The Shadow Brokers publishing the NSA vulnerabilities (2016)

From International cyber law: interactive toolkit
Jump to navigation Jump to search
Date August 2016
Suspected actor A group of hackers called The Shadow Brokers (TBS)[1]
Target The United States National Security Agency (NSA)
Target systems N/A
Method The TBS claimed to have hacked the Equation Group, the attacking team branch believed to be operated by the NSA.[2] The leaking material could come from a compromised NSA staging server (the one used for attacking) or from a mistake of a NSA employee who used the tools and left them exposed on a remote computer.[3] However, as reported by the ENISA, the true origin of the of the leaked file is as hard as the attribution of the attack per se.[4]
Purpose Unknown
Result The TBS group released and auctioned off a series of hacking tools developed by the NSA.[5] The hacking tools leaked by the TBS were intended to exploit a number of vulnerabilities in Cisco routers, Microsoft Windows based systems, Linux mail servers.[6] The leaks also included a working directory of an NSA analyst breaking into the SWIFT banking network.[7]
Aftermath Even though it has been reported that the leaked material has been stolen in 2013,[8], [9] users have been able to update the hacking tools by readapting them. For instance, the “EXTRABACON” exploit has been modified in order to render it effective even for newer version of Cisco’s targeted softwares.[10] Besides, in 2017, TBS published “ETERNALBLUE”, the exploit that has been used as part of the WannaCry campaign during the same year.[11]

The leaking reveals the risk behind the secret development of hacking tools by national security agencies which are not often willing to disclose software vulnerabilities to the software houses. [12]

Analysed in Scenario 07: Leak of State-developed hacking tools

Collected by: Samuele De Tomas Colatin

  1. S Gibbs, “Shadow Brokers threaten to unleash more hacking tools”, (17 May 2017), The Guardian.
  2. T Brewster, “NSA Hacked? 'Shadow Brokers' Crew Claims Compromise of Surveillance Op”, (15 August 2016), Forbes.
  3. J Menn, J Walcott, “Exclusive: Probe of leaked U.S. NSA hacking tools examines operative's 'mistake'”, (23 September 2016), Reuters.
  4. ENISA Cyber Security Info Notes, “The “Shadow Brokers” Story”, (5 October 2016), The European Union Agency for Network and Information Security (ENISA).
  5. S Biddle, “The NSA leak is real, Snowden documents confirm”, (19 August 2016), The Intercept.
  6. B Schneier, “Who are the Shadow Brokers?”, (23 May 2017), The Atlantic.
  7. C Baldwin, J Menn, “Hacker documents show NSA tools for breaching global money transfer system”, (16 April 2016), Reuters.
  8. B Schneier, “Who are the Shadow Brokers?”, (30 May 2017), Schneier on Security Blog.
  9. D Goodin, “Mysterious Microsoft patch killed 0-days released by NSA-leaking Shadow Brokers”, (15 April 2017), Ars Technica.
  10. D Goodin, “NSA-linked Cisco exploit poses bigger threat than previously thought”, (23 August 2016), Ars Technica.
  11. A NG, “Hackers behind stolen NSA tool for WannaCry: More leaks coming”, (16 May 2017), CNET.
  12. E Buzas, “Hackers Hit ‘Some’ Cisco Customers With Leaked NSA Hacking Tools”, (19 September 2016), Motherboard.