Throughout the long history of hacking, there have been many data breaches that remain unresolved years or even decades later. The identities of countless hackers and the hacking groups behind them have never been revealed.
But the prolific hacking group gets busted. This is true whether it is cybercriminals like LAPSUS$, the notorious extortion gang that has infiltrated companies like Microsoft and Nvidia and has had multiple members arrested, or sophisticated government hacking groups in Russia and China whose members have been named, indicted, and placed on most-wanted lists.
Still, some of the most interesting cases in the history of cybersecurity remain unsolved, with no culprit, no answers, and in some cases even no clear motive. We decided to revisit some of them in a series of articles, starting with one of the strangest episodes in the history of intelligence leaks.
The first focuses on the Shadow Brokers, a mysterious group that appeared online, dumped a trove of hacking tools believed to belong to the NSA, and then disappeared.
In the summer of 2016, amid Russian hacking related to the U.S. presidential election, the group appeared on Twitter. They linked to the Pastebin post and @mentioned several news organizations. This was a strange and ineffective strategy, and meant that most news outlets likely never saw the tweet.
But if someone were to click on that link, they would see a document titled “Equation Group Cyber Weapons Auction — Invitation.” This is a reference to a shadowy hacking operation widely believed to be run by the NSA.
“!!! Beware of government sponsors of cyber warfare and those profiting from it!!! How much are you paying for your enemy's cyber weapons?” the hackers wrote, claiming to have hacked Equation Group.
The document contained links to download several hacking tools and an encrypted file that interested buyers could decrypt by placing a bid. “Auction files are better than Stuxnet,” they wrote, referring to the famous malware used against Iranian nuclear facilities in a 2007 US-Israeli cyberattack. They demanded at least 1 million Bitcoins.
The leak quickly attracted media coverage. Security researchers analyzed the tools and found that they were highly sophisticated cyberweapons and were most likely stolen from the NSA. This suspicion was further strengthened by the fact that some names were shared with the program revealed by NSA whistleblower Edward Snowden.
The auction was likely a ruse, as the group ultimately publicly scrapped many of its tools several months later. A lot of things about the Shadow Broker made little sense. Their broken English was almost comical, as if they were either trying too hard or being deliberately contrived. Despite the obvious attention and coverage it received, the group only spoke once to journalists, giving a brief interview to 404 Media's Joseph Cox, who was a reporter for VICE Motherboard at the time.
Ten years later, we literally know nothing about who was behind the Shadow Brokers figure. Cox and I interviewed former NSA employees at the time who said there was a possibility that NSA insiders or former insiders were involved. However, no one has been arrested or charged so far. This is unusual considering it was probably one of the worst leaks of US intelligence hacking tools in history.
One potential suspect was Harold T. Martin III, an NSA contractor who was arrested on suspicion of stealing classified information from the NSA. However, there are problems with this theory. While Martin was in custody, Shadow Brokers continued to operate online. He has never been formally charged in connection with the breach. The most widely believed theory is that the Shadow Broker was created by a Russian government spy group as a propaganda tool.
The impact was huge. Among the tools released is EternalBlue, published by Shadow Brokers. This is a family of zero-day vulnerabilities targeting Windows that allow hackers to compromise computers on hacked networks, rapidly expand access, and deploy self-propagating worms. (A zero-day vulnerability means a flaw unknown to the software manufacturer and for which a patch does not yet exist.) North Korean hackers used EternalBlue to unleash the WannaCry ransomware worm. Russian hackers then incorporated it into NotPetya, which spread beyond its initial Ukrainian targets and caused an estimated $10 billion in damage worldwide. For companies, this lesson was stark. Vulnerabilities hidden by intelligence agencies will not remain secret forever, and if they are leaked, the private sector will pay the price.
This treasure trove continues to yield discoveries. The leaked tools also contained a list of project names, including one called Fast16 that was simply labeled “NOTHING TO SEE HERE — CARRY ON.” Last month, researchers announced they had discovered and investigated malware dating back to 2005 that was designed to tamper with software allegedly used by Iranian nuclear scientists.
If you buy through links in our articles, we may earn a small commission. This does not affect editorial independence.