In 2016, a mysterious person or a group of hackers revealed how big a threat cybercrime can be. Calling themselves The Shadow Brokers, the hackers released more than a gigabyte worth of highly sensitive tools allegedly belonging to the American National Security Agency (NSA), Tailored Access Operations (TAO) unit, the Equation Group. The capabilities exhibited in The Shadow Brokers’ hack were never heard of before and the leaked cache of exploits was so powerful that the group became immediately infamous. What could be the identity of this highly sophisticated hacker group? The answer to that can be found in this article.

The Shadow Brokers were not only able to gain access to the NSA’s toolbox, but they also managed to steal information about its modus operandi, [1] including a list of agents‘ names and a code for hacking into Middle Eastern banks, linked to the NSA’s attack against financial institutions in the area. [2] Surprisingly, however, as far as we know, The Shadow Brokers never used the stolen data in any kind of cyber attack. Instead, they sold it to the highest bidder and later created a monthly subscription service, [1] a rather strange behavior for a hacker group of this sophistication.

After surprising the world, The Shadow Brokers suddenly went silent in July 2017. [1] To this day, no one is sure who they were, why were they releasing the stolen materials, and if they will ever post again. However, in case they would or just to shed light on the previous events, this article analyses the possible theories of the group’s identity and their intent. It focuses on the topic from the perspective of the Advanced persistent threats (APTs), considering the possibility of a government-funded cyber attack, as well as a non-governmental sabotage kind of activity.

The Chinese Theory

In cyberspace, China is currently regarded as the biggest threat to the United States. [3] Therefore, it is logical to analyze whether The Shadow Brokers could come from China.

Most evidence points to a negative answer. Most importantly, in 2015 Barack Obama came into office and he took a strong stance against Chinese hacking activities. Once he threatened the Chinese president Xi Jinping with sanctions in response to the Chinese hacking of the U.S. Office of Personnel Management, they agreed on a deal that China would stop the hacking of the American companies and interests for its industrial benefit. And for 18 months, during the time The Shadow Brokers were posting, there was a significant drop in the Chinese hacking. [3] Of course, that could mean that China would take cover under the name of a previously unknown hacking group, but there is another evidence that may point otherwise.

The Chinese-affiliated hacking group APT31 was already in possession of a clone of the NSA’s exploit EpMe with a Windows zero-day bug, for four years before The Shadow Brokers released it. [4] It wouldn’t make any sense for APT31 to release the exploit at all because it would be more valuable for them to store it in secrecy, so they can utilize it whenever possible. Once released, the exploits are shortly fixed by the targeted companies, therefore there is no reason, other than money and upsetting the owner of the cyber tools, to leak them.

China is currently among the richest nations in the world and its cybercriminal activities play a negligible if any, role in that fact. [5] Therefore, putting that much effort into a very uncertain source of profit doesn’t seem like a sufficiently sensible motive for a Chinese APT. There is also the fact that during the time of The Shadow Brokers activity China acted in accordance with the agreements with the United States. This theory could be only disapproved if we presume that the Chinese APTs act in their country’s interests, therefore one would not hurt another with its actions. In this context, The Shadow Brokers wouldn’t exploit valuable assets to another group. Nevertheless, we can’t know if the cyber groups cooperate at all. Moreover, China could always create an unknown APT to circumvent the agreements for example. Therefore, the chances would be about even with the Chinese theory if there weren’t more evidence connecting the hackers to another state, which will be analysed further in this article.

The North Korean Theory

It may seem that North Korea sometimes tends to exaggerate and show off its cyber capabilities as was presented in the famous Sony Pictures hack that happened in 2014. [6] Back then, a North Korean foreign ministry spokesperson called the forthcoming American comedy with a plot of assassinating Kim Jong Un “an act of terrorism” and threatened with launching a “merciless counter-measure”. [7] A hacker group called the Guardians of Peace then hacked Sony, stole a huge amount of data, and shut down the company’s servers for days. [8] If North Korea is capable of such an attack a second theory presents itself: Could The Shadow Brokers be a North Korean APT?

