Shadow Brokers announce monthly data dump service

May 16, 2017
Cybercrime | Data and Information Security | Internet Security

The group claims the dump of the month club may include NSA-linked Equation Group exploits for Windows 10, routers, web browsers, compromised data from nuke programs and SWIFT providers


The Shadow Brokers are back once again, offering buyers not just exploits, but also “compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs.”

Seemingly capitalizing on the success of WannaCry ransomware, which used EternalBlue and DoublePulsar—tools developed by the NSA’s Equation Group—the Shadow Brokers want to sell new exploits every month to people who pay a membership fee.

The hacking group dubbed its new monthly subscription model “TheShadowBrokers Data Dump of the Month”; the service kicks off in June. The Shadow Brokers claim not to care what Data Dump of the Month service members do with the exploits. The group teased:

TheShadowBrokers Monthly Data Dump could be being:

  • web browser, router, handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and Central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

The group followed that with a statement in all capital letters, which is likely aimed at the NSA, claiming there would be no dump of the month and the group would permanently go dark “if a responsible party” buys all the stolen data before it is sold.

After all, the group claims that every failed attempt at making money has really “always being about theshadowbrokers vs theequationgroup.”

The latest Shadow Brokers post criticizes global tech corporations, as well as governments, for not buying exploits in the past and thereby saving the public from an attack such as WannaCry. In particular, the group called out the following for not caring about security and public safety by buying the Equation Group’s “lost warez”:

But theequationgroup didn’t buy back lost warez. The Five Eyes, Russia, China, Iran, Korea, Japan, Israel, Saudi, the UN, NATO, no government or countries didn’t buy lost warez. Cisco, Juniper, Intel, Microsoft, Symantec, Google, Apple, FireEye, any other bullshit security companies didn’t buy lost warez.

Conspiracies: NSA paying U.S. tech companies not to patch?

Conspiracy plays a central theme in the post, as the Shadow Brokers claim the NSA is paying U.S. tech companies not to patch. Except the Equation Group didn’t let Microsoft know about all the zero days, the group claims. At least not until the Shadow Brokers released screenshots of the Equation Group’s stolen “2013 Windows Ops Disk.” That holding back of exploits, in theory, is the reason why Microsoft’s Chief Legal Officer, Brad Smith, was so mad about WannaCry and the U.S. government stockpiling vulnerabilities.

The Shadow Brokers used several colorful insults for Microsoft’s top attorney, accusing Microsoft of being BFFs with the Equation Group and having huge contracts that result in Microsoft getting paid millions or billions each year.

The Shadow Brokers made the screenshots available in January. The NSA supposedly realized what the Shadow Brokers had and told Microsoft. Microsoft took the unprecedented step of skipping Patch Tuesday in February and then, in March, released the fix for the SMB (Server Message Block) flaw that WannaCry later exploited; the Shadow Brokers did not dump that exploit until April.

A similar situation happened with Oracle, the group claims, but it didn’t list the timeline of Oracle patching a “huge number of vulnerabilities” after purportedly being given a heads-up by the NSA about the Shadow Brokers-held exploits.

The group wrote:

In April, 90 days from theequationgroup show and tell, 30 days from Microsoft patch, theshadowbrokers dumps old Linux (auction file) and windows ops disks. Because why not? TheShadowBrokers is having many more where coming from? “75% of U.S. cyber arsenal

TheShadowBrokers dumped 2013 OddJob from ROCTOOLS and 2013 JEEPFLEAMARKET from /TARGETS. This is theshadowbrokers way of telling theequationgroup “all your bases are belong to us”. TheShadowBrokers is not being interested in stealing grandmothers’ retirement money. This is always being about theshadowbrokers vs theequationgroup.

(emphasis mine)

NSA allegedly has ‘spies’ inside U.S. tech corporations

But wait, there’s more, as the group claims the Equation Group has spies inside Microsoft and other U.S. tech corporations. The NSA’s hacking group also supposedly has former employees “working in high up security jobs” at those top tech companies.

The Shadow Brokers added:

TheShadowBrokers is thinking Google Project Zero is having some former TheEquationGroup member. Project Zero recently releasing “Wormable Zero-Day” Microsoft patching in record time, knowing it was coming? coincidence?

Last but not least, before announcing its monthly data dump club, the Shadow Brokers pointed out how odd WannaCry is for crimeware. “Is being very strange behavior for crimeware? Killswitch? Crimeware is caring about target country?”

It’s unknown if the Shadow Brokers actually have more NSA-linked Equation Group exploits to start selling off every month to members in this latest attempt to get the NSA to pay up or otherwise make money. The threat to release monthly data dumps, like a wine of the month club, starts in June.

Ms. Smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.