and seems to have been collected from an external NSA staging server, a machine that is owned, leased, or otherwise controlled by the US, but with no connection to the agency. NSA hackers find obscure corners of the Internet to hide the tools they need as they go about their work, and it seems the Shadow Brokers successfully hacked one of those caches.

In total, the group has published four sets of NSA material: a set of exploits and hacking tools against routers, the devices that direct data throughout computer networks; a similar collection against mail servers; another collection against Microsoft Windows; and a working directory of an NSA analyst breaking into the SWIFT banking network. Looking at the time stamps on the files and other material, they all come from around 2013. The Windows attack tools, published last month, might be a year or so older, based on which versions of Windows the tools support.

The releases are so different that they're almost certainly from multiple sources at the NSA. The SWIFT files seem to come from an internal NSA computer, albeit one connected to the Internet. The Microsoft files seem different, too; they don't have the same identifying information that the router and mail server files do. The Shadow Brokers have released all the material unredacted, without the care journalists took with the Snowden documents or even the care WikiLeaks has taken with the CIA secrets it's publishing. They also posted anonymous messages in bad English but with American cultural references.

Given all of this, I don't think the agent responsible is a whistleblower. While possible, it seems like a whistleblower wouldn't sit on attack tools for three years before publishing. They would act more like Edward Snowden or Chelsea Manning, collecting for a time and then publishing immediately­ -- and publishing documents that discuss what the US is doing to whom. That's not what we're seeing here; it's simply a bunch of exploit code, which doesn't have the political or ethical implications that a whistleblower would want to highlight. The SWIFT documents are records of an NSA operation, and the other posted files demonstrate that the NSA is hoarding vulnerabilities for attack rather than helping fix them and improve all of our security.

I also don't think that it's random hackers who stumbled on these tools and are just trying to harm the NSA or the US. Again, the three-year wait makes no sense. These documents and tools are cyber-Kryptonite; anyone who is secretly hoarding them is in danger from half the intelligence agencies in the world. Additionally, the publication schedule doesn't make sense for the leakers to be cybercriminals. Criminals would use the hacking tools for themselves, incorporating the exploits into worms and viruses, and generally profiting from the theft.

That leaves a nation state. Whoever got this information years before and is leaking it now has to be both capable of hacking the NSA and willing to publish it all. Countries like Israel and France are capable, but would never publish, because they wouldn't want to incur the wrath of the US. Countries like North Korea or Iran probably aren't capable. (Additionally, North Korea is suspected of being behind WannaCry, which was written after the Shadow Brokers released that vulnerability to the public.) As I've written previously, the obvious list of countries who fit my two criteria is small: Russia, China, and­ -- I'm out of ideas. And China is currently trying to make nice with the US.

It was generally believed last August, when the first documents were released and before it became politically controversial to say so, that the Russians were behind the leak, and that it was a warning message to President Barack Obama not to retaliate for the Democratic National Committee hacks. Edward Snowden guessed Russia, too. But the problem with the Russia theory is, why? These leaked tools are much more valuable if kept secret. Russia could use the knowledge to detect NSA hacking in its own country and to attack other countries. By publishing the tools, the Shadow Brokers are signaling that they don't care if the US knows the tools were stolen.

Sure, there's a chance the attackers knew that the US knew that the attackers knew -- ­and round and round we go. But the "we don't give a damn" nature of the releases points to an attacker who isn't thinking strategically: a lone hacker or hacking group, which clashes with the nation-state theory.

This is all speculation on my part, based on discussion with others who don't have access to the classified forensic and intelligence analysis. Inside the NSA, they have a lot more information. Many of the files published include operational notes and identifying information. NSA researchers know exactly which servers were compromised, and through that know what other information the attackers would have access to. As with the Snowden documents, though, they only know what the attackers could have taken and not what they did take. But they did alert Microsoft about the Windows vulnerability the Shadow Brokers released months in advance. Did they have eavesdropping capability inside whoever stole the files, as they claimed to when the Russians attacked the State Department? We have no idea.

So, how did the Shadow Brokers do it? Did someone inside the NSA accidentally mount the wrong server on some external network? That's possible, but seems very unlikely for the organization to make that kind of rookie mistake. Did someone hack the NSA itself? Could there be a mole inside the NSA?

If it is a mole, my guess is that the person was arrested before the Shadow Brokers released anything. No country would burn a mole working for it by publishing what that person delivered while he or she was still in danger. Intelligence agencies know that if they betray a source this severely, they'll never get another one.

That points to two possibilities. The first is that the files came from Hal Martin. He's the NSA contractor who was arrested in August for hoarding agency secrets in his house for two years. He can't be the publisher, because the Shadow Brokers are in business even though he is in prison. But maybe the leaker got the documents from his stash, either because Martin gave the documents to them or because he himself was hacked. The dates line up, so it's theoretically possible. There's nothing in the public indictment against Martin that speaks to his selling secrets to a foreign power, but that's just the sort of thing that would be left out. It's not needed for a conviction.

If the source of the documents is Hal Martin, then we can speculate that a random hacker did in fact stumble on it -- ­no need for nation-state cyberattack skills.

