Seriously, Beware the ‘Shadow Brokers’

The group’s NSA-quality malware release isn’t just another hack.

It’s not every day a trove of National Security Agency-quality hacking tools gets dumped on the open market, free for the taking, but that’s what happened in April. Security researchers say there’s evidence hackers have already used the tools to infect hundreds of thousands of computers around the world, installing a so-called backdoor that opens up the machines to an almost unlimited level of remote control.

So where’s the panic? Compared with major vulnerabilities discovered in the past few years, such as the Heartbleed bug, which exposed weaknesses at companies including Yahoo! Inc. and Inc., “it’s 10 times worse,” says Sean Dillon, a senior analyst at security company RiskSense Inc. who took apart the backdoor tool, called DoublePulsar, to study it. “The industry has cried wolf on naming all these vulnerabilities. This one’s the big one, but now it just gets lost in the noise, like, ‘Oh, it’s this week’s thing.’ ”

A hacking group known as Shadow Brokers posted the password for the encrypted cache in a bizarre, grammatically challenged message addressed to President Donald Trump on the social network Medium. The group went public last August, when it attempted to auction off a set of what are widely believed to be NSA hacking tools. (The agency has declined to comment.) The group apparently didn’t get the response it wanted and instead made the whole lot public last month.

The tools, with names like EternalBlue and EternalRomance, worked on vulnerabilities in Microsoft Corp.’s Windows operating systems. Microsoft said in a statement that the problem was under control, more or less—most of the security holes had already been patched before the hacking cache went public. In the real world, of course, companies, particularly small ones, often run old systems, don’t patch