Breach, Threat Management, Data Security, Malware, Ransomware, Vulnerability Management

Shadow Brokers threatens monthly leak of more NSA tools to monthly subscribers

The Shadow Brokers group that has been leaking alleged NSA hacking tools, including an exploit and backdoor used in the May 11 WannaCry ransomware attack, is now threatening to launch a "Dump of the Month" service that will deliver more stolen tools and data to paying subscribers.

In a post on Steemit, the Shadow Brokers teased that content of future dumps could include exploits for web browsers, routers and handsets; exploits for Windows 10; compromised data from banks and the SWIFT financial messaging system; and compromised data from the nuclear and missile programs of Russia, China, Iran or North Korea.

There is no definitive proof that the Shadow Brokers actually possess this information, despite the legitimacy of its previous dumps.

The post also appears to urge a responsible party, such as the U.S. or a security company, to step up and purchase the remaining unpublished data and tools before it falls into the wrong hands.

In its latest communication, the group also taunts Microsoft Corporation, which issued a critical patch in March to address an SMB exploit called EternalBlue, which the Shadow Brokers later published in April. Users who failed to apply this patch were left susceptible to the aforementioned WannaCry campaign.

The timing of Microsoft's patch had led many observers to theorize that Microsoft was tipped off -- a point that was not lost on The Shadow Brokers, which accused Microsoft and other technology companies of working closely with the "Equation Group," a hacking collective that is widely reported to be the NSA. (The group also accuses other foreign intelligence services of employing the same tactic.) At the same time, the Shadow Brokers seems to accuse the NSA of withholding zero-day bugs from Microsoft, essentially pouring salt in the wound just days after Microsoft Chief Privacy Officer Brad Smith sharply criticized nation-states over the practice of stockpiling vulnerabilities.

Written as usual in broken English (likely intentionally to throw off investigators), the post also referenced the recent WannaCry attack, suggesting that the ransomware engaged in "strange behavior" for employing a kill switch. The Shadow Brokers also noted that there will be no dumps this month, because the group is too busy "eating popcorn and watching 'Your Fired' and WannaCry."

"Your Fired" presumably refers to President Donald Trump.

Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies, said in emailed comments that the Shadow Brokers' continuing campaign to dump and sell zero-days potentially "lessens the efficacy of the NSA and the other agencies that they have stolen exploits from." At the same time, "We also know those same agencies have been buying exploits on the black market and from legit exploit sellers… for years."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.