The Shadow Brokers (TSB) is a hacker group that first appeared in the summer of 2016. They published hacking tools, including zero-day exploits, believed to belong to the "Equation Group," which is widely thought to be connected to the National Security Agency (NSA) of the United States. The tools and vulnerabilities revealed by the Shadow Brokers targeted enterprise firewalls, antivirus products, and Microsoft products. From their first announcement, the Shadow Brokers claimed the leaked material came from the Equation Group, which is linked to the NSA's Tailored Access Operations unit.
Name and alias
Several news sources said the group's name probably comes from a character in the Mass Effect video game series. Matt Suiche quoted a description of this character: "The Shadow Broker is a person who leads a large organization that sells information to the highest bidder. The Shadow Broker is very skilled at their job. All secrets bought and sold do not give any customer a big advantage, so customers keep buying and selling information to stay even. This helps the Shadow Broker's business stay successful."
Leak history
The exact date when the leak began is not known, but reports suggest that preparation started in early August 2016. On August 13, 2016, a Twitter account named "@shadowbrokerss" posted a message announcing a Pastebin page and a GitHub repository. These pages contained information and instructions for obtaining and decrypting a file that supposedly contained tools and methods used by the Equation Group. Initially, the authenticity of the material was in doubt.
On October 31, 2016, The Shadow Brokers shared a list of servers that were allegedly hacked by the Equation Group. They also listed seven tools (DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK, and STOICSURGEON) that the group reportedly used.
On April 8, 2017, The Shadow Brokers posted an update on their Medium account. The post provided a password to access encrypted files from the previous year. These files were said to contain additional tools used by the NSA. The post mentioned that this action was partly a response to President Trump's attack on a Syrian airfield, which was also used by Russian forces.
On April 14, 2017, The Shadow Brokers released several tools and methods, including DANDERSPRITZ, ODDJOB, FUZZBUNCH, DARKPULSAR, ETERNALSYNERGY, ETERNALROMANCE, ETERNALBLUE, EXPLODINGCAN, and EWOKFRENZY.
Experts described this leak as "the most damaging release yet." CNN quoted Matthew Hickey, who said, "This might be the most harmful event in recent years."
The vulnerabilities exploited by some of the leaked tools targeting Microsoft Windows had already been patched in a Microsoft security update released on March 14, 2017, one month before the leak. This led to speculation that Microsoft had been warned about the leak in advance by the NSA.
Within two weeks of the leak, over 200,000 systems had been infected using tools from the leak. In May 2017, the WannaCry ransomware attack used the ETERNALBLUE exploit to spread. The same exploit was also used in the NotPetya cyberattack on June 27, 2017.
The ETERNALBLUE exploit can be used to install the DoublePulsar backdoor. Compromised systems can then be controlled through the DanderSpritz Listening Post software.
Speculations and theories on motive and identity
James Bamford and Matt Suiche suggested that an insider, possibly someone working with the NSA's Tailored Access Operations unit, may have stolen the hacking tools. In October 2016, The Washington Post reported that Harold T. Martin III, a former Booz Allen Hamilton contractor accused of stealing about 50 terabytes of data from the National Security Agency (NSA), was the prime suspect. Martin had worked in a support role for the NSA's Tailored Access Operations from 2012 to 2015. In 2019, he pleaded guilty to willful retention of national defense information, but it remains unclear whether the Shadow Brokers obtained their material from him. The Shadow Brokers continued to post cryptographically signed messages and to communicate with the media while Martin was in custody.
Edward Snowden wrote on Twitter on August 16, 2016, that "clues and common beliefs suggest Russia is responsible" and that the leak "may be a warning that someone could prove U.S. involvement in attacks linked to this malware server." He summarized that it seemed "someone is sending a message that a bigger conflict over who is responsible could quickly become complicated."
The New York Times connected the event to the hacking of the Democratic National Committee and the emails of John Podesta. As U.S. intelligence agencies considered responding to attacks, the Shadow Brokers' release of code was seen as a warning: "If you retaliate for the D.N.C. attack, there are many more secrets, such as those from hacks of the State Department, the White House, and the Pentagon, that could also be revealed." A government official compared the situation to a scene in The Godfather where a horse's head is placed in a bed as a warning.
In 2019, David Aitel, a computer scientist who once worked for the NSA, said, "I don’t know if anyone knows for sure, and we don’t even know if it’s the Russians. At this point, many possibilities exist."