
Who are the Shadow Brokers? Signs point to an intelligence insider

At Black Hat 2017, security researcher Matt Suiche analyzed the Shadow Brokers dumps, postings and behavior to get to the bottom of one of the infosec industry's biggest questions.

CONFERENCE COVERAGE:

Black Hat 2017: Special conference coverage


LAS VEGAS -- The identity of the Shadow Brokers has become one of the biggest questions in the infosec industry this year, and Matt Suiche believes the evidence points to an insider threat rather than an external nation-state attacker.

Suiche, founder of managed threat detection company Comae Technologies, spoke at Black Hat 2017 about the Shadow Brokers, the entity that over the last year has been releasing files and hacking tools taken from the Equation Group, a hacking outfit connected to the U.S. National Security Agency. Suiche explained how the behavior and tactics of the Shadow Brokers have, over time, revealed clues about their background and general identity, and argued that those clues suggest the dumps are the work of disgruntled insiders: current or former intelligence community contractors.

"There's definitely a huge problem around [insider threats]," he said. "That's why I, personally, think and I would not be surprised to see the source of those files was another contractor."

While the group's blog posts are written in broken English that suggests Russian-speaking authors, Suiche said the language was likely an operations security (opsec) tactic to obscure the true identities of the Shadow Brokers. Suiche said the people behind the Shadow Brokers have "an interesting sense of humor" and demonstrated strong familiarity with the National Security Agency's Tailored Access Operations (TAO) unit, which he called the first sign that the Shadow Brokers were insiders rather than Russian threat actors. The group has also expressed anger at former members of TAO and threatened to reveal the identities of current TAO hackers.

"It seems like the Shadow Brokers know a lot about TAO as a team," he said.


Suiche said the U.S. defense and intelligence communities employ tens of thousands of contractors, and a number of disgruntled insiders have come to light in recent years, including Edward Snowden and Harold Martin -- both of whom worked as government contractors at Booz Allen Hamilton. "I don't know if we should say the intelligence community has an insider problem or if Booz Allen has an insider problem," he said.

The Shadow Brokers dumps started relatively small, Suiche said; the first batch of free exploits included bugs in many common firewall products. The group later followed up with Solaris operating system exploits, as well as more detailed information on proposed Equation Group targets, which included domains in countries like China and Iran.

Another revealing pattern of behavior, according to Suiche, was the group's increased attempts over time to gain attention -- and the expressions of anger and frustration when the level of attention didn't meet the group's expectations. The Shadow Brokers, he said, clearly wanted more than just to dump and sell the Equation Group cyberweapons; they wanted headlines as well.

Later dumps included detailed operational notes with code names not just for the cyberweapons, but for prospective targets of hacking operations as well. Suiche mentioned one example where the operational notes indicated Equation Group had targeted different mobile service providers across the globe, likely in an effort to gain access to communications.

The biggest Shadow Brokers dump featured Windows exploits like EternalBlue, as well as material indicating the exploits were used by the Equation Group to gain unauthorized access to a service bureau for the Society for Worldwide Interbank Financial Telecommunication (SWIFT). [A SWIFT spokesperson told SearchSecurity there is no evidence indicating a breach of SWIFT's network or messaging services.] The dump also contained a large amount of information about hacking operations, including unredacted metadata, PowerPoint presentations and even the names of Equation Group members. "That one was pretty interesting," Suiche said. "It contained some tools but mainly operational notes regarding what happened to one of the SWIFT service bureaus in the Middle East, and it was extremely detailed."

[Photo: Matt Suiche, founder of Comae Technologies, at Black Hat USA 2017]

Suiche said this was when the "narrative of the Shadow Brokers kind of changed," as the level of information about the Equation Group's inner workings was embarrassing for the National Security Agency. "It's hard to believe the most powerful intelligence agency in the world is not doing any opsec," he said.

While the Shadow Brokers recently introduced a monthly service to sell the stolen cyberweapons, Suiche doesn't believe that money is the group's motive, as asking for 1 million bitcoin (currently over $2.7 billion) isn't a reasonable request. In his presentation, Suiche also emphasized that it's unclear whether anyone has actually received exploits purchased through the new monthly service.

"They're following a pattern where the price keeps doubling," he said, adding that creating "fear, uncertainty and doubt is definitely part of their strategy."

Suiche closed the presentation by, again, suggesting the Shadow Brokers were either current or former intelligence contractors and warned of the potential risks such individuals could pose to cybersecurity. "It's kind of worrying to see the rising threat from some unreliable intelligence agency employees," he said.

Next Steps

Read more on addressing Shadow Brokers vulnerabilities and zero-day threats

Find out how the SHA-1 collision attack breaks the hash function

Learn about the risks posed to industrial control systems security by WannaCry ransomware


Comments

Who do you think is behind the Shadow Brokers, and why?
I agree with Matt and have believed this for a while. The reasoning behind this is like what you had in the article with Snowden, Martin and also Winner being traitors, but if you go and read what a lot of security people write on social media (blogs, Twitter, etc.), a majority of them are not happy with the way the USA does things, and it's only worsened since Trump was elected (the White House can't even keep people from leaking things). I would say that these types of incidents are only going to get worse, as it's a way for them to speak out and make an impact. As for stopping it, they need to profile people for these positions a lot better, because after the Snowden and Winner incidents and looking at how they approached life, there is no way I would have put them in those positions.
