Request a Demo Contact Us
Bugcrowd Acquires Informer to Enhance Offerings Across Attack Surface Management and Penetration Testing
Learn More

Shadow Brokers

The Shadow Brokers is a cyber threat actor group that became visible for their disclosures relating to the U.S. government's National Security Agency's hacking tools.

The Shadow Brokers is a cyber threat actor group that became visible for their disclosures relating to the U.S. government’s National Security Agency’s hacking tools. To gain notoriety, they published hacking tools, which they attributed to the Equation Group. Russian security researchers allege the Equation Group to be in direct employ of the U.S. National Security Agency. The hacking tools identified vulnerabilities and exploits that could be used to target enterprise firewalls, antivirus software, and Microsoft products.

As the story goes, the Shadow Brokers supposedly stole secrets from the U.S. National Security Agency (NSA) or the Equation Group. This theft is to embarrass the NSA and hamper their activities, at least publicly. Further, the released material exposes significant vulnerabilities in routers, Microsoft Windows, Linux mail servers, and more. But, of course, files supposedly stolen from NSA are the gift that keeps on giving. The vulnerabilities and the accompanying exploits enabled the WannaCry ransomware to cause havoc with the infection of hundreds of thousands of computers worldwide.

After the WannaCry outbreak, the Shadow Brokers allegedly threatened to release more tools and exploits from the NSA. The Shadow Brokers have published multiple sets of alleged NSA documents, including:

  • A group of exploits and hacking tools can be deployed to hack routers.
  • A group of exploits and hacking tools can be deployed to hack mail servers.
  • Another set of the same sorts of data and tools to use against Microsoft Windows.
  • A directory showing an alleged NSA analyst breaking into the SWIFT banking network.

If you accept the fundamental premise that the materials disclosed by the Shadow Brokers were stolen from the NSA, you would also conclude they might be from different groups at the NSA. The SWIFT files seem to come from an internal NSA computer. The Microsoft files don’t have the same identifying information as the router and mail server files. The Shadow Brokers have released all the material without any deletions, and the time/date stamps vary quite a bit.

Most of the threats can be mitigated by basic best practices. Applying software updates and patches will eliminate the danger of most of these issues. Many of the exploits from Shadow Brokers take advantage of vulnerabilities that can be fixed with routine patching.

There remain threats for many older Windows products, especially those like Windows Server 2003, for which the OS support lapsed years ago. In addition, the NSA hacking tools target vulnerabilities in email-based applications and related collaborative functions.

Mitigations to many of these threats can be found by properly configuring and installing necessary firewalls, intrusion prevention and detection systems, and using a virtual private network (VPN). Checking and correctly configuring network resident services such as RDP gateways, SMB, etc., or uninstalling those that are not required can also reduce an organization’s attack surface and reduce the risk.


Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels across many industries and from around the world.

Get started with Bugcrowd

Hackers aren’t waiting, so why should you? See how Bugcrowd can quickly improve your security posture.