What connects the hacker group with North Korea is the WannaCry ransomware attack. The Lazarus Group, which was involved in the Sony Pictures hack and stole 81 million dollars from Bangladesh’s central bank in 2016 was also accused of creating the WannaCry ransomware. Two reputable security firms, Kaspersky and Symantec, stated that the technical details within an early version of the WannaCry code demonstrate similarities with the previous activity of the Lazarus Group. Furthermore, the companies stated that the WannaCry exploits were drawn from the Shadow Brokers’ cache of exploits. [9]

Nevertheless, this case only proves that the hoarding of vulnerabilities by governmental agencies is a problem. Even though there is a link between the Lazarus group and The Shadow Brokers ergo between The Shadow Brokers and North Korea, they are probably two different hacker groups. The Lazarus Group was not acting carefully enough and was caught. The Shadow Brokers are likely another, a more sophisticated hacker group, from which the Lazarus Group bought the materials for their hacking events.

But that doesn’t disapprove of this theory.  In the analysis of The Shadow Brokers’ posts on Steemit, a blockchain-based blogging and social media website, I found two posts that are making fun of North Korea. Specifically, one includes a meme of Kim Jong Il’s character from a comedy movie called “Team America: World Police“, in which the character isn’t portrayed respectfully. [10] And another one makes fun of the North Korean political regime and ideology. [11] It is unlikely for North Korean hackers to publicly shame their ideology. Hence the North Korean theory can be very likely called false.

The Russian Theory

During the time of The Shadow Brokers’ leaks, many experts debated whether the group could be a Russian APT. [12] The relations between the U.S. and Russia at the time would aid this theory. Russia was accused by the U.S. government of being responsible for hacking the servers of the Democratic National Committee and The Shadow Brokers started releasing shortly after the DNC and a security firm, CrowdStrike, pointed their fingers at Russia. [12]

To add to the tensions regarding the presidential elections and Putin’s influence campaign, in one of their messages the hacker group addressed Donald Trump. They claimed to have been his supporters but were losing faith in him and his actions including an increased U.S. involvement in Syria. [13] Intensifying the U.S. engagement in a war where Russia supports the opposite side is logically something a Russian APT wouldn’t like. However, The Shadow Brokers aren’t any typical APT or a typical hacker.

Even though Russia would probably like to make the NSA seem incompetent. And Edward Snowden also mentioned The Shadow Brokers possibly being a part of a new cyber cold war. [12]  There is more evidence disapproving of this theory. Firstly, according to the same logic I used in the previous cases, if The Shadow Brokers were a Russian APT, the tools they stole would be of more use if kept secret, not sold online. Furthermore, Russia already has prominent hacker groups such as Cozy Bear and Fancy Bear. [14] Unless it was an avoidance strategy or a way to undermine the U.S. or the western countries, it would be bizarre if one of the Russian hacker groups sold information valuable to them.

American/insider theory

From the analysis so far, one may wonder if The Shadow Brokers are an APT. They don’t act like one, but their hacks are extraordinarily sophisticated for it to be just a rogue group or person. Therefore, another theory presents itself: an American insider, someone who worked for the Equation Group, TAO, or at least for the NSA is behind The Shadow Brokers.

The first evidence supporting the American/insider theory is the linguistic analysis, which was done on the messages The Shadow Brokers posted. All of them are written in bad English, although the spelling is entirely correct (except the second message, where “r”s are intentionally interchanged with “l”s to sound like the Kim Jong Il character from the movie Team America: World Police). [15] According to the study the text includes grammatical errors in idioms that a low-skilled English speaker wouldn’t probably know. The linguistic analysis concludes that someone is intentionally inserting errors and the author is a native English speaker who’s writing purposely to sound like a foreigner. [16]

When I first read the messages I came to a similar conclusion, that the author is trying to sound foreign, sometimes maybe even Russian due to the world order, and that the errors are too obvious to be made naturally. However, I believe, someone with very good English skills could write the same text, not necessarily having to be a native speaker. Nevertheless, it is most probably written by someone fluent in English. Moreover, The Shadow Brokers refer to this topic in one of their messages where they claim to write in bad English on purpose. [16]

Furthermore, there are many thoughts on politics, relationships, and events including several politicians mentioned in the messages, [16] therefore the author needs to know and follow American politics very thoroughly. A normal government-supported APT probably wouldn’t have known or wouldn’t talk about their specific political opinions to hide the ideological link to their supervisors. On top of that, there are multiple cultural references of American nature, such as the ones already mentioned in the article, meaning that the author is someone well versed in American culture. To finish the argument based on the analysis of the messages, in the tenth message they not only acknowledge that their English is bad by intent, but they also suggest they are indeed Americans. [17]

From the cyber perspective, there is more evidence supporting this theory. Former NSA employee, who wished to stay anonymous, claims that he and his colleagues believe there was no hack, nor there is a group. He says that some of the stolen files and scripts were only accessible internally, they were stored on a physically separated network that is not connected to the internet at all, and there is no reason for these data to be on a server someone could hack. [18] A cybersecurity expert Matt Suiche was doing an in-depth analysis on The Shadow Brokers, and he backed this claim by finding out that the stolen toolkit is indeed stored on a physically segregated network without internet access, and with some of the scripts it doesn’t make sense to have them on a staging server because they are only used for setting up a workstation pre-operation. So, until someone did a mistake or someone purposedly put them on a staging server, they could not have been stolen. He also stated that according to the file hierarchy and the unchanged file naming, it seems like the files were directly copied from the source. [19]

The Shadow Brokers also revealed the name of one cyber expert who used to work for TAO, while he claims that only his closest family and his co-workers knew of his actual job. The hacker group also mentioned the names of the different projects or files he was working with, which are classified and were not included in the stolen data. [20] Moreover, in the twelfth message posted on Steemit, The Shadow Brokers are claiming to know that the Equation Group has HUMINT inside Microsoft and other U.S. technology companies. [21] That can of course be only an assumption, but it is information an insider would know.

The most important fact that supports the insider theory, however, is that the NSA itself suspected an insider behind the leaks, based on two arrests that went down after the leaks went online. After the first group’s post, the F.B.I. got a warrant to search a home of Harold T. Martin III, NSA contractor working through Booz (the same organization Snowden was working for [1]) and found terabytes of stolen material. It is presented that there is no evidence that Martin leaked anything from the stolen data to The Shadow Brokers, [22] but the time frame here is very suspicious.

There was also another arrest of a TAO employee. Nghia Hoang Pho was sentenced to prison for willful retention of classified material. Part of his hearing was classified for National Security Reason [23] and since it is not possible to compare this stolen data to those leaked by The Shadow Brokers, the possibility of a link between them cannot be eliminated. Furthermore, the Director of the NSA, Michael S. Rogers sent a letter to the court regarding the trial of Nghia Hoang Pho. A French cyber expert analyzed this letter and speculated that there are some indications that the data might have included class exploits such as Eternal and the FuzzBunch framework that links it to The Shadow Brokers. [24]

Finally, there is one minor, but interesting thing in support of this theory. Matt Suiche claims there is a great gaming culture inside the TAO group. [19] And the name The Shadow Brokers most probably comes from a game called Mass Effect, where the character stands for “an enigmatic figure at the head of an expansive organization which trades in information, always selling to the highest bidder” [25], which fits the modus operandi The Shadow Brokers started with. Therefore, it is possible that the group or the hacker could be an insider of TAO.

These are of course only speculations, though supported by circumstantial evidence. And on top of that, there is one thing that comes to mind when questioning this theory. The NSA’s candidates must certainly undergo very demanding personal and psychological tests, so how could someone who was accepted to this organization, share the ideas that The Shadow Brokers promote? An answer to that question might lie in the ninth message the group has posted on Steemit. There they claim to have been a part of the so-called Deep State, which according to a conspiracy theory is a group of people within the American government that includes national security bureaucrats who secretly collect information and use it to manipulate the actions of elected officials. President Trump often accused them of working against him. [26] In the message, The Shadow Brokers also claimed that most of their members have taken the oath “…to protect and defend the constitution of the United States against all enemies foreign and domestic…”. But they had a change in their heart once they saw how the „Deep State“ really works. [11] If we decide to trust their statement, then I believe, we have a similar case to that of Snowden. He also successfully underwent all the different NSA entry tests, but he decided to leak the classified information once he saw how the organization works. [27]

Fitting the intent to the theory

The last thing this article focuses on is the intent of The Shadow Brokers’ actions and where does it stand from the perspective of the last theory. The Shadow Brokers have claimed many times that their sole target is the Equation Group and that their sole intent is to battle with it, as it is the most sophisticated hacking group in the world, and they want to burn its exploits. [15,20] But why would they do that? Maybe they just want to show the problem with hoarding zero-day-like material by the governmental agencies. However, a more probable explanation is to look at The Shadow Brokers as a group of hacktivists. They have shared their political inclinations as well as the anti-globalist and anti-war ideas many times.