The other option is a mysterious second NSA leaker of cyberattack tools. Could this be the person who stole the NSA documents and passed them on to someone else? The only time I have ever heard about this was from a Washington Post story about Martin:

There was a second, previously undisclosed breach of cybertools, discovered in the summer of 2015, which was also carried out by a TAO employee [a worker in the Office of Tailored Access Operations], one official said. That individual also has been arrested, but his case has not been made public. The individual is not thought to have shared the material with another country, the official said.

Of course, "not thought to have" is not the same as not having done so.

It is interesting that there have been no public arrests of anyone in connection with these hacks. If the NSA knows where the files came from, it knows who had access to them -- ­and it's long since questioned everyone involved and should know if someone deliberately or accidentally lost control of them. I know that many people, both inside the government and out, think there is some sort of domestic involvement; things may be more complicated than I realize.

It's also not over. Last week, the Shadow Brokers were back, with a rambling and taunting message announcing a "Data Dump of the Month" service. They're offering to sell unreleased NSA attack tools­ -- something they also tried last August­ -- with the threat to publish them if no one pays. The group has made good on their previous boasts: In the coming months, we might see new exploits against web browsers, networking equipment, smartphones, and operating systems -- Windows in particular. Even scarier, they're threatening to release raw NSA intercepts: data from the SWIFT network and banks, and "compromised data from Russian, Chinese, Iranian, or North Korean nukes and missile programs."

Whoever the Shadow Brokers are, however they stole these disks full of NSA secrets, and for whatever reason they're releasing them, it's going to be a long summer inside of Fort Meade­ -- as it will be for the rest of us.

This essay previously appeared in the Atlantic, and is an update of this essay from Lawfare.

Posted on May 30, 2017 at 6:08 AM • 67 Comments

Comments

Anders Reed-Mohn (@itinsecurity)May 30, 2017 6:46 AM

One thing that strikes me is the consistency in the "bad english" language of some of the ShadowBrokers' messages.

I get the sense that whoever is writing is very much on command of their words, just masking just how good their english is, and is really a native English speaker.

Steven C. ButtgereitMay 30, 2017 7:03 AM

More in jest, but perhaps not completely so, I'll put forward: a small group of skilled, but unscrupulous security consultants or security company; including perhaps former members of the intelligence community.

All of the motivations and payoffs that seem to conflict in the blog post, ultimately seem to benefit computer security professionals the most. The releases forces companies to act and act on an emergency basis, the slow staging of releases ensures that there has to be multiple calls for service, and the flow of cash is tied to a legitimate business activity since the nefarious bit isn't tied to a financial transaction directly.

Of course, the flaw in the argument is while any number of good security teams are well paid, I suppose it wouldn't be the most profitable use of the data... but.... just maybe :-)

Matt G.May 30, 2017 7:27 AM

If their mission is simply to render the leaked code useless to the NSA by convincing people to patch their software, then it would seem to be working to some extent.

Puppet MasterMay 30, 2017 7:33 AM

Assuming that NSA knows which server the files have come from, they would also be aware what will be in the next dumps. One would assume that if NSA knows that one or more exploits will be public in the coming months, then they would want to warn the manufacturer in advance.

However there has been no stream of suspicious additional updates to Windows, Linux, etc. in the last few months. So perhaps this is it. Maybe the hackers are bluffing?

WilhelmMay 30, 2017 7:34 AM

From the Shadow Brokers latest message "TheShadowBrokers was very very sad! Story is now sounding like silly children's' book. TheShadowBrokers is writing to audience reading level, thepeoples is having average reading level of 8th grade."

Sounds very American and intentionally broken.

WilhelmMay 30, 2017 7:37 AM

This too, sounds very American - "TheShadowBrokers is launching new monthly subscription model. Is being like wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month. What members doing with data after is up to members."

Their English is broken, but their references are accurate. Very strange.

mostly harmfulMay 30, 2017 8:13 AM

In the coming months, we might see new exploits against web browsers, networking equipment, smartphones, and operating systems -- Windows in particular. Even scarier,[…]

Wait. Why should anyone be "afraid" of something so utterly predictable?

Exploits are publicised, and then patches are made and released. That's how it works, is it not? Known-to-be clusterfscked machines are thereby incrementally improved, though very possibly inadequately so (depending on your purposes).

What is remotely scary about that process?

If one seeks something unsettling to contemplate, merely consider that all these Rube Goldberg machines are routinely represented as fit for serious purpose.

But frankly I'm far more concerned about the black hole that seems to have swallowed the unnamed TAO employee refered to in Ellen Nakashima's November 19, 2016 Washington Post article:

But there was a second, previously undisclosed breach of cybertools, discovered in the summer of 2015, which was also carried out by a TAO employee, one official said. That individual also has been arrested, but his case has not been made public. The individual is not thought to have shared the material with another country, the official said.

Is this Washington Post article the only public information available regarding this individual and their present welfare?

