Mutt
Professional
STOLEN VIRUS FROM NSA.
What if the most powerful cyber weapon on the planet was created not by hackers, but by... the US government?
In 2016, a mysterious group called the Shadow Brokers pulled off the biggest hack in history - they stole secret NSA tools and then leaked them online. One of these exploits, EternalBlue, became the basis for the WannaCry and NotPetya attacks, which caused billions of dollars in damage worldwide.
Who are the Shadow Brokers? How did they hack the most secure US organization? And why are we still feeling the effects of their leak?
In this topic, you will learn:
- How cyber wars work and who wins them
- Why even the NSA couldn't protect its secrets
- What happened after the virus hit the internet
- And who is really responsible for the cyber chaos?
Content:
- Introduction: A Strange GitHub Post
- Who is the Equation Group?
- Shadow Brokers Come Out of the Shadows
- NSA Response and the Capture of Harold Martin
- The Second Shadow Brokers Message: The Manifesto and the US
- EternalBlue: The Hack That Went Viral
- WannaCry and NotPetya: The Consequences of the Leak
- The Disappearance of the Shadow Brokers
Introduction: A Strange Post on GitHub.
August 13, 2016. Maryland. Night. An ordinary suburb in America. The lights of TVs flicker in the windows, the news discusses the election. Hillary Clinton versus Donald Trump. People scroll through the headlines on their phones, argue about politics, think about the future of the country. But somewhere in another dimension, in the digital underground, something much more dangerous is already unfolding. Around midnight, a strange message from an unknown user appears on the GitHub website.
It looks like a joke, broken English, loud statements, some files, someone clearly wants to attract attention to themselves. Most scroll through it as another Internet prank, but panic begins in the world of cybersecurity. What is this? This can't be true! Wait, are these tools real? What appeared before the eyes of specialists was not just another virus or a Trojan. It was a digital arsenal stolen from the world's most powerful cyber agency, the NSA.
And not just from the NSA, but from their most secret unit, the Equation Group. The Equation Group is the elite of the elite, with a level of secrecy higher than the CIA. Their existence had long been considered a rumor among experts. They were the ones behind the virus that disabled the centrifuges of the Iranian nuclear program in 2010. And now, suddenly, someone had leaked their tools online.
Among the files were real cyber bombs: backdoors, Trojans, exploits for Cisco and Fortinet routers. Some were so powerful that they could be used to gain control of a computer without leaving a trace. To an ordinary person, it looked like a strange, incomprehensible leak. To professionals, it was an earthquake, an explosion that echoed throughout cyberspace. This was the beginning of a story in which secrets, spies, betrayals and digital wars intertwined into a single ball.
Who is the Equation Group?
In the world of cybersecurity, names like Fancy Bear, Lazarus Group have become almost household words. Behind each of them lies a state interest - Russia, North Korea, Iran. But there is one group that stands apart. A group that has long been only rumors. Operations that are so complex that it seemed that no known hacker group in the world could carry them out. The name of this organization is Equation Group.
When, in 2015, the Russian company Kaspersky Lab began to investigate one particularly cunning piece of malware, they noticed oddities. The code was overly sophisticated, resilient, with an incredible level of stealth. Moreover, parts of this code had been noticed in other attacks, in different parts of the world and in different languages. To somehow identify this shadow, specialists from Kaspersky Lab gave the group the code name Equation Group.
Why the name? Because their malware and exploits contained complex mathematical equations. Cryptographic tricks and algorithms that required resources unavailable to ordinary hackers. Equation Group is a state project. Funded, organized, equipped in a way that no private player can afford. They can develop malicious tools for years. They create their own file systems to hide malicious code on hard drives.
They do not just infect a computer. They embed themselves in the very architecture of the system. The most famous example is the Stuxnet virus. This malware was first discovered in 2010. It was targeted exclusively at Iranian nuclear centrifuges. Stuxnet infiltrated systems undetected, found the right models of control devices, changed the rotation speed of the centrifuge and eventually physically disabled them, while remaining invisible to the operators.
Experts around the world came to the same conclusion - only a state intelligence agency could do this. It later turned out that the Equation Group, the very same shadow unit of the NSA, was behind the attack. Their arsenal is like something out of a science fiction movie; here are just a few examples of the tools created by the Equation Group. COTTONMOUTH, a device disguised as a regular USB flash drive, can intercept everything that goes through the USB port, keystrokes, mouse movements, and even send data via radio.
DROPOUTJEEP, malware that allows you to turn an iPhone into a spy device. Access to the microphone, camera, SMS, contacts - all this is possible without the owner's knowledge. RAGEMASTER is a hardware device connected to the VGA port of the monitor. It intercepts the image from the screen and transmits it via radio, creating a full copy of what is happening on the monitor, at a distance.
Secrecy above all. All of the Equation Group's tools were kept in the highest degree of secrecy. Only a limited circle of NSA specialists had access to them. Internal rules prohibited even discussing these projects outside the office.
Shadow Brokers come out of the shadows.
On August 13, 2016, a post appears on GitHub from an unknown group called the Shadow Brokers. They claim to have hacked Equation Group.
Sounds crazy? Then they offer proof. Along with the claim, they post real hacking tools online, which they claim were taken from internal NSA servers. These files could have allowed them to gain full control of a Cisco network device, even if it was fully updated, and penetrate corporate and government networks without detection. Major companies like Cisco confirmed that these vulnerabilities were real and that they had not known they existed.
The Shadow Brokers didn't just hack, they decided to sell the stolen weapons to the world. How much do you pay your enemies for cyber weapons? We're auctioning off the best files. Do you want the full package? You pay 1 million bitcoins. The price of 1 million bitcoins? It's pointless. It's even funny, but that was the calculation. This isn't just a sale, it's a show of force. The Shadow Brokers were playing their own game, not simply making fun of the NSA. The tone of the messages was peculiar, broken, as if translated through Google Translate, but some experts believe that it was intentional, to confuse the investigators.
A few days later, the world’s largest media, the Guardian and the New York Times, publish articles. The NSA has been hacked, a real weapon of digital war has leaked. Vulnerabilities that no one should have seen are now in the public domain. For cybersecurity specialists, this was a moment of truth. If they had previously guessed at the power of the NSA, now they saw it with their own eyes.
The NSA's reaction and the capture of Harold Martin.
Lines of code, hacks, vulnerabilities - all in front of them. This was more than the Snowden leak. Snowden revealed documents and schematics, the Shadow Brokers revealed source code. Real tools, real keys to the locks, right into the hands of potential enemies of the United States. The hunt was on. The FBI and the NSA were building hypotheses. Russia? At that point, the Kremlin was already accused of interfering in the US elections.
The DNC leak happened a month before. The Shadow Brokers could have been part of this scenario. Does this mean that the Shadow Brokers are them too? Perhaps. But there is a problem. Style. The Shadow Brokers' leaks do not look like the work of Russian intelligence services. This is not a covert operation. This is a show. They are playing with the public. A man inside the NSA? A new Snowden? Someone working for the NSA decided to take revenge? After all, you can't just get access to such data. Hackers? Maybe it's just a group looking to get rich, and they decided to blackmail the government? Officially, no version has been confirmed so far.
The FBI began monitoring the Shadow Brokers' bitcoin wallet; the auction failed, almost no one transferred any bitcoins. The Shadow Brokers went silent. But instead of relief, panic begins inside the NSA, because if the files are real, then somewhere in the system there is a leak on the scale of a national catastrophe. The NSA and FBI offices are in full swing: cryptanalysts, counterintelligence officers, homeland security experts - everyone is trying to answer two key questions.
Who are the Shadow Brokers and how did they get access to the NSA's holy of holies - the Equation Group Arsenal? The NSA began to work on the version about a person inside the system who leaked all the data. After Snowden's revelation, the NSA tightened control over employees. But what if someone decided to go against the system again?
At this point, the FBI gets a tip. Someone inside the agency has posted a suspicious tweet containing coded hints of an internal leak. His account is oddly designed. An avatar, Latin and French phrases, 13-year-old videos about PMCs and snipers. The suspect's name is Harold T. Martin III. Harold Martin is the perfect candidate for a traitor. A former Navy officer, he worked as a contractor for Booz Allen Hamilton, the same company that hired Snowden, and had access to the NSA's most classified materials.
He worked directly with the Equation Group, including TAO, the NSA's elite digital attack unit. He is quiet, withdrawn, and colleagues have described him as strange but smart. He knew where the keys to the digital doors were. Harold was arrested. When the agents entered the house, they were shocked. Folders, hard drives, printed documents, even classified data sitting in plain sight in a car.
A total of 50 terabytes of information. That's the equivalent of tens of millions of documents. Many of them marked top secret. He took material not just from the NSA, but from the CIA, U.S. Cyber Command, the Department of Defense, the National Reconnaissance Office. And he did it for two decades. But there's a problem. The FBI was counting on Martin being the Shadow Brokers. They had a suspect, he had access, he had 50 terabytes of stolen data, it all added up, but none of the files the Shadow Brokers released were found among Martin's files.
The Shadow Brokers' second message: the manifesto and the United States.
He didn't move them outside the NSA's secure networks, and he didn't release any of them himself. Martin was guilty of theft, but he was not the Shadow Brokers. Time passes, no answers; meanwhile the Shadow Brokers return with a new manifesto, with political statements, with a new leak and a direct challenge to the White House.
September 2016. The second message from the Shadow Brokers. They publish data again, but this time everything is different. Yes, they publish cyber tools again, yes, they attach evidence again, but the main thing is that now they talk a lot, loudly and very defiantly. The target is the American government. In October 2016, the Shadow Brokers publish a new message full of mockery of the United States.
Their target is Vice President Joe Biden, whom they call "Dirty Grandpa" for his threats to Russia. Why is Dirty Grandpa threatening cyber war with Russia through the CIA? Why not through the NSA or Cyber Command? The CIA is Cyber Team "B"? Really? Where is Cyber Team "A"? In this message they reinforce their anti-American rhetoric, phrases like "the enemy of my enemy is my friend", "where is the free press?" hint at their position against the American establishment.
They question the blame placed on Russia for cyberattacks, suggesting that the US is exaggerating external threats to cover up its own failures. Their rhetoric echoes anti-Western narratives, but the motives remain unclear, whether these are independent hackers or someone acting on behalf of US adversaries. What's in the new leak? The Shadow Brokers publish a list of IP addresses, domains and servers through which they say the NSA has carried out cyberattacks around the world.
It’s a digital map of US covert activity, and cyber experts around the world are checking the data and finding confirmation. Many of the addresses actually showed up in attack logs in Asia, the Middle East and Europe. This isn’t just a scandal, it means that any country can now look at its logs and say “the US was spying on us”. The fact that Shadow Brokers have access to such data destroys the illusion of NSA immunity.
Now everyone in the world knows that even the most secret servers of the most secret US cyber unit can be hacked. And this knowledge is much more dangerous than the exploits themselves. The US reaction is deathly silence. The White House does not comment on the messages, the media almost does not discuss this part of the leaks, but the Shadow Brokers notice this and draw their own conclusion: where is the freedom of the press? ABC, NBC, CBS, FOX are negligent in informing Americans.
They accuse the media of censorship and dependence on the state. They say that if the media are silent about us, it means they are afraid. There is disappointment and confusion inside the NSA and FBI. Harold Martin is in jail, but the leaks continue. There is no evidence, no traces. All the actions of the Shadow Brokers are anonymous, skillfully disguised, without digital traces. The FBI and NSA are starting to suspect. Maybe there is someone else in our ranks?
Or was it an external attack that we do not know about? The Shadow Brokers are silent, but this is the calm before the storm. April 2017. The final message from the Shadow Brokers. A post titled "Don't Forget Your Base" appears on Medium. The message begins not as a hacker release, but as an angry letter from a fan who was betrayed. An appeal personally to Donald Trump. The Shadow Brokers voted for you. The Shadow Brokers are losing faith in you, Mr. Trump.
Whose war are you fighting? Israeli nationalists? Goldman Sachs? They accuse Trump of betraying his electorate. And at the very end of the message, as if in passing, they post the password to the encrypted archive that they posted six months ago. This is the key to hell.
EternalBlue: the hack that became a virus.
What's inside the archive? 67 executable files for Windows. Zero-day exploits unknown even to Microsoft. IP addresses, domains, encrypted Trojans, remote control tools, malicious drivers, tools invisible to antivirus software.
But the main one among them is the EternalBlue exploit. What is EternalBlue? It is a cyber weapon created by the NSA to penetrate any Windows-based computer. The exploit uses a vulnerability in the SMBv1 protocol, an outdated component for exchanging files between devices on a local network. The vulnerability is classified as CVE-2017-0144. It allows remote code execution on any vulnerable computer, that is, complete system takeover, without a password, without clicks, without confirmations.
EternalBlue is a digital surface-to-server missile. Until now, only the NSA had such a weapon. Now the whole world does. Why is it so dangerous? SMBv1 was enabled by default on hundreds of millions of devices. The vulnerability was present even in Windows XP and Server 2003.
Many organizations simply did not have time to install patches or did not even know about the threat. EternalBlue gave hackers the ability to infect entire networks in a second, jumping from one computer to another like a digital plague.
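The "jumping from one computer to another" behaviour above has a simple network signature a defender can hunt for: one host opening TCP/445 connections to many distinct peers within seconds. The following detector is an added example, not code from the original post; the log format and all IP addresses are constructed for the example, and the 60-second window and 10-peer threshold are assumed starting values, not vendor recommendations.

```python
"""Heuristic detector for SMB worm-style propagation (the EternalBlue /
WannaCry pattern): one source host fanning out to many distinct peers on
TCP/445 inside a short sliding window.

Added example; log format is constructed: "<ISO timestamp> <src> <dst> <dport>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_smb_fanout(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {src_ip: peak number of distinct TCP/445 peers inside `window`}
    for every source whose peak reaches `threshold`.

    A workstation talking to its file server touches one or two peers; a worm
    scanning a /24 touches dozens in seconds, which is what this flags.
    """
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port = parse_line(line)
        if port == 445:
            events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()                  # sliding window needs time order
        active = deque()            # events currently inside the window
        peers = defaultdict(int)    # dst -> how many active events hit it
        peak = 0
        for ts, dst in evs:
            active.append((ts, dst))
            peers[dst] += 1
            # expire events older than the window relative to the newest one
            while active and ts - active[0][0] > window:
                old_ts, old_dst = active.popleft()
                peers[old_dst] -= 1
                if peers[old_dst] == 0:
                    del peers[old_dst]
            peak = max(peak, len(peers))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def build_sample_log():
    """Constructed sample traffic (not real telemetry) with three behaviours:
    a benign client, a worm-like scanner, and a slow scanner that stays under
    the per-window threshold."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = ["# constructed sample, not a real capture"]
    # benign workstation: repeated connections to a single file server
    for i in range(5):
        t = (base + timedelta(seconds=30 * i)).isoformat()
        lines.append(f"{t} 10.0.0.7 10.0.0.10 445")
    # worm-like host: 20 distinct peers on 445 within 20 seconds
    for i in range(20):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t} 10.0.0.5 10.0.1.{i + 1} 445")
    # slow scanner: 12 peers, but only one per minute
    for i in range(12):
        t = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{t} 10.0.0.8 10.0.2.{i + 1} 445")
    # unrelated HTTPS traffic from the worm host, must be ignored
    lines.append(f"{base.isoformat()} 10.0.0.5 203.0.113.10 443")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, peak in detect_smb_fanout(build_sample_log()).items():
        print(f"ALERT {src}: {peak} distinct TCP/445 peers within 60s")
```

The slow scanner shows the trade-off: lengthening the window catches patient propagation but raises false positives from backup and inventory jobs that legitimately touch many hosts on 445.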
WannaCry and NotPetya: the consequences of the leak.
May 2017: WannaCry arrives. A month after the EternalBlue leak, the first large-scale attack of a new type begins. A global ransomware attack paralyzes hospitals, banks and enterprises. The WannaCry malware uses EternalBlue to penetrate systems, then encrypts all files and demands a ransom in bitcoins.
The scale of the attack - more than 300 thousand computers in 150 countries are infected. Hospitals in the UK and factories in Asia are affected. The damage is more than 4 billion dollars. In some hospitals, operations were canceled, doctors wrote diagnoses by hand. Emergency services were temporarily unavailable. The United States officially blamed North Korea for the attack.
Lazarus, associated with the DPRK, used EternalBlue to launch the virus. The weapon developed by the US ended up in the hands of its enemies and was used against the entire world. But that's not all. Then NotPetya came. A month and a half later, another wave. But now the target is Ukraine. The NotPetya virus spreads by the same methods, through EternalBlue. But now the goal is not ransom, but data destruction.
National banks, the Kiev metro, power grids and international companies such as Rosneft and FedEx suffered. The damage is more than 10 billion dollars. Some companies took months to recover, while others lost everything forever. The EternalBlue attacks were among the most destructive in human history. Not because of hacks, not because of a virus, but because weapons from the hands of the state ended up freely available.
The disappearance of the Shadow Brokers.
And here is the main question: who is responsible? The Shadow Brokers for what they published, or the NSA for creating this weapon and not protecting it? After the latest manifesto and the EternalBlue leak, the Shadow Brokers group disappears as suddenly as it appeared. No new posts, no statements, no trace. On the Darknet, on forums, in specialized chats - silence. In two years of investigation, the US government has not established the identity of a single member of the Shadow Brokers.
Russia - no evidence. China, Iran, North Korea - only guesses. Harold Martin is in prison, but he was not involved in the Shadow Brokers leak. He pleaded guilty to illegal retention of classified materials and was sentenced to 9 years in prison, 3 years of supervised release and a fine of 250 thousand dollars. But the sentence did not mention the Shadow Brokers, because no evidence was ever found. In this story, the name of the hackers is not important; the precedent is important.
The Shadow Brokers did not reveal secrets, but rather system vulnerabilities. They showed that weapons hidden in safes sooner or later end up in the wrong hands. Sometimes accounts that try to pass themselves off as the Shadow Brokers still pop up on the Darknet, but they are not them. The real ones are silent. They are most likely gone forever, but their legacy lives on in every attack, in every new virus.
What if the most powerful cyber weapon on the planet was created not by hackers, but by... the US government?
In 2016, a mysterious group called the Shadow Brokers pulled off the biggest hack in history - they stole secret NSA tools and then leaked them online. One of these exploits, EternalBlue, became the basis for the WannaCry and NotPetya attacks, which caused billions of dollars in damage worldwide.
Who are the Shadow Brokers? How did they hack the most secure US organization? And why are we still feeling the effects of their leak?
In this topic, you will learn:
- How cyber wars work and who wins them
- Why Even the NSA Couldn't Protect Its Secrets
- What happened after the virus hit the internet
- And who is really responsible for the cyber chaos?
Content:
- Introduction: A Strange GitHub Post
- Who is Equation Group?
- Shadow Brokers Come Out of the Shadows
- NSA Response and the Capture of Harold Martin
- The Second Shadow Brokers Message: The Manifesto and the US
- EternalBlue: The Hack That Went Viral
- WannaCry and NotPetya: The consequences of the leak
- The Disappearance of the Shadow Brokers
Introduction: A Strange Post on GitHub.
August 13, 2016. Maryland. Night. An ordinary suburb in America. The lights of TVs flicker in the windows, the news discusses the election. Hillary Clinton versus Donald Trump. People scroll through the headlines on their phones, argue about politics, think about the future of the country. But somewhere in another dimension, in the digital underground, something much more dangerous is already unfolding. Around midnight, a strange message from an unknown user appears on the GitHub website.
It looks like a joke, broken English, loud statements, some files, someone clearly wants to attract attention to themselves. Most scroll through it as another Internet prank, but panic begins in the world of cybersecurity. What is this? This can't be true! Wait, are these tools real? What appeared before the eyes of specialists was not just another virus or a Trojan. It was a digital arsenal stolen from the world's most powerful cyber agency, the NSA.
And not just from the NSA, but from their most secret unit, the Equation Group. The Equation Group is the elite of the elite, with a level of secrecy higher than the CIA. Their existence had long been considered a rumor among experts. They were the ones behind the virus that disabled the centrifuges of the Iranian nuclear program in 2010. And now, suddenly, someone had leaked their tools online.
Real cyber bombs. Vulnerabilities among the files. Backdoors, Trojans, exploits for Cisco and Fortinet routers. Some so powerful that they could be used to gain control of a computer without leaving a trace. To an ordinary person, it looked like a strange, incomprehensible leak. To professionals, it was an earthquake, an explosion that echoed throughout cyberspace. This was the beginning of a story in which secrets, spies, betrayals and digital wars intertwined into a single ball.
Who are Equation Group.
In the world of cybersecurity, names like Fancy Bear, Lazarus Group have become almost household words. Behind each of them lies a state interest - Russia, North Korea, Iran. But there is one group that stands apart. A group that has long been only rumors. Operations that are so complex that it seemed that no known hacker group in the world could carry them out. The name of this organization is Equation Group.
When in 2015, the Russian company Kaspersky Lab began to investigate one particularly cunning malware, they noticed oddities. The code was overly sophisticated, resilient, with an incredible level of stealth. Moreover, parts of this code had been noticed in other attacks, in different parts of the world and in different languages. To somehow identify this shadow, specialists from Kaspersky Lab gave the group the code name Equation Group.
Why the name? Because their malware and exploits contained complex mathematical equations. Cryptographic tricks and algorithms that required resources unavailable to ordinary hackers. Equation Group is a state project. Funded, organized, equipped in a way that no private player can afford. They can develop malicious tools for years. They create their own file systems to hide malicious code on hard drives.
They do not just infect a computer. They embed themselves in the very architecture of the system. The most famous example is the Stuxnet virus. This malware was first discovered in 2010. It was targeted exclusively at Iranian nuclear centrifuges. Stuxnet infiltrated systems undetected, found the right models of control devices, changed the rotation speed of the centrifuge and eventually physically disabled them, while remaining invisible to the operators.
Experts around the world have come to the same conclusion - only a state intelligence agency could do this. It later turned out that the Equation Group, the very same shadow of ANB, was behind the attack. Their arsenal is like something out of a science fiction movie, here are just a few examples of the tools created by the Equation Group. Cotton Mouse, a device disguised as a regular USB flash drive, can intercept everything that goes through the USB port, keystrokes, mouse movements, and even send data via radio.
Dropout Jib, malware that allows you to turn an iPhone into a spy device. Access to the microphone, camera, SMS, contacts - all this is possible without the owner's knowledge. RageMaster is a hardware device connected to the VGA port of the monitor. It intercepts the image from the screen and transmits it via radio, creating a full copy of what is happening on the monitor, at a distance.
Secrecy above all. All of the Equation Group's tools were kept in the highest degree of secrecy. Only a limited circle of NSA specialists had access to them. Internal rules prohibited even discussing these projects outside the office.
Shadow Brokers come out of the shadows.
On August 13, 2016, a post appears on GitHub from an unknown group called the Shadow Brokers. They claim to have hacked Equation Group.
Sound crazy? Then they offer proof. Along with the claim, they post real hacking tools online, which they claim were taken from internal NSA servers. These files could have allowed them to gain full control of a Cisco network device, even if they were updated, and penetrate corporate and government networks without detection. Major companies like Cisco confirmed that these vulnerabilities were real and they did not know they existed.
Shadowbrokers didn’t just hack, they decided to sell the stolen weapons to the world. How much do you pay your enemies for cyber weapons? We’re auctioning off the best files. Do you want the full package? You pay 1 million bitcoins. The price of 1 million bitcoins? It’s pointless. It’s even funny, but that was the calculation. This isn’t just a sale, it’s a show of force. Shadowbrokers were playing their game, not making fun of the NSA. The tone of the messages was special, broken, as if translated through Google Translate, but some experts believe that it was intentional, to confuse the investigator.
A few days later, the world’s largest media, the Guardian and the New York Times, publish articles. The NSA has been hacked, a real weapon of digital war has leaked. Vulnerabilities that no one should have seen are now in the public domain. For cybersecurity specialists, this was a moment of truth. If they had previously guessed at the power of the NSA, now they saw it with their own eyes.
The NSA's reaction and the capture of Harold Martin.
Lines of code, hacks, vulnerabilities - all in front of them. This was more than the Snowden leak. Snowden revealed documents and schematics, the Shadow Brokers revealed source code. Real tools, real keys to the locks, right into the hands of potential enemies of the United States. The hunt was on. The FBI and the NSA were building hypotheses. Russia? At that point, the Kremlin was already accused of interfering in the US elections.
The DNS leak happened a month before. The Shadow Brokers could have been part of this scenario. Does this mean that the Shadow Brokers are them too? Perhaps. But there is a problem. Style. The Shadow Brokers' leaks do not look like the work of Russian intelligence services. This is not a covert operation. This is a show. They are playing with the public. A man inside the NSA? A new Snowden? Someone working for the NSA decided to take revenge? After all, you can't just get access to such data. Hackers? Maybe it's just a group looking to get rich, and they decided to blackmail the government? Officially, no version has been confirmed so far.
The FBI began monitoring the Shadow Brokers bitcoin wallet, the auction failed, almost no one transferred the bitcoins. Shadowbrokers went silent. But instead of relief, panic begins inside the NSA, because if the files are real, then somewhere in the system there is a leak of the scale of a national catastrophe. The NSA and FBI offices are in full swing, cryptanalysts, counterintelligence officers, homeland security experts - everyone is trying to answer two key questions.
Who are the Shadow Brokers and how did they get access to the NSA's holy of holies - the Equation Group Arsenal? The NSA began to work on the version about a person inside the system who leaked all the data. After Snowden's revelation, the NSA tightened control over employees. But what if someone decided to go against the system again?
At this point, the FBI gets a tip. Someone inside the agency has posted a suspicious tweet containing coded hints of an internal leak. His account is oddly designed. An avatar, Latin and French phrases, 13-year-old videos about PMCs and snipers. The suspect's name is Harald Timartin III. Harald Timartin is the perfect candidate for a traitor. A former Navy officer, he worked as a contractor for Booth Allen Hamilton, the same company that hired Snowden, and had access to the NSA's most classified materials.
He worked directly with the Equation Group, including TAO, the NSA's elite digital attack unit. He is quiet, withdrawn, and colleagues have described him as strange but smart. He knew where the keys to the digital doors were. Harald was arrested. When the agents entered the house, they were shocked. Folders, hard drives, printed documents, even classified data sitting in plain sight in a car.
A total of 50 terabytes of information. That's the equivalent of tens of millions of documents. Many of them marked top secret. He took material not just from the NSA, but from the CIA, U.S. Cyber Command, the Department of Defense, the National Reconnaissance Office. And he did it for two decades. But there's a problem. The FBI was counting on Martin being the Shadow Brokers. They had suspects, they had access, they had 50 terabytes of stolen data, it all added up, but none of the files the Shadow Brokers released were found among Martin's files.
The Shadow Brokers' second message: the manifesto and the United States.
He didn't run them outside the NSA's secure networks, he didn't even release any of them himself. Martin was guilty of theft, but he was not the Shadow Brokers. Time passes, no answers, meanwhile the Shadow Brokers return with a new manifesto, with political statements, with a new leak and a direct challenge to the White House.
September 2016. The second message from the Shadowbrokers. They publish data again, but this time everything is different. Yes, they publish cyber tools again, yes, they attach evidence again, but the main thing is that now they talk a lot, loudly and very defiantly. The target is the American government. In October 2016, the Shadowbrokers publish a new message full of mockery of the United States.
Their target is Vice President Joe Biden, whom they call "Dirty Grandpa" for his threats to Russia. Why is Dirty Grandpa threatening cyber war with Russia through the CIA? Why not through the NSA or Cyber Command? The CIA is Cyber Team "B"? Really? Where is Cyber Team "A"? In this message they reinforce their anti-American rhetoric, phrases like "the enemy of my enemy is my friend", "where is the free press?" hint at their position against the American establishment.
They question the blame placed on Russia for cyberattacks, suggesting that the US is exaggerating external threats to cover up its own failures. Their rhetoric echoes anti-Western narratives, but the motives remain unclear, whether these are independent hackers or someone acting on behalf of US adversaries. What’s in the new leak? Shadowbrokers publishes a list of IP addresses, domains and servers through which they say the NSA has carried out cyberattacks around the world.
It’s a digital map of US covert activity, and cyber experts around the world are checking the data and finding confirmation. Many of the addresses actually showed up in attack logs in Asia, the Middle East and Europe. This isn’t just a scandal, it means that any country can now look at its logs and say “the US was spying on us”. The fact that Shadow Brokers have access to such data destroys the illusion of NSA immunity.
Now everyone in the world knows that even the most secret servers of the most secret US cyber unit can be hacked. And this knowledge is much more dangerous than the exploits themselves. The US reaction is deathly silence. The White House does not comment on the messages, the media almost does not discuss this part of the leaks, but the shadow broker notices this and makes the following conclusion. Where is the freedom of the press, ABC, NBC, CBS, FOX are negligent in informing Americans.
They accuse the media of censorship and dependence on the state. They say that if the media are silent about us, it means they are afraid. Inside the NSA and FBI there is disappointment and confusion. Harold Martin is in jail, but the leaks continue. There is no evidence, no traces. All the actions of the Shadow Brokers are anonymous, skillfully disguised, without digital traces. The FBI and NSA begin to suspect: maybe there is someone else in our ranks?
Or was it an external attack that we do not know about? The Shadow Brokers are silent, but this is the calm before the storm. April 2017. The final message from the Shadow Brokers. A post titled "Don't Forget Your Base" appears on Medium. The message begins not as a hacker release, but as an angry letter from a fan who was betrayed. An appeal personally to Donald Trump: the Shadow Brokers voted for you. The Shadow Brokers are losing faith in you, Mr. Trump.
Whose war are you fighting? Israeli nationalists? Goldman Sachs? They accuse Trump of betraying his electorate. And at the very end of the message, as if in passing, they post the password to the encrypted archive that they posted six months ago. This is the key to hell.
EternalBlue: the hack that became a virus.
What's inside the archive? 67 executable files for Windows. Zero-day exploits unknown even to Microsoft. IP addresses, domains, encrypted Trojans, remote control tools, malicious drivers, tools invisible to antivirus software.
But the main one among them is the EternalBlue exploit. What is EternalBlue? It is a cyber weapon created by the NSA to penetrate any Windows-based computer. The exploit uses a vulnerability in the SMBv1 protocol, an outdated component for exchanging files between devices on a local network. According to the classification, the vulnerability is CVE-2017-0144. It allows remote code execution on any affected computer, that is, complete system takeover, without a password, without clicks, without confirmations.
EternalBlue is a digital ground-to-server missile. Until now, only the NSA had such a weapon. Now the whole world has it. Why is it so dangerous? SMBv1 was enabled, by default, on hundreds of millions of devices. The vulnerability was present even in Windows XP and Server 2003.
Many organizations simply did not have time to install patches or did not even know about the threat. EternalBlue gave hackers the ability to infect entire networks in seconds, jumping from one computer to another like a digital plague.
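The practical lesson of the paragraphs above is that exposure came down to two things: SMBv1 still enabled and the patch for CVE-2017-0144 not applied. The following audit script is an added example, not code from the original post or from any of the parties it describes; it reports whether SMBv1 is still enabled on a Windows host and offers a function to turn it off. It assumes an elevated PowerShell session on Windows 8.1/Server 2012 R2 or later (where Get-SmbServerConfiguration exists) and does not check the patch level itself.

```powershell
# Added example: audit SMBv1 exposure on the local Windows host.
# Requires an elevated session; cmdlets used are standard on Windows 8.1 / Server 2012 R2 and later.
function Get-Smb1Exposure {
    [CmdletBinding()]
    param()

    # Server side: does the file server still accept the SMBv1 dialect?
    $serverSmb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Optional-feature view; on client SKUs the feature is named SMB1Protocol.
    # On Server SKUs it may be absent here and must be checked with Get-WindowsFeature FS-SMB1 instead.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $featureState = if ($feature) { [string]$feature.State } else { 'NotPresent' }

    # Registry override documented by Microsoft for LanmanServer: 0 = disabled, 1 = enabled, absent = build default.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue
    $regSmb1 = if ($null -ne $reg) { $reg.SMB1 } else { 'default' }

    # Is anything listening on TCP 445 at all? If not, the host is unreachable over SMB regardless of dialect.
    $listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        ServerSmb1       = $serverSmb1
        Smb1Feature      = $featureState
        RegistrySmb1     = $regSmb1
        Port445Listening = $listening
        Exposed          = ($serverSmb1 -eq $true) -and $listening
    }
}

function Disable-Smb1 {
    # Turns the SMBv1 dialect off on the server side immediately, then removes the optional
    # component (the removal takes effect after a reboot; -NoRestart suppresses the prompt).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

$report = Get-Smb1Exposure
$report | Format-List
if ($report.Exposed) {
    Write-Warning 'SMBv1 is enabled and port 445 is listening; confirm no legacy device depends on SMBv1, then run Disable-Smb1.'
}
```

Disabling SMBv1 removes the dialect the exploit needs, but it is not a substitute for the MS17-010 update: a patched host with SMBv1 enabled is not vulnerable to CVE-2017-0144, while an unpatched host with SMBv1 disabled still carries the flawed code until it is updated.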
WannaCry and NotPetya: the consequences of the leak.
May 2017: WannaCry arrives. A month after the EternalBlue leak, the first large-scale attack of a new type begins. A global cyberattack paralyzes hospitals, banks and enterprises. The WannaCry malware uses EternalBlue to penetrate systems, then encrypts all files and demands a ransom in bitcoins.
The scale of the attack - more than 300 thousand computers in 150 countries are infected. Hospitals in the UK and factories in Asia are affected. The damage is more than 4 billion dollars. In some hospitals, operations were canceled, doctors wrote diagnoses by hand. Emergency services were temporarily unavailable. The United States officially blamed North Korea for the attack.
Lazarus, associated with the DPRK, used EternalBlue to launch the virus. The weapon developed by the US ended up in the hands of its enemies and was used against the entire world. But that's not all. Then NotPetya came. A month and a half later, another wave. But now the target is Ukraine. The NotPetya virus spreads by the same methods, through EternalBlue. But now the goal is not ransom, but data destruction.
National banks, the Kiev metro, power grids, international companies, Rosneft, FedEx suffered. The damage is more than 10 billion dollars. Some companies took months to recover, while others lost everything forever. The EternalBlue attacks were among the most destructive in human history. Not because of the hacks, not because of a virus, but because weapons from the hands of the state ended up in free access.
The disappearance of the Shadow Brokers.
And here is the main question: who is responsible? The Shadow Brokers for what they published, or the NSA for creating this weapon and not protecting it? After the latest manifesto and the EternalBlue leak, the Shadow Brokers group disappears as suddenly as it appeared. No new posts, no statements, no trace. On the Darknet, on forums, in specialized chats - silence. In two years of investigation, the US government has not established the identity of a single member of the Shadow Brokers.
Russia - no evidence. China, Iran, North Korea - only guesses. Harold T. Martin is in prison, but he was not involved in the Shadow Brokers leak. He pleaded guilty to illegal storage of classified materials and was sentenced to 9 years in prison, 3 years of supervision and a fine of 250 thousand dollars. But the sentence did not mention the Shadow Brokers, because no evidence was ever found. In this story, the name of the hackers is not important; the precedent is important.
The Shadow Brokers did not reveal secrets, but rather system vulnerabilities. They showed that weapons hidden in safes sooner or later end up in the wrong hands. Sometimes accounts that try to pass themselves off as the Shadow Brokers still pop up on the Darknet, but they are not them. The real ones are silent. They are most likely gone forever, but their legacy lives on in every attack, in every new virus.