They claim to have political motives but on the other hand, it looks like they don’t want to be seen as criminals. As far as we know, they aren’t using the stolen data in their cyber attacks., They are selling them to the highest bidder and creating a monthly subscription service. Therefore, they only might be after profit, and since no other hacker group has ever been able to that much data from the Equation Group if any at all, selling them might generate a great profit. On top of that, it is probably much safer than using the data in their hacks since there would be more actions ergo more possible mistakes to track them by.

Moreover, either if one insider was sharing the data with other like-minded people or if The Shadow Brokers were only one person, a possible explanation behind his doing can be understood by portraying the insider in the same light as Snowden. The Shadow Brokers may have a member, who used to work for the NSA and used to share the same ideals as his superiors, but for some reason became angry with the status quo and decided to do something about it or just sought vengeance by hacking and making money.

In any case, The Shadow Brokers have been silent for a long time now. Is it because they run out of material to sell? Or do they have more and are waiting for something? Another possibility, concerning the last theory, is that the NSA has already caught the insider and the information just didn’t get to the media because TAO is preserving its reputation. Maybe The Shadow Brokers will re-emerge again and prove the entire theory wrong.

Sources:

[1] comae technologies. (2017). “The Shadow Brokers Cyber Fear Game-Changers”. Comae technologies. Retrieved from: https://archive.org/details/us-17-Suiche-TheShadowBrokers-Cyber-Fear-Game-Changers-wp. (Accessed 18. 12. 2021).

[2] Goodin, Dan. (2017). “NSA-leaking Shadow Brokers just dumped its most damaging release yet”. Ars technical. Retrieved from: https://arstechnica.com/information-technology/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/. (Accessed 18. 12. 2021).

[3] Perlorth, Nicol. (2021). “How China Transformed Into a Prime Cyber Threat to the U.S.“. The New York Times. Retrieved from: https://www.nytimes.com/2021/07/19/technology/china-hacking-us.html. (Accessed 18. 12. 2021).

[4] Gatlan, Sergiu. (2021). “Chinese hackers used NSA exploit years before Shadow Brokers leak“. Bleeping Computer. Retrieved from: https://www.bleepingcomputer.com/news/security/chinese-hackers-used-nsa-exploit-years-before-shadow-brokers-leak/. (Accessed 18. 12. 2021).

[5] India Today. (2021). “China overtakes US as world’s richest nation as global wealth surges“. India Today. Retrieved from: https://www.indiatoday.in/business/story/china-overtakes-us-as-richest-country-global-wealth-mckinsey-report-1877299-2021-11-16 (Accessed 16. 1. 2022).

[6] Stengel, Richard. (2019). “THE UNTOLD STORY OF THE SONY HACK: HOW NORTH KOREA’S BATTLE WITH SETH ROGEN AND GEORGE CLOONEY FORESHADOWED RUSSIAN ELECTION MEDDLING IN 2016“. Vanity Fair. Retrieved from: https://www.vanityfair.com/news/2019/10/the-untold-story-of-the-sony-hack. (Accessed 18. 12. 2021).

[7] Reutters Staff. (2014). “North Korea slams U.S. movie on leader assassination plot“. Reuters. Retrieved from: https://www.reuters.com/article/northkorea-usa-movie-idUSL4N0P61AY20140625. (Accessed 18. 12. 2021).

[8] VanDerWerff, Emily and Lee, Timothy B. (2015). “The 2014 Sony hacks, explained“. Vox. Retrieved from: https://www.vox.com/2015/1/20/18089084/sony-hack-north-korea. (Accessed 20. 12. 2021).

[9] Solon, Olivia. (2017). “WannaCry ransomware has links to North Korea, cybersecurity experts say“. The Guardian. Retrieved from: https://www.theguardian.com/technology/2017/may/15/wannacry-ransomware-north-korea-lazarus-group. (Accessed 18. 12. 2021).

[10] The Shadow Brokers. (2016). “Message#2“. Steemit. Retrieved from: https://swithak.github.io/SH20TAATSB18/Archive/Messages/TSB/Message2/. (Accessed 18. 12. 2021).

[11] The Shadow Brokers. (2017). “Message9 Don’t Forget Your Base“. Steemit. Retrieved from: https://swithak.github.io/SH20TAATSB18/Archive/Messages/TSB/Message9/. (Accessed 18. 12. 2021).

