Who Are The Shadow Brokers?

Uploaded on 2017-08-14 in NEWS-Cybersecurity News, INTELLIGENCE--USA, FREE TO VIEW

The identity of the Shadow Brokers has become one of the biggest questions in the infosec industry this year, and Matt Suiche believes the evidence points to an insider threat rather than an external nation-state attacker.

Suiche, founder of managed threat detection company Comae Technologies, spoke at Black Hat 2017 about the Shadow Brokers, the entity which has been releasing files and hacking tools over the last year from the Equation Group, a hacking outfit connected to the US National Security Agency. 

Suiche explained how the behavior and tactics of the Shadow Brokers have over time revealed some clues about their background and general identity, which suggest the dumps are the work of disgruntled insiders who are either current or former intelligence community contractors.
"There's definitely a huge problem around insider threats," he said. "That's why I, personally, think and I would not be surprised to see the source of those files was another contractor."

While the group's blog posts are written in broken English that suggests Russian-speaking authors, Suiche said the language was likely an operations security (Opsec) tactic to obscure the true identities of the Shadow Brokers. Suiche said the people behind the Shadow Brokers group have "an interesting sense of humor" and demonstrated strong familiarity with the National Security Agency's Tailored Access Operation (TAO), which was the first sign that the Shadow Brokers were, in fact, insiders, rather than Russian threat actors. The group has also expressed anger at former members of TAO and threatened to reveal the identities of current TAO hackers.
"It seems like the Shadow Brokers know a lot about TAO as a team," he said.

Suiche said the US defense and intelligence communities employ tens of thousands of contractors, and a number of disgruntled insiders have come to light in recent years, including Edward Snowden and Harold Martin, both of whom worked as government contractors at Booz Allen Hamilton. "I don't know if we should say the intelligence community has an insider problem or if Booz Allen has an insider problem," he said.

The Shadow Brokers dumps started relatively small, Suiche said; the first batch of free exploits included bugs in many common firewall products. The group later followed up with Solaris operating system exploits, as well as more detailed information on proposed Equation Group targets, which included domains in countries like China and Iran. Another revealing pattern of behavior, according to Suiche, was the group's increased attempts over time to gain attention, and the expressions of anger and frustration when the level of attention didn't meet the group's expectations.

The Shadow Brokers, he said, clearly wanted more than just to dump and sell the Equation Group cyber-weapons; they wanted headlines as well.

Later dumps included detailed operational notes with code names not just for the cyber-weapons, but for prospective targets of hacking operations as well. Suiche mentioned one example where the operational notes indicated Equation Group had targeted different mobile service providers across the globe, likely in an effort to gain access to communications.
The biggest Shadow Brokers dump, which featured Windows exploits like EternalBlue and tools to access the Society for Worldwide Interbank Financial Telecommunication SWIFT messaging system, also contained a large amount of information about hacking operations, including un-redacted metadata, PowerPoint presentations and even the names of Equation Group members. 
"That one was pretty interesting," Suiche said. "It contained some tools but mainly operational notes regarding what happened to one of the SWIFT Service Bureau in the Middle East, and it was extremely detailed."
Suiche said this was when the "narrative of the Shadow Brokers kind of changed," as the level of information about the Equation Group's inner workings was embarrassing for the National Security Agency. "It's hard to believe the most powerful intelligence agency in the world is not doing any opsec," he said.

While the Shadow Brokers recently introduced a monthly service to sell the stolen cyber-weapons, Suiche doesn't believe that money is the group's motive, as asking for 1 million Bitcoin (currently over $2.7 billion) isn't a reasonable request. In his presentation, Suiche also emphasised that it's unclear whether anyone has actually received exploits purchased through the new monthly service.
"They're following a pattern where the price keeps doubling," he said, adding that creating "fear, uncertainty and doubt is definitely part of their strategy."

Suiche closed the presentation by, again, suggesting the Shadow Brokers were either current or former intelligence contractors and warned of the potential risks such individuals could pose to cyber-security. "It's kind of worrying to see the rising threat from some unreliable intelligence agency employees," he said.

TechTarget:

You Might Also Read:

Kasperky Identify The ‘Equation Group’:

Prices For Stolen NSA Exploits Go Higher:

Careless: NSA Hacking Tools Theft Due To Operative's 'Mistake':

 

« The US Power Generation System Is Under Siege
German Police To Hack Suspect Devices »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

KPMG

KPMG

KPMG s a leading provider of professional services including information technology and cyber security consulting.

Kaspersky Lab

Kaspersky Lab

Kaspersky Lab is one of the world’s largest privately held vendors of endpoint cybersecurity solutions.

QNAP Systems

QNAP Systems

QNAP Systems, Inc. delivers world class network attached storage (NAS) and network video recorder (NVR) solutions.

AON

AON

Aon is a leading global provider of risk management (including cyber), insurance and reinsurance brokerage, human resources solutions and outsourcing services.

Secure360

Secure360

Secure360 focuses on the following key areas: governance, risk and compliance, information security, physical security, business continuity management, and professional development.

Venable

Venable

Venable is an American Lawyer 100 law firm with nine offices across the USA, Practice areas include Cybersecurity.

TechGuard Security

TechGuard Security

TechGuard Security was founded to address national cyber defense initiatives and US critical infrastructure security.

Bechtel

Bechtel

Bechtel’s Industrial Control Systems Cyber Security Laboratory focuses on protecting large-scale industrial and infrastructure systems that support critical infrastructure.

ACM-CCAS

ACM-CCAS

ACM is a UKAS-accredited certification body helping businesses around the world perform to a higher standard. Our certifications include ISO 27001 and ISO 22301.

Red Piranha

Red Piranha

Red Piranha's Crystal Eye Unified Threat Management Platform is designed for Managed Service Providers and corporations that need extreme security that is both easy to use and affordable.

QGroup

QGroup

QGroup has been re-designing the consultancy industry since 2012. We're a rapidly expanding group of consulting companies that deliver bespoke IT services including cybersecurity.

Matrium Technologies

Matrium Technologies

Matrium Technologies has been a leading provider of technology solutions since 1991, with a strong industry background in Network Testing, Network Visibility and Security.

Otava

Otava

Otava is a global leader of secure, compliant hybrid cloud and IT solutions for service providers, channel partners and enterprise clients.

TrafficGuard

TrafficGuard

TrafficGuard is an award-winning digital ad verification and fraud prevention platform.

DHCO IT

DHCO IT

The DHCO IT team are experts in IT support, cyber security, cloud support and disaster recovery, and are Microsoft 365 partners.

Amplifier Security

Amplifier Security

Amplifier Security are on a mission to empower security teams to modernize their practice by connecting the dots between their security stack and their people.