Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

TheShadowBrokers Babytalk Translation

TheShadowBrokers have just released a blog post (written in a child-like style to mock the lack of understanding of what they're doing) explaining their position and some of the recent events following the release of 'goodies' from TheEquationGroup. There are obviously direct references to the EternalBlue exploit that has fuelled WannaCry. I've created a TL;DR version for those who're struggling with reading it and don't have time to translate. I've included some conclusions and opinions of my own.

ThePeoples Are Not the Enemy

TheShadowBrokers insist throughout the post that they are adversarial only with TheEquationGroup and that members of TheEquationGroup are implanted within large tech firms across the globe (including Google Project Zero). Perhaps this is related to some of the negative feedback they have received within the hacking and information security community, they seem to be defending their actions and trying to link their activities to being 'for the people'.

Unsuccessful Auction to FiveEyes, UN and Tech Giants

TheShadowBrokers seem to be addressing claims that their attempted 'auction' of TheEquationGroup's arsenal was not the same as a ransom and that they have the public interest in mind (as well as making money). This seems linked to various assertions within the community and also potentially to the Laywers at Microsoft that they're holding these organisations to ransom.

The group seem to be annoyed that an array of big tech firms and Governments were not interested in buying the tools and exploits. It is interesting that the group are still looking to monetise their haul and will not be releasing everything, despite their claims that they're working in the people's interest. There seems to be a conflict in ethics between these two points, as if that was their primary concern, they could just disclose all materials to the relevant vendors, give them 90 days to patch and release the exploits after.

The ShadowBrokers explain how they waited (30 days) for Microsoft to patch the SMB vulnerabilities, despite what Microsoft lawyers are claiming. I tend to agree that it seems like they have tried to give some time before releasing their tools. However, it could be said that the only reason they did release the tools is to prove they had them therefore giving potential buyers more assurance that this was a genuine sale.

TheShadowBrokers Have 75% of The U.S Cyber Arsenal?

They claim to have "75% of U.S. cyber arsenal". I believe that TheShadowBrokers likely do have a substantial amount of data and tooling from TheEquationGroup, whether that represents 75% of the US cyber arsenal is debatable. However, I think the action to try and auction the tools and exploits back are naïve, as there's really no upside for the buyer and the risk of the items being disclosed anyway given the stated motives of the group, is high. Additionally, the US will likely view this as a terrorist attack on the US government and we all know from Hollywood films what governments don't do with Terrorists, negotiate (large corporates will obviously want to keep out of this too!). It's debatable whether this is a smart action in order to mock the impacted parties or was a ploy to make money that was misguided – we'll likely never know the true motives.

TheEquationGroup Conspiracy Theories?

The group also claim that TheEquationGroup has spies inside Microsoft and other large tech companies, despite the agencies working directly with these organisations also. While I won't make assertions over the truth of these claims, I certainly won't state that this is an outrageous claim or impossible. The group also suggest that TheEquationGroup (via government) is paying large corporates not to patch specific vulnerabilities they wish to exploit. Again, this is not outside the realms of possibility, but I wouldn't like to say either way whether I believe this is the case or not.

North Korea

TheShadowBrokers highlight the strange behaviour of the malware having a kill-switch and seem to attribute the attack to North Korea – something that Kaspersky and Google were already following up on and have discussed publicly. This is something that the BBC have already latched on to (http://www.bbc.co.uk/news/technology-39931635).

Tooling Dumps as a Service

The ShadowBrokers announced their "TheShadowBrokers Data Dump of the Month" service, which will be live from June. They describe this working as "Each month peoples can be paying membership fee, then getting members only data dump each month". They also issued a disclaimer that they're not responsible for how these items are used. At the end of the post, they suggest they will 'go dark' if they continue to be bullied about their activities. I'm assuming this is a reference to some condemnation within the community, rather than (what must be expected) Microsoft / the US government's threats of legal action.

The post can be found here: https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition