In my previous write-up about WannaCry, I mentioned that the exploits it used were dumped by a group called the ShadowBrokers. But who are they? What is their motivation? Let's take a look.
The group (well, we'll assume it is a group for the scope of this post) has been responsible for dumping NSA hacking tools, including the exploits that enabled the spread of the WannaCry cryptoworm and NotPetya. It is unknown whether the group is actually a single individual, perhaps a disgruntled NSA contractor or employee, or a foreign government, such as Russian or North Korean state-sponsored hackers.
Back in May, The Atlantic ran an in-depth article by Bruce Schneier analyzing the possibilities for who the ShadowBrokers are. The material, while released in 2016, dated from 2013. Schneier notes the existence of external NSA "staging servers": servers used by the NSA for its operations but kept separate from NSA networks, with no visible connection back to the agency. This allows NSA operators to stage their tools on servers removed from the NSA, and it would appear that one of these servers was hacked. Because of the long gap between the theft of the material and the release of the tools, Schneier doesn't think it was an inside whistle-blower or a random hacker who stumbled across the data; in both cases, it's more plausible that they would have released the information immediately.
Schneier's conclusion is that this leaves only a nation-state, such as China or Russia. China seems unlikely because it is currently trying to strengthen its relationship with the US. But when looking at Russia, the question becomes, "why?" This is where my conclusion splits from Schneier's. He states that it doesn't make strategic sense for Russia to release the information, as it would be more useful to them if they kept their knowledge of it secret. However, it's possible that they're trying to make a statement. By releasing the information, they can say, "look at what we can do." We also have to keep in mind that the information was released three years after it was taken. They've had plenty of time to analyze the code, and possibly to reverse engineer some of it. Assuming the NSA has used these tools against Russian targets, the release could be a way of saying, "we know, and we already have it."
There is a second angle as well: releasing classified hacking tools from the National Security Agency makes American citizens question their own government. If the American people come to fear their own government more than a foreign one, they will scrutinize more government activities, especially activities involving other governments, such as Russia. It's a strategic move to make the other country's citizens distrust their own government.
While no one knows for certain who the ShadowBrokers are, and we may never know, it seems more likely than not that a foreign government is behind the leaks. Until we learn more, all we can do is watch, learn from these attacks and leaks, and treat them as a wake-up call: nothing is perfectly secure, but we can take steps to detect and contain intrusions sooner.