The Shadow Brokers' "Dump of the Month" Club

Nicholas Weaver
Tuesday, May 16, 2017, 1:41 PM

Yesterday I was interviewed by NPR about the Shadow Brokers and their relationship to WannaCry. Overall I think it went well, especially since NPR is very comfortable with answers that start with “we don’t know” and then set out the evidence we do know. But I may have been wrong on one significant thing: I thought the Windows tools were the most damaging the Shadow Brokers have to offer.

Published by The Lawfare Institute
in Cooperation With
Brookings

Yesterday I was interviewed by NPR about the Shadow Brokers and their relationship to WannaCry. Overall I think it went well, especially since NPR is very comfortable with answers that start with “we don’t know” and then set out the evidence we do know. But I may have been wrong on one significant thing: I thought the Windows tools were the most damaging the Shadow Brokers have to offer. Today, with the announcement of the Shadow Broker’s Data Dump of the Month club, I may need to eat some crow.

Recall that the Shadow Brokers are an unidentified actor or group of actors who appears to have penetrated the NSA and then released the stolen information. They have conducted four releases so far: of a 3 year old collection of router exploits that nonetheless included a Cisco zero-day, a similar collection of mailserver exploits, a collection of Windows exploits, and the apparent internal working directory of an NSA operation aimed at gathering intelligence about SWIFT bank transactions in the Middle East. All indications point to this data being legitimate.

I’m pretty sure that these releases do not derive from a single source. Both the mailserver and router exploits seem to be active working directories because they include notes and other information that should identify the actual source. The SWIFT release, on the other hand, is most likely the internal, Internet-connected workstation of a Texas NSA analyst because it consists entirely of operational notes and an in-progress slide deck detailing the operation. The only release which didn’t include massive pointers enabling the NSA to find the particular source is the Windows exploits.

And now the Shadow Brokers are back with yet another missive. Although this could be a hoax, assuming it is legitimate, it should raise serious alarm bells. Although I still believe the auction & payment demands are very much theater designed to attract attention, the Shadow Brokers have earned a reputation for honesty about what they’ve obtained.

Part of their statement is effectively a disclaimer of responsibility for WannaCry. They note that their published directory listing in January resulted in the NSA notifying Microsoft, which in turn released a patch. So by the time the Shadow Brokers released the Windows tools they were no longer zero-days. This disclaimer is fair: All systems exploited were either unpatched or running an obsolete, unsupported version of Windows.

But the Shadow Brokers’ threat to launch a “dump of the month” service if they aren’t paid is ominous. Again, I think the Bitcoin payment demand is little more than a bit of theater intentionally paired with the amusingly awful English, but what are they threatening to release? It could be, according to them:

  • web browser, router, handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and Central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

Given the Shadow Brokers’ demonstrated willingness to reveal incredibly sensitive NSA material—including tools that even Wikileaks would hesitate to publish because of the damage to benefit ratio—we have to take this threat seriously. So what does the threat entail, exactly?

Web browser exploits would make for the least problematic dump. Although zero-days on web browsers are a threat, the current patch ecosystem for browsers quickly turns discovered zero-days into non-issues. A good example is the Firefox exploit used by a European police agency with the FBI’s NIT: in less than a week it turned from something impacting millions of computers to one affecting almost zero as Firefox browsers updated around the world.

Router exploits are more severe but still patchable, assuming the router itself is still being supported by the vendor. Vulnerabilities are more of a concern for systems out of support. Likewise, although Microsoft has proven good about providing patches, not everyone timely applies them, so new Windows vulnerabilities represent a serious thread.

Of far greater concern are handset exploitation tools. Although iOS is responsive and quickly patches vulnerabilities, most Android devices are woefully insecure. Given the very high quality and ease of use present in the other Shadow Brokers released tools, a set of easy-to-use Android exploits would be devastating to the Android ecosystem, as criminals and other miscreants would be able to use such tools to devastating effect.

And finally there is the overt threat to disrupt ongoing NSA operations by revealing details about NSA financial spying and NSA targeting of nuclear and missile programs. Financial spying by the NSA is probably the most important and least liberty-infringing bulk-style program possible—and I doubt anyone outside the targeted countries would have a problem with the NSA spying on foreign WMD and missile programs.

If even if a fraction of what the Shadow Brokers are threatening in their dump of the month club comes to pass it is going to be a very long summer in Fort Meade.


Nicholas Weaver is a senior staff researcher focusing on computer security at the International Computer Science Institute in Berkeley, California, and Chief Mad Scientist/CEO/Janitor of Skerry Technologies, a developer of low cost autonomous drones. All opinions are his own.

Subscribe to Lawfare