Shadow Brokers dump crowdfunding raises ethical questions

The prospect of monthly NSA cyberweapons leaks in new Shadow Brokers dump raises questions about the ethics of paying criminals for stolen goods.

Although past auctions and sales have not gone well, the Shadow Brokers are trying once again to get someone -- anyone -- to give them money for the trove of NSA cyberweapons the group claims to have and the damage from WannaCry has IT professionals crowdsourcing to pay.

If all goes according to plan, a monthly Shadow Brokers dump of vulnerabilities and exploits will be released to anyone who pays the $20,000 price tag. The group said this high cost is intended to only attract "high rollers, hackers, security companies, OEMs, and governments." The group is asking for payment in Zcash, an anonymous cryptocurrency with more privacy than Bitcoin, and the first Shadow Brokers dump is scheduled to be released between June 1 and June 17.

Experts fear future subscription-based Shadow Brokers dumps because of the extent of the damage caused by WannaCry and how the ransomware highlighted the large number of systems vulnerable to the EternalBlue exploit from the NSA cyberweapons stockpile.   

Csaba Krasznay, product evangelist at Balabit, a security company headquartered in Budapest, Hungary, said "the whole situation is really scary" because the next Shadow Brokers dump could lead to another WannaCry.

"Whatever the truth is, it is clear now that the governments should handle their cyberweapons in ways similar to the handling of their weapons of mass destruction," Krasznay told SearchSecurity. "Otherwise, perhaps a disgruntled privileged administrator might steal one or perhaps someone may simply forget to delete it after use in an operation. Those codes shouldn't get to a Shadow Brokers-like group, and this is a governmental responsibility."

Mounir Hahad, senior director at Cyphort Labs, said because it appears the NSA is aware of what was stolen and may have begun notifying vendors, the Shadow Brokers are more likely to provide dangerous exploits.

"The Shadow Brokers cannot make random claims of having additional cyberweapons without risking being called on it, so they will likely only talk about what they truly have," Hahad told SearchSecurity. "My concern would be with rogue entities like cybercrime groups, which now would have a more affordable access to weapons of choice. Some not-so-well funded foreign governments may dip their toes in as well."

Crowdfunding for the Shadow Brokers dump

The Shadow Brokers notably tried to auction off the cache of NSA cyberweapons it had for 10,000 Bitcoin only to cancel the auction in October after earning just 1.76 Bitcoin. At the time, that 1.76 Bitcoin was worth approximately $1,121, but the Shadow Brokers' account continued to receive additional payments after teasing the NSA cyberweapons in January, releasing them in April and the subsequent mayhem caused by WannaCry, which was based on NSA cyberweapons found in that Shadow Brokers dump.

Whatever the truth is, it is clear now that the governments should handle their cyberweapons in ways similar to the handling of their weapons of mass destruction.
Csaba Krasznayproduct evangelist, Balabit

Ultimately, the Shadow Brokers had close to 10.5 Bitcoin in their account and 10.4 Bitcoin was transferred out of the account on May 29. Bitcoin prices have also spiked over the past two months, meaning the 10.4 Bitcoin was worth more than $24,000 at the time of the transfer. This seems to indicate the Shadow Brokers dumps can generate at least some money through crowdfunding.

The Shadow Brokers Response Team (SBRT), led by Matthew Hickey, co-founder and director at Hacker House, and security researcher x0rz, started a crowdfunding project to pay for the new Shadow Brokers dump in order to "release any and all information obtained from this once we have assessed and notified vendors of any potential zero-days."

The researchers have since cancelled the crowdfunding project due to "legal reasons."

"We will make the data available to everyone who backed and supported this campaign eventually. It will first be reviewed in the immediate instance by the team members before being distributed to any security researcher who can benefit the disclosure and reverse engineering processes. This is to allow a first response analysis on the data and early insight to those who are supporting this project," SBRT wrote on its Patreon page. "Any zero-day vulnerabilities identified in the leak will be immediately shared with affected product vendors for patching / comment as part of this first response effort. The data will then be distributed to the backers promptly."

Hahad said he does not believe "security researchers should be crowdfunding any criminal activity, period."

"That would be crossing the line. We have to take the high road and fight this battle honorably with the information we have," Hahad said. "Usually the industry is driven by a code of conduct that should prevent engaging in any shady activity and definitely not funding illegal activities."

Jeremiah Grossman, chief of security strategy at SentinelOne, based in Palo Alto, Calif., and founder of WhiteHat Security, said that morality missed the bigger picture.

Christian Vezina, CISO at VASCO Data Security, said the SBRT crowdfunding could ultimately mitigate the threat from the Shadow Brokers dump.

"Hackers have been sharing information for a while. I think it is a good opportunity for security researchers to unite and get in the Shadow Brokers' exploit-of-the-month club," Vezina told SearchSecurity. "This may help level the playing field between the good and bad guys."

Next Steps

Learn five steps for business after a WannaCry attack.

Find out how defense needs to catch up as ransomware evolves.

Get info on how the Shadow Brokers dump shook the IT industry.

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing