
TheShadowBrokers Babytalk Translation

TheShadowBrokers have just released a blog post (written in a child-like style to mock the lack of understanding of what they're doing) explaining their position and some of the recent events following the release of 'goodies' from TheEquationGroup. There are obvious direct references to the EternalBlue exploit that has fuelled WannaCry. I've created a TL;DR version for those who are struggling with reading it and don't have time to translate. I've included some conclusions and opinions of my own.

ThePeoples Are Not the Enemy

TheShadowBrokers insist throughout the post that they are adversarial only with TheEquationGroup and that members of TheEquationGroup are implanted within large tech firms across the globe (including Google Project Zero). Perhaps this is related to some of the negative feedback they have received within the hacking and information security community: they seem to be defending their actions and trying to present their activities as being 'for the people'.

Unsuccessful Auction to FiveEyes, UN and Tech Giants

TheShadowBrokers seem to be addressing claims that their attempted 'auction' of TheEquationGroup's arsenal was a ransom, insisting that it was not the same thing and that they have the public interest in mind (as well as making money). This seems linked to various assertions within the community and also potentially to the lawyers at Microsoft, who are claiming that the group is holding these organisations to ransom.

The group seem to be annoyed that an array of big tech firms and Governments were not interested in buying the tools and exploits. It is interesting that the group are still looking to monetise their haul and will not be releasing everything, despite their claims that they're working in the people's interest. There seems to be a conflict in ethics between these two points, as if that was their primary concern, they could just disclose all materials to the relevant vendors, give them 90 days to patch and release the exploits after.

The ShadowBrokers explain how they waited (30 days) for Microsoft to patch the SMB vulnerabilities, despite what Microsoft lawyers are claiming. I tend to agree that it seems like they have tried to give some time before releasing their tools. However, it could be said that the only reason they did release the tools is to prove they had them therefore giving potential buyers more assurance that this was a genuine sale.

TheShadowBrokers Have 75% of The U.S Cyber Arsenal?

They claim to have "75% of U.S. cyber arsenal". I believe that TheShadowBrokers likely do have a substantial amount of data and tooling from TheEquationGroup; whether that represents 75% of the US cyber arsenal is debatable. However, I think the attempt to auction the tools and exploits back is naïve, as there's really no upside for the buyer, and the risk of the items being disclosed anyway, given the stated motives of the group, is high. Additionally, the US will likely view this as a terrorist attack on the US government, and we all know from Hollywood films what governments don't do with terrorists: negotiate (large corporates will obviously want to keep out of this too!). It's debatable whether this was a smart action intended to mock the impacted parties or a misguided ploy to make money; we'll likely never know the true motives.

TheEquationGroup Conspiracy Theories?

The group also claim that TheEquationGroup has spies inside Microsoft and other large tech companies, despite the agencies also working directly with these organisations. While I won't make assertions over the truth of these claims, I certainly won't state that this is an outrageous claim or impossible. The group also suggest that TheEquationGroup (via government) is paying large corporates not to patch specific vulnerabilities they wish to exploit. Again, this is not outside the realms of possibility, but I wouldn't like to say either way whether I believe this is the case or not.

North Korea

TheShadowBrokers highlight the strange behaviour of the malware having a kill-switch and seem to attribute the attack to North Korea, something that Kaspersky and Google were already following up on and have discussed publicly. This is something that the BBC have already latched on to (

Tooling Dumps as a Service

TheShadowBrokers announced their "TheShadowBrokers Data Dump of the Month" service, which will be live from June. They describe this as working like so: "Each month peoples can be paying membership fee, then getting members only data dump each month". They also issued a disclaimer that they're not responsible for how these items are used. At the end of the post, they suggest they will 'go dark' if they continue to be bullied about their activities. I'm assuming this is a reference to some condemnation within the community, rather than (what must be expected) Microsoft's or the US government's threats of legal action.

The post can be found here:
