ShadowBrokers threaten to release more NSA tools

The mysterious organization behind the theft of alleged NSA hacking tools is frustrated that no one has stepped up to buy back the data from them -- some of which was recently used to launch the WannaCry ransomware attack -- and is threatening to continue releasing NSA tools through a subscription service.

The ShadowBrokers appeared in August 2016 and attempted to auction a trove of hacking data they claim was stolen from the NSA's Equation Group. No one purchased the stolen tools, and so the ShadowBrokers began leaking details in an effort to convince people they had what they claimed.

In April, the ShadowBrokers dumped Microsoft exploits that led to the development of the WannaCry ransomware that has infected hundreds of thousands of computers around the world.

Some security researchers say there are indications that WannaCry could have been developed by the Lazarus Group, an alleged North Korean hacking organization, but others have cautioned it is too soon to tell who was behind the attacks.

In a May 16 blog post written in broken English peppered with internet slang, the ShadowBrokers claim they acted responsibly by leaking the NSA tools a month after Microsoft issued a patch for the vulnerability exploited by WannaCry.

"Do thepeoples be preferring theshadowbrokers dump windows in January or August? No warning, no time to patch? this is being theshadowbrokers version of alternative facts," states the blog post.

The post goes on to criticize, often in crude terms, the NSA, other nation states and large tech companies for not purchasing the stolen data and making the group "go dark permanently."

As a result, the group is threatening to launch a new subscription service in June.

Future data dumps could include browser, router and mobile phone exploits and tools; malware that could compromise newer operating systems; compromised network data from more SWIFT providers and central banks; and even information about Russian, Chinese, Iranian or North Korean nuclear and missile programs.

Previous releases have included tools and exploits that are a few years old for which patches already exist, but countless devices and systems around the world have not been updated.

The ShadowBrokers also revealed more of their motivation in the post. They said they are not interested in selling the stolen tools to cybercriminals and this is all about battling "a worthy opponent" in state-sponsored spy agencies, particularly the NSA.

The group also claimed in the post that the Equation Group, an advanced persistent threat group identified by cybersecurity researchers as an NSA hacking operation, has spies in large tech firms and is paying them not to patch vulnerabilities until there is public discovery.

The NSA did not respond to a request for comment about the blog post.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.