Clive RobinsonMay 30, 2017 8:42 AM

@ Bruce,

the Shadow Brokers stole a few disks full of NSA secrets

That is very much an assumption currently. Which when you consider the number of leaks that have been happening may actually be a disgruntaled insider "arranging" for who ever now has the dump to have it or be given it.

It is after all not unknown for inter-agency turf wars to spill out into a more public arena.

I guess time will tell but untile then I'm going to stick with "aquired" rather than "Stolen".

TerryMay 30, 2017 8:52 AM

You keep searching a motive.
Sometimes they just want to watch things burn.

Much Success for Make Benefit Glorious AmericaMay 30, 2017 9:02 AM

This is a silly article, but then it's for the Atlantic, so it has to be. There's nothing perplexing about this leak. It's standard counter-sabotage applied to shared infrastructure.

https://www.cia.gov/library/center-for-the-study-of-intelligence/kent-csi/vol7no2/html/v07i2a06p_0001.htm

It effectively promotes all counter-sabotage objectives (except where corporations collude with NSA tampering, and that works out too, because in that case treacherous US suppliers cede markets to trusted foreign producers.)

It doesn't have to be RUSSIA RUSSIA RUSSIA. It could be civil society, which takes many transnational forms. But the Atlantic propaganda line is that there is no civil society, only enemy nations. Everyone on earth outside the beltway has a stake in stopping NSA and CIA sabotage. Everybody's rights are under threat from the US Stasi.

ab praeceptisMay 30, 2017 9:21 AM

If I may ...

- the entity acting in a publicly visible way (and calling itself Shadow Brokers) may - or may not - be the same entity that got the material.

- the entity - or entities - having taken the data from nsa may - or may not - be the entity that had and passed on, with whatever intention, access to the data.

- the year 2013 might have different reasons. One of which is what Bruce Schneier assumes. Another one might be that they put their material in two baskets, namely a "current high value" one and a "older, lower value" one mainly for marketing purposes. Yet other reasons are conceivable.

- the motives for providing access to and/or taking the data can be entirely different from the motives for publishing/playing the Shadow Brokers games. Any deduction from the latter to the former is highly doubtful.

- *Obviously*, us america isn't a halfway consistent entity anymore; this can be easily seen when looking at how (forgive my lose classification) obamistas, clintonistas and trumpistas fight each other. But it can also be seen from the eu reaction to trump; the eu seems much more linked to obama (albeit an ex-president) than to trump whom they seem to consider more of an enemy than a friend.

It would be surprising if that fractioning and infighting within washington wouldn't be found with intelligence circles, too.

- It seems rather superficial to me to see China as "making friendly" and Russia as evil. *Both* are foremost friendly to each other and *both* want to continue ending the us-american hegemony.
As for China I'd like to remind you that they had (and probably still have) quite some internal conflicts, to. It might hence be quite realistic to assume that the old anti Xi faction stabbed the us american spooks so as to create problems for Xi. Similarly, powerful groups might have stabbed the us spooks *because* they don't like Xi's "making friendly" to washington.

- from what we know and see, Putin is almost obsessed with legality. While it might be quite realistic to assume that russian intelligence services hacked the nsa they would very clearly not be allowed to play the Shadow Broker game.

We can't know. Simple as that. As for guessing my personal take is us-american infighting plus a generous dose of spreading suspicion against Russia and China.

Who?May 30, 2017 9:33 AM

That's not what we're seeing here; it's simply a bunch of exploit code, which doesn't have the political or ethical implications that a whistleblower would want to highlight.

Bruce, are you sure?

Most whistleblowers want to embarrash the agencies that hired them. This is the reason they publish documentation that shows the bad —usually illegal— practices of their IC. I agree with you here. However leaking code is something a whistleblower may do too. Look at it this way, Edward Snowden and Chelsea Manning leaked information about the way the U.S. Government acts that may or may not help changing these activities for the good in the future. Shadow Brokers leaked code that will improve the world helping closing bugs that are being actively exploited by the IC in the software we run each day. Both are different approaches to the same problem.

Who?May 30, 2017 9:41 AM

I want to be more clear: Snowden and Manning took a political approach, Shadow Brokers are more on the technical side. In both cases leaks can be used for the good or for the evil. Snowden leaks provided a long-term overview of how IC acts, and helps developing strategies against global surveillance. Shadow Brokers provide short-term leaks that will help us fixing bugs that are being exploited right now (of course, iff OEMs care enough about their clients security, Cisco will not patch old devices that will remain exploitable forever).

Soufiane TahiriMay 30, 2017 9:47 AM

It doesn't have to be Russia, China , Iran, NK and especially in this fully connected word ; At least I hope its a civil operation which is being conducted.

The scariest story is not knowing what ShadowBrokers will be leaking, to some point the leak is "democratizing" what NSA is capable of, anyway the exploits and the cyber warfare is being widely used against us every single minute why the hell caring about who are SB, the real question is what does NSA really have? What are they really capable of? and Why the hell not caring about stooping.

If the leaks come between "cyber criminals" hands, at least this make things a little bit balanced, not only NSA can use the leaked exploit and this is quit satisfying from a certain point of view.

