A mysterious hacking group has been bedeviling the U.S. intelligence community for months, releasing a tranche of secret National Security Agency hacking tools to the public while offering to sell even more for the right price. Now with barely a week to go before Donald Trump’s inauguration, the self-styled “Shadow Brokers” on Thursday announced that they were packing it in.
“So long, farewell peoples. TheShadowBrokers is going dark, making exit,” the group wrote on its darknet site. “Continuing is being much risk and bullshit, not many bitcoins.” The message was accompanied by a parting gift, described by the group as a “final fuck you”: an apparently complete NSA backdoor kit targeting the Windows operating system. The kit is comprised of 61 malicious Windows executables, only one of which was previously known to antivirus vendors.
The Shadow Brokers emerged in August with the announcement that they’d stolen the hacking tools used by a sophisticated computer-intrusion operation known as the Equation Group, and were putting them up for sale to the highest bidder. It was a remarkable claim, because the Equation Group is generally understood to be part of the NSA’s elite Tailored Access Operations program and is virtually never detected, much less penetrated. The Equation Group was, in a sense, the rough equivalent to the Russian “Cozy Bear” crew, now blamed for the DNC hacks. Except the American hackers operated for at least 14 years as virtual ghosts, until 2015 when the Russia-based cybersecurity firm Kaspersky Labs gathered enough evidence to prove that they exist.
It soon emerged that the Shadow Brokers really had the goods. Released along with the announcement was a huge cache of specialized malware, including dozens of backdoor programs and 10 exploits, two of them targeting previously unknown security holes in Cisco routers—a basic building block of the internet. While Cisco and other companies scrambled for a fix, security experts pored over the Shadow Brokers tranche like it was the Rosetta Stone. “It was the first time, as threat-intelligence professionals, that we’ve had access to what appears to be a relatively complete toolkit of a nation-state attacker,” says Jake Williams, founder of Rendition Infosec. “It was excitement in some circles, dismay in other circles, and panic and a rush to patch if you’re running vulnerable hardware.”
Virtually nobody, though, believed the Shadow Brokers’ claim that they were mere hackers trying to sell the exploits for a quick fortune. For one thing, the group had released far more material for free than necessary to prove their bona fides. And the mechanics of their bitcoin “auction” were laughable—losing bidders, the group said, would not get their money back. The Shadow Brokers would release the whole cache to the public for the arbitrary, Dr. Evil-esque price of 1 million bitcoins, nearly $600 million at the time. They group later broke down the hacking tools into a revised al la carte buy-it-now price list, but the prices weren’t low enough to attract buyers. As of Thursday, the Shadow Brokers had pulled in a total of 10 bitcoins.
In an email interview with The Daily Beast early this week, the Shadow Brokers expressed frustration that they weren’t getting rich off the code, and hinted that they might be retiring soon. “Many rich hackers. Many rich hacker companies. $100k, $1,000,000, $10,000,000 is pennies to theritepeoples [sic]… TheRitePeoples who not caring about money. TheRitePeoples who just caring about really cool shit. Equation Group really cool shit. Equation Group really cool shit only theshadowbrokers is selling.”
The group also explained they are not activists, and they gave away the initial tranche of files purely as a marketing move. “NOT for [a] silly cause. Douchebags uses causes for trying to get laid. TheShadowBrokers is getting plenty laid, no need for cause douchbaggery. Leaving that to those straight men who looking, acting like gay men, thinking its called hipsters.”
The most popular Shadow Brokers theories in computer-security and intelligence circles have nothing to do with money or getting laid. In one, the Shadow Brokers is an NSA insider gone rogue; on the other, it’s the Russian government. Last year the FBI investigated and arrested an NSA contractor named Hal Martin, who had allegedly been illegally stockpiling agency secrets in his house. But as Martin cooled his heels in federal custody, the Shadow Brokers continued to post messages and files, and the rogue-insider theory withered.
The more persuasive theory, supported by no less than Edward Snowden, is that the Shadow Brokers are one of the same Russian government hacking groups now accused of targeting the U.S. election. Coincidently, the same day the Shadow Brokers said goodbye, the hacker who claimed responsibility for penetrating the DNC suddenly re-emerged after nearly two months of silence.
In the spy-versus-spy world of hacks and counterhacks, both the U.S. and Russia sometimes lose their code to the other side. The risk is unavoidable, because NSA malware has little value sitting safely on the agency’s classified network. Just as a spy plane must fly, even at risk of being shot down and reverse-engineered, the NSA’s exploits must be fired at targeted networks to be of use. Its backdoor “implants” must be installed in other people’s servers. As the first step in this process, the NSA sets up its tools on special “staging” servers on the internet—machines that are owned, leased, or otherwise controlled by the U.S., but with no connection to the NSA. From there, the individual programs are smuggled to wherever they’re needed. The Russians could have traced a U.S. hacking campaign back to one or more of these staging servers, and collected the massive Shadow Brokers cache.
Under this theory, the Shadow Brokers were part of a tit-for-tat in the intelligence world. The group emerged just as the U.S. began confronting Russia over its election hacking, and then seemed to release its secrets in time with the public thrusts and parries between the two countries. On Dec. 15th, for example, Obama announced to NPR that the U.S. would retaliate for the election hacks—“we need to take action.” On the 16th, the Shadow Brokers broke six weeks of silence to publish a tweetstorm of screenshots showing off its unreleased NSA files. The message: Russia would do to the NSA what it was doing to the Democratic Party. It would dump sensitive stolen files to the internet, while hiding behind just enough of a cover story that it could maintain public deniability.
Now, with a new, friendlier administration coming in, Vladimir Putin may be pressing the reset button. “The timing is interesting,” says Williams.
The Shadow Brokers, though, insist they have nothing to do with global affairs.
“TheShadowBrokers is dumb asses thinking found golden ticket sitting on server and just wanting cash out without dying or go to prison,” the group wrote. “TheShadowBrokers is wanting to win and exit. Starting to looking like epic fail. TheShadowBrokers still proud of very large balls for to taking risk. Is not many peoples can be saying same? Mostly cattle fed just enough by masters.”