ShadowBrokers threaten to release more NSA tools


The mysterious organization behind the theft of alleged NSA hacking tools is frustrated that no one has stepped up to buy back the data from them -- some of which was recently used to launch the WannaCry ransomware attack -- and is threatening to continue releasing NSA tools through a subscription service.

The ShadowBrokers appeared in August 2016 and attempted to auction a trove of hacking data they claim was stolen from the NSA's Equation Group. No one purchased the stolen tools, and so the ShadowBrokers began leaking details in an effort to convince people they had what they claimed.

In April, the ShadowBrokers dumped Microsoft exploits that led to the development of the WannaCry ransomware that has infected hundreds of thousands of computers around the world.

Some security researchers say there are indications that WannaCry could have been developed by the Lazarus Group, an alleged North Korean hacking organization, but others have cautioned it is too soon to tell who was behind the attacks.

In a May 16 blog post written in broken English peppered with internet slang, the ShadowBrokers claim they acted responsibly by leaking the NSA tools a month after Microsoft issued a patch for the vulnerability exploited by WannaCry.

"Do thepeoples be preferring theshadowbrokers dump windows in January or August? No warning, no time to patch? this is being theshadowbrokers version of alternative facts," states the blog post.

The post goes on to criticize, often in crude terms, the NSA, other nation states and large tech companies for not purchasing the stolen data and making the group "go dark permanently."

As a result, the group is threatening to launch a new subscription service in June.

Future data dumps could include browser, router and mobile phone exploits and tools; malware that could compromise newer operating systems; compromised network data from more SWIFT providers and central banks; and even information about Russian, Chinese, Iranian or North Korean nuclear and missile programs.

Previous releases have included tools and exploits that are a few years old for which patches already exist, but countless devices and systems around the world have not been updated.

The ShadowBrokers also revealed more of their motivation in the post. They said they are not interested in selling the stolen tools to cybercriminals and that this is all about battling "a worthy opponent" in state-sponsored spy agencies, particularly the NSA.

The group also claimed in the post that the Equation Group, an advanced persistent threat group identified by cybersecurity researchers as an NSA hacking operation, has spies in large tech firms and is paying them not to patch vulnerabilities until there is public discovery.

The NSA did not respond to a request for comment about the blog post.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.