[12] Franceschi-Bicchierai, Lorenzo. (2016). “Hack of NSA-Linked Group Signals a Cyber Cold War“. Vice. Retrieved from: https://www.vice.com/en/article/z43wwe/hack-nsa-linked-equation-group-cyber-cold-war. (Accessed 19. 12. 2021).

[13] The Shadow Brokers. (2017). “Don’t forget your base“. Steemit. Retrieved from: https://swithak.github.io/SH20TAATSB18/Archive/Messages/TSB/Message9/. (Accessed 19. 12. 2021).

[14] Editorial Team. (2020). „CrowdStrike’s work with the Democratic National Committee: Setting the record straight“. Crowdstrike. Retrieved from: https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/. (Accessed 19. 12. 2021).

[15] The Shadow Brokers‘ Steemit Messages. Retrieved from: https://swithak.github.io/SH20TAATSB18/Archive/Messages/TSB/TheShadowBrokers-SteemitMessages/. (Accessed 19. 12. 2021).

[16] Franceschi-Bicchierai, Lorenzo. (2016). „The NSA Data Leakers Might Be Faking Their Awful English To Deceive Us“. Vice. Retrieved from: https://www.vice.com/en/article/gv5d93/the-shadow-brokers-nsa-leakers-linguistic-analysis. (Accessed 19. 12. 2021).

[17] The Shadow Brokers. (2017). “Grammer Critics: Information vs Knowledge“. Steemit. Retrieved from: https://swithak.github.io/SH20TAATSB18/Archive/Messages/TSB/Message10/. (Accessed 19. 12. 2021).

[18] Cox, Joseph. (2016). “Former NSA Staffers: Rogue Insider Could Be Behind NSA Data Dump.“ Vice. Retrieved from: https://www.vice.com/en/article/ezp5na/former-nsa-staffers-rogue-insider-shadow-brokers-theory. (Accessed 19. 12. 2021).

[19] Suiche, Matt. (2016). “Shadow Brokers: The insider theory“. Medium. Retrieved from: https://medium.com/comae/shadowbrokers-the-insider-theory-ded733b39a55#.br7pbm7ar. (Accessed 19. 12. 2021).

[20] Darknet Diaries podcast. “EP 53: SHADOW BROKERS“. Darknet Diaries. Retrieved from: https://darknetdiaries.com/transcript/53/. (Accessed 19. 12. 2021).

[21] The Shadow Brokers. (2017). „OH LORDY! Comey Wanna Cry Edition“. Steemit. Retrieved from: https://swithak.github.io/SH20TAATSB18/Archive/Messages/TSB/Message12/. (Accessed 19. 12. 2021).

[22] Morse, Dan and Jackman, Tom. (2019). “NSA contractor sentenced to nine years in theft of massive amounts of classified material.“ The Washington Post. Retrieved from: https://www.washingtonpost.com/local/public-safety/nsa-contractor-who-stole-massive-amounts-of-classified-material-set-for-sentencing-friday/2019/07/18/83f1bf96-a995-11e9-9214-246e594de5d5_story.html. (Accessed 19. 12. 2021).

[23] The United States Department of Justice. (2018). “Former NSA Employee Sentenced to Prison for Wilful Retention of Classified National Defense Information“. Department of Justice Office of Public Affairs. Retrieved from: https://www.justice.gov/opa/pr/former-nsa-employee-sentenced-prison-willful-retention-classified-national-defense. (Accessed 19. 12. 2021).

[24] SH20TAATSB18. “Case Updates“. SwitHak. Retrieved from: https://swithak.github.io/SH20TAATSB18/about/. (Accessed 19. 12. 2021).

[25] Mass Effect Wiki. “Shadow Broker“. Retrieved from: https://masseffect.fandom.com/wiki/Shadow_Broker. (Accessed 19. 12. 2021).

[26] Goldsmith, Jack. (2018). “The ‚deep state‘ is real. But are its leaks against Trump justified?“ The Guardian. Retrieved from: https://www.theguardian.com/commentisfree/2018/apr/22/leaks-trump-deep-state-fbi-cia-michael-flynn. (Accessed 20. 12. 2021).

[27] Valentová, Anna. (2021). “ The Prototypical Leaker“. Security Outlines. Retrieved from: https://www.securityoutlines.cz/the-prototypical-leaker/. (Accessed 19. 12. 2021).