Earlier this month, a piece of ransomeware known as WannaCry began spreading quickly across the globe and promptly commanded the world’s attention. Once WannaCry took hold of a machine, it encrypted all of a user’s files and demanded a payment of $300 in Bitcoin in order to retrieve them. Thankfully, an enterprising security researcher managed to inadvertently activate WannaCry’s kill-switch, and in the process, helped stopped it from infecting even more machines. By the time the dust settled, it’s believed that WannaCry infected more than 300,000 computers across more than 150 different countries.
What made WannaCry so interesting is that it was based off of an NSA exploit that was released by a murky and hyper-secretive hacking collective known as the Shadow Brokers. Indeed, just four weeks before WannaCry began to make headlines, the Shadow Brokers released a huge cache of NSA hacking tools and exploits for anyone to pore over and use. In the wake of WannaCry, the Shadow Brokers have promised to release even more NSA exploits in the future. According to a statement the group posted online two weeks ago, the new exploits will be made “as part of a new subscription-based service” it plans to launch in June.
With the Shadow Brokers thrusting themselves into the global spotlight, it’s rather impressive that no one quite knows who the group is or even where they might be located. In an effort to shed some light on the group, The Atlantic recently ran an in-depth piece detailing a number of possible explanations surrounding the group’s identity. And while all we can really work with at this point are educated guesses, the piece still provides a helpful look at how and when the Shadow Brokers came to attract so much attention.
The report does an impressive job of tracking the early beginnings of the hacking group while also explaining ways in which the group may have come into possession of the NSA’s hacking tools to begin with. Interestingly enough, the report relays that the exploits in the Shadow Brokers’ possession are so varied that they likely come from different “sources at the NSA.”
After explaining why the Shadow Brokers are unlikely to be a group of whistleblowers or even random hackers, the report turns its attention towards nation-state actors.
That leaves a nation state. Whoever got this information years before and is leaking it now has to be both capable of hacking the NSA and willing to publish it all. Countries like Israel and France are capable, but would never publish, because they wouldn’t want to incur the wrath of the U.S. Country like North Korea or Iran probably aren’t capable. (Additionally, North Korea is suspected of being behind WannaCry, which was written after the Shadow Brokers released that vulnerability to the public.) As I’ve written previously, the obvious list of countries who fit my two criteria is small: Russia, China, and—I’m out of ideas. And China is currently trying to make nice with the U.S.
But the problem with the Russia theory is, why? These leaked tools are much more valuable if kept secret. Russia could use the knowledge to detect NSA hacking in its own country and to attack other countries. By publishing the tools, the Shadow Brokers are signaling that they don’t care if the U.S. knows the tools were stolen.
Interestingly enough, the report suggests that the treasure trove of NSA hacking tools may have originated from an NSA leak that we don’t know much about. Bolstering this assertion, the report cites this excerpt from a late-2016 Washington Post article
But there was a second, previously undisclosed breach of cybertools, discovered in the summer of 2015, which was also carried out by a TAO employee, one official said. That individual also has been arrested, but his case has not been made public. The individual is not thought to have shared the material with another country, the official said.
Again, there’s no clear-cut answer as to who the Shadow Brokers actually are, but The Atlantic piece does a thorough job of running through all of the possibilities.