The Shadow Brokers

2016-08

The Shadow Brokers is the self-designated entity that, between August 2016 and April 2017, publicly released a cache of NSA Tailored Access Operations hacking tools, in effect the operational cyber-weapons inventory of the Equation Group, including the ETERNALBLUE, DOUBLEPULSAR, ETERNALROMANCE and EXPLODINGCAN exploits and adjacent persistence frameworks. The released tools were reused in the May 2017 WannaCry ransomware (attributed to North Korea's Lazarus Group) and the June 2017 NotPetya destructive malware (attributed to Russia's GRU Sandworm Team), which together disrupted approximately 200,000 systems in 150 countries and caused documented damages exceeding $10 billion.

Background / Context

The disclosure emerged in a post-2014 environment in which large-scale leaks of cyber tools had become a recurring pattern. Prior episodes in the 2010–16 period included Kaspersky Lab's 2010–15 research documenting the Equation Group (the NSA-attributed cohort that operated the most capable cyber-weapons inventory then known); the 2013 Snowden disclosures, the major public exposure of NSA SIGINT operational architecture; the 2015 Hacking Team breach, in which the Italian commercial-spyware vendor's customer and tool inventory was published; and a number of related disclosures. The Shadow Brokers release positioned itself within that recurring pattern.

What distinguished the Shadow Brokers disclosure was that the released material consisted of operational NSA cyber-weapons, as opposed to the Snowden documents (descriptions of SIGINT operational architecture) or the Hacking Team breach (commercial spyware tools). The disclosing party had obtained working tools from NSA infrastructure and made them publicly available, with the consequence that criminal and state actors gained operational access to major cyber-weapons for which the broader cyber-defence community had no prior preparation.

The identity of the Shadow Brokers has been the subject of substantial investigative reporting and institutional commentary. The most discussed attribution hypotheses fall into three categories: Russian intelligence services (the most strongly supported hypothesis, based on analysis of the tradecraft of the releases, the English-language characteristics of the accompanying communications, and the record of the subsequent FBI investigation); insider compromise (the principal case being that of Hal Martin, the NSA contractor arrested in 2016 for the extensive improper removal of classified material from NSA infrastructure over the 1996–2016 period; whether the Martin case is related to the Shadow Brokers release remains unresolved in the public record); and combination patterns (the hypothesis that multiple sources contributed to the release). The settled position is that attribution remains unresolved in the public record.

The Operation

The Shadow Brokers disclosure sequence comprised five principal releases between August 2016 and April 2017.

13 August 2016 — initial public auction announcement

The initial disclosure, published as an announcement on Twitter and Pastebin, advertised a public auction of a cache of NSA-attributed cyber-weapons. The initial cache released with the announcement included functional, previously undisclosed operational tools: Cisco firewall exploitation tools (EXTRABACON, EPICBANANA, BENIGNCERTAIN), Juniper firewall exploitation tools, and additional Linux and Windows tools. The announcement stated that the remainder of the cache would be released to the highest bidder in a public auction.

The significance of the August 2016 cache was confirmed by major cybersecurity vendors. Cisco confirmed that EXTRABACON was a functional zero-day exploit against Cisco ASA firewalls and issued emergency security advisories, which established that the disclosed material was genuine.

14 January 2017 — password-released Windows-tools cache

The second disclosure, on 14 January 2017, released the password for the encrypted auction cache from the earlier announcement. This unlocked additional Windows-platform tools, including further major Windows exploitation tools.

8 April 2017 — the major release

The most consequential Shadow Brokers disclosure, the 8 April 2017 release, published the most significant operational tools of the disclosed inventory. The released material included:

  • ETERNALBLUE — the principal Windows SMB exploitation tool. ETERNALBLUE exploited a vulnerability in Microsoft's Server Message Block version 1 (SMBv1) implementation that allowed remote, unauthenticated arbitrary code execution on vulnerable Windows systems. Vulnerable systems included essentially all Windows versions without the 14 March 2017 Microsoft MS17-010 security update, meaning that a substantial portion of the global Windows installed base was vulnerable at the moment of the public release. MS17-010 had been released approximately one month before the Shadow Brokers disclosure; subsequent academic and journalistic commentary has suggested that Microsoft's prior knowledge of the impending disclosure triggered the out-of-band update.
  • DOUBLEPULSAR — the backdoor implant paired with ETERNALBLUE. DOUBLEPULSAR was the implant that ETERNALBLUE installed on the targeted Windows system, providing a persistent backdoor for subsequent attacker access.
  • ETERNALROMANCE — an additional Windows SMB exploitation tool, the paired alternative to ETERNALBLUE.
  • ETERNALCHAMPION and ETERNALSYNERGY — further Windows SMB exploitation tools.
  • EXPLODINGCAN — a Windows IIS web-server exploitation tool allowing remote, unauthenticated arbitrary code execution on vulnerable IIS web servers.

The cache also included substantial documentation, including operational tradecraft documents, target lists and related operational metadata, which established the genuine NSA provenance of the disclosed material.

The downstream consequences

The major consequence of the disclosure was the rapid operational deployment of the released tools by criminal and state actors.

WannaCry ransomware (12 May 2017)

The 12 May 2017 WannaCry ransomware attack, attributed to North Korea's Lazarus Group, used the ETERNALBLUE-DOUBLEPULSAR chain as its principal propagation vector. It was rapidly self-propagating ransomware that encrypted targeted Windows systems and demanded Bitcoin payment for decryption.

Over 12–15 May 2017 the attack affected approximately 200,000 Windows systems in 150 countries. The most significant impact was the disruption of the UK National Health Service: approximately 80 of 236 NHS trusts were operationally affected, forcing the cancellation of approximately 19,000 scheduled medical appointments. Other major organisations affected across the roughly 150 countries included Telefónica (Spain), Deutsche Bahn's rail-transport infrastructure in Germany, the Russian Interior Ministry, Renault's automotive manufacturing, FedEx and Hitachi.

WannaCry's spread was rapidly curtailed by the discovery of an operational kill-switch: before beginning encryption, the malware queried the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com and stopped if the query succeeded. British cybersecurity researcher Marcus Hutchins, who discovered the check, registered the domain, which effectively halted further propagation across the broader Windows installed base.
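The kill-switch check described above leaves a trace in DNS telemetry that a defender can use. The following is an added example, not code from the article or from any vendor: it scans constructed resolver log lines (the log format is assumed) for lookups of the kill-switch domain and separates hosts where the sinkhole answered (payload halted) from hosts where it did not (encryption and SMB spread expected).

```python
"""Added example, not from the article: a defender-side scan of constructed
DNS-resolver log lines for lookups of the WannaCry kill-switch domain named
in the text. Any host that looked the domain up executed the malware; whether
the lookup was answered tells you whether the kill-switch halted it there."""
import re

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Assumed, simplified resolver log format for this example:
# <timestamp> <client-ip> query <name> <rcode>
LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")

# Constructed sample lines (not real telemetry). 10.0.7.44 never gets an
# answer, mirroring a network segment that blocks outbound resolution.
SAMPLE_LOG = """\
2017-05-12T10:01:02Z 10.0.5.21 query update.microsoft.com NOERROR
2017-05-12T10:01:05Z 10.0.5.21 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
2017-05-12T10:02:11Z 10.0.7.44 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T10:02:30Z 10.0.7.44 query IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. SERVFAIL
2017-05-12T10:03:00Z 10.0.9.9 query example.org NOERROR
this line is malformed and must be skipped
"""


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def scan_dns_log(text: str) -> dict:
    """Return {client_ip: {"queries": n, "answered": bool}} for every host
    that looked up the kill-switch domain. 'answered' becomes True once any
    lookup returned NOERROR, i.e. the sinkhole was reachable from that host."""
    hits = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, name, rcode = m.groups()
        if normalize(name) != KILL_SWITCH_DOMAIN:
            continue
        entry = hits.setdefault(client, {"queries": 0, "answered": False})
        entry["queries"] += 1
        if rcode == "NOERROR":
            entry["answered"] = True
    return hits


def triage(hits: dict) -> dict:
    """Map each host to a response priority. Both classes are compromised and
    need rebuilding plus an MS17-010/SMBv1 review; the unanswered class is the
    one where encryption and SMB propagation are expected to be under way."""
    return {
        client: "P1 active: kill-switch unreachable, isolate now"
        if not e["answered"]
        else "P2 halted: kill-switch answered, still contain and rebuild"
        for client, e in hits.items()
    }


if __name__ == "__main__":
    for host, verdict in sorted(triage(scan_dns_log(SAMPLE_LOG)).items()):
        print(host, verdict)
```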

NotPetya destructive-malware (27 June 2017)

The 27 June 2017 NotPetya destructive-malware attack, attributed to Unit 74455 of Russia's GRU (the Sandworm Team), used the ETERNALBLUE-DOUBLEPULSAR chain together with additional Windows-platform persistence mechanisms as its propagation vectors.

The defining feature of NotPetya was that it was purely destructive rather than financially motivated: the ransom demand it displayed was functionally non-recoverable, because the encryption keys were not stored, so encrypted data could not be decrypted regardless of any ransom paid. It was destructive malware disguised as ransomware, a pattern that has characterised the GRU Sandworm Team's operations throughout the Ukraine-related engagement period.

Over June–July 2017 the attack caused significant damage across major organisations: Maersk (the Danish shipping company, approximately $300 million in damages); Merck (the US pharmaceutical company, approximately $870 million); FedEx subsidiary TNT Express (approximately $400 million); Mondelez International (the snack-food manufacturer, approximately $100 million); the Ukrainian government's infrastructure, the primary target of the attack, which was heavily affected; and others. Total documented damages exceeded $10 billion, the largest from a single cyber-attack event in the public record.

Disclosure / Aftermath

The institutional response to the Shadow Brokers disclosure proceeded across the post-2017 period.

The most immediate response was Microsoft's pattern of emergency security updates. The 14 March 2017 MS17-010 update, the out-of-band update that patched the ETERNALBLUE vulnerability, was followed on 13 May 2017 by additional emergency updates for end-of-life Windows systems (Windows XP, Windows 8, Windows Server 2003) that would normally not have received security updates. This shifted Microsoft's position on security updates for end-of-life systems.

The broader response across the post-2017 period has included: the 2017 reform of the Vulnerability Equities Process under the Trump administration, the process for balancing the government's offensive interest in retaining knowledge of a vulnerability against the broader defensive interest in disclosing it to the vendor for patching; a shift in cyber-defence practice, with significantly strengthened patch-management discipline across major organisations; and a developing cyber-policy commentary on how the government's inventory of cyber tools should be balanced against the broader interests of cyber defence.

Legacy / Implications

The consequences of the Shadow Brokers disclosure across the post-2017 period have been substantial.

The operational consequence has been a significant shift in the cyber-defence landscape: stronger patch-management discipline, more mature vulnerability management, and broader public engagement with cyber-security questions. The NotPetya case in particular has become the defining reference case for how major private-sector organisations can protect themselves against state-actor cyber-attacks.

The political consequence has been the significant reform of the government's Vulnerability Equities Process. The position that has developed is that the government's offensive interest in retaining knowledge of a vulnerability must be balanced against the broader defensive interest in disclosing it to the vendor, a position that the Shadow Brokers disclosure substantially shaped.

The continuing question the disclosure raises, how the government's inventory of cyber tools should be balanced against the broader interests of cyber defence, remains a thread in the post-2017 cyber-policy literature. The Vulnerability Equities Process is an attempted institutional answer; the broader question remains unresolved in the public record.

  • National Security Agency — the institutional source of the disclosed cyber-tool inventory
  • Federal Bureau of Investigation — the principal investigative agency on the question of the disclosure's source

Sources & Further Reading

  1. Iain Thomson, NSA-pwned Cisco ASA boxes are still on the menu, The Register, 16 August 2016 — substantial early coverage of the initial Shadow Brokers disclosure.
  2. Ellen Nakashima and Adam Goldman, NSA contractor charged with stealing classified data, The Washington Post, 5 October 2016 — the principal disclosure of the Hal Martin case.
  3. Scott Shane, Nicole Perlroth, and David E. Sanger, Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core, The New York Times, 14 April 2017 — the principal Shadow Brokers institutional reconstruction.
  4. Andy Greenberg, The Untold Story of NotPetya, the Most Devastating Cyberattack in History, Wired, August 2018 — the principal NotPetya institutional reconstruction.
  5. Andy Greenberg, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers, Doubleday, 2019 — the principal book-length reconstruction of the Sandworm Team and NotPetya.
  6. Microsoft Security Response Center, Microsoft Security Bulletin MS17-010: Security Update for Microsoft Windows SMB Server, 14 March 2017 — the principal Microsoft institutional response.
  7. Marcus Hutchins, How to Accidentally Stop a Global Cyber Attacks, MalwareTech blog, 13 May 2017 — the principal WannaCry kill-switch reconstruction.
  8. United States Department of Justice, Indictment of Park Jin Hyok, 6 September 2018 — the principal federal indictment in the WannaCry attribution to the Lazarus Group.
  9. United States Department of Justice, Indictment of GRU Officers in NotPetya and Adjacent Cyber Operations, 19 October 2020 — the principal federal indictment in the NotPetya attribution to GRU Unit 74455.
  10. Symantec Corporation, What you need to know about the WannaCry Ransomware, 23 May 2017 — the principal commercial-vendor institutional reconstruction.