
Threat Group Cards: A Threat Actor Encyclopedia

Other threat group: Shadow Brokers

Names: Shadow Brokers (self given)
Country: USA
Motivation: Financial gain
First seen: 2016
Description: Breached a server holding zero-day exploits accumulated by the Equation Group, leaked a large portion of them on the internet and later tried to sell the rest. Most of the published vulnerabilities have since been patched by the respective vendors, but many have been used by other threat actors. Most notable among the dumps were zero-days such as ETERNALBLUE, which were used to build the infamous ransomware outbreaks WannaCry and NotPetya.

Shadow Brokers turned out to be an ex-NSA contractor.
Observed: (none listed)
Tools used: (none listed)
Operations performed:
Aug 2016: Initial public dump
<https://musalbas.com/blog/2016/08/16/equation-group-firewall-operations-catalogue.html>
Oct 2016: ‘Shadow Brokers’ Whine That Nobody Is Buying Their Hacked NSA Files
<https://www.vice.com/en_us/article/53djj3/shadow-brokers-whine-that-nobody-is-buying-their-hacked-nsa-files>
Oct 2016: Second Shadow Brokers dump released
<https://www.scmagazineuk.com/second-shadow-brokers-dump-released/article/1476023>
Mar 2017: The ShadowBrokers published a chunk of stolen data that included two frameworks: DanderSpritz and FuzzBunch.
<https://securelist.com/darkpulsar/88199/>
Apr 2017: Shadow Brokers leaks show U.S. spies successfully hacked Russian, Iranian targets
<https://www.cyberscoop.com/nsa-shadow-brokers-leaks-iran-russia-optimusprime-stoicsurgeon/>
Apr 2017: New NSA leak may expose its bank spying, Windows exploits
<https://www.csoonline.com/article/3190055/new-nsa-leak-may-expose-its-bank-spying-windows-exploits.html>
Apr 2017: ShadowBrokers Dump More Equation Group Hacks, Auction File Password
<https://threatpost.com/shadowbrokers-dump-more-equation-group-hacks-auction-file-password/124882/>
Sep 2017: ShadowBrokers are back demanding nearly $4m and offering 2 dumps per month
<http://securityaffairs.co/wordpress/62770/hacking/shadowbrokers-return.html>
Sep 2017: ShadowBrokers Release UNITEDRAKE Malware
<https://www.hackread.com/nsa-data-dump-shadowbrokers-expose-unitedrake-malware/>
Counter operations:
Nov 2017: Who Was the NSA Contractor Arrested for Leaking the ‘Shadow Brokers’ Hacking Tools?
<https://blacklakesecurity.com/who-was-the-nsa-contractor-arrested-for-leaking-the-shadow-brokers-hacking-tools/>
Information:
<https://www.dropbox.com/s/buxkfotx1kei0ce/Whitepaper%20Shadow%20Broker%20-%20Equation%20Group%20Hack.pdf?dl=0>

Last change to this card: 21 May 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
