SpiderLabs Blog

TheShadowBrokers Babytalk Translation

TheShadowBrokers have just released a blog post (written in a child-like style, apparently to mock those who, in their view, fail to understand what they are doing) explaining their position and some of the recent events following the release of 'goodies' taken from TheEquationGroup. There are obvious direct references to the EternalBlue exploit that has fuelled WannaCry. I've put together a TL;DR version for those who are struggling to read the original and don't have time to translate it, and I've included some conclusions and opinions of my own.

ThePeoples Are Not the Enemy

TheShadowBrokers insist throughout the post that their only adversary is TheEquationGroup, and that members of TheEquationGroup are embedded within large tech firms across the globe (including Google Project Zero). Perhaps this is a response to some of the negative feedback they have received from the hacking and information security community: they appear to be defending their actions and trying to frame their activities as being 'for the people'.

Unsuccessful Auction to FiveEyes, UN and Tech Giants

TheShadowBrokers seem to be responding to claims that their attempted 'auction' of TheEquationGroup's arsenal amounted to a ransom demand, insisting that it was nothing of the sort and that they have the public interest in mind (as well as making money). This appears to be aimed at various assertions within the community, and potentially at Microsoft's lawyers, that the group is holding these organisations to ransom.

The group seem to be annoyed that an array of big tech firms and governments were not interested in buying the tools and exploits. It is interesting that the group are still looking to monetise their haul and will not be releasing everything, despite their claim to be working in the people's interest. There is a clear conflict between these two positions: if the public interest were really their primary concern, they could simply disclose all of the material to the relevant vendors, give them 90 days to patch, and release the exploits afterwards.

TheShadowBrokers explain that they waited (30 days) for Microsoft to patch the SMB vulnerabilities, despite what Microsoft's lawyers are claiming. I tend to agree that they appear to have allowed some time before releasing their tools. However, it could equally be said that the only reason they released the tools at all was to prove they had them, giving potential buyers more assurance that the sale was genuine.

TheShadowBrokers Have 75% of the U.S. Cyber Arsenal?

They claim to have "75% of U.S. cyber arsenal". I believe that TheShadowBrokers most likely do hold a substantial amount of data and tooling from TheEquationGroup; whether that represents 75% of the US cyber arsenal is debatable. However, I think the attempt to auction the tools and exploits back is naïve, as there is really no upside for a buyer, and given the group's stated motives the risk that the items are disclosed anyway is high. Additionally, the US government will most likely treat this as an attack on the state, and we all know from Hollywood films what governments don't do with terrorists: negotiate (large corporates will obviously want to keep well out of this too!). It is debatable whether this was a calculated move to mock the affected parties or a misguided ploy to make money; we will probably never know the true motives.

TheEquationGroup Conspiracy Theories?

The group also claim that TheEquationGroup has spies inside Microsoft and other large tech companies, even though the agencies already work directly with these organisations. While I won't make any assertion about the truth of these claims, I also won't say that they are outrageous or impossible. The group further suggest that TheEquationGroup (via government) is paying large corporates not to patch specific vulnerabilities it wishes to exploit. Again, this is not outside the realms of possibility, but I wouldn't like to say either way whether I believe it to be the case.

North Korea

TheShadowBrokers highlight the strange behaviour of the malware having a kill-switch and seem to attribute the attack to North Korea – something that Kaspersky and Google were already following up on and have discussed publicly. This is something that the BBC have already latched on to (

Tooling Dumps as a Service

TheShadowBrokers announced their "TheShadowBrokers Data Dump of the Month" service, which will be live from June. They describe it as follows: "Each month peoples can be paying membership fee, then getting members only data dump each month". They also issued a disclaimer that they are not responsible for how these items are used. At the end of the post they suggest they will 'go dark' if they continue to be bullied over their activities. I assume this refers to condemnation from within the community rather than to the (surely expected) threats of legal action from Microsoft and the US government.

The post can be found here:
