The Shadow Brokers

Part One: Auction

In August of 2016, a mysterious hacker collective began releasing files and folders stolen directly from the NSA, which appeared to be legitimate cyber-weapons created by U.S. intelligence. Over the next several months, the unknown entity calling itself “The Shadow Brokers” was prepared to auction off even more of these cyber-weapons to the highest bidder…

Think back to where you were a little over three years ago, in August of 2016.

The 2016 Summer Olympics - held in Rio de Janeiro - had just wrapped up. San Francisco 49ers quarterback Colin Kaepernick was making headlines for kneeling during the National Anthem. The United Kingdom was trying to decide how best to handle Brexit, with Prime Minister David Cameron resigning the month prior and longtime Home Secretary Theresa May taking over. And - of course - there was the US Presidential Election, which was still months away, but dominating news headlines everywhere.

In July of 2016, one of America's two established political parties, the Democratic National Committee - known as the DNC - had been hacked. This hack remains a hot-button issue today (over three years later), but I won't discuss the politics of it... rather, the underlying nature of the story, which was the hack itself. This hack had brought the topic of cybersecurity and cyber-intelligence to the forefront of global politics, but the discussion only really scratched the surface of the issue, with liberal and conservative media figures alike focusing solely on how it affected the current political climate.

This was the environment of the world on August 27th, 2016, when a government raid was taking place in Glen Burnie, Maryland, a suburb on the outskirts of Baltimore.

That Saturday, dozens of FBI agents - wearing dark, tactical uniforms and armed with a variety of semi-automatic rifles and pistols - began swarming a quiet neighborhood. This intrusion shut the street down to through-traffic, as the agents surrounded a single home. Moments later, the piercing crack of a flashbang grenade marked the beginning of a siege, and agents quickly had a man in custody, who had surrendered peacefully.

The man was Harold T. Martin III, a middle-aged government contractor who was - at the time, at least - employed by Booz Allen Hamilton, an organization that has been dubbed by Bloomberg "the world's most profitable spy organization." Booz Allen Hamilton employs approximately 25,000 people around the world - many of whom are ex-military. The company handles a lot of different matters for government agencies, but deals primarily in intelligence and cyber-intelligence, working closely with organizations like the NSA.

You may recall the name Booz Allen Hamilton for being the company that employed Edward Snowden, the infamous whistleblower who exposed the NSA's global surveillance system.

Well, Harold Martin was another one of the contractors employed by Booz Allen Hamilton, who had maintained his security clearance from years prior, when he had served in the US Navy. Following his service, he had gone into computing, and had since worked for numerous government agencies, including the NSA. There, he had specialized in cyber intelligence, and is believed to have once worked with the Tailored Access Operations unit within the NSA... one of, if not the, most elite cyber-intel group in the world.

Martin had since gone on to the private sector - hence his employment with Booz Allen Hamilton, a contracting firm - and through them, he had continued his work with the Department of Defense. At least, up until August of 2016.

So why exactly were government agents raiding his home on this random Saturday at the end of summer? Well, it turns out that Harold Martin III's story wasn't too different from Edward Snowden himself. Over roughly two decades of working in cyber-intelligence, Martin had been stockpiling secrets: classified information that he was not supposed to disclose, or even acknowledge outside of his workplace. These were the kind of secrets that could change lives... and maybe even end them.

You see, Harold Martin had spent years stockpiling millions of pages of classified intelligence; most of which was stored on more than 50 terabytes of hard drives. He had kept these hard drives and miscellaneous documents in his home, his unlocked shed in the backyard, and even his car... some of the documents could be read by simply looking in his car windows. It was a major gap in national security, made all the more shocking as investigators learned just how brazen Martin had been in this theft. He had hoarded virtually every piece of intelligence he could get his hands on, and the information he possessed was comparable with most other nations' entire cyber-arsenal (if not even more impressive).

It would be several months before the details of Harold Martin's arrest would be publicly disclosed, due to privacy issues with the case itself; which the Justice Department described as posing "exceptionally grave danger" to national security. But by the time the story was disclosed, many had already started to speculate about why this rather-unexceptional government contractor had been arrested and then immediately terminated by Booz Allen Hamilton.

This entire incident was likely related to a major leak from earlier in the month, which had potentially exposed game-changing government secrets to the world at-large... and put even more secrets up for auction to the highest-bidder. This "hack" (if you can call it that) had been perpetrated by a mysterious hacker collective, who identified themselves not as a single person, but an ominous epithet that paid homage to a sci-fi video game series.

This is the story of the Shadow Brokers.

On Monday, August 15th, 2016 - nearly two weeks before the arrest of Harold Martin in Maryland - a mysterious individual had posted on Github (a large software repository used by millions of people). The post itself was long and made in broken English - making it hard to understand at times, reading like a deranged and poorly-translated manifesto - but the message it was trying to get across was clear.

"Attention government sponsors of cyber warfare and those who profit from it. How much you pay for enemies cyber weapons? Not malware you find in networks... We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy! You break many things. You find many intrusions. You write many words. But not all, we auction the best files."

This was the first post made by a mysterious person calling themselves "The Shadow Brokers," and - in addition to taking aim at the all-encompassing "wealthy elites" - they seemed to be targeting a shadowy organization known as the Equation Group.

The Equation Group is a name given to a top-secret threat actor that is believed to be tied to the NSA's Tailored Access Operations... basically, the cyber equivalent of Seal Team 6, another group clouded in secrecy. Among cyber-attack groups in the world, the mysterious Equation Group is among the most well-funded and advanced, who have been involved in some of the most controversial and infamous cyber-attacks in world history (such as Stuxnet, a specially-designed malware which crippled Iran's nuclear weapons program years ago).

This was a surprising target, because - for the most part - Equation Group is and was a classified project, whose details have remained highly guarded for over two decades. Yet the person who made this post on Github - calling themselves "The Shadow Brokers" - claimed to have infiltrated and hacked the Equation Group... perhaps the most advanced cyber unit in the world, which has been described as "omnipotent" by foreign security firms. They claimed to have done so by simply following the group's traffic for some time, and managing to steal information with impunity... allegedly, at least.

The Shadow Brokers claimed to have hacked the most secretive wing of the NSA and stolen numerous cyber-weapons: stuff similar to the Stuxnet malware, which had crippled Iran's nuclear program. These were the types of programs that could make or break an entire nation, and could either be utilized by the recipient or repurposed and resold.

Along with the post on Github, the person calling themselves The Shadow Brokers had announced that the entirety of their collection had been uploaded online, but was password-protected and encrypted. Instead of releasing all of the files at-once, they were going to be auctioning off the entire collection to the highest bidder. They provided a link to a Bitcoin address - where interested parties could send in their bids in the anonymous cryptocurrency - but cautioned that there would be no refunds. Once you submitted a bid, that was it - you were hoping to get the entire thing. However, there was a catch...

The Shadow Brokers claimed that if they were to receive one million bitcoins in total bids - not just from one person, but from everybody - they would release the password to the entire folder, which contained all of the information they had stolen from the NSA. This was, however, a pretty unattainable goal, due to the skyrocketing price of bitcoin, meaning that their asking price - 1 million bitcoin - was worth approximately half-a-billion US dollars.

Alongside the auction announcement, the Shadow Brokers released a batch of files to prove that this was no hoax. In their post, they linked to a Dropbox folder and torrent sites, where they had uploaded a number of minor hacking tools (or, at least, partial samples of these hacking tools). These were files that seemed to have come directly from the NSA itself, and included files that bore the names:

- Egregiousblunder

- Eligiblebachelor

- Epicbanana

- Extrabacon

- Buzzdirection

- Jetplow

- Polarsneeze

While some of those sound like total nonsense - and others sound like menu items from Red Robin - many of these names fit in with the naming conventions used by the NSA's cyber unit. And, in fact, some of them even seemed to correspond with files and document names released by Edward Snowden in 2013.

If so, these files - which, again, were just a small sample of the NSA's tools allegedly stolen by this mysterious hacking group - seemed to point towards unknown exploits in Cisco, Fortinet, Juniper, and Huawei products. This would put millions of people's data at risk - if not billions - and could spell certain doom for countless businesses and organizations that relied upon these companies for security or networking.

One unnamed employee of Tailored Access Operations - the NSA group targeted by these hackers - told the Washington Post about these leaked files:

"Without a doubt, they're the keys to the kingdom. The stuff you're talking about would undermine the security of a lot of major government and corporate networks both here and abroad."

Over the next several days, numerous experts would weigh in and announce their belief that this breach was legitimate. The small sample of files and folders released by The Shadow Brokers appeared to be real hacking tools developed by the NSA. From there, the question began evolving from "is this real?" to "how did this happen?"

The response to this post from the world at large was mostly shock. A hack of this magnitude had never been seen before: the 2013 Snowden leak paled in comparison, as did the 2016 hack of the DNC, which had just hit the news the month prior.

