Ghost hackers: the cybersecurity mystery no one has solved

In the long history of hacking, there have been many data breaches that, years or even decades later, remain unsolved. Dozens of hackers and hacker groups behind them have never been identified.
But many hacking groups are caught. This is true whether they are cybercriminals like LAPSUS$, the notorious gang that compromised companies including Microsoft and Nvidia, with many members arrested, or government-backed hacking groups from Russia and China, whose members have been named, indicted, and put on the most wanted list.
Nevertheless, some of the most interesting cases in the history of cybersecurity remain open – there are no culprits, no answers, and in some cases, not even a clear motive. We decided to revisit a few of them in a series of articles, starting with one of the strangest episodes in the history of intelligence leaks.
The first installments are based on the Shadow Brokers – a mysterious group that appeared on the Internet, dropped a bunch of hacking tools believed to be from the NSA, and then disappeared.
In the summer of 2016, amid the Russian hacks related to the US Presidential election, the group appeared on Twitter. They linked to Pastebin posts and @-tagged several news outlets – a weird, ineffective strategy that meant most of those outlets probably never saw the tweets.
But if anyone had clicked on the link, they would have seen a document titled “Equation Group Cyber Weapons Auction — Invitation” – a reference to a shadowy hacking program believed to be run by the NSA.
“!!! Beware the government sponsors of cyber warfare and those who profit from it!!!! How much are you paying for the cyber weapons of the enemy?” the hackers wrote, claiming to have hacked Equation Group.
The document included download links for other hacking tools, as well as a download link for an encrypted file; interested buyers could obtain the decryption key by winning the auction. “The auction files are better than Stuxnet,” they wrote, referring to the malware used against Iranian nuclear facilities in the 2007 US-Israeli cyberattack. They asked for at least one million Bitcoin.
The leak immediately attracted media coverage. When security researchers analyzed the tools, they realized that these were highly sophisticated computer weapons, possibly stolen from the NSA – suspicions reinforced by the fact that some of the tools shared the names and program references revealed by NSA whistleblower Edward Snowden.
The auction was likely a ruse, as the group ended up releasing many of the tools publicly months later. Much about Shadow Brokers made no sense. Their broken English was almost comical, as if they were trying too hard or being deliberately theatrical. Despite clearly seeking attention – and getting a lot of press coverage – the group spoke to a reporter only once, giving a brief interview to Joseph Cox of 404 Media, then a reporter at VICE Motherboard.
Ten years later, we know nothing about who was behind the Shadow Brokers persona. Cox and I interviewed former NSA employees at the time, who said that an NSA insider or former insider might be involved. But no one was ever arrested and charged – which is surprising, as this was arguably one of the worst leaks of American intelligence tools ever.
Another possible suspect was Harold T. Martin III, an NSA contractor arrested for stealing classified information from the agency. But the theory has a problem: while Martin was in custody, the Shadow Brokers remained active online. He has never been formally charged in connection with the leak. A widely held theory is that the Shadow Brokers were created by a group of Russian government spies as a propaganda tool.
The impact was huge. Among the released tools, Shadow Brokers published EternalBlue – an exploit for a family of zero-day vulnerabilities in Windows that allowed attackers to enter computers on a compromised network, quickly expand their reach, and release self-propagating worms. (Zero-day vulnerabilities are bugs unknown to the software developer, meaning there isn’t a patch yet.) North Korean hackers used EternalBlue to release the WannaCry ransomware worm. Russian hackers later built NotPetya on it, which spread beyond its initial targets in Ukraine and caused an estimated $10 billion in damage worldwide. For businesses, the lesson was clear: vulnerabilities kept secret by intelligence agencies don’t stay secret forever – and when they leak, the private sector pays the price.
The trove is still yielding finds. Among the leaked tools was one containing a list of project names – including one called Fast16, marked only with the label “NOTHING TO SEE HERE – GO ON.” Last month, researchers announced that they had recovered and tested it, identifying a 2005 malware program designed to disrupt software allegedly used by Iranian nuclear scientists.