Fausto CarreraMay 30, 2017 9:59 AM

If the main purpose of the ShadowBrokers is profit from the NSA tools, they would have used any of the numerous dark web markets to handle it. Why they tried to have an auction and now a monthly subscription?

MorgadoMay 30, 2017 10:00 AM

2 farfetched hypotheses:

- "A nation state": Russia, or a "lone hacker", putting these 2 options together... Could it be Mr. Snowden?

- What are the chances that the NSA itself, has a new and so powerfull capability that they decided to leak, both because these leaks are now obsolete to them and to watch who are the other foreign actors who lay behind them at this point, giving themselves up by trying to catch this recent leaks?

As I said, these are farfetched theories, but who knows right?

Who?May 30, 2017 10:14 AM

As with the Snowden documents, though, they only know what the attackers could have taken and not what they did take. But they did alert Microsoft about the Windows vulnerability the Shadow Brokers released months in advance. Did they have eavesdropping capability inside whoever stole the files, as they claimed to when the Russians attacked the State Department? We have no idea.

If I remember right, Shadow Broker published a list of stolen files a few months before releasing them to the public. I think it was last december, perhaps january. NSA does not need eavesdropping capability to alert Microsoft this time.

Who?May 30, 2017 10:43 AM

@ Morgado

- "A nation state": Russia, or a "lone hacker", putting these 2 options together... Could it be Mr. Snowden?

No. Snowden left the NSA on the first months of 2013, some leaks are from the last months of that year.

ScottMay 30, 2017 10:54 AM

The Shadow Brokers' messages have a syntax consistent with a language represented by Cyrillic characters. Their origin isn't exactly a mystery.

SteveMay 30, 2017 11:03 AM

Like mostly harmful, I find perhaps the most disturbing part of this story is the blurblet Dr Schneier quotes from the WaPo: That individual also has been arrested, but his case has not been made public. So much for various bits of the 4th through the 8th Amendments, it would seem.

EvanMay 30, 2017 11:08 AM

@Steven C. Buttgereit
I think it's at least somewhat plausible. Consider this scenario: by plan or by happenstance (investigating cyber attack, doing malware scans, etc) they discover NSA assets that they are able to compromise. Being less than scrupulous, they take everything they can with the intent of finding a way to monetize it later. Unfortunately, not being "true" black hats, they have no big-league criminal or espionage ties, and they're too scared to use the tools to enrich themselves in case it gets tracked back to them. The leaks are to establish a reputation and hook some buyers, and the proposed "subscription model" strikes me as a desperate move to try and get some cash out of the whole thing.

The pros of the theory are that it would explain the amount of time elapsed and why they don't seem to be trying to leverage their exploits for anything. The cons are that it can't be that hard to sell exploits on darknet, can it?

hermanMay 30, 2017 11:11 AM

"That individual also has been arrested, but his case has not been made public."

Who is this poor sod and since when has he been chucked into which dungen?

RachelMay 30, 2017 11:52 AM

Ab Praeceptis

"if I may...."

Bruce could have written a more concise article.

'We don't know who they are, what they look like, or what they want. But we know they are out there..'

ScissorsMay 30, 2017 12:04 PM

@Evan
I find it hard to believe that the Shadow Brokers' main objective is financial gain. With the likes of Zerodium, it's trivial to find legal (or legal enough) avenues of selling 0days anonymously and quietly. Unless the thieves were quite inept they could create seeming original proof-of-concepts based on the stolen tools that wouldn't raise suspicion for the first several 'transactions'. Even if Zerodium had provided the 0days to the NSA, they'd have to pay them to keep them from talking.

ThomasMay 30, 2017 12:37 PM

One thing that had - in my opinion - not discussed extensivly is, that the Shadowbroker really just are ciminals that try to squeeze as much money out of their data as possible. In my opinion that fits to the many "oh we are sad that nobody send us BTC" message from the last month. The subscription-model they now introduced might be a way to sell stuff that they know is getting worthless by every day. What do you think?

NeroTransmitterMay 30, 2017 12:39 PM

I have had jobs where when it looked as if i was no longer going to be working there anymore, i went and pushed all my code over to ZIP drives (it was a long time ago).

I did so because i wrote 10s of thousands of lines of code that i was going to never see again and that would possibly be helpful for whatever my next job was.

The funny thing is i never used any of the old code, just felt like i needed it for whatever reason. Perhaps i wasnt as good at my job back then?

This could simply be a similar case of a person who knew they were going to leave (either contract or otherwise) and didnt want to let go of the code. They dont make Zip drives anymore so pushing to a 'safe' place would be the next best move.

Could be nefarious operators were watching the 'safe' place.

SeanMay 30, 2017 12:59 PM

Not worth reading but: this story's just sounding more and more crazy... Really!

JasonRMay 30, 2017 1:32 PM

Interesting read, and I'll toss in my two cents:

Arrested person (Hal Martin or other) had a dead man's software switch set to release this information to one or more places which would use it maliciously and embarrass the arrested person's [previous] employer.

https://en.wikipedia.org/wiki/Dead_man%27s_switch#Software

It wouldn't even have to be that sophisticated, and could just be an extra Google account with everything encrypted on Google Drive, with the key sitting in the Gmail account's Drafts. 3 months go by and "dead man's" Google account isn't accessed, email goes out automatically to their designated survivor.

GerardMay 30, 2017 2:40 PM

@ ab praeceptis,

"If I may ..."

You may. FACT, FACT, FACT. It's just not there and there never has been. There is a lot of framing.

One FACT however is that the NSA (and CIA, and probably a couple massively funded US institutions more) kept US (that's not the US of A but US ALL) insecure. And for what? It's not for catching the four horsemen. They absolutely stink at that part. They haven't catched ONE terrorist. No, it's much more sinister. It's economical espionage, funding, power and control.

So, let's ask this question. What is more important: The security of state or civilians, companies and infrastructure? If it's state (which it is right now), ... then the road is paved for dictatorial government. Trump could be there for a long time.

moopsMay 30, 2017 3:12 PM

So the commentators' opinion is that Shadow Brokers is unknowable? That hypothesizing from information in the public record cannot work? The only article Bruce could write on the topic of the Shadow Brokers is 'We don't know who they are, what they look like, or what they want. But we know they are out there..'

Pretty weak for a blog about security.

ArclightMay 30, 2017 4:41 PM

I think there are signs that the Shadow Brokers may be an army of one. As some of our previous posters and Mr. Schneier have stated, the behavior of those distributing the material is not consistent with just about anyone who could have gathered it by sophisticated means.

The most plausible explanation so far, is that the person behind the Shadow Brokers came across this data by accident. Maybe they are part of a compliance auditing team. Maybe they work for a large banking organization in IT ops. Maybe they had knowledge that someone at one of their clients was working with an intelligence service. They could be a semi-insider at a defense contractor, who perhaps came across this material improperly stored on a decommissioned system or by some collector like Hal Martin. Maybe some other country's security services had left this inside an org for attribution purposes.

It's also likely that the system involved was touched by a lot of people and by players who reside in one or more "complicated" locales. This would preclude the FBI coming around and dealing with this firmly as a non-public data spillage.

At some point, they acquired the material, and they sat on it long enough to be confident nobody was looking very hard in their direction. Then what? They don't have the skills or time to monetize it with malware or by passing themselves off as a competent vulnerability developer.

They are primarily after money, and aren't politically motivated enough to contact Wikileaks or the Intercept. They aren't going to bring anyone else into this, because that would pretty much assure being caught.

I believe this individual is sophisticated enough to have a large amount of respect for the players they know are after them, but don't have much in the way of capabilities.

The amateurish auction attempt might be the best effort a person with a day job and level 2-3 ops skills could put forth. I think the original intent was to ransom it back to the original owners this way and retire. Now that it didn't break that way, things are getting weird.

They haven't been caught yet, because their attack surface is small, there are lot of potential suspects, they probably live outside a USA-friendly jurisdiction, and they have never communicated in any way about this crime to anyone ever. Perhaps their home government could work with U.S. authorities to help identify the uploader, but they aren't interested or see this "watch it burn" drama as aligned with their interests while also non-attributable to them.

Clive RobinsonMay 30, 2017 5:21 PM

@ Scott,

The Shadow Brokers' messages have a syntax consistent with a language represented by Cyrillic characters. Their origin isn't exactly a mystery.

And exactly how difficult would that be to fake?

Having done that ask just how many linguists do the various US IC agencies employ? And what percentage are they of the total in the US that could "fake it".

A point worth remembering Occam's Razor is not of use with human beings due to "Free Will" especialy if someone is trying to cover their tracks or run a False Flag operations.

Dirk PraetMay 30, 2017 5:28 PM

Whoever the Shadow Brokers are, however they stole these disks full of NSA secrets ...

They

  • totally embarassed the NSA
  • showed the US Vulnerabilities Equities Process (VEP) is a joke
  • demonstrated once again the USG and IC are unable to keep secrets, and that, hence, NOBUS is a myth
  • forced vendors into patching vulnerabilities
  • exposed Microsoft for being extortionists in not providing a timely patch for all XP users
  • exposed managers and other decision makers for failing due diligence to the point of endangering their customers by keeping a no longer supported legacy OS alive in a networked environment
  • painfully reminded ordinary users to keep their systems patched and move off unsupported legacy systems
What exactly is not to like, and - with the exception of those they exposed - who cares who they are or where they come from?

For what it's worth, my bet is still on a turf war within the US IC.

@ Nerotransmitter

They dont make Zip drives anymore so pushing to a 'safe' place would be the next best move.

I still have a couple of those (and a JAZ drive too), including a strategic reserve of disks. I still occasionally use them to move data to and from airgapped machines.

moopsMay 30, 2017 5:36 PM

Reading the auction text I don't get the impression this is an honest translation foible of a foreign speaker. It is hard to tell, but the people from Russia I work with don't mess up verb tense this haphazardly.


Q: Is Zcash safe and reliable?
F___ no! If you caring about loosing $20k+ Euro then not being for you. Monthly dump is being for high rollers, hackers, security companies, OEMs, and governments. Playing “the game” is involving risks. Zcash is having connections to USG (DARPA, DOD, John Hopkins) and Israel. Why USG is “sponsoring” privacy version of bitcoin? Who the fuck is knowing? In defense, TOR is originally being by similar parties. TheShadowBrokers not fully trusting TOR either. Maybe USG is needing to be sending money outside from banking systems? If USG is hacking and watching banking systems (SWIFT) then adversaries is also hacking and watching banking systems. Maybe is for sending money to deep cover foreign assets? Maybe is being trojan horse with cryptographic flaw or weakness only NSA can exploit? Maybe is not being for money? Maybe is being for Zk-SNARKs research? Maybe f__k it, lets be finding out. This month theshadowbrokers using Zcash. If being not good, then maybe theshadowbrokers doing different for July?
Q: What is going to be in the next dump?
TheShadowBrokers is not deciding yet. Something of value to someone. See theshadowbrokers’ previous posts. The time for “I’ll show you mine if you show me yours first” is being over. Peoples is seeing what happenings when theshadowbrokers is showing theshadowbrokers’ first. This is being wrong question. Question to be asking “Can my organization afford not to be first to get access to theshadowbrokers dumps?”


I'm inclined to agree with Arclight. Lone op sec person stumbled upon misplaced cache, or got gifted the cache by someone that is already caught (maybe via deadman switch, the detail is less important).

gordoMay 30, 2017 6:01 PM

The Shadow Brokers auction wallet has been emptied:

https://twitter.com/mikko/status/869071264316522496

First comment at the above tweet may have identified why:

New conversation

DΔRΔMULUΠ‏ @Daramulun May 29
More
Replying to @mikko
Ohh look, someone payed the subscription fee for the new June zero days packages... 😈

$24K out, $21K in.

In a manner of speaking, maybe the Shadow Brokers have deployed a repatriation or self-funding-subscription bot.

See also:

TRUE DETECTIVE
Follow the Bitcoin From the Shadow Brokers NSA Hacking Tool Auction
Is the hacking group finally cashing out?
JORDAN PEARSON | Vice Motherboard | May 29 2017

There's also the question of who is receiving the coin. A quick look at the blockchain shows that the coin in the auction address is being moved through a series of addresses in increasingly smaller denominations. This might indicate that the coins are being sent through a "mixer"—a service that moves coins through a byzantine series of addresses until they can't be directly traced back to the original address.

https://motherboard.vice.com/en_us/article/follow-the-bitcoin-from-the-shadow-brokers-nsa-hacking-tool-auction

-------

https://bitcoin.stackexchange.com/questions/18850/in-what-respect-is-bitcoin-programmable-cash

http://bitcoin.automationsoftware.club/btc/zcash/

Nick PMay 30, 2017 7:00 PM

@ Dirk Praet

"For what it's worth, my bet is still on a turf war within the US IC."

Why is that?

Joshua BowmanMay 30, 2017 8:15 PM

My (uneducated) guess is that the Russians never intended to let the tools go at all, because they're still far more powerful and useful in secret, regardless of the propaganda value. I think someone else (insider, outside hacker?) exfiltrated them to the Shadow Brokers or to a broker the Shadow Brokers in turn bought it from. That neatly explains both problems.

Joshua BowmanMay 30, 2017 8:26 PM

@Wilhelm • May 30, 2017 7:37 AM

This too, sounds very American - "TheShadowBrokers is launching new monthly subscription model. Is being like wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month. What members doing with data after is up to members."

Their English is broken, but their references are accurate. Very strange.

You realize that Russia has wine of the month clubs, right? They're called Вино месячного клуба, literally "wine of month club." You'd think people commenting on Russian attacks would at least bother to familiarize themselves enough with Russia before claiming that their references are too American to be believable.

CarpetCatMay 30, 2017 8:59 PM

Shadow Brokers is be teaching the people of USA a lesson. The bare that is Yogi can be telling you!

Honestly, the stuff about the exploits and the computer security is not the issue here. The Shadow Brokers have practially BEGGED you to put coin in there wallet. The packages, the manuals, were all just an incentive. They have no value to the Shadow Brokers, who would just as soon give them away. (as they did when no one funded their experiment).

So what's the real deal here? This is a trap. Not for you or me, but for the NSA. They're getting baited hard to overextended and reveal themselves. The key to understanding this is the blockchain. Just wait and see.

ps. Notice that huge spike in blockchain trades and value/crash latey? Hmmm?

SpookyMay 30, 2017 9:06 PM

@ Dirk Praet,

I've got a little USB magneto-optical drive (and plenty of spare disks) that I use for much the same purpose. Very handy size, durable media. Wish they were still in common use...