The only thing that really compared were some choice releases by WikiLeaks, the organization set up by Julian Assange, which had been releasing classified government documents and intel for years at this point. They had not released any cyber-weapons (or anything quite on this level) at this point, but had released content that was just as destructive in nature.

Immediately, it was believed that this breach could be related to WikiLeaks or the separate hacking collective behind the DNC hack; in which case, this could have been a political ploy by a state actor to influence the upcoming election in some way. Maybe it was even Russia, who were already in the midst of a disinformation campaign to sway voters, and whose involvement in the election has not been fully unveiled as of yet.

Tech bloggers and journalists began to dig into the accounts that had posted this cryptic message; the entity calling itself "The Shadow Brokers," a name that had likely been stolen from the video game series Mass Effect (which, to break the 4th wall for just a moment, is possibly my favorite video game series of all-time). In that series, a singular character named "The Shadow Broker" controls the sale and distribution of information throughout the galaxy, using it to manipulate things to fit his or her purpose. This character seems to have served as a direct inspiration for this mysterious group or individual, who had adopted the name as their own.

In addition to posting their message on Github, they had posted a mirror version on Tumblr, and started spamming links to it on social media sites like Twitter and Reddit (which allowed them to post anonymously, under a Shadow Broker handle). They had created these accounts in the weeks leading up to the post, and had even started trying to build up a buzz for the auction by (unsuccessfully) attracting the attention of tech publications and bloggers.

In the creation of these numerous online accounts, the Shadow Brokers had used a Tutanota email address, which is an encrypted service that does not log IP addresses. This meant that their origin point could not be traced, and neither could their IP address. By their very nature, they existed only in the shadows of the internet.

The original post on Github was removed shortly after its publication, but the information had been screenshotted by many and was still available on Tumblr and Reddit.

The Shadow Brokers - whoever they were - had gotten their wish. The story was everywhere at this point, and was not only being covered by tech bloggers and those in the industry... but major news publications like the AP, CNN, Washington Post, Vice, and the New York Times.

Now that the information was out there, journalists and cyber-security experts began to look it over, hoping to find that this was all a massive hoax of some kind. Surprisingly, though, the files released by the Shadow Brokers seemed legit. They were definitely not just forgeries thrown together by a scammer.

In all likelihood, the files had been stolen directly from a server used by the NSA; in particular, the Equation Group, the super-secret wing of the Tailored Access Operations unit, which the Shadow Brokers had called out in their post. And these files were not just simple tools used by the NSA for collecting information... they were full-on exploits, which could be considered cyber-weapons because of the havoc they could wreak if put into the wrong hands. A Vice Motherboard article written by Joseph Cox stated about this original batch of files released by the Shadow Brokers:

"A summary written by security researcher Mustafa Al-Bassam suggests some of the exploits allow remote code execution, meaning an attacker could run their own commands on the targeted system, while others grant privilege escalation, so a hacker could potentially get administrative powers on the machine. This means someone who has these exploits could potentially break into a firewall, use one of the tools to install their own software on the target network, and then spy on the users."

In that same article, journalist Joseph Cox goes on to detail other potential uses for these tools, which include implanting on a foreign network, encrypting and sending files without the user noticing, and even firewall exploitation (which could bypass security measures entirely). These were kingmaker-level exploits, which could destroy entire companies or countries if used improperly.

Surprisingly, the most recent files in this batch seemed to be dated to October of 2013, which happened to be right around the time that Edward Snowden had gone public with his own information leak. This would correspond to when the NSA and its affiliates would have started heightening security, making it harder for infiltrators to steal anything (physically or digitally). It was likely that whoever the Shadow Brokers were, they had obtained this information back then, and had been sitting on it for quite some time... which hinted at this not being a for-profit black hat, but rather, a hacktivist, who was releasing this information for a reason. To make a point of some kind.

Funnily enough, Edward Snowden took to Twitter the day after the publication of this leak - August 16th, 2016 - and confirmed that this hack looked legitimate. He said that the hack was "not unprecedented, but the publication of the take is," which seemed to fit in with the hacktivist theory. The information looked real to him (matching up with folder names he had released in 2013), and he personally believed that the release could be politically motivated. It was likely even Russian hackers, letting the US know that any retaliation for the nation's ongoing cyber campaign could result in an even more embarrassing leak.

Others believed that Chinese hackers could be the source of the stolen information, but Russia made more sense for many, given the history between the two nations and the ongoing political struggle - which is just as relevant today as it was in the summer of 2016.

