Pandora's box busts open
The latter half of the 2010s proved to be equally as formative for the future of cyber warfare as the earlier half of that decade. In this case, though, it would not be solely because of the back and forth between nation-states that cyber weapons were revealed; it would be due to rogue hacker groups aimed at causing chaos.
The Shadow Brokers came to the forefront of these operations in 2015 and 2016. The name Shadow Brokers was a reference to the popular video game at the time – Mass Effect. In that game, the Shadow Broker was said to be the head of an organization that trades in information, selling to the highest bidder. The Shadow Broker unit in cyberspace appeared to be highly competent at their chosen trade. The first leak that the Shadow Broker unit posted on the internet was one aimed directly at the US government, and specifically its cyber weapons creator, the NSA.
On August 13, 2016, the Shadow Brokers posted a Pastebin notice that stated that they had procured, via unknown means, access to specific tools that came from the Equation Group. The Equation Group is known to be either a part of, or directly related to, the Tailored Access Operations team at Ft Meade Maryland, that is, the base of operations for the NSA.
This is the unit that evolved out to the establishment of US Cyber Command in 2010 and is thought to be directly responsible for the design and deployment of Stuxnet. It is the digital weapons foundry for the US government. This Pastebin notice started with the following text:
"Equation Group Cyber Chase Weapons Auction – Invitation
- ------------------------------------------------
!!! Attention government sponsors of cyber warfare and those who profit from it !!!!
How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT+ LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files."
The posting follows up with the below:
"The Pastebin continues with instructions for obtaining the password to the encrypted auction file:
Auction Instructions
- --------------------
We auction best files to highest bidder. Auction files better than stuxnet. Auction files better than free files we already give you. The party which sends most bitcoins to address: 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK
before bidding stops is winner, we tell how to decrypt. Very important!!! When you send bitcoin you add additional output to transaction.
You add OP_Return
output. In Op_Return
output you put your (bidder) contact info. We suggest use bitmessage or I2P-bote email address. No other information will be disclosed by us publicly. Do not believe unsigned messages. We will contact winner with decryption instructions. Winner can do with files as they please, we not release files to public."
Following that posting on Pastebin in October 2017, the Shadow Brokers would again post that they had access to specific NSA-level tooling, again tools built by or used by the Equation Group.
Another posting by the Shadow Brokers emerged later that year, wherein access and screenshots for a variety of advanced exploitation tools were offered to whoever would contact the Shadow Brokers. The most impactful leak by the Shadow Brokers came in April of 2017 when they posted a tweet linked to their @Shadowbrokers
account wherein there were links to codeword exploits. The most powerful of which was EternalBlue. That exploit directly resulted in over 200,000 machines being infected within the first two weeks of its posting online. Remnants of the EternalBlue exploit appeared in the WannaCry and NotPetya ransomware attacks that would follow, in which millions of machines would be affected and billions of dollars of loss would be incurred by organizations all over the world.
While the specific motivations behind the Shadow Brokers will never be known with much real specificity, the outcomes of their actions certainly became known. There has to date been no owner of the Shadow Broker leaks, probably due to the very real fear of reprisal by the US federal government. There were instances of individuals that the press noted who might be affiliated with those leaks. One of which was a former Booz Allen Hamilton contractor named Harold T. Martin who was thought to be a likely culprit, as he was found with over 50 terabytes of stolen NSA tooling and exploits during an FBI raid of his home, but those claims were never substantiated and the Shadow Brokers continued to post even after his apprehension. Edward Snowden stated on his Twitter feed that "circumstantial evidence and conventional wisdom indicates Russian responsibility," but that was also never validated.
Regardless of who the Shadow Brokers were, Russian moles, disgruntled employees, nation state hackers, or political activists, the fact remains that those leaks were the equivalent of tactical government-designed weapons being offered freely to every man, woman, and child on the planet.