In the long history of hacking, there have been numerous data breaches that, years or even decades later, remain unsolved. Countless hackers and hacking groups behind them have never been unmasked.
But prolific hacking groups do get caught. This is true whether they’re cybercriminals such as LAPSUS$, a notorious extortion gang that compromised companies including Microsoft and Nvidia, who have had multiple members arrested, or sophisticated government hacking groups from Russia and China, whose members have been named, indicted, and placed on most-wanted lists.
Still, some of the most fascinating cases in cybersecurity history remain wide open — no culprits, no answers, and in some cases, not even a clear motive. We decided to revisit several of them in a series of articles, starting with one of the strangest episodes in the history of intelligence leaks.
The first installment centers on the Shadow Brokers — an enigmatic group that surfaced online, dumped a trove of hacking tools believed to belong to the NSA, and then vanished.
In the summer of 2016, in the midst of the Russian hacks related to the U.S. Presidential elections, the group appeared on Twitter. They linked to a Pastebin post and @-mentioned several news outlets — a strange, ineffective strategy that meant most of those outlets likely never saw the tweets.
But if anyone had clicked on the link, they would have seen a document titled “Equation Group Cyber Weapons Auction — Invitation” — a reference to the shadowy hacking operation widely believed to be run by the NSA.
“!!! Attention government sponsors of cyber warfare and those who profit from it !!!! How much you pay for enemies’ cyber weapons?” the hackers wrote, claiming to have hacked the Equation Group.
The document included links to download some hacking tools, as well as a link to download an encrypted file that interested buyers could decrypt by making a bid. “Auction files better than Stuxnet,” they wrote, referring to the famous malware used against Iranian nuclear facilities in a U.S.-Israeli cyberattack in 2007. They asked for at least one million Bitcoin.
The leak quickly attracted press coverage. Once security researchers analyzed the tools, they realized these were exceptionally sophisticated cyberweapons, very likely stolen from the NSA — a suspicion bolstered by the fact that some shared names with programs revealed by NSA whistleblower Edward Snowden.
The auction was likely a ruse, since the group eventually dumped many of the tools publicly months later. Much about the Shadow Brokers made little sense. Their broken English was almost comical, as if they were either trying too hard or deliberately signaling the artifice. Despite clearly seeking attention — and getting plenty of press coverage — the group only spoke to a journalist once, giving a brief interview to 404 Media’s Joseph Cox, then a reporter at VICE Motherboard.