TheShadowBrokers Continue to Leak Exploits and Generate Profits

A few weeks ago, our team at SurfWatch Labs released its mid-year threat intelligence report, which largely focused on how leaked exploits have helped to fuel cybercrime over the first half of the year. While the leak of exploits and hacking tools is not new — 2016’s surge of IoT-powered DDoS attacks were propelled by the release of the Mirai source code, for example — several high-profile global attacks leveraging leaked exploits in 2017 have helped to once again push the conversation to the forefront.

At the heart of that conversation is a group known as TheShadowBrokers. TheShadowBrokers is best known for its April 2017 release of stolen NSA exploits such as EternalBlue, an exploit that was leveraged, along with other leaked exploits, into May’s outbreak of WannaCry and June’s outbreak of NotPetya.

However, TheShadowBrokers first made headlines nearly a year ago when it announced that it was auctioning off a cache of tools stolen from the NSA’s Equation Group:

How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. …

At this point, it remains unclear exactly how the sensitive hacking tools and exploits were stolen from the NSA, although investigators are pursuing several theories. What is clear is that multiple individuals were in possession of that data — including NSA contractor Harold T. Martin III, who was arrested two weeks after TheShadowBrokers announced its auction of NSA tools.

Timeline of NSA breach.

Although officials have not linked TheShadowBrokers and Martin, both of them were in possession of stolen NSA tools. Martin’s lawyer said that Martin’s intention was to use the data to get better at his job, not to ever release it. That is not true with TheShadowBrokers, who appear to enjoy toying with the media and have used the publicity around the WannaCry and NotPetya attacks to promote its new monthly exploit service.

What’s in TheShadowBrokers’ Monthly Exploit Service?

TheShadowBrokers claim to have released two sets of data dumps related to its monthly service so far — one for June and one for July — and each month they have continued to jack up the price of the data.

  • The June dump sold for 100 ZEC (Zcash) or 500 XMR (Monero).
  • The July dump sold for 200 ZEC or 1000 XMR.
  • The upcoming August dump is selling for 500 ZEC or 2000 XMR.

At today’s prices, that equates to more than $121,000 worth of Zcash or $101,000 worth of Monero for the August dump. Naturally, security researchers and organizations would like to know if the exploits and other data being released by the group is on par with EternalBlue, something less worrisome, or an elaborate troll job — but that’s a hefty price to pay a malicious actor just find out.

There was a brief crowdfunding effort by security researchers to purchase the exploits, but that was pulled after shortly after it was announced due to “legal reasons.”

However, at least one alleged purchaser of the June data dump was not satisfied with the 500 XMR purchase, writing under the name “fsyourmoms” on Steemit:

TheShadowBrokers ripped me off. I paid 500 XMR for their “Wine of the Month Club” and only they sent me a single tool that already requires me to have a box exploited. A tool, not even an exploit! The tool also looks to be old, and not close to what theShadowBrokers said could be in their subscription service.

An anonymous researcher that has been attempting to track Monero transactions associated with TheShadowBrokers, who posts on Steemit under the name “wh1sks,” later verified that “fsyourmoms” did, in fact, send 500 XMR to TheShadowBrokers’ June monthly dump address.

Image from “wh1sks” on Steemit.

The same researcher has confirmed that TheShadowBrokers likely received three Monero payments for its June data dump (including “fsyourmoms”) and two Monero payments for its July data dump.

“We know that TSB received no more than 2000 XMR [for its July dump],” the researcher wrote last week, although it is possible the group sent itself transactions to make it appear as though sales were occurring.

Like TheDarkOverlord, TheShadowBrokers appears to be trying to project an image of great success — perhaps to entice more people to purchase its services. As the group wrote in its August monthly dump announcement:

July is being good month for TheShadowBrokers Monthly Data Dump Service, make great benefit to theshadowbrokers. … Due to popular demand theshadowbrokers is raising prices for August to 500 ZEC or 2000 XMR.

TheShadowBrokers is also accepting Zcash, which cannot be tracked using the same methods as Monero. Therefore, it’s unclear how many transactions have been made using Zcash, and its possible that a larger number of users may have purchased the group’s data dumps.

If we take “fsyourmoms” at his or her word — who is the only individual to have publicly confirmed a purchase from TheShadowBrokers, as far as I can tell — we know that the June dump contained only one tool, but we don’t know what that tool even was. Was it worth more than $20,000 worth of cryptocurrency? At least one buyer says no. It remains unclear what was in the July dump, and what will be included in the upcoming August dump.

A lot remains unanswered when it comes to TheShadowBrokers, but it appears likely that other users have purchased or will purchase TheShadowBrokers’ data dumps. That means more dangerous tools and exploits could make their way into the hands of malicious actors in the near future, which is bad news for organizations. As we noted in our mid-year report, the impact of these leaked tools and exploits is often more dangerous and has a longer-lasting effect than perhaps any other type of cyber incident.

Author: Adam Meyer

Adam Meyer has served in leadership positions in the defense, technology, and critical infrastructure sectors for more than 15 years. Prior to joining SurfWatch Labs, Mr. Meyer was the Chief Information Security Officer (CISO) for the Washington Metropolitan Area Transit Authority, one of the largest public transportation systems in the United States. Preceding his role as a CISO, Mr. Meyer served as the Director of Information Assurance and Command IA Program Manager for the Naval Air Warfare Center, Naval Air Systems Command one of the Navy's premier engineering and acquisition commands.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s