Security Encyclopedia

Shadow Brokers

The Shadow Brokers are a group of hackers linked to the 2017 leak of hacked intel belonging to the US National Security Agency. The Shadow Brokers are, in turn, implicated in that year’s WannaCry global ransomware attack that used EternalBlue, an NSA cyber weapon that the Shadow Brokers obtained in the original breach. 

The Shadow Brokers have said they are committed to taking down the NSA, in particular the Equation Group. The Equation Group is an offensive cyberwarfare unit within the NSA's Computer Network Operations (CNO) unit, formerly called the Office of Tailored Access Operations (TAO). Names aside, the activities associated with CNO/TAO are reported to have been underway since 1998.

The Shadow Brokers take their name from a Mass Effect video game character. They appeared around the time of the 2016 Democratic National Committee (DNC), the US presidential candidate selection event held by the organization of the same name. When announcing possession of the stolen NSA tools, the Shadow Brokers initially offered them at auction for 1 million Bitcoin, which at the time was around $600 million. They challenged the NSA and large technology players to buy the NSA tools at auction, arguing that there was a public interest in securing them. In a subsequent communication they released the tools onto the internet.

Edward Snowden has speculated that, in obtaining EternalBlue and similar tools, the Shadow Brokers conducted a sort of “reverse hack” in which Equation Group offensive activities were used to provide a door into the NSA. Snowden is a former US Central Intelligence Agency (CIA) employee and subcontractor who in 2013 leaked highly classified NSA information. 


“The Shadow Brokers released NSA hacking tools that were never meant to be seen. The unfortunate timing of the leak of tools such as EternalBlue, and the failure to patch vulnerable systems, allowed the WannaCry ransomware attack to be as large as it was — 300,000 computers in 150 countries.”