Who Are The Shadow Brokers?

The identity of the Shadow Brokers has become one of the biggest questions in the infosec industry this year, and Matt Suiche believes the evidence points to an insider threat rather than an external nation-state attacker.

Suiche, founder of managed threat detection company Comae Technologies, spoke at Black Hat 2017 about the Shadow Brokers, the entity which has been releasing files and hacking tools over the last year from the Equation Group, a hacking outfit connected to the US National Security Agency. 

Suiche explained how the behavior and tactics of the Shadow Brokers have over time revealed some clues about their background and general identity, which suggest the dumps are the work of disgruntled insiders who are either current or former intelligence community contractors.
"There's definitely a huge problem around insider threats," he said. "That's why I, personally, think and I would not be surprised to see the source of those files was another contractor."

While the group's blog posts are written in broken English that suggests Russian-speaking authors, Suiche said the language was likely an operations security (Opsec) tactic to obscure the true identities of the Shadow Brokers. Suiche said the people behind the Shadow Brokers group have "an interesting sense of humor" and demonstrated strong familiarity with the National Security Agency's Tailored Access Operation (TAO), which was the first sign that the Shadow Brokers were, in fact, insiders, rather than Russian threat actors. The group has also expressed anger at former members of TAO and threatened to reveal the identities of current TAO hackers.
"It seems like the Shadow Brokers know a lot about TAO as a team," he said.

Suiche said the US defense and intelligence communities employ tens of thousands of contractors, and a number of disgruntled insiders have come to light in recent years, including Edward Snowden and Harold Martin, both of whom worked as government contractors at Booz Allen Hamilton. "I don't know if we should say the intelligence community has an insider problem or if Booz Allen has an insider problem," he said.

The Shadow Brokers dumps started relatively small, Suiche said; the first batch of free exploits included bugs in many common firewall products. The group later followed up with Solaris operating system exploits, as well as more detailed information on proposed Equation Group targets, which included domains in countries like China and Iran. Another revealing pattern of behavior, according to Suiche, was the group's increased attempts over time to gain attention, and the expressions of anger and frustration when the level of attention didn't meet the group's expectations.

The Shadow Brokers, he said, clearly wanted more than just to dump and sell the Equation Group cyber-weapons; they wanted headlines as well.

Later dumps included detailed operational notes with code names not just for the cyber-weapons, but for prospective targets of hacking operations as well. Suiche mentioned one example where the operational notes indicated Equation Group had targeted different mobile service providers across the globe, likely in an effort to gain access to communications.
The biggest Shadow Brokers dump, which featured Windows exploits like EternalBlue and tools to access the Society for Worldwide Interbank Financial Telecommunication SWIFT messaging system, also contained a large amount of information about hacking operations, including un-redacted metadata, PowerPoint presentations and even the names of Equation Group members. 
"That one was pretty interesting," Suiche said. "It contained some tools but mainly operational notes regarding what happened to one of the SWIFT Service Bureau in the Middle East, and it was extremely detailed."
Suiche said this was when the "narrative of the Shadow Brokers kind of changed," as the level of information about the Equation Group's inner workings was embarrassing for the National Security Agency. "It's hard to believe the most powerful intelligence agency in the world is not doing any opsec," he said.

While the Shadow Brokers recently introduced a monthly service to sell the stolen cyber-weapons, Suiche doesn't believe that money is the group's motive, as asking for 1 million Bitcoin (currently over $2.7 billion) isn't a reasonable request. In his presentation, Suiche also emphasised that it's unclear whether anyone has actually received exploits purchased through the new monthly service.
"They're following a pattern where the price keeps doubling," he said, adding that creating "fear, uncertainty and doubt is definitely part of their strategy."

Suiche closed the presentation by, again, suggesting the Shadow Brokers were either current or former intelligence contractors and warned of the potential risks such individuals could pose to cyber-security. "It's kind of worrying to see the rising threat from some unreliable intelligence agency employees," he said.

TechTarget:

You Might Also Read:

Kasperky Identify The ‘Equation Group’:

Prices For Stolen NSA Exploits Go Higher:

Careless: NSA Hacking Tools Theft Due To Operative's 'Mistake':

 

« The US Power Generation System Is Under Siege
German Police To Hack Suspect Devices »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

National Cyber Security Centre Finland (NCSC-FI)

National Cyber Security Centre Finland (NCSC-FI)

The NCSC-FI develops and monitors the operational reliability and security of communications networks and services in Finland.

Thermo Systems

Thermo Systems

Thermo Systems is a design-build control systems engineering and construction firm. Capabilties include industrial control system cybersecurity.

Engineering Ingegneria Informatica

Engineering Ingegneria Informatica

Ingegneria Informatica is a leading Italian provider of Information Technology consulting, services and solutions including cyber security.

Nohau

Nohau

Nohau provide services for safe and secure embedded software development.

Exonar

Exonar

We enable organisations to better organise their information, removing risk and making it more productive and secure.

Temasoft

Temasoft

TEMASOFT is a software company focused on developing security and infrastructure products.

Gospel Technology

Gospel Technology

Gospel presents a totally new way of accessing and controlling data which is enterprise grade scalable, highly resilient, and secure.

SHIELD

SHIELD

SHIELD is an established end-to-end fraud management solution that blocks fraudulent activities such as account takeovers, fake accounts creation, fraudulent payments, loyalty fraud and more.

Liberty Mutual

Liberty Mutual

Liberty Specialty Markets offers specialty and commercial insurance and reinsurance products, including Cyber, across the USA, Europe, Middle East and other international locations.

Silicon Labs

Silicon Labs

Silicon Labs are a leader in secure, intelligent wireless technology for a more connected world. We provide award-winning hardware and software security to help safeguard connected devices.

E2E Technologies

E2E Technologies

E2E Technologies are a proactive, SLA-beating, managed service provider that busts the common stereotypes surrounding IT.

DataSixth Security Consulting

DataSixth Security Consulting

DataSixth delivers Cybersecurity Intelligence. With our unique capabilities, we’re able to deliver value, deliver answers, and deliver actionable security intelligence.

Secure Diversity

Secure Diversity

Secure Diversity is an innovative non-profit organization with leaders that think out of the box to create strategies & solutions to increase diversity in the cybersecurity industry.

Project Cypher

Project Cypher

Project Cypher leverages the latest cybersecurity developments, a world class team of hackers and constant R&D to provide you with unparalleled cybersecurity offerings.

RealDefense

RealDefense

RealDefense develops and markets various privacy, security and optimization technologies and services for consumers and small businesses.

Cakewalk

Cakewalk

Cakewalk is the new standard in easy Access Control. Trusted by IT & Security teams. Loved by employees.