Shadow Brokers threaten to release even more NSA-sourced malware

Late last night, someone claiming to represent Shadow Brokers—the people responsible for releasing stolen NSA hacking tools—posted a new message on the Steemit website. In a hard-to-fathom rant, the group makes several claims and also threatens to release even more damaging material.
I’ve loosely quoted Shadow Brokers’ post below, editing their statement heavily for clarity. Any translation errors are mine. Note that The Equation Group is a well-established “persistent threat” organization, widely thought to be tied to the NSA.
Shadow Brokers feels that it was “being very responsible” about April’s dump—the one that resulted in WannaCrypt/WannaCry, and the potential for many more exploits. Last August, Shadow Brokers warned that The Equation Group had been hacked, and they had the goods. Shadow Brokers offered some of their wares at auction. To prove they had sufficiently interesting goods, they released The Equation Group’s 2013 firewall tools and an old Cisco zero-day exploit. Nobody believed Shadow Brokers.
Why an auction? Shadow Brokers is not interested in bug bounties, selling to “cyber thugs,” or “giving to greedy corporate empires.” They want to pick a worthy opponent. It’s always been about Shadow Brokers vs The Equation Group. But The Equation Group didn’t bid to buy back its wares; nor did any governments, tech companies, or security companies.
In December, Shadow Brokers cancelled the auction, and offered to sell pieces of the trove one at a time. Even then, there were no takers. So Shadow Brokers asked themselves why there were no bids. Perhaps nobody was interested because they didn’t believe Shadow Brokers had the good stuff.
In January, Shadow Brokers posted screenshots taken from programs on The Equation Group’s 2013 Windows Ops disk. When they posted the shots, they knew that The Equation Group would recognize them, and warn Microsoft.
(Shadow Brokers wrangler Matt Suiche acknowledges that “Shadow Brokers seems very well informed that *only* The Equation Group would have identified the vulnerabilities from those screenshots.”)
In February, Microsoft missed Patch Tuesday. Shadow Brokers said that it knows that Microsoft skipped Patch Tuesday to fix the exploits in the 2013 Windows Ops Disk. In March, Microsoft issued the patch for the SMB vulnerabilities. Oracle patched a “huge number of vulnerabilities.” Shadow Brokers waited and didn’t release the exploits.
(That matches up precisely with the MS17-010 release, which tackled the SMB security holes, and conjectures many of us have had about the skipped February patches.)
In April, 90 days after the screenshots were posted, and 30 days after the Microsoft patch, Shadow Brokers released the contents of the 2013 Windows Ops Disk. “Because why not? The Shadow Brokers is having many more… This is The Shadow Brokers way of telling The Equation Group, ‘all your base are belong to us.’ Shadow Brokers isn’t interested in stealing grandmothers’ retirement money. This has always been about The Shadow Brokers vs The Equation Group.”
Shadow Brokers waited 30 days after the Windows patch was available before dumping the exploits. Microsoft has a huge contract worth “millions or billions of USD each year” with The Equation Group. The Equation Group has spies inside Microsoft and other tech companies, as do Russian, Chinese, Iranian and Israeli intelligence. Even Google Project Zero has a former Equation Group member. Remember the “Wormable Zero Day” that Project Zero uncovered? Microsoft took two days to fix it. Was that a coincidence?
Is it fake news if we say that The Equation Group is paying US tech companies to NOT PATCH vulnerabilities until they’re revealed publicly? Why was Microsoft patching the SMB vulnerabilities in secret? Is Microsoft embarrassed because The Equation Group is lying to Microsoft, not telling them about the SMB vulnerabilities? Microsoft thinks it knows all the vulnerabilities that The Equation Group has, and it’s being paid to hold off patches.
At this point the post trails off into a diatribe about Brad Smith, Microsoft’s head lawyer, before picking up again.
In May, we didn’t release any new vulnerabilities, but WannaCry appeared. WannaCry is very strange for crimeware. A killswitch? It cares about the target country? “The oracle” told us that North Korea is responsible for WannaCry.
To which Matt Suiche tweets, “Shadow Brokers thinks it’s strange too that there are killswitches in the ransomware WannaCry.” He has written an extensive side-by-side comparison of code from WannaCry and known code from the Lazarus Group—the shadowy group behind the 2014 attack on Sony Pictures and the $81 million heist at Bangladesh Bank—and concludes that there’s a strong, if coincidental, link between WannaCry and North Korea.
The Shadow Brokers post continues:
In June, Shadow Brokers will announce “The Shadow Brokers Data Dump of the Month” service. We are launching a new monthly subscription model, like the wine of the month club. Each month you pay a membership fee, then members only get a data dump. What members do with it after the dump is up to them.
The Shadow Brokers Monthly Data Dump could include:
- web browser, router, handset exploits and tools
- select items from newer Ops Disks, including newer exploits for Windows 10
- compromised network data from more SWIFT providers and Central banks
- compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs
More details in June.
If a responsible party buys all lost data before it is sold, then Shadow Brokers will have no more financial incentives to be taking continued risks of operation and will go dark permanently. You have our Bitcoin address.
Remarkably, that last part, including the bullet items, reverts to standard English.
Matt Suiche tweets, “Shadow Brokers’ claim on Windows 10 implies they have files later than 2013. Did the NSA have a disagreement with a contractor?”
The Shadow Brokers rant lines up with what we’ve seen from the outside. You have to wonder if they’ve been privy to what’s been happening inside.
Discussion—and speculation—continues on the AskWoody Lounge.