The Shadow Brokers

The Shadow Brokers (TSB) is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools, including several zero-day exploits, from the "Equation Group" who are widely suspected to be a branch of the National Security Agency (NSA) of the United States. Specifically, these exploits and vulnerabilities targeted enterprise firewalls, antivirus software, and Microsoft products. The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA's Tailored Access Operations unit.

Name and alias
Several news sources noted that the group's name was likely in reference to a character from the Mass Effect video game series. Matt Suiche quoted the following description of that character: "The Shadow Broker is an individual at the head of an expansive organization which trades in information, always selling to the highest bidder. The Shadow Broker appears to be highly competent at its trade: all secrets that are bought and sold never allow one customer of the Broker to gain a significant advantage, forcing the customers to continue trading information to avoid becoming disadvantaged, allowing the Broker to remain in business."

Equation Group leaks
While the exact date is unclear, reports suggested that the preparation of the leak started at least in the beginning of August, and that the initial publication occurred August 13, 2016 with a Tweet from a Twitter account "@shadowbrokerss" announcing a Pastebin page and a GitHub repository containing references and instructions for obtaining and decrypting the content of a file supposedly containing tools and exploits used by the Equation Group. The initial response to the publication was met with some uncertainty about its authenticity.

On October 31, 2016, The Shadow Brokers published a list of servers supposedly compromised by the Equation Group, as well as references to seven supposedly undisclosed tools (DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK AND STOICSURGEON) also used by the threat actor.

On April 8, 2017, the Medium account used by The Shadow Brokers posted a new update. The post revealed the password to encrypted files released the previous year, which allegedly had more NSA hacking tools. This posting explicitly stated that the post was partially in response to President Trump's attack against a Syrian airfield, which was also used by Russian forces.

April 14 hacking tool leak
On April 14, 2017, The Shadow Brokers released, amongst other things, the tools and exploits codenamed: DANDERSPRITZ, ODDJOB, FUZZBUNCH, DARKPULSAR, ETERNALSYNERGY, ETERNALROMANCE, ETERNALBLUE, EXPLODINGCAN and EWOKFRENZY.

The leak was suggested to be the "...most damaging release yet" and CNN quoted Matthew Hickey saying, "This is quite possibly the most damaging thing I've seen in the last several years".

Some of the exploits targeting the Windows operating system had been patched in a Microsoft Security Bulletin on March 14, 2017, one month before the leak occurred. Some speculated that Microsoft may have been tipped off about the release of the exploits.

EternalBlue
Over 200,000 machines were infected with tools from this leak within the first two weeks, and in May 2017, the major WannaCry ransomware attack used the ETERNALBLUE exploit on Server Message Block (SMB) to spread itself. The exploit was also used to help carry out the 2017 Petya cyberattack on June 27, 2017.

ETERNALBLUE contains kernel shellcode to load the non-persistent DoublePulsar backdoor. This allows for the installation of the PEDDLECHEAP payload which would then be accessed by the attacker using the DanderSpritz Listening Post (LP) software.

NSA insider threat
James Bamford along with Matt Suiche speculated that an insider, "possibly someone assigned to the [NSA's] highly sensitive Tailored Access Operations", stole the hacking tools. In October 2016, The Washington Post reported that Harold T. Martin III, a former contractor for Booz Allen Hamilton accused of stealing approximately 50 terabytes of data from the National Security Agency (NSA), was the lead suspect. Martin had worked with the NSA's Tailored Access Operations from 2012 to 2015 in a support role. He pleaded guilty to retaining national defense information in 2019, but it is not clear whether the Shadow Brokers obtained their material from him. The Shadow Brokers continued posting messages that were cryptographically-signed and were interviewed by media while Martin was detained.

Theory on ties to Russia
Edward Snowden stated on Twitter on August 16, 2016 that "circumstantial evidence and conventional wisdom indicates Russian responsibility" and that the leak "is likely a warning that someone can prove responsibility for any attacks that originated from this malware server" summarizing that it looks like "somebody sending a message that an escalation in the attribution game could get messy fast".

The New York Times put the incident in the context of the Democratic National Committee cyber attacks and hacking of the Podesta emails. As US intelligence agencies were contemplating counter-attacks, the Shadow Brokers code release was to be seen as a warning: "Retaliate for the D.N.C., and there are a lot more secrets, from the hackings of the State Department, the White House and the Pentagon, that might be spilled as well. One senior official compared it to the scene in The Godfather where the head of a favorite horse is left in a bed, as a warning."

In 2019, David Aitel, a computer scientist formerly employed by the NSA, summarized the situation with: "I don't know if anybody knows other than the Russians. And we don't even know if it's the Russians. We don't know at this point; anything could be true."