Shadow Brokers teases more Windows exploits and cyberespionage data

The group plans to sell more Equation exploits and cyberespionage data through a subscription-based service

The Shadow Brokers are trying to sell what's left of the Equation cyber arsenal.
Credit: Michael Kan

A group of hackers that previously leaked alleged U.S. National Security Agency exploits claims to have even more attack tools in its possession and plans to release them in a new subscription-based service.

The group also has intelligence gathered by the NSA on foreign banks and ballistic missile programs, it said.

The Shadow Brokers was responsible for leaking EternalBlue, the Windows SMB exploit that was used by attackers in recent days to infect hundreds of thousands of computers around the world with the WannaCry ransomware program.

The group first appeared online in August and claimed that it had access to the arsenal of a cyberespionage group known in the security industry as the Equation, widely believed to be a hacking division of the NSA.

On Tuesday, following the WannaCry attacks, the Shadow Brokers posted a new message online in which it claims to have many more Equation exploits that haven't been leaked yet. The group wants to make them available as part of a new subscription-based service that it plans to launch in June.

The group initially released a set of hacking tools for routers and firewall products but claimed it had much more it was willing to sell for 10,000 bitcoins or more -- around US$12 million. After failing to attract any bids, the group dumped more information, including IP addresses of systems targeted by the Equation.

The Shadow Brokers eventually called it quits in January and disabled its online accounts, only to return in April in a surprise move that involved publishing the password for an encrypted archive containing many Linux and Windows exploits, as well as malware implants supposedly used by the Equation.

Most of the vulnerabilities targeted by the leaked exploits had already been patched by that time, including EternalBlue, which Microsoft fixed in March.

According to the hackers, data that will be leaked monthly through the new subscription service could include exploits for web browsers, routers, mobile devices, and Windows 10, as well as data extracted by the Equation during its cyberespionage operations. The information is supposed to include data stolen from SWIFT providers and central banks and data from "Russian, Chinese, Iranian, or North Korean nukes and missile programs."

What subscribers will do with these exploits and data will be up to them, the group said.

No one appears to have paid the Shadow Brokers for access to the Equation arsenal in the past, at least as far as is publicly known. The group has even expressed its frustration about this lack of interest in its offers.

It's unclear if a subscription-based model will attract more interest, with no price announced yet. However, given the group's track record of leaking legitimate information that many believe to be sourced from the NSA, it is likely that at some point, this data will become public, one way or another.
