Criminal Justice & the Rule of Law Intelligence

The Shadow Brokers Dump NSA Trove, Go Out with a Whimper

Grayson Clary
Monday, April 10, 2017, 9:32 AM

One of the stranger dramas in information security may now be over. On Saturday, apparently in protest at President Trump’s missile strike on Syria, the group that calls itself the Shadow Brokers dumped the rest of its cache of stolen NSA hacking tools. The collection of exploits had nominally been up for auction, albeit at an improbably high price in Bitcoin, since last August.

Published by The Lawfare Institute
in Cooperation With
Brookings

One of the stranger dramas in information security may now be over. On Saturday, apparently in protest at President Trump’s missile strike on Syria, the group that calls itself the Shadow Brokers dumped the rest of its cache of stolen NSA hacking tools. The collection of exploits had nominally been up for auction, albeit at an improbably high price in Bitcoin, since last August. The Shadow Brokers shared the password to the auction file at the end of a profane and disorganized Medium post, styled as a letter to Trump and entitled “Don’t Forget Your Base.”

The post doesn’t do an enormously convincing job of debunking the theory that the Shadow Brokers are a Russian sock puppet like Guccifer 2.0. The author of the post rants, “If theshadowbrokers being Russian don’t you think we’d be in all those U.S. governments reports on Russian hacking?” But he or she also insists, “We recognize Americans’ having more in common with Russians than Chinese or Globalist or Socialist. Russia and Putin and nationalist and enemies of the Globalist…” In that vein, the post makes much greater use of alt-right and white nationalist rhetoric than past Shadow Brokers’ communications (though the group has apparently used a cut-out identifying as an American neo-Nazi before, as the researcher the Grugq has detailed).

The post criticizes not just the Syria strike but also Goldman Sachs’ influence in the Administration, the failure to repeal Obamacare, Trump’s clash with the Freedom Caucus, the concept of “white privilege,” and Steve Bannon’s removal from his permanent seat on the National Security Council. At points, that media literacy shades into self-conscious parody. The post claims, “Most of us used to be The DeepState everyone is talking about,” and notes, “‘Unmasking’ is being new buzz word, so we use.” As Lawfare contributor Matt Tait observed on Twitter, “It’s pretty well constructed for disinfo tbh.”

Security researchers are still picking over the file, but initial responses suggest the cache itself is underwhelming. Motherboard reporter Lorenzo Franceschi-Biccherai tweeted one observer’s reaction: “Buyers woulda been pissed.” The strange group may have gone out with a whimper.

In that light, the Shadow Brokers’ return is probably most notable as a story about U.S.-Russia relations (if the group is, in fact, Russian). The release of the exploits, impressive or not, seems to reiterate that Russia will happily use against Trump the same hack-and-leak tactics it used to interfere in the 2016 elections—and signals obvious unhappiness with any shift in Syria policy.

The leak will also reinforce criticism of the government’s approach to disclosing software vulnerabilities. When the Shadow Brokers first started releasing NSA exploits, some of them apparently zero-days, the agency came in for criticism for hoarding flaws in American software and hardware—especially in light of the fact that some of the vulnerabilities were several years old. While a recent RAND study suggested that independent rediscovery of zero-days is relatively rare, it didn’t and couldn’t account for the risk—clearly non-zero—that some exploits designed by the intelligence community will be stolen by foreign adversaries. It remains impossible to tell whether the government’s internal Vulnerabilities Equities Process appropriately accounts for that danger when weighing whether to hand over a bug to be patched.

Finally, the release will probably have some impact on the attribution of past operations to NSA (Edward Snowden, among others, has circulated a list of IP addresses allegedly identified as targets in the dump). In that respect, the publication dovetails with WikiLeaks’ ongoing “Vault 7” releases on CIA hacking, which have exposed tools that the CIA uses to obfuscate its malware to defeat attribution. WikiLeaks bragged that “thousands of CIA viruses and hacking attacks could now be attributed,” and that claim was promptly echoed by outlets like RT and Breitbart, which stressed that intrusions previously thought to be Russian or Chinese might be American.

But all in all, this latest Shadow Brokers post is a bizarre but relatively modest ending for a group whose debut raised dramatic questions about the security of NSA hacking tools. Granted, this isn’t the first “last time” the group has spoken out; unless the Shadow Brokers have access to more U.S. government property than previously advertised, though, they seem to have spent the last of their stock. Whether or not this particular personality ever reappears, we can expect to see more and more of the hack, leak, and spin operations in which it specialized.


Grayson Clary is the Stanton Foundation National Security/Free Press Fellow at the Reporters Committee for Freedom of the Press. Prior to joining the Reporters Committee, he clerked for the Honorable Merrick B. Garland on the U.S. Court of Appeals for the District of Columbia Circuit. Clary is a graduate of Harvard Law School, where he was book reviews chair of the Harvard Law Review and a winner of the Sears Prize.

Subscribe to Lawfare