This content is part of the Conference Coverage: Black Hat 2017: Special conference coverage

Who are the Shadow Brokers? Signs point to an intelligence insider

At Black Hat 2017, security researcher Matt Suiche analyzed the Shadow Brokers dumps, postings and behavior to get to the bottom of one of the infosec industry's biggest questions.

LAS VEGAS -- The identity of the Shadow Brokers has become one of the biggest questions in the infosec industry...

this year, and Matt Suiche believes the evidence points to an insider threat rather than an external nation-state attacker.

Suiche, founder of managed threat detection company Comae Technologies, spoke at Black Hat 2017 about the Shadow Brokers, the entity which has been releasing files and hacking tools over the last year from the Equation Group, a hacking outfit connected to the U.S. National Security Agency. Suiche explained how the behavior and tactics of the Shadow Brokers have over time revealed some clues about their background and general identity, which suggest the dumps are the work of disgruntled insiders who are either current or former intelligence community contractors.

"There's definitely a huge problem around [insider threats]," he said. "That's why I, personally, think and I would not be surprised to see the source of those files was another contractor."

While the group's blog posts are written in broken English that suggests Russian-speaking authors, Suiche said the language was likely an operations security (opsec) tactic to obscure the true identities of the Shadow Brokers. Suiche said the people behind the Shadow Brokers group have "an interesting sense of humor" and demonstrated strong familiarity with the National Security Agency's Tailored Access Operation (TAO), which was the first sign that the Shadow Brokers were, in fact, insiders, rather than Russian threat actors. The group has also expressed anger at former members of TAO and threatened to reveal the identities of current TAO hackers.

"It seems like the Shadow Brokers know a lot about TAO as a team," he said.

I don't know if we should say the intelligence community has an insider problem or if Booz Allen has an insider problem.
Matt Suichefounder, Comae Technologies

Suiche said the U.S. defense and intelligence communities employ tens of thousands of contractors, and a number of disgruntled insiders have come to light in recent years, including Edward Snowden and Harold Martin -- both of whom worked as government contractors at Booz Allen Hamilton. "I don't know if we should say the intelligence community has an insider problem or if Booz Allen has an insider problem," he said.

The Shadow Brokers dumps started relatively small, Suiche said; the first batch of free exploits included bugs in many common firewall products. The group later followed up with Solaris operating system exploits, as well as more detailed information on proposed Equation Group targets, which included domains in countries like China and Iran.

Another revealing pattern of behavior, according to Suiche, was the group's increased attempts over time to gain attention -- and the expressions of anger and frustration when the level of attention didn't meet the group's expectations. The Shadow Brokers, he said, clearly wanted more than just to dump and sell the Equation Group cyberweapons; they wanted headlines as well.

Later dumps included detailed operational notes with code names not just for the cyberweapons, but for prospective targets of hacking operations as well. Suiche mentioned one example where the operational notes indicated Equation Group had targeted different mobile service providers across the globe, likely in an effort to gain access to communications.

The biggest Shadow Brokers dump featured Windows exploits like EternalBlue, as well as material indicating the exploits were used by the Equation Group to gain unauthorized access to a service bureau for the Society for Worldwide Interbank Financial Telecommunication (SWIFT) [A SWIFT spokesperson told SearchSecurity there is no evidence indicating a breach of SWIFT’s network or messaging services]. The dump also contained a large amount of information about hacking operations, including unredacted metadata, PowerPoint presentations and even the names of Equation Group members. "That one was pretty interesting," Suiche said. "It contained some tools but mainly operational notes regarding what happened to one of the SWIFT Service Bureau in the Middle East, and it was extremely detailed."

Matt Suiche, founder of Comae Technologies
Matt Suiche at Black Hat USA 2017

Suiche said this was when the "narrative of the Shadow Brokers kind of changed," as the level of information about the Equation Group's inner workings was embarrassing for the National Security Agency. "It's hard to believe the most powerful intelligence agency in the world is not doing any opsec," he said.

While the Shadow Brokers recently introduced a monthly service to sell the stolen cyberweapons, Suiche doesn't believe that money is the group's motive, as asking for 1 million bitcoin (currently over $2.7 billion) isn't a reasonable request. In his presentation, Suiche also emphasized that it's unclear whether anyone has actually received exploits purchased through the new monthly service.

"They're following a pattern where the price keeps doubling," he said, adding that creating "fear, uncertainty and doubt is definitely part of their strategy."

Suiche closed the presentation by, again, suggesting the Shadow Brokers were either current or former intelligence contractors and warned of the potential risks such individuals could pose to cybersecurity. "It's kind of worrying to see the rising threat from some unreliable intelligence agency employees," he said.

Next Steps

Read more on addressing Shadow Brokers vulnerabilities and zero-day threat

Find out how the SHA-1 collision attack breaks the hash function

Learn about the risks posed to industrial control systems security by WannaCry ransomware

Dig Deeper on Threats and vulnerabilities