Trending / May 30, 2017

The Shadow Brokers Are at It Again This Morning!

A few weeks ago, the Shadow Brokers—the hacking group that allegedly stole and released exploits from the CIA and were behind the WannaCry, ETERNAL ROCKS, and other recent high-profile cyber-attacks—announced that their new TheShadowBrokers Monthly Dump Service was “coming soon.”

That announcement was light on details but heavy on expectations. Now, in their signature marketing style (frankly, entertaining yet unintelligible), the group has released an FAQ on the new service (launching in June). It outlines the cost and how one might pay for the service, but, unfortunately, provides few specifics on what exactly you’d be getting for your money.

How Does the Monthly Service Work?

Here’s the gist, right from the source:

Welcome to TheShadowBrokers Monthly Dump Service – June 2017

Q: How do I subscribe and get the next theshadowbrokers’ dump (June 2017)?

  1. Between 06/01/2017 and 06/30/2017 send 100 ZEC (Zcash) to this z_address:zcaWeZ9j4DdBfZXQgHpBkyauHBtYKF7LnZvaYc4p86G7jGnVUq14KSxsnGmUp7Kh1Pgivcew1qZ64iEeG6vobt8wV2siJiq
  2. Include a “delivery email address” in the “encrypted memo field” when sending Zcash payment
  3. If #1 and #2 then a confirmation email will be sent to the “delivery email address” provided
  4. Between 07/01/2017 and 07/17/2017 a “mass email” will be send to the “delivery email address” of all “confirmed subscribers” (#1, #2, #3)
  5. The “mass email” will contain a link and a password for the June 2017 dump


You Have to Admire Their Persistence, Though Perhaps Not Their Grammar

Looking to capitalize on the media attention created by WannaCry, this new service is the latest attempt by the Shadow Brokers to monetize or flat out sell their cache of allegedly stolen exploits.

Their first attempt was back in August 2016, when they tweeted a link to a GitHub repository that included instructions for an online auction of two encrypted archives of stolen Equation Group exploits. To date, the Bitcoin address set up to collect bids has only collected a grand total of 10.5 Bitcoin, which, even with the recent bull run on the cryptocurrency, only amounts to about $24,000 USD.

After two weeks, they abandoned their winner-take-all, highest-bidder approach and pivoted to a crowdfunding model that offered the password to anyone who contributed to an end goal of 10,000 Bitcoin (approximately $6M USD at the time; more than $23M USD today). That, too, did not go over well, and they eventually resorted to trying to outright sell the lot of exploits packaged as the “Windows Warez” for 750 Bitcoin ($600k USD at the time; $1.7M USD today).

Having made almost no money and attracting little overall attention as a criminal business venture, the Shadow Brokers looked to have thrown in the towel for a while . . . only to re-emerge emboldened after the recent WannaCry attacks.

What Will Be in the Inaugural Data Dump?

That’s not entirely clear, though the Shadow Brokers take the approach that if you have to ask, you probably can’t afford it anyway. They claim to be keeping the subscription fee high (approximately $23k USD/month) for the sake of exclusivity, with the service intended only for “high rollers, hackers, security companies, OEMs and governments.”

But you can expect that the cost will rise as the Zcash cryptocurrency gets some media attention and the Shadow Brokers use it to add a sense of urgency to their pitch—even if they say they are not endorsing Zcash.

So what’s potentially in the first monthly release? In their words:

TheShadowBrokers is not deciding yet. Something of value to someone. See theshadowbrokers’ previous posts. The time for “I’ll show you mine if you show me yours first” is being over. Peoples is seeing what happenings when theshadowbrokers is showing theshadowbrokers’ first. This is being wrong question. Question to be asking “Can my organization afford not to be first to get access to theshadowbrokers dumps?”

Their previous announcement also claimed that an upcoming data dump would include:

  • Exploits for operating systems, including Windows 10.
  • Exploits for web browsers, routers, and smartphones.
  • Compromised data from banks and Swift providers.
  • Stolen network information from Russian, Chinese, Iranian, and North Korean nuclear missile programs.

At this point, it’s only speculation as to whether all of this exists and, if so, if it will be the actual content released as part of the monthly subscription service.

What’s New about This Scheme?

Not much. They’re still flogging the same product and they’ve almost exhausted every conceivable way to do so at this point. Maybe if this one doesn’t pan out, they’ll try affiliate marketing or vending machines. Who knows?

What has changed, however, is their cryptocurrency of choice. They have switched from Bitcoin to Zcash, which is supposed to offer stronger privacy and be harder to trace.

Earlier this week, it was reported that the Shadow Brokers moved their total haul from previous operations, 10.5 Bitcoin, through a mixing service in an attempt to hide who was accessing the funds. Avoiding that problem may be the reason behind the switch for their new venture: Zcash supports transfers that are not publicly traceable the way Bitcoin payments are.

That said, the Shadow Brokers don’t even seem to trust their new cryptocurrency of choice, noting this in an unpublishable expletive-ridden tirade that ends with, “This month theshadowbrokers using Zcash. If being not good, then maybe theshadowbrokers doing different for July?”

Do They Really Even Have the Goods?

There’s really no evidence that this is the case, but no way to know for sure.

The up-front focus on discrediting Zcash, and the claim that it has connections to the U.S. government and Israeli intelligence, appears to many in the security industry to be: 1) misdirection to take your mind off the fact that the store is empty; and 2) a potential exit-strategy excuse should this scheme be as (un)successful as previous ones.

The Shadow Brokers have cashed out and emptied the loot from their Bitcoin wallet, and the timing of this new venture, coming hot on the heels of WannaCry, seems to indicate that they are simply being opportunistic and attempting a final cash grab. It’s easy to speculate that if they did have anything left of value, they’d be better off showcasing it to maximize its salability. And yet, for all their salesmanship and entertaining marketing, there’s really very little to show for the money they are asking.

Should We Be Worried?

It’s hard to say. While all of their broken-English claims remain completely unverified, their previously released dump turned out to be legitimate and resulted in WannaCry and other malware attacks that caused global chaos and digital destruction. Maybe that’s all they had, but there’s no way to know that for sure.

But for now, they should be taken seriously. Why? Because if what they’ve announced turns out to be true, we may be in for another round of highly sophisticated attacks from unknown high-roller threat actors who decide to take a chance and pay for the service.
