Shadow Brokers return to taunt U.S. government after ransomware spread

A mysterious group known for publishing highly classified computer code developed by the National Security Agency returned to the limelight Tuesday with a cryptic message concerning the future release of other government hacking tools and secretive information, including “network data from Russian, Chinese, Iranian, and North Korean nuclear missile programs.”

“TheShadowBrokers is having many more where coming from?” a lengthy message posted Tuesday morning by the peculiar group reads, claiming they own “75% of U.S. cyber arsenal.”

The message also cites the Equation Group, which has been observed operating in the wild by cybersecurity firm Kaspersky Lab and is believed to associated with an elite hacking unit within the NSA.

“This is theshadowbrokers way of telling theequationgroup ‘all your bases are belong to us.’ TheShadowBrokers is not being interested in stealing grandmothers’ retirement money. This is always being about theshadowbrokers vs theequationgroup.”

Since the Shadow Brokers posted their first message to the internet last August, they’ve repetitively talked about the Equation Group’s role in U.S. cyber-espionage efforts.

As part of the most recent message, Shadow Brokers promised to share additional government secrets on a monthly basis.

Via SB blog post

It remains unclear who is behind the Shadow Brokers or what their motive is. Some cybersecurity experts have speculated that the elaborate personality may be the work of Russian intelligence services.

A spokesperson for Swiss intelligence service, the Federal Intelligence Services, or FIS, told CyberScoop earlier this month that, “there is no strong indication that the person or group behind ShadowBrokers is an entity linked to a nation state actor, in particular to the Russian government.”

While some analysts originally theorized that the Shadow Brokers had stolen spy-agency-linked cyberweapons by breaking into a misconfigured, off-premise attack server, the subsequent and recent publication of an internal NSA PowerPoint slide effectively proved that the group acquired information that would only exist within a closed, classified environment. In other words, there is evidence to suggest the Shadow Brokers hold information that would only be available to an individual with previous access to interior databases.

On Tuesday, the group seemingly confirmed those suggestions by writing, “theshadowbrokers is deciding to show screenshots of lost theequationgroup 2013 Windows Ops Disk,” speaking in reference to an older blog post revealing technical capabilities. An “ops disk” in this context translates to a physical piece of hardware — likely a USB thumb drive — which was used to store hacking tools.

This latest message by the Shadow Brokers comes just days after the massive WannaCry ransomware campaign compromised upwards of 300,000 computers globally. The outbreak was able to quickly spread across the globe because it leveraged malicious computer code that was shared by the Shadow Brokers in April and likely developed by the NSA.