ShadowBrokers threaten to release more NSA tools


The mysterious organization behind the theft of alleged NSA hacking tools is frustrated that no one has stepped up to buy back the data from them -- some of which was recently used to launch the WannaCry ransomware attack -- and is threatening to continue releasing NSA tools through a subscription service.

The ShadowBrokers appeared in August 2016 and attempted to auction a trove of hacking data they claim was stolen from the NSA's Equation Group. No one purchased the stolen tools, and so the ShadowBrokers began leaking details in an effort to convince people they had what they claimed.

In April, the ShadowBrokers dumped Microsoft exploits that led to the development of the WannaCry ransomware that has infected hundreds of thousands of computers around the world.

Some security researchers say there are indications that WannaCry could have been developed by the Lazarus Group, an alleged North Korean hacking organization, but others have cautioned it is too soon to tell who was behind the attacks.

In a May 16 blog post written in broken English peppered with internet slang, the ShadowBrokers claim they acted responsibly by leaking the NSA tools a month after Microsoft issued a patch for the vulnerability exploited by WannaCry.

"Do thepeoples be preferring theshadowbrokers dump windows in January or August? No warning, no time to patch? this is being theshadowbrokers version of alternative facts," states the blog post.

The post goes on to criticize, often in crude terms, the NSA, other nation states and large tech companies for not purchasing the stolen data and making the group "go dark permanently."

As a result, the group is threatening to launch a new subscription service in June.

Future data dumps could include browser, router and mobile phone exploits and tools; malware that could compromise newer operating systems; compromised network data from more SWIFT providers and central banks; and even information about Russian, Chinese, Iranian or North Korean nuclear and missile programs.

Previous releases have included tools and exploits that are a few years old for which patches already exist, but countless devices and systems around the world have not been updated.

The ShadowBrokers also revealed more of their motivation in the post. They said they are not interested in selling the stolen tools to cybercriminals and this is all about battling "a worthy opponent" in state-sponsored spy agencies, particularly the NSA.

The group also claimed in the post that the Equation Group, an advanced persistent threat group identified by cybersecurity researchers as an NSA hacking operation, has spies in large tech firms and is paying them not to patch vulnerabilities until there is public discovery.

The NSA did not respond to a request for comment about the blog post.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.

