Uncovering the Shadow Brokers

Origin country: Unknown
Other names: “TSB”, “TheShadowBrokers”
First seen: 2016
Famous attacks: “Attack on Equation group – NSA”
TTPs: Data Leakage, Vulnerability Exploit

About the group

The Shadow Brokers is a group of hackers who managed to breach one of the NSA’s elite cyber intelligence units, also known as the Equation Group. Shadow Brokers were considered dominant in 2017, as they exposed several major vulnerabilities and tools that led to some of the biggest attacks in 2016.

Famous attack

In August 2016, Shadow Brokers claimed to have breached the computer systems used by the Equation Group and released a sample of stolen data, as well as other encrypted files whose decryption key they offered for sale in a bitcoin auction. The code leaked by TSB belongs to an offensive hacking toolkit used by the Equation Group, claimed to be a more potent cyber-weapon than Stuxnet and the like. In late October 2016, Shadow Brokers published yet another leak. This time it contained a list of foreign servers allegedly compromised by the Equation Group in various countries in order to expand its espionage operations. In April 2017, the group leaked information on an NSA campaign which targeted financial institutions in the Middle East. The campaign, called JeepFlee_Market, compromised a SWIFT bureau named Eastnets, which collected information on the transactions of several banks and financial institutions that used its services.

“EternalBlue” vulnerability connection to “WannaCry” ransomware attack

Eternal Blue was developed by the NSA, reportedly by the Tailored Access Operations unit. This unit, which has since been renamed, is tasked with infiltrating foreign computer networks. Eternal Blue originally allowed US spy agencies to hack Windows computers by exploiting vulnerabilities in the system’s file sharing and printing protocol. Shadow Brokers leaked this tool online in the second half of 2016, along with other tools developed by the US government. It was prominently used in a global cyber attack, in which hackers repackaged it into ransomware called ‘WannaCry’. WannaCry hit many organizations, one of the largest being the British NHS. Though Microsoft had already released patches for said vulnerabilities in March 2017, many users, mainly in the government and education sectors, failed to update their computers and thus remained vulnerable.
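The file sharing protocol the paragraph refers to is SMB, and the exploited code path lives in the legacy SMBv1 implementation. As an added example (not part of the original post or any IntSights tooling), the following PowerShell audit reports whether a Windows host still exposes SMBv1 and whether the administrator-supplied March 2017 hotfix IDs are installed; the `-RequiredKBs` values are placeholders because the relevant KB numbers differ per Windows build.

```powershell
# Added example: audit a Windows host for the SMBv1 exposure EternalBlue relied on.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated session.
# $RequiredKBs is a placeholder: supply the MS17-010 KB IDs for your OS build.
param(
    [string[]]$RequiredKBs = @(),
    [switch]$Remediate
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Server-side SMBv1 still switched on?
$smbCfg = Get-SmbServerConfiguration
if ($smbCfg.EnableSMB1Protocol) {
    $findings.Add("SMBv1 server protocol is enabled")
}

# 2. SMB1Protocol optional feature still installed?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($feature.State -eq 'Enabled') {
    $findings.Add("SMB1Protocol Windows feature is installed")
}

# 3. Is anything listening on TCP/445 (the port SMB is served on)?
$listener = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listener) {
    $findings.Add("TCP/445 is listening; confirm host firewall scopes it to trusted networks")
}

# 4. Are the required hotfixes present? Get-HotFix lists installed KBs.
$installed = (Get-HotFix).HotFixID
foreach ($kb in $RequiredKBs) {
    if ($installed -notcontains $kb) {
        $findings.Add("Required hotfix $kb is missing")
    }
}

# 5. Optional remediation: turn SMBv1 off at both layers (reboot may be needed).
if ($Remediate -and $smbCfg.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    $findings.Add("Remediation applied: SMBv1 disabled")
}

if ($findings.Count -eq 0) { "No SMBv1 exposure found on $env:COMPUTERNAME" }
else { $findings | ForEach-Object { "[$env:COMPUTERNAME] $_" } }
```

Run it read-only first across a fleet (for example via remoting) to inventory exposure, then rerun with `-Remediate` on hosts where no dependency on SMBv1 remains.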