@ re: Shadow Brokers,

I wonder how many NSA civilian employees practice shockingly poor personal opsec during their off-work hours? Most, probably. Or, let's say an adversary acquired a day's worth of vehicular plate traffic (using your choice of cameras) at the entrance of Ft. Meade; they could eventually match it against records from the DMV (operated by unvetted, low-paid, non-technical staff, with temporary access gained through direct hacks, social engineering, bribes, etc) to unmask the vehicle owners. Using a shell company, those identities could then be matched against staggering volumes of commercially available "marketing" data, allowing you to build an extremely detailed profile of every single NSA employee. Income, credit, title, education and length of govt. service might be effective proxies for presumed level-of-access (though, with everything being compartmented, it might only indicate relative rank in a given box, of which there are a great many). Sort all records for psychological profiles of individuals likely to exhibit predictable, exploitable weaknesses; rank by access. Go to work. Sounds a bit like Metasploit for human beings, lol. Still, the resources required are not unreasonable and at the end of the day, you are likely to short-list a handful of people potentially subject to varying degrees of compromise. Is that what actually happened? Probably not. But as others have shown with their own pet theories, there are a great many believable ways that this could have played out--and sadly, we'll never know the whole truth, as the only source of information is the NSA itself (gong!) and these ridiculous jokers known as the Shadow Brokers...


Cheers,
Spooky

TMMay 30, 2017 10:41 PM

Broken English is a masking technique, probably a product of a tool to convert a native-written English text to a version that would be impossible to link to someone by a stylometric signature. https://bits.blogs.nytimes.com/2012/01/03/software-helps-identify-anonymous-writers-or-helps-them-stay-that-way/

And IMO they are who they are saying they are: ex-NSA (TAO veterans?) / IC employees badly pissed off with some internal issue(s). Not afraid of being captured (they know exactly how NSA would try to search for them and how to prevent being uncovered), having the internal insight & access to the docs/tools to leak (probably being authors of those tools), trying to cause maximum damage to NSA without any additional specific aim. At the same time considering to make additional activist/civil moves (beyond NSA issues) if enough financing is received.

MarkMay 31, 2017 1:14 AM

I'm a big fan of anyone who embarrasses the Yanks. Long may it continue.

Clive RobinsonMay 31, 2017 3:35 AM

People are possibly making a mistake with thinking this is a money making venture.

It was the audacity of the initial auction that attracted the attention of the more general press and got the "Shadow brokers" MSM coverage and lots of buzz in circles that are not mainly frequented by the "nerds nerds" (who find the minutiae of malware engrossing).

Who ever came up with WanaCry has also given the Shadow Brokers yet more publicity. Likewise the "auction of the month" is getting more media attention. I should think Anonymous are starting to get jealous ;-)

But now we have the puzzle of the BitCoin, making yet more news with the coins getting split and split again and going around and around.

I suspect it will not be long before there is a yet more news worthy story about the Shadow Brokers causing instability in the BitCoin market...

As the old line has it "This is publicity you just can't buy!"

And the longer it goes on the more the NSA look like "The Muppets Show". If it's not another IC agency doing it you can bet they wish they were, or had concessions in the popcorn business.

I would make a small wager that some script writer is already putting this together to hawk around as a film proposal.

65535May 31, 2017 3:46 AM

I don’t know who the Shadow Brokers are but I suspect it will become clear in time. There will be a leak, OPSec slip or some type or in-fighting or the like and the Shadows Brokers will eventually be exposed.

One, fact I do know is to get funding for the NSA/CIA/FBI there needs to be an adversary to fight. Without an adversary funding for said agencies will dry up.

Thus, we have the “War On Terror,” the “War On Drugs,” the “Cyber War” and so on. I wonder to what extent the “War on Shadow Brokers” plays into this discussion [if at all].

Dirk PraetMay 31, 2017 4:46 AM

@ Nick P

Why is that?

It makes little sense for any foreign SIGINT agency or associated group of "freelancers" to give up an entire stash of perfectly good exploits just for the heck of it. Neither do I believe in a lone hacker or a LulzSec type of group. Unless they're being counseled in proper OPSEC and the like by @Clive, they would have compromised themselves ages ago.

In theory, it could also be some EU agency retaliating for the spying on allies Snowden revealed, but which is rather unlikely as it would mean getting cut off from any US intel feeds if ever they were found out about. For similar reasons, I don't think a US private sector organisation like BAH or Palantir would be behind it. Way too many commercial interests at stake.

Which only leaves one or more former employees (or contractors) that ran off with the data and delivered them to some domestic entity that has an axe to grind with the NSA and skilled enough to keep under the radar for years. In essence, either the NSA is utterly incompetent, or they know darn well who's behind it and are actively propagating the "Russia Inside" story because the truth behind the entire affair is even more embarrassing than the heist itself.

Most infrastructures under my control - for starters my home network - keep detailed audit logs on sensitive data access, including real-time alerts. It's not even that hard to set up, so I'm having a rather difficult time believing the NSA and their contractors would be unable to do the same.

@ Clive

And the longer it goes on the more the NSA look like "The Muppets Show"

(Chuckle) Being pictured as The Great Gonzo is probably the last thing Rogers had in mind when he took over.

Vladimir StimsonMay 31, 2017 8:11 AM

"It makes little sense for any foreign SIGINT agency or associated group of "freelancers" to give up an entire stash of perfectly good exploits"

Everyone seems to discount the possibility that states committed to rule of law might choose to enforce it. Publishing exploits has two salutary effects: it exposes US violations of international and municipal law; and it stimulates countermeasures against illegal surveillance. Believe it or not, there was a time when open covenants openly arrived at meant that gentlemen do not read each others' mail. Even in America. In fact America led the world in developing those norms. Course that was the ancien régime, before CIA took over. In the free world - outside the US satellite states - those principles are acknowledged as customary and conventional international law.

RuthieMay 31, 2017 8:46 AM

Shadowbrokers could certainly be an intentional US government disclosure. If the state's purpose is to intimidate, surveillance does not need to be carried out in secret. When an organ of state is sufficiently lawless, it may benefit by parading its contempt for its powerless subjects.

"They were informing me of their extensive power of surveillance. Rather than being secretive about their tracking me, they were informing me that they were so powerful that they were willing to have me know..."

https://www.therussophile.org/after-more-than-a-half-century-the-historical-truth-of-the-assassination-of-john-f-kennedy.html/

nobodyMay 31, 2017 8:56 AM

@Bruce

The individual is not thought to have shared the material with another country, the official said.

Of course, "not thought to have" is not the same as not having done so.


Bruce is correct, of course, although in this case the statement was also about not having shared "with another country".

So they could have shared with someone in USA. And of course they ended up having to give the tools back to the members of the "law enforcement" that came to arrest them...who knows what some of those folks actually did with them...

Dirk PraetMay 31, 2017 10:19 AM

@ Vladimir Stimson

Everyone seems to discount the possibility that states committed to rule of law might choose to enforce it.

Attention Dan Brown and Tom Hanks: some ancient Catholic order operating from the Vatican catacombs for unknown reasons has taken on both the NSA and the CIA. The first clue to solving this new puzzle is the mysterious word covfefe.

HermanMay 31, 2017 11:27 AM

My guess is it is a guy in central Europe who bought a second hand disk from Ebay

SeanMay 31, 2017 12:33 PM

Who are going to be the ShadowBrokers customers, excepted cybercriminal and terrorists ?

Megan PrentyMay 31, 2017 12:51 PM

But the problem with the Russia theory is, why? These leaked tools are much more valuable if kept secret.

Russian FSB & GRU doesn't care about value of the tools. They care to be visible and prominent to get more funding. "Look what we can do, give us funding!"

Dan HJune 1, 2017 7:27 AM

"Chelsea Manning"

Bradley Manning. That pair of chromosomes can't be changed, so no matter what you call yourself or think you are, like Rachel Dolezal, it doesn't make you that. You can't change your biological gender or race.

RachelJune 1, 2017 7:57 AM

@ Dan H

and was your unwarranted, unnecessary irrelevant, disrespectful observation for any purpose other than to demonstrate how bigotry is hard coded into your personal chromosomes and can't be changed? Thanks for the science lesson. I'll file it along side your history lesson.

As Ab Praeceptis would say , you are officially, permanently irrevecably disqualified

Have a nice day

ModeratorJune 1, 2017 8:16 AM

@Dan H, Private Manning's name was legally changed to Chelsea three years ago. Manning's gender is not an appropriate topic for this forum.

ModeratorJune 2, 2017 12:08 PM

@Alex, @All: To be more precise, neither Private Manning's gender nor sexual orientation are appropriate topics for this forum. Comments on the subject will be deleted; please take the discussion elsewhere.

Alexander VollmerJune 2, 2017 6:25 PM

It might be a ruse to turn down the credibility and influence of the NSA inside the branches of the government. Such damage is now real and could transform an independent agency into a mere tool. This could be the work of a faction inside the political system of the US. The reason? Image neurosis, revenge, gaining influence themselves, form conspiracy theory to personal motives, there is a lot of room for imagination. Someone with access and contacts or with the right amount of authority should investigate this possibility.

John PJune 2, 2017 7:49 PM

@ Clive Robinson said,


People are possibly making a mistake with thinking this is a money making venture.
...
Who ever came up with WanaCry has also given the Shadow Brokers yet more publicity.
...
I suspect it will not be long before there is a yet more news worthy story about the Shadow Brokers causing instability in the BitCoin market...

What we cannot discount is that there are most probably a few hands full of individuals who possess the know-how to operate under radar. As we already know, everying is stored, indexed, and watched. Thus, there is most probably a schindler's list of sorts, because the system is weighted towards profiling techniques. Eventually, the list can and will be narrowed down, so the entity known as Shadow Brokers is most probably the work of a single individual, at most 2 if grouped. By this logic, it has to be an insider, who had insights to the bigger picture, or who had figured it almost all out.

May we all live in interesting times... and enjoy popcorns.

Someone out thereJune 4, 2017 4:53 PM

@Joshua Bowman • May 30, 2017 8:26 PM

Believe it or not, there's no wine of the month club concept in Russia.
And the way you google-translated the term into some Russian-looking gibberish does not make it proper Russian even.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.