Threat Actor

The Shadow Brokers

shadow_brokers · unknown_speculated_russia_or_ex_nsa_insider · active since 2016-08

The Shadow Brokers (self-named TSB) is a leak group / public persona that emerged on August 13, 2016 with a public announcement that it possessed stolen tools belonging to the Equation Group (Kaspersky's canonical naming for the US NSA Tailored Access Operations / TAO unit, curated separately as equation_group.yaml).

Operates as a LEAK GROUP / PUBLIC PERSONA, an operational category distinct from traditional cyber-espionage or cyber-criminal clusters.

True operational identity remains publicly ambiguous, with three primary attribution hypotheses: a Russian state intelligence service counter-intelligence operation; an ex-NSA insider/contractor operation (per the October 2016 arrest of Harold T. Martin III, though Martin was not formally charged for the leak operations); or hybrid foreign-intelligence-service exploitation of an insider compromise.

The most consequential publicly-tracked leak group in modern cyber-threat-intelligence history.

The canonical April 14, 2017 "Lost in Translation" dump released EternalBlue (CVE-2017-0144, a wormable Windows SMBv1 RCE), the DoublePulsar SMB backdoor, EternalRomance, EternalSynergy, EternalChampion, the FuzzBunch NSA exploitation framework, the DanderSpritz NSA post-exploitation framework, and numerous additional NSA exploits.

Downstream effects include the May 12, 2017 WannaCry global ransomware attack (Lazarus Group / DPRK weaponization; 200K-300K computers across 150+ countries) and the June 27, 2017 NotPetya destructive cyber-operation (Sandworm Team / Russian GRU Unit 74455 weaponization; ~$10B USD in global economic damages, the most economically destructive cyber-attack in history).

Signature tradecraft includes theatrical broken-English public messaging; Twitter/Medium/Steemit public-persona infrastructure rather than traditional dark-web-forum infrastructure; and a failed 1 million BTC initial Bitcoin auction, followed by free public dumps, followed by a July 2017 monthly subscription service. The cluster has been publicly dormant since approximately mid-2017.

Fills the historical leak-group analytical cell as the first leak-group cluster curated in the corpus, operationally distinct from all other clusters, which fall into the cyber-espionage, cyber-criminal, or hacktivist categories.

Attribution: unknown_speculated_russia_or_ex_nsa_insider (confidence: medium) · 10 aliases

Profile

The Shadow Brokers (self-named TSB) is a leak group / public persona that emerged on August 13, 2016 with a public announcement that it possessed stolen tools belonging to the Equation Group (Kaspersky's canonical naming for the US NSA Tailored Access Operations / TAO unit, curated separately as equation_group.yaml in this corpus). The cluster operates as a LEAK GROUP / PUBLIC PERSONA, an operational category distinct from traditional cyber-espionage or cyber-criminal clusters. The cluster's operational mission has been the public release of stolen NSA offensive cyber tooling, with three claimed motivations: financial gain via attempted Bitcoin auction sales, undermining US offensive cyber capabilities, and (per TSB's own public statements) "taking down the NSA", with specific focus on the Equation Group.

The cluster's true operational identity remains publicly ambiguous despite extensive investigation. Three primary attribution hypotheses are publicly discussed: (1) a Russian state intelligence service counter-intelligence operation; (2) an ex-NSA insider/contractor operation (the October 2016 FBI arrest of Harold T. Martin III is noted as a possible source, though Martin was not formally charged for the leak operations); (3) hybrid foreign-intelligence-service exploitation of an insider compromise.

No definitive public attribution has been asserted by any government cybersecurity authority.

Operational phases:
  • (1) Initial public emergence and failed auction era (August to October 2016). August 13, 2016 public emergence with an initial leak of Equation Group firewall implants and exploitation scripts targeting Cisco, Juniper, and Topsec. The initial 1 million Bitcoin auction attempts failed.
  • (2) Pre-Lost-in-Translation dump era (October 2016 to March 2017). October 2016 second public dump. March 2017 DanderSpritz + FuzzBunch framework dump.
  • (3) Lost in Translation operational climax (April 14, 2017). The most consequential leak dump released EternalBlue (CVE-2017-0144, wormable Windows SMBv1 RCE), DoublePulsar (SMB backdoor), EternalRomance, EternalSynergy, EternalChampion, and numerous additional NSA exploits. Microsoft had patched the SMB exploits in MS17-010 approximately one month earlier (March 14, 2017), suggesting Microsoft was forewarned of the impending leak.
  • (4) Downstream global cyber-attack era (May to June 2017). The May 12, 2017 WannaCry global ransomware attack (attributed to Lazarus Group / DPRK) weaponized EternalBlue to infect 200,000-300,000 computers across 150+ countries. The June 27, 2017 NotPetya destructive cyber-operation (attributed to Sandworm Team / Russian GRU Unit 74455) caused approximately $10 billion USD in global economic damages, the most economically destructive cyber-attack in history. Both attacks were enabled by the TSB Lost in Translation EternalBlue release.
  • (5) Monthly subscription and dormancy era (July 2017+). Monthly subscription dump service launched. June 28, 2017 threats to expose the identities of former NSA Equation Group contractors. The cluster has been publicly dormant since approximately mid-2017.

Signature operational tradecraft
  • Stolen NSA offensive cyber tooling acquisition and public release: the cluster-defining operational pattern. Tools include EternalBlue, DoublePulsar, EternalRomance, EternalSynergy, FuzzBunch (NSA exploitation framework), DanderSpritz (NSA post-exploitation framework), DarkPulsar (NSA SSH-targeting backdoor), and numerous additional NSA exploits.
  • Theatrical broken-English public messaging: cluster public communications are written in deliberately theatrical broken English, consistent with tradecraft for disguising operator-language identity and adding distinctive persona-recognition features. The persona name is derived from a Mass Effect video game character, suggesting English-language familiarity despite the broken-English communications pattern.
  • Bitcoin auction + monthly subscription monetization: a failed 1 million BTC initial auction, followed by free public dumps, followed by a monthly subscription service.
  • Twitter / Medium / Steemit public persona infrastructure: cluster operations conducted via public-persona social media accounts and blog platforms rather than the dark-web-forum infrastructure traditional for cyber-criminal clusters.
  • Coordination with prior Equation Group research: TSB operations built upon Kaspersky's prior Equation Group research (Kaspersky's 2015 Equation Group public disclosure established the canonical Equation Group naming that TSB subsequently referenced in its leak operations).

The cluster fills the historical leak-group analytical cell in this curated corpus: the first leak-group cluster curated, and operationally distinct from all other curated clusters, which are traditional cyber-espionage, cyber-criminal, or hacktivist operational categories.

The cluster is significant as the most consequential publicly-tracked leak group in modern cyber-threat-intelligence history, responsible for releasing the NSA Equation Group tooling that enabled the WannaCry global ransomware attack (May 2017, ~$4-8B damages) and the NotPetya destructive cyber-operation (June 2017, ~$10B damages), one of the most consequential cyber-threat-intelligence events in modern history.

Aliases (10)
  • shadow brokers
  • the shadow brokers
  • shadow-brokers
  • shadowbrokers
  • shadow brokers leak group
  • tsb
  • tsb leak group
  • shadow brokers nsa leak
  • shadow_brokers_leak_group
  • shadow_brokers_historical

Notable Campaigns (10)
  • 2017-Present: Operational Dormancy Post-2017
  • 2017: March 2017 DanderSpritz + FuzzBunch Framework Dump
  • 2017: 'Lost in Translation' April 2017 Dump, EternalBlue + DoublePulsar Release
  • 2017: WannaCry Global Ransomware Attack, Downstream Effect of EternalBlue Release (May 12, 2017)
  • 2017: NotPetya Destructive Cyber-Operation, Downstream Effect of EternalBlue Release (June 27, 2017)
  • 2017: Monthly Subscription Dump Service (July 2017+)
  • 2016-2019: Ex-NSA Contractor Attribution Speculation and Harold Martin Prosecution (October 2016 - 2019)
  • 2016-2017: Failed Bitcoin Auction Attempts (August 2016 - 2017)
  • 2016: The Shadow Brokers Initial Public Emergence (August 13, 2016)
  • 2016: Second TSB Dump Release (October 2016)

Attribution & Reporting

Attributed by: Kaspersky GReAT, Microsoft Threat Intelligence Center, Mandiant, CrowdStrike, SecureWorks Counter Threat Unit, Rapid7, SentinelOne / SentinelLabs, Symantec / Broadcom Threat Hunter Team, Recorded Future Insikt Group, ETDA Threat Group Cards, US Department of Justice (Martin prosecution), US FBI (Martin investigation), US NSA (victim of the leak)

Key reporting
  • Kaspersky GReAT: Equation Group + Shadow Brokers Operational Tracking, 'strong connection' between several hundred tools in the TSB dump and Equation Group malware
  • Microsoft Security Response Center: MS17-010, Microsoft Security Bulletin for SMB Server Vulnerabilities (March 14, 2017), EternalBlue, EternalRomance, EternalSynergy patches released one month prior to the TSB Lost in Translation dump
  • Microsoft: April 14, 2017 Update on Lost in Translation Dump Exploit Review
  • Rapid7: The Shadow Brokers Leaked Exploits Explained FAQ (April 18, 2017)
  • SecureWorks Counter Threat Unit: PLATINUM COLONY Threat Profile, Equation Group tracking with TSB leak context
  • Securelist (Kaspersky): DarkPulsar Analysis (March 2017 dump components)
  • SentinelLabs: EternalBlue NSA-Developed Exploit Continued Impact Analysis
  • Vice / Motherboard: 'Shadow Brokers' Whine That Nobody Is Buying Their Hacked NSA Files (October 2016)
  • CyberScoop: Shadow Brokers Leaks Show US Spies Successfully Hacked Russian, Iranian Targets (April 2017)
  • Russia Today / RT: Shadow Brokers Threatens to Expose NSA Hacker's Covert Operations Against China (June 2017)
  • ETDA Threat Group Cards: Shadow Brokers Threat Actor Encyclopedia Profile
  • Wikipedia: The Shadow Brokers, comprehensive public timeline documentation
  • US Department of Justice: Harold T. Martin III Prosecution Documentation (October 2016 - May 2019)
  • US Federal Bureau of Investigation: Martin Investigation (broader NSA insider threat context)
  • Malpedia Actor Profile: Shadow Brokers

Operational

State sponsor

The Shadow Brokers' true operational identity remains publicly ambiguous and has been subject to multiple competing hypotheses since the cluster's August 2016 emergence. The Shadow Brokers operate as a LEAK GROUP / PUBLIC PERSONA rather than as a traditional cyber-espionage or cyber-criminal cluster: the cluster's operational identity is the public-facing "Shadow Brokers" Twitter / blog persona and the data-dumping mission objective. Three primary attribution hypotheses have been publicly discussed:

(1) Russian state intelligence service operation. The most commonly suggested hypothesis: that The Shadow Brokers operations are conducted by a Russian state intelligence service (FSB or GRU) as a counter-intelligence operation against the US NSA. The Russia hypothesis is supported by:
  • (a) the August 2016 emergence timing coinciding with the 2016 US Democratic National Committee (DNC) hack (broadly attributed to GRU Unit 26165 / APT28), suggesting coordinated Russian-state-aligned cyber-offensive operations against US government targets and political institutions;
  • (b) Edward Snowden's speculation that "in obtaining EternalBlue and similar tools, the Shadow Brokers conducted a sort of 'reverse hack' in which Equation Group offensive activities were used to provide a door into the NSA";
  • (c) anonymity-maintenance tradecraft consistent with state intelligence service operational security practices.

(2) Ex-NSA insider/contractor operation. Multiple public sources (ETDA Threat Group Cards, broader industry analysis) note that "Shadow Brokers turned out to be an ex-NSA contractor", referencing the August 2016 identification and subsequent prosecution of Harold T. Martin III, a former NSA contractor charged with unauthorized retention of classified NSA documents. However, the formal attribution of The Shadow Brokers leaks specifically to Martin remains debated: Martin's hoarding of NSA documents was extensive, but the specific link to The Shadow Brokers public-persona leak operations was not definitively proven.

(3) Foreign intelligence service exploitation of insider compromise. A hybrid hypothesis combining elements of (1) and (2): a foreign state intelligence service (Russia or other) obtained the NSA tooling via insider compromise (Martin or an unidentified other insider) and then established the Shadow Brokers public persona as cover for the leak. The hybrid hypothesis is consistent with both the timing patterns and the operational sophistication observed.

No definitive public attribution has been asserted by any government cybersecurity authority. The US Department of Justice prosecution of Martin (charged October 2016, pleaded guilty March 2019, sentenced May 2019 to 9 years for unauthorized retention of national defense information) did NOT include charges for the public Shadow Brokers leak operations; the prosecution focused on Martin's possession of classified documents rather than on leak attribution.

The cluster is significant in this curated corpus as the first leak-group cluster (an operational category distinct from cyber-espionage and cyber-criminal clusters) and as the vector that released the EternalBlue Windows SMB exploit and DoublePulsar backdoor (both developed by the Equation Group / NSA TAO) that were subsequently weaponized in the May 2017 WannaCry global ransomware attack and the June 2017 NotPetya destructive cyber-operation (attributed to Sandworm Team / Russian GRU Unit 74455, curated separately as sandworm_team.yaml).

Motivations
public_leak_of_classified_nsa_offensive_cyber_tooling, financial_extortion_bitcoin_auction_attempts, public_humiliation_of_us_intelligence_services, undermining_us_offensive_cyber_capabilities, speculated_geopolitical_pressure_via_intelligence_disclosure, speculated_political_messaging_via_taunting_communications
Sectors
Regions

Detection Blind Spots

10 techniques. Across this actor's 10 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.
  • Behavioral / log (Sigma): 3/10 · 30%
  • Analytics (MITRE CAR): 1/10 · 10%
  • Runtime / container (Falco): 0/10 · 0%
  • File / malware (YARA): 0/10 · 0%
  • Network (Suricata/Snort): 2/10 · 20%
  • Vuln scan (Nuclei): 0/10 · 0%

Tools Used

0 ATT&CK-mapped tools.
Other tooling / TTPs (curation, not ATT&CK-mapped):
  • Medium blog persona
  • Monthly subscription dump service
  • Steemit blog persona
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin