Who Are The Shadow Brokers?

The identity of the Shadow Brokers has become one of the biggest questions in the infosec industry this year, and Matt Suiche believes the evidence points to an insider threat rather than an external nation-state attacker.

Suiche, founder of managed threat detection company Comae Technologies, spoke at Black Hat 2017 about the Shadow Brokers, the entity which has been releasing files and hacking tools over the last year from the Equation Group, a hacking outfit connected to the US National Security Agency. 

Suiche explained how the behavior and tactics of the Shadow Brokers have over time revealed some clues about their background and general identity, which suggest the dumps are the work of disgruntled insiders who are either current or former intelligence community contractors.
"There's definitely a huge problem around insider threats," he said. "That's why I, personally, think and I would not be surprised to see the source of those files was another contractor."

While the group's blog posts are written in broken English that suggests Russian-speaking authors, Suiche said the language was likely an operations security (Opsec) tactic to obscure the true identities of the Shadow Brokers. Suiche said the people behind the Shadow Brokers group have "an interesting sense of humor" and demonstrated strong familiarity with the National Security Agency's Tailored Access Operation (TAO), which was the first sign that the Shadow Brokers were, in fact, insiders, rather than Russian threat actors. The group has also expressed anger at former members of TAO and threatened to reveal the identities of current TAO hackers.
"It seems like the Shadow Brokers know a lot about TAO as a team," he said.

Suiche said the US defense and intelligence communities employ tens of thousands of contractors, and a number of disgruntled insiders have come to light in recent years, including Edward Snowden and Harold Martin, both of whom worked as government contractors at Booz Allen Hamilton. "I don't know if we should say the intelligence community has an insider problem or if Booz Allen has an insider problem," he said.

The Shadow Brokers dumps started relatively small, Suiche said; the first batch of free exploits included bugs in many common firewall products. The group later followed up with Solaris operating system exploits, as well as more detailed information on proposed Equation Group targets, which included domains in countries like China and Iran. Another revealing pattern of behavior, according to Suiche, was the group's increased attempts over time to gain attention, and the expressions of anger and frustration when the level of attention didn't meet the group's expectations.

The Shadow Brokers, he said, clearly wanted more than just to dump and sell the Equation Group cyber-weapons; they wanted headlines as well.

Later dumps included detailed operational notes with code names not just for the cyber-weapons, but for prospective targets of hacking operations as well. Suiche mentioned one example where the operational notes indicated Equation Group had targeted different mobile service providers across the globe, likely in an effort to gain access to communications.
The biggest Shadow Brokers dump, which featured Windows exploits like EternalBlue and tools to access the Society for Worldwide Interbank Financial Telecommunication SWIFT messaging system, also contained a large amount of information about hacking operations, including un-redacted metadata, PowerPoint presentations and even the names of Equation Group members. 
"That one was pretty interesting," Suiche said. "It contained some tools but mainly operational notes regarding what happened to one of the SWIFT Service Bureau in the Middle East, and it was extremely detailed."
Suiche said this was when the "narrative of the Shadow Brokers kind of changed," as the level of information about the Equation Group's inner workings was embarrassing for the National Security Agency. "It's hard to believe the most powerful intelligence agency in the world is not doing any opsec," he said.

While the Shadow Brokers recently introduced a monthly service to sell the stolen cyber-weapons, Suiche doesn't believe that money is the group's motive, as asking for 1 million Bitcoin (currently over $2.7 billion) isn't a reasonable request. In his presentation, Suiche also emphasised that it's unclear whether anyone has actually received exploits purchased through the new monthly service.
"They're following a pattern where the price keeps doubling," he said, adding that creating "fear, uncertainty and doubt is definitely part of their strategy."

Suiche closed the presentation by, again, suggesting the Shadow Brokers were either current or former intelligence contractors and warned of the potential risks such individuals could pose to cyber-security. "It's kind of worrying to see the rising threat from some unreliable intelligence agency employees," he said.

TechTarget:

You Might Also Read:

Kasperky Identify The ‘Equation Group’:

Prices For Stolen NSA Exploits Go Higher:

Careless: NSA Hacking Tools Theft Due To Operative's 'Mistake':

 

« The US Power Generation System Is Under Siege
German Police To Hack Suspect Devices »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

FT Cyber Resilience Summit: Europe

FT Cyber Resilience Summit: Europe

27 November 2024 | In-Person & Digital | 22 Bishopsgate, London. Business leaders, Innovators & Experts address evolving cybersecurity risks.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Perforce Software

Perforce Software

Perforce helps companies build complex software products more collaboratively, securely, and efficiently.

Center for a New American Security (CNAS)

Center for a New American Security (CNAS)

CNAS is the nation's leading research institution focused on defense and national security policy. Cyber security issues are an intrinsic element of the national security debate.

Bloombase

Bloombase

Bloombase is the leading innovator in Next-Generation Data Security solutions for Global 2000-scale organizations

Kent Interdisciplinary Research Centre in Cyber Security (KirCCS) - University of Kent

Kent Interdisciplinary Research Centre in Cyber Security (KirCCS) - University of Kent

KirCCS harnesses expertise across Kent University to address current and potential cyber security challenges.

Emerson Electric Co

Emerson Electric Co

Emerson provides industrial automation systems and associated cybersecurity solutions to protect critical process control systems from cyber attack.

CryptTalk

CryptTalk

CryptTalk is an easy-to-use secure communication service.

SafenSoft (SnS)

SafenSoft (SnS)

SafenSoft delivers high-efficiency, low-impact proactive protection against malware, insider threats, and confidential data leakage.

ExpressVPN

ExpressVPN

ExpressVPN is a Virtual Private Network services provider offering secure encrypted access to the internet.

Smarttech247

Smarttech247

Smarttech247 deliver a range of cyber security solutions, including cognitive security services using IBM Watson for Cybersecurity, SIEM, Compliance & Governance, and Penetration Testing.

Purple Security

Purple Security

Purple Security arises from the association of specialists in offensive security (ethical hackers, white hats) and experts in insurance, compliance and implementation of industry standards.

Marcus Donald People

Marcus Donald People

Marcus Donald People is a UK IT recruitment specialist covering the following sectors: Infrastructure & Cloud, Information Security, Development, Business transformation.

Alias Robotics

Alias Robotics

Alias Robotics is a robot cyber security company. We deliver cyber security solutions for robots and robot components.

boxxe

boxxe

boxxe create flexible IT infrastructures, collaborative global workspaces and data clarity, all underpinned by world-leading security.

Moro Hub

Moro Hub

Moro Hub, a subsidiary of Digital DEWA, is a UAE-based digital data hub focused on digital transformation and operational services.

Tozny

Tozny

Tozny offers products with security and privacy in mind that are built on the foundation of end-to-end encryption, and open-source verifiable software.

Bores Security Consultancy

Bores Security Consultancy

Bores Security Consultancy are an established family-run business delivering expertise in security and technology.

JanBask Training

JanBask Training

JanBask Training is a dynamic, highly professional, global online training provider committed to propelling the next generation of technology learners with a whole new way of training experience.