The Shadow Brokers
2016-08

The disclosure sequence, between August 2016 and April 2017, by the anonymous entity self-designated The Shadow Brokers of NSA Tailored Access Operations hacking tools: the operational inventory of the Equation Group (Kaspersky Lab's name for the NSA-attributed actor), including ETERNALBLUE, DOUBLEPULSAR, ETERNALROMANCE, EXPLODINGCAN, and adjacent exploits and persistence frameworks. Two downstream attacks built on the leaked Windows exploits: the May 2017 WannaCry ransomware (North Korean Lazarus Group), which reached approximately 200,000 systems in 150 countries, and the June 2017 NotPetya destructive malware (Russian GRU Sandworm Team), whose documented damages exceeded $10 billion.
Background and context
The Shadow Brokers disclosure emerged in a post-2014 environment in which major cyber-tool disclosures had become a recurring pattern. The pattern across 2010–16 included Kaspersky Lab's February 2015 research documenting the Equation Group, the NSA-attributed actor behind the most sophisticated operational tooling then known in public; the 2013 Snowden disclosures of NSA SIGINT architecture; and the 2015 Hacking Team breach, which published the Italian commercial-spyware vendor's customer and tool inventory. The Shadow Brokers disclosure positioned itself within that pattern.
What distinguished the Shadow Brokers disclosure was that the material was operational NSA cyber-weapons, as opposed to documents describing SIGINT architecture (Snowden) or a commercial vendor's tooling (Hacking Team). The cache consisted of working exploits and implants taken from NSA infrastructure and made publicly available. Criminal and state actors thereby obtained capabilities, several of them unpatched at the time of the first release, for which defenders had no prior warning.[1]
The disclosure releases
The Shadow Brokers disclosure proceeded through a series of releases between August 2016 and April 2017, of which three are treated here as principal.
The first, on 13 August 2016, was a public-auction announcement on Twitter and Pastebin. The accompanying free-sample cache included working exploits against Cisco ASA firewalls (EXTRABACON, EPICBANANA, BENIGNCERTAIN), Juniper firewall tools, and additional Linux and Windows operational tools. Cisco confirmed that EXTRABACON, an SNMP buffer overflow tracked as CVE-2016-6366, was an unpatched zero-day and issued emergency advisories. The remaining cache was advertised as available to the highest bidder.[1]
The second, on 8 April 2017 (the "Don't Forget Your Base" post), released the password to the previously encrypted auction archive. The decrypted archive contained mostly older Linux, Unix and Solaris tools and operational-tradecraft material that corroborated the Equation Group provenance researchers had already assigned to the cache.
The third, on 14 April 2017 (the "Lost in Translation" post), was the most consequential. It released the principal Windows-platform exploits, the FUZZBUNCH framework used to launch them, the DOUBLEPULSAR implant, and operational documentation, including material on the targeting of SWIFT service bureaus.
Smaller releases continued across the remainder of 2017, including a paid monthly "dump service" announced in May 2017.[3]
Disclosed tools and Microsoft response
The April 2017 release published the principal NSA Windows-exploitation toolkit. The named tools included:
- ETERNALBLUE (CVE-2017-0144): remote code execution against the Server Message Block version 1 (SMBv1) server on Windows, reachable on TCP 445 without authentication. Patched by Microsoft on 14 March 2017 in security bulletin MS17-010, about one month before the public release. Contemporary reporting indicated that the NSA, having learned the tools had been taken, warned Microsoft; Microsoft did not confirm the source of its notice.
- DOUBLEPULSAR: kernel-mode backdoor implant that ETERNALBLUE installs on a compromised host and that later stages (WannaCry among them) use to load payloads over SMB.
- ETERNALROMANCE, ETERNALCHAMPION, ETERNALSYNERGY: additional SMBv1 exploits, all addressed in MS17-010, which covered CVE-2017-0143 through CVE-2017-0148.
- EXPLODINGCAN (CVE-2017-7269): remote code execution against the WebDAV component of IIS 6.0 on Windows Server 2003, a platform already out of support.
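A defender reading the list above mostly wants to know whether a host already carries the implant. The following is an added example written for this entry, not code from the Shadow Brokers release, from the NSA, or from any of the cited sources; it implements the publicly documented DOUBLEPULSAR "ping" check that open-source scanners such as nmap's smb-double-pulsar-backdoor script perform. The field values (the Trans2 parameter layout, the Timeout bytes whose sum encodes the ping opcode, the 0x41/0x51 Multiplex ID tell) follow those public detection scripts; the SMB1 negotiate, session set-up and IPC$ tree connect that produce the tid and uid are assumed to have been done by the caller, and the sample response bytes are constructed.

```python
import socket
import struct

# Constructed example, not Equation Group or NSA code: detector for the
# DOUBLEPULSAR SMB implant using its publicly documented "ping" behaviour.
# A backdoored host answers a Trans2 SESSION_SETUP whose Timeout bytes encode
# the ping opcode with Multiplex ID 0x51; a clean host echoes the request's 0x41.

SMB_COM_TRANSACTION2 = 0x32
TRANS2_SESSION_SETUP = 0x000E
REQUEST_MID = 0x41
INFECTED_MID = 0x51
# The implant derives its command from the sum of the four Timeout bytes mod 256:
# 0xa6 + 0xd9 + 0xa4 + 0x00 = 0x223 -> 0x23, the ping opcode.
PING_TIMEOUT = b"\xa6\xd9\xa4\x00"


def timeout_opcode(timeout: bytes) -> int:
    """Opcode the implant would extract from a Trans2 Timeout field."""
    return sum(timeout) & 0xFF


def smb1_header(command: int, tid: int, uid: int, mid: int,
                flags: int = 0x18, flags2: int = 0x2807) -> bytes:
    """32-byte SMB1 header; everything after the 0xFF 'SMB' magic is little-endian."""
    return struct.pack("<4sBIBHH8sHHHHH", b"\xffSMB", command, 0, flags, flags2,
                       0, b"\x00" * 8, 0, tid, 0xFEFF, uid, mid)


def build_doublepulsar_ping(tid: int, uid: int) -> bytes:
    """NetBIOS-framed SMB_COM_TRANSACTION2 request carrying the implant ping."""
    words = struct.pack(
        "<HHHHBBH4sHHHHHBBH",
        12, 0,         # TotalParameterCount, TotalDataCount
        1, 0,          # MaxParameterCount, MaxDataCount
        0, 0,          # MaxSetupCount, Reserved
        0,             # Flags
        PING_TIMEOUT,  # Timeout: the field the implant reads its command from
        0,             # Reserved2
        12, 66,        # ParameterCount, ParameterOffset (32 hdr + 1 + 30 + 2 + 1 pad)
        0, 78,         # DataCount, DataOffset
        1, 0,          # SetupCount, Reserved3
        TRANS2_SESSION_SETUP,
    )
    body = bytes([15]) + words + struct.pack("<H", 13) + b"\x00" * 13
    smb = smb1_header(SMB_COM_TRANSACTION2, tid, uid, REQUEST_MID) + body
    return struct.pack(">I", len(smb)) + smb  # NetBIOS session header: type 0, 3-byte length


def parse_smb1_header(message: bytes) -> dict:
    """Parse NetBIOS framing plus the SMB1 header; raise ValueError on anything else."""
    if len(message) < 36:
        raise ValueError("message too short for an SMB1 header")
    nb_type, nb_len = message[0], int.from_bytes(message[1:4], "big")
    if nb_type != 0 or nb_len != len(message) - 4:
        raise ValueError("bad NetBIOS session framing")
    f = struct.unpack("<4sBIBHH8sHHHHH", message[4:36])
    if f[0] != b"\xffSMB":
        raise ValueError("not an SMB1 message")
    return {"command": f[1], "status": f[2], "flags": f[3],
            "tid": f[8], "uid": f[10], "mid": f[11]}


def doublepulsar_present(response: bytes) -> bool:
    """True if a Trans2 response carries the implant's tell-tale Multiplex ID."""
    hdr = parse_smb1_header(response)
    if hdr["command"] != SMB_COM_TRANSACTION2 or not hdr["flags"] & 0x80:
        raise ValueError("not an SMB1 Trans2 response")
    return hdr["mid"] == INFECTED_MID


def ping_over_session(sock: socket.socket, tid: int, uid: int) -> bool:
    """Send the ping on an already negotiated SMB1 session (tid/uid from a prior
    NEGOTIATE, SESSION_SETUP and TREE_CONNECT to IPC$) and classify the reply."""
    sock.sendall(build_doublepulsar_ping(tid, uid))
    nb = sock.recv(4)
    if len(nb) < 4:
        raise ConnectionError("peer closed before NetBIOS header")
    length = int.from_bytes(nb[1:4], "big")
    body = b""
    while len(body) < length:
        chunk = sock.recv(length - len(body))
        if not chunk:
            raise ConnectionError("peer closed before full SMB response")
        body += chunk
    return doublepulsar_present(nb + body)


def fake_response(mid: int) -> bytes:
    """Constructed Trans2 response used to exercise the parser offline."""
    smb = smb1_header(SMB_COM_TRANSACTION2, 8, 8, mid, flags=0x98) + bytes([10]) + b"\x00" * 22
    return struct.pack(">I", len(smb)) + smb


if __name__ == "__main__":
    print("infected sample:", doublepulsar_present(fake_response(INFECTED_MID)))
    print("clean sample:", doublepulsar_present(fake_response(REQUEST_MID)))
```

Sending this to a live host is sending the implant a command, so agree scope before scanning an estate. A hit means the ETERNALBLUE path that installed the implant already ran with kernel privileges on that machine; the remediation is to rebuild the host, not merely to apply MS17-010.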
The most immediate response was Microsoft's. MS17-010 had shipped with the regular 14 March 2017 Patch Tuesday release (the February 2017 release having been cancelled), so supported systems had a fix a month before the exploits were public. On 12–13 May 2017, as WannaCry spread, Microsoft published emergency updates (KB4012598) for out-of-support systems (Windows XP, Windows 8, Windows Server 2003) that ordinarily would not have received them. Extending security updates to end-of-life platforms was itself a significant departure from Microsoft's support practice.[6]
WannaCry — 12 May 2017
The 12 May 2017 WannaCry ransomware attack — attributed by the US Department of Justice in the 6 September 2018 unsealed criminal complaint against Park Jin Hyok to the North Korean Lazarus Group — used the ETERNALBLUE-DOUBLEPULSAR chain as its propagation vector. The malware was self-propagating ransomware that encrypted targeted Windows systems and demanded Bitcoin payment for decryption.
The operational consequences across 12–15 May 2017 reached approximately 200,000 Windows systems in 150 countries. The most significant institutional impact was the disruption of the UK National Health Service: at least 81 of 236 NHS trusts were operationally affected, forcing the cancellation of approximately 19,000 scheduled medical appointments. Other major affected institutions included Telefónica (Spain), Deutsche Bahn rail-transport infrastructure, the Russian Interior Ministry, Renault automotive manufacturing, FedEx, and Hitachi.
The propagation was curtailed by a kill switch. The British researcher Marcus Hutchins, examining the malware's network behaviour, found that at start-up WannaCry attempted an HTTP connection to a hard-coded, unregistered domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) and exited if the connection succeeded; only if it failed did the sample go on to spread and encrypt. He registered the domain on 12 May 2017 and pointed it at a sinkhole, which halted further rapid propagation across hosts that could reach it.[7] The check offered no protection on networks where direct outbound HTTP was blocked, since the sample was reported not to honour system proxy settings, and later variants carried different domains, so the kill switch was a reprieve rather than a fix; the durable remediation was MS17-010 and disabling SMBv1.
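The kill-switch domain is also a high-fidelity indicator for incident responders: any internal host that resolved it ran the sample. The following is an added example for this entry, not code from MalwareTech or from any of the cited sources; it hunts resolver query logs for kill-switch lookups and reports first-seen time per client. The BIND-style query-log format and the log lines are constructed for the example, and the domain list is an assumption that should be fed from current threat intelligence rather than hard-coded.

```python
import re
from datetime import datetime

# Constructed example, not part of the original entry or of MalwareTech's code.
# A query for one of these names means WannaCry's initial code ran on that host;
# it does not by itself say whether the HTTP connection then succeeded.
KILLSWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",  # original sample, registered 12 May 2017
    "ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com",  # later variant; maintain from threat intel
}

# BIND-style query log line; the exact format is an assumption for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?client (?P<ip>[\d.]+)#\d+"
    r".*?query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)

# Constructed sample log: one host hitting the original domain twice (once in
# upper case with a trailing dot), a benign lookup, a second host hitting a
# variant domain, and a junk line the parser must skip.
SAMPLE_LOG = """\
12-May-2017 14:58:03.117 queries: info: client 10.1.4.22#51234: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.1.0.5)
12-May-2017 14:58:05.402 queries: info: client 10.1.4.22#51240: query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A + (10.1.0.5)
12-May-2017 14:59:41.010 queries: info: client 10.1.7.9#40011: query: update.microsoft.com IN A + (10.1.0.5)
12-May-2017 15:02:17.555 queries: info: client 10.2.0.88#61002: query: ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.1.0.5)
12-May-2017 15:02:18.001 queries: info: client 10.2.0.88#61003: query: ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN AAAA + (10.1.0.5)
this line is not a query log entry
"""


def normalise(qname: str) -> str:
    """Canonical form for matching: strip the root dot, lower-case."""
    return qname.rstrip(".").lower()


def parse_line(line: str):
    """Return the fields of one query-log line, or None if it is not a query."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
        "ip": m["ip"],
        "qname": normalise(m["qname"]),
        "qtype": m["qtype"],
    }


def find_killswitch_lookups(lines, domains=KILLSWITCH_DOMAINS):
    """Map each client IP that queried a kill-switch domain to first-seen time,
    lookup count and the set of domains it asked for."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qname"] not in domains:
            continue
        entry = hits.setdefault(rec["ip"], {"first_seen": rec["ts"], "count": 0, "domains": set()})
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        entry["count"] += 1
        entry["domains"].add(rec["qname"])
    return hits


def report(hits):
    """One line per affected client, ordered by IP, for the incident ticket."""
    return [
        f"{ip}: first kill-switch lookup {e['first_seen']:%Y-%m-%d %H:%M:%S}, "
        f"{e['count']} lookups ({', '.join(sorted(e['domains']))})"
        for ip, e in sorted(hits.items())
    ]


if __name__ == "__main__":
    for line in report(find_killswitch_lookups(SAMPLE_LOG.splitlines())):
        print(line)
```

Resolver logs only show the DNS side; whether a given host then reached the sinkhole (and so stopped) or failed (and so encrypted) has to come from proxy or firewall logs, which is why the per-host first-seen time matters for triage.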
NotPetya — 27 June 2017
The 27 June 2017 NotPetya attack, attributed by the US Department of Justice in the 19 October 2020 indictment of six GRU officers to GRU Unit 74455 (the Sandworm Team), was seeded through a trojanised update of the Ukrainian accounting package M.E.Doc. Inside a network it spread with ETERNALBLUE and ETERNALROMANCE against unpatched hosts, and against patched hosts by harvesting credentials from memory with Mimikatz-derived code and executing remotely through PsExec and WMIC, which is why fully patched estates were still overrun.
The defining feature of NotPetya was that it was destructive rather than financially motivated. The ransom demand was not recoverable by design: the "installation key" displayed to victims was random data unrelated to the encryption, so no decryption key could be derived from it, and the contact mailbox was suspended by its provider within hours. NotPetya was a wiper disguised as ransomware, the pattern that has characterised GRU Sandworm operations against Ukraine.
The operational consequences across June–July 2017 included documented damages at Maersk (approximately $300 million), Merck (approximately $870 million), FedEx subsidiary TNT Express (approximately $400 million), Mondelez International (approximately $100 million), and Ukrainian government and private infrastructure, the primary target. Total damages were later estimated by the US government at more than $10 billion, the most costly single cyber-attack in the public record.[4][5]
Attribution of the Shadow Brokers
The identity of the entity has been the subject of substantial investigative reporting. Three attribution hypotheses have been advanced.
The first, and the most often advanced, is Russian intelligence. It rests on the timing and tradecraft of the releases, the contrived broken English of the posts, and the public record of the FBI investigation; no charging document has named the group.
The second is insider compromise. The principal case is that of NSA contractor Harold (Hal) Martin, arrested in August 2016, charged that October, and convicted in 2019 for removing classified material from NSA facilities over the 1996–2016 period. Whether the Martin case is connected to the Shadow Brokers releases remains unresolved in the public record.
The third is a combination: multiple sources, insider and external, whose material was combined before publication.
The settled position is that attribution remains unresolved in the public record.[2][3]
Institutional response and reform
The response across the post-2017 period has had three principal threads.
The first is reform of the US Vulnerability Equities Process (VEP), the process for weighing the government's offensive interest in retaining an unpatched vulnerability against the defensive interest in disclosing it to the vendor for a fix. The White House published a revised VEP charter on 15 November 2017. The Shadow Brokers disclosure crystallised the policy question: government-held vulnerabilities can leak, and when they do the cost of having retained rather than disclosed them is borne by civilian computing infrastructure.
The second is a shift in defensive practice: faster deployment of patches for network-reachable services, retirement of SMBv1, and segmentation that limits lateral movement. NotPetya is the standard reference for why patching alone is insufficient, since it overran patched hosts with stolen credentials on flat networks, and Maersk's rebuild of its global Windows estate is the standard reference for recovery planning.
The third is the broader policy debate over how a government's stockpile of offensive tools should be weighed against its defensive responsibilities. The VEP reform is a partial answer; the underlying question remains open.
Legacy and implications
The consequences of the Shadow Brokers disclosure have been substantial.
Operationally, it reset expectations for patch and vulnerability management in large organisations and brought cyber-security into public view on a scale the earlier disclosures had not. WannaCry showed that a single wormable exploit against a widely exposed service could disrupt national infrastructure within hours, two months after a patch was available; NotPetya showed that a state actor could use the same exploit as one component of a wiper and cause the most expensive incident on record.
Politically, it drove the VEP reform and fixed the principle that a retained vulnerability carries a cost that must be weighed explicitly against its offensive value.
The continuing question, how a government's retained offensive capability should be balanced against its defensive posture, remains a live thread in post-2017 cyber-policy literature.
Related agencies
- National Security Agency — the institutional source of the disclosed cyber-tool inventory
- Federal Bureau of Investigation — the principal investigative agency on the source-attribution question
Sources and further reading
- Iain Thomson, NSA-pwned Cisco ASA boxes are still on the menu, The Register, 16 August 2016 — early coverage of the initial Shadow Brokers disclosure.
- Ellen Nakashima and Adam Goldman, NSA contractor charged with stealing classified data, The Washington Post, 5 October 2016 — the principal disclosure of the Hal Martin case.
- Scott Shane, Nicole Perlroth, and David E. Sanger, Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core, The New York Times, 12 November 2017 — the principal Shadow Brokers institutional reconstruction.
- Andy Greenberg, The Untold Story of NotPetya, the Most Devastating Cyberattack in History, Wired, August 2018 — the principal NotPetya institutional reconstruction.
- Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers, Doubleday, 2019 — the principal book-length reconstruction of the Sandworm Team and NotPetya.
- Microsoft Security Response Center, Microsoft Security Bulletin MS17-010: Security Update for Microsoft Windows SMB Server, 14 March 2017 — the principal Microsoft institutional response.
- Marcus Hutchins, How to Accidentally Stop a Global Cyber Attack, MalwareTech blog, 13 May 2017 — the principal WannaCry kill-switch reconstruction.
- United States Department of Justice, criminal complaint against Park Jin Hyok, unsealed 6 September 2018 — the principal federal charging document in the WannaCry attribution to the Lazarus Group.
- United States Department of Justice, Indictment of GRU Officers in NotPetya and Adjacent Cyber Operations, 19 October 2020 — the federal indictment in the NotPetya attribution to GRU Unit 74455.
- Symantec Corporation, What you need to know about the WannaCry Ransomware, 23 May 2017 — the principal commercial-vendor reconstruction.