Due to the wording of the original Github post, it was not believed that the auction itself was a priority for the Shadow Brokers. Rather, this had likely been a publicity stunt by them that proved itself effective when the story began getting coverage on major news networks. After all, "mysterious hackers auction off state secrets" is a much sexier headline than "mysterious hackers release NSA exploits."

However, despite the story attracting a lot of attention, the auction itself was - by and large - a huge bust. Within 24 hours, the Shadow Brokers had received 13 individual bids which totalled around 2 bitcoin (worth around $1000 US dollars). This was nowhere near the 1 million bitcoin total the Shadow Brokers were hoping to get, which was valued at around $500 million. This was deemed a nearly-impossible sum of money, even for cyber-weapons of this magnitude; and many believed the impossible asking price made the entire thing a big sham. There was no way any self-respecting hacker would try and raise such a huge sum of money through bitcoin, which was not utilized by any known government in the world and could be tracked to the person that attempted to cash out.

Many believed that the auction was a ploy to distract from the leak itself, which was likely orchestrated to damage America's cyber-intelligence community. Thomas Rid, a professor in the Department of War Studies at King's College London, told Vice's Motherboard:

"This entire thing is a huge middle finger at America."

This would make sense because, in the original post, the Shadow Brokers explained that they wanted this auction to hurt the Equation Group (the secretive cyber-warfare unit allegedly tied to the NSA). In making this an auction, they wanted the NSA to have to outbid everyone else in order to keep their dirty little secrets.

However, this only reinforced the belief of many in the tech community that this was a foreign entity trying to humiliate or embarrass American cyber-intelligence. Or maybe it was someone who wanted to raise awareness of the potential cyber-weapons of mass destruction that America possessed. Perhaps the data had been stolen and disclosed by an insider working for the government... a la Edward Snowden.

This was the speculation among NSA employees at the time, who spoke to reporters off-the-record and confirmed that the naming conventions used in the leaked files had undoubtedly been copied from internal systems at the NSA. This indicated that the person who had "hacked" the NSA had been able to gain physical access to an NSA server, likely copying the files onto an external drive of some sort.

If so, that implied that the entire rambling manifesto (which you only heard a part of, and was full of broken English), had been written to simply mislead anyone looking for them. They had seemed to intentionally insert errors into the writing, in an effort to appear foreign. In fact, one Associated Press article described the writing of the Shadow Brokers as "Borat-like," which I find to be an apt description.

This theory - that an insider at the NSA had personally made off with the information and then intentionally disclosed it - was the most realistic possibility at the time. And that theory would continue to look more and more likely when an NSA contractor was arrested just days later, having been charged with illegally removing classified information.

Harold Thomas Martin III, who worked at the NSA's headquarters in Fort Meade, Maryland, was arrested at his home in Glen Burnie on August 27th, 2016 - just 12 days after The Shadow Brokers had appeared and started posting to numerous websites.

I detailed Martin's arrest in the episode introduction, but the details of his arrest would not be publicly released until October of 2016, roughly two months later, due to issues pertaining to national security. He was believed to have more than 50 terabytes of classified information, which included at least six highly-classified documents that contained sensitive intelligence (intel that was top-secret, and may have put lives in jeopardy if disclosed).

In case you're not well-versed in security clearances and why it's illegal for Martin to have kept this information at his home, well... working in a government position often gives you a certain level of security clearance, which means you are trusted to view sensitive intelligence, but only up to a point. It is oftentimes unethical - if not illegal - to make copies of this information or even talk about it to others who are not similarly cleared. Like I said just a moment ago: that's because this information is often critical to ongoing investigations or operations, and - if it gets into the wrong hands - it can often lead to adverse effects, and even get someone killed in certain situations.

In this case, Martin had disregarded all of that, and had literally just copied everything he could get his hands on for a period of years. Not days, weeks, or even months... years. He held a security clearance from 1996 to 2016, and the information in his possession spanned that entire time-frame. He had stolen decades of state secrets, which he kept around haphazardly in his house, his shed, and his vehicle. As such, he was charged under the Espionage Act, which meant that he could face decades behind bars if convicted.

As investigators learned more about Harold Martin, they discovered that there was incriminating evidence pointing towards his involvement in the Shadow Brokers leak. For starters, it was estimated that he had stolen approximately 75% of the NSA's Tailored Access Operations' hacking tools - many of which ended up in the Shadow Brokers leak. Secondly, he had started speaking Russian in online communications, having downloaded information on learning the language in June of 2016 (two months before the leak). He had also started communicating with unnamed sources in Russia, who were later determined to be tied to the Russian-based security firm Kaspersky.

In addition, he had been a doctoral candidate who specialized in internet security, and had been accessing the internet anonymously through an encrypted Linux-based operating system called Tails. Through this, he might have provided the information to an outside source without leaving any kind of a trace.

Because of this last point, investigators could find no smoking gun linking him to the mysterious Shadow Brokers. They could also find no trace of him having disclosed the information to a third party, which made it hard to confirm that he had committed any other crime than widespread theft of classified intelligence over several years.

While Martin continued to sit in jail, awaiting trial, it would become harder to confirm that he had any involvement in the Shadow Brokers leaks... especially when they started to surface with more cryptic messages, which began to become more deranged and immature as time went on.

Two days after Harold Martin was arrested - on August 29th, 2016 - the mysterious Shadow Brokers surfaced yet again with another post. This time, they posted to the website Pastebin, and seemed to take on a more taunting, mocking tone; replacing all of their L's with R's in an attempt to sound as immature and racist as possible.

The group would go quiet for the next several weeks, but surfaced again on October 1st with a post on the website Medium. In that post, they complained about the incredibly low number of bitcoin that had been sent to them so far, which was indicative of the auction not being taken seriously by... pretty much everyone.

"TheShadowBrokers Equation Group Auction is being real. If you peoples is being easily confuse, you be stopping here. If you peoples be wanting to know more then keeping reading."

As you just heard, this post continued on in the same broken English style as the first post, and was followed by a lengthy FAQ section.

Roughly two weeks later - on October 15th - the Shadow Brokers seemed to have reached their tipping point. Still, nobody was taking the auction seriously, and in their anger, the Shadow Brokers called off the auction entirely. Their childish temper seemed to get the better of them, due to very few people actually sending any bids to their bitcoin address.

"Auction off. Auction finish. Auction done. No winners. So who is wanting password? TheShadowBrokers is publicly posting the password when receive 10,000 btc"

This was then followed by a graphic and sexually explicit rendition of a real-life event that had taken place a short time prior to this: the meeting of former-President Bill Clinton and Attorney General Loretta Lynch, who met aboard an airplane on a tarmac in June of 2016. This entire post read like immature, perverted fanfic, so I won't subject you to it (if that's your thing, you can look it up yourself). But I think the context of it provides the kind of mindset that went into these posts, which continued to show some hint of a political motivation.

Despite calling off the auction, these messages seemed to indicate that whoever the Shadow Brokers were, they were still out there; not, as suspected, in police custody. This seemed to rule out former-NSA contractor Harold Martin as a suspect in the leak, as it was impossible for him to have been making the posts while awaiting trial.

It's worth mentioning that all of these posts were connected together by the usage of the same PGP key, which confirmed that all of these posts were made by the same person. They were not just a copycat using the same name for their own benefit; they were the same individual or group, who had grown agitated by the apathetic response to their auction of NSA exploits.

This seemed to suggest that the Shadow Brokers were calming down and quietly fading away, but that would change at the end of October, when they returned for their second major leak.

"TheShadowBrokers is having special trick of treat for Amerikanskis tonight."

That was the first line in a post made by the Shadow Brokers on October 31st, 2016. This time, instead of just hinting at more to come, the mysterious entity had released another trove of information stolen from NSA servers. This came along with another long and bizarre message in broken English, which railed against the media for blaming Russia for the NSA hack. The Shadow Brokers claimed that they were not Russian, but at the same time threatened to disrupt the pending US presidential election if they felt like it.

As you probably noticed, the opening line included the usage of the word 'Amerikanski,' which is a Cyrillic expression that translates roughly to the adjective 'American.' However, the pluralization of it indicates someone who is not familiar with Cyrillic languages, as this person seemed to use the word as a noun. It'd be like saying "Frenchs" (or really, any adjective with an 's' at the end). But I digress.

"How bad do you want it to get? When you are ready to make the bleeding stop, payus, so we can move onto the next game. The game where you try to catch us cashing out! Swag us out!"

The Shadow Brokers made it clear in this post that they weren't going to go away without getting some kind of payday, and to really drive their point home, they linked to another batch of files that they had uploaded to Dropbox and torrent sites. These files contained extensive server data, which seemed to correspond with different domains and IP addresses from 49 separate countries. In the post, the Shadow Brokers indicated that these were servers that had been penetrated by the NSA's Equation Group during their operations abroad.

Unlike the first leak - which had pointed out how the NSA had gathered their intel - this leak seemed to be about highlighting who had fallen prey to their cyber-weapons. This included IP addresses and domains from nations such as Russia, China, India, Sweden, and numerous others (like I said, there were 49 separate countries included in this leak, including many adversaries of America).

It was later found out that many of these domains and IPs were still in use and had been infected with undetectable malware - similar to what the Shadow Brokers had described. This was likely due to ongoing operations, which were now essentially outed by this leak from the Shadow Brokers. This leaked information highlighted breaches in networks, and meant that operatives with the NSA would have to start from scratch on the operations themselves.

This leak was incredibly similar to the first, but damaging in an entirely different way. And it happened roughly one week before the US presidential election, meaning that it got very little news coverage... but was incredibly impactful to American intelligence.

The Shadow Brokers would go quiet for over a month, with them having called off the auction for hacking tools. However, their offer still stood for 10,000 bitcoin; which they claimed would get them to dump the entire collection of stolen NSA data to the rest of the world.

In December, it came to light that the Shadow Brokers might have returned in a quiet way, choosing to forego the idea of an auction for the collected data. Instead, people began to notice suspicious files being sold individually on a website named ZeroNet, and many of the files used the same naming conventions as the NSA's Equation Group. These included files such as:

- Electricslide

- Catflap

- Englandboggy

- Eternalblue (remember the name on that one, because it'll come into play later)

These files ranged from simple exploits to full-on implants, which could forcefully install malware on a foreign PC. These were all being sold for varying prices - everything from 1 to 100 bitcoin - which equalled anything from $700 to $75,000. The Shadow Brokers would later confirm that they were indeed selling items on the black market, but even this individual sale seems to have gone poorly for them. Records show that between August and December of 2016, the bitcoin address provided by the Shadow Brokers possessed a grand total of 10 bitcoin (1/1000th of their original goal, and only worth about $7,800).

The following month - January of 2017 - the Shadow Brokers announced that they were quitting entirely with yet another post.

"So long, farewell peoples. TheShadowBrokers is going dark, making exit. Continuing is being much risk and bullshit, not many bitcoins. TheShadowBrokers is deleting accounts and moving on so don't be trying communications. Despite theories, it always being about bitcoins for TheShadowBrokers. Free dumps and bullshit political talk was being for marketing attention. There being no bitcoins in free dumps and giveaways. You are being disappointed? Nobody is being more disappointed than TheShadowBrokers."

With this farewell, the Shadow Brokers posted a final batch of mostly outdated exploit files in a password-protected archive, and then gave away the password in yet another crude insult to the rest of the world.

"Password is FuckTheWorld Is being final fuck you, you should have been beleiving TheShadowBrokers"

The Shadow Brokers had surfaced in the window between the hack of the Democratic National Committee and the US presidential election - both of which are still fresh in our collective memory three years later.

In their long-winded and bizarre posts, which were always written in a kind of broken English, the Shadow Brokers often took aim at "wealthy elites" and even name-dropped figures like Bill Clinton and Loretta Lynch. They seemed to buy in to many of the conspiracy theories circulating at the time - the kind propagated by figures such as Alex Jones (the anonymous QAnon would not appear until later in 2017) - and displayed a familiarity with American politics and pop culture that was current, if often misguided.

However, this final leak - which came roughly one week before the inauguration of President Donald Trump - seemed to be the last gasp of the Shadow Brokers (at least at the time). Jake Williams, a malware expert who founded Rendition Infosec, told Ars Technica at the time:

"This farewell message is kind of a burn-it-to-the-ground moment. Russian ties make sense given the inauguration [of Donald Trump] happens in a short time. If that narrative is correct and Shadow Brokers is Russian, they wouldn't be able to release those tools after Trump takes office. If you roll with that narrative, [the burn-it-to-the-ground theory] certainly works."

This idea that the Shadow Brokers were Russian hackers - or simply hacktivists with Russian ties - was the leading theory circulating at the time, given the political landscape: the long and shaky history between the US and Russia, which seemed to have evolved from Cold War to cyber war overnight.

The theory of Russian involvement in the Shadow Brokers also seemed to fit with what investigators knew about Harold Martin, the NSA contractor arrested in August for stockpiling decades' worth of classified material. He had been learning Russian in the months before his arrest, and had been communicating with unnamed Russian contacts in the days before the Shadow Brokers dropped their first leak. If he had been feeding Russian sources the material stolen from the NSA, they could have published it in an effort to embarrass or humiliate the US intelligence community.

To date, it has not been established that Russians carried out these leaks - or were involved in any capacity. It remains the most popular theory among many in the cyber-intelligence community, however, because of the number of coincidences that seem almost too good to be true. Williams made the same point to Ars Technica:

"They may not be Russian. But it is inexplicable they would release the dump without understanding the timing and how it would be read. Anyone smart enough to steal these tools understands the conclusion that will be drawn by most."

With the announcement that they were calling it quits, many expected the mysterious entity known as the Shadow Brokers to simply fade into obscurity. But - as you can imagine - that was not the case.

Whoever this person or persons were, they decided to return months later - long after most had assumed they were gone for good. And when they did, they created more chaos than ever before.

That's on the next episode of Unresolved.

Episode Information

Written, hosted, and produced by Micheal Whelan

Published on September 29th, 2019

Producers: Maggyjames, Ben Krokum, Roberta Janson, Matthew Brock, Quil Carter, Peggy Belarde, Evan White, Laura Hannan, Katherine Vatalaro, Damion Moore, Amy Hampton Miller, Scott Meesey, Steven Wilson, Scott Patzold, Marie Vanglund, Lori Rodriguez, Emily McMehen, Jessica Yount, Aimee McGregor, Lauren Harris, Danny Williams, Cody Ketterling, Brian Rollins, and Sue Kirk

Special thanks to the following individuals for contributing their voices to this episode:

Music Credits

Original music created by myself through Amper Music

Other music created and composed by Ailsa Traves

Sources and further reading

Wikipedia - The Shadow Brokers

Wikipedia - Equation Group

Wikipedia - Booz Allen Hamilton

Wikipedia - Harold T. Martin III

Wikipedia - WannaCry

Wikipedia - Petya (malware)

Wikipedia - 2017 cyberattacks on Ukraine

Wikipedia - EternalBlue

Risk Based Security - “The Shadow Brokers: Lifting the Shadows of the NSA’s Equation Group?”

Comae Technologies (Blog by Matt Suiche) - “Shadow Brokers: NSA Exploits of the Week”

Vice Motherboard - “Hackers Say They Hacked NSA-Linked Group, Want 1 Million Bitcoins to Share More”

The Daily Dot - “Hackers claim to be selling NSA cyberweapons in online auction”

Business Insider - “‘Shadow Brokers’ claim to have hacked an NSA-linked elite computer security unit”

ABC News - “Hackers claim to Hit NSA-Linked Super-Cyberespionage Group”

The Washington Post - “Powerful NSA hacking tools have been revealed online”

Vice Motherboard - “Email Provider Linked to Alleged NSA Dumps: We Can’t Help”

Vice Motherboard - “Why Github Removed Links to Alleged NSA Data”

Vice Motherboard - “Hack of NSA-Linked Group Signals a Cyber Cold War”

Business Insider - “EDWARD SNOWDEN: Russia might have leaked alleged NSA cyberweapons as a ‘warning’”

Ars Technica - “Confirmed: hacking tool leak came from ‘omnipotent’ NSA-tied group”

Vice Motherboard - “The Current Highest Bid for Alleged NSA Data is 999,998.371 Bitcoin Short”

Vice Motherboard - “What We Know About the Exploits Dumped in NSA-Linked Hack”

Vice Motherboard - “Former NSA Staffers: Rogue Inside Could Be Behind NSA Data Dump”

AP - “‘Auction’ of NSA tools sends security companies scrambling”

Vice Motherboard - “The NSA Data Leakers Might Be Faking Their Awful English To Deceive Us”

ABC News - “In ‘Bizarre’ NSA-Linked Hacking Saga, Some Exploits Prove Real”

The Intercept - “The NSA Leak Is Real, Snowden Documents Confirm”

Extreme Tech - “The ‘Shadow Brokers’ NSA theft puts the Snowden leaks to shame”

Ars Technica - “Hints suggest an insider helped the NSA ‘Equation Group’ hacking tools leak”

Reuters - “Commentary: Evidence points to another Snowden at the NSA”

Vice Motherboard - “NSA Targeted Chinese Firewall Maker Huawei, Leaked Documents Suggest”

The New York Times - “N.S.A. Contractor Arrested In Possible New Theft of Secrets”

AP - “NSA contractor arrest highlights challenge of insider threat”

AP - “Ex-contractor committed ‘breathtaking’ theft of secrets”

The Washington Post - “NSA contractor thought to have taken classified material the old-fashioned way”

AP - “US: Contractor in NSA case had intelligence officers’ names”

Vice Motherboard - “While Alleged NSA Thief Sits in Detention, Shadow Brokers Post Messages”

Medium - “TheShadowBrokers Message #3”

Pastebin - “TheShadowBrokers Message #4 Bill Clinton/Lynch Conversation”

Vice Motherboard - “NSA Hackers The Shadow Brokers Dump More Files”

Medium - “Message #5 - Trick or Treat?”

Fortuna’s Corner - “‘Shadow Brokers’ Reveal List of Servers Hacked by the NSA…”

The New York Times - “The Perfect Weapon: How Russian Cyberpower Invaded the U.S.”

Vice Motherboard - “Newly Uncovered Site Suggests NSA Exploits for Direct Sale”

Vice Motherboard - “A Brief Interview with The Shadow Brokers, The Hackers Selling NSA Exploits”

Vice Motherboard - “NSA Exploit Peddlers The Shadow Brokers Call It Quits”

Ars Technica - “NSA-leaking Shadow Brokers lob Molotov cocktail before exiting world stage”

Medium - “Don’t Forget Your Base”

Vice Motherboard - “They’re Back: The Shadow Brokers Release More Alleged Exploits”

International Business Times - “‘President Trump what the f**k are you doing’ say Shadow Brokers and dump more NSA hacking tools”

BBC News - “‘NSA malware’ released by Shadow Brokers hacker group”

Steemit - “Lost in Translation”

Vice Motherboard - “Shadow Brokers Dump Alleged Windows Exploits and NSA Presentations on Targeting Banks”

Ars Technica - “NSA-leaking Shadow Brokers just dumped its most damaging release yet”

Ars Technica - “Mysterious Microsoft patch killed 0-days released by NSA-leaking Shadow Brokers”

Vice Motherboard - “Alleged NSA Victim Denies Hackers Ever Broke In”

Vice Motherboard - “The Latest Dump of Alleged NSA Tools Is ‘The Worst Thing Since Snowden’”

Vice Motherboard - “Newly Leaked Hacking Tools Were Worth $2 Million on the Gray Market”

CNN Business - “NSA’s powerful Windows hacking tools leaked online”

DoublePulsar (blog by Kevin Beaumont) - “Latest Shadow Brokers dump - owning SWIFT Alliance Access, Cisco and Windows”

Engadget - “Microsoft says it already patched ‘Shadow Brokers’ NSA leaks”

AP - “Microsoft says users are protected from alleged NSA malware”

Vice Motherboard - “This Is How the NSA Infiltrated a Huge Banking Network in the Middle East”

AP - “White House: Blame cyberattack on hackers, not spy agencies”

CBS News - “Shadow Brokers hacker group says more NSA leaks to come”

The Atlantic - “Who Are the Shadow Brokers?”

The State of Security (Tripwire) - “Shining Light on The Shadow Brokers”

Vice Motherboard - “Hackers Are Crowdfunding Cryptocurrency to Buy Alleged NSA Exploits”

CBS News - “Mysterious Shadow Brokers group re-emerges to taunt U.S. intelligence”

Vice Motherboard - “The Shadow Brokers Have Made Almost $90,000 Selling Hacking Tools by Subscription, Researcher Says”

The Wall Street Journal - “Russian Hackers Stole NSA Data on U.S. Cyber Defense”

Vice Motherboard - “Ex-NSA Hackers Are Not Surprised by Bombshell Kaspersky Report”

The New York Times - “Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core”

Vice Motherboard - “Cryptocurrency Transactions May Uncover Sales of Shadow Broker Hacking Tools”

DarkReading - “Ex-NSA Contractor Was a Suspect In Shadow Brokers Leak”

Politico - “Suspect’s Twitter messages played role in NSA hacking-tools leak probe”

Gizmodo - “The Strange Case of Kaspersky Lab Just Got Messier”

Politico - “Feds lack digital proof alleged NSA hoarder opened classified docs”

The New York Times - “N.S.A. Contractor Arrested in Biggest Breach of U.S. Secrets Pleads Guilty”

Ars Technica - “Stolen NSA hacking tools were used in the wild 14 months before Shadow Brokers leak”

Cyberscoop - “Ex-NSA contractor set to plead guilty for theft of top secret information”

AP - “Mystery of NSA leak lingers as stolen document case winds up”

The New York Times - “N.S.A. Contractor Who Hoarded Secrets at Home Is Sentenced to Nine Years in Prison”

The Washington Post - “NSA contractor sentenced to nine years in theft of massive amounts of classified material”

The New York Times - “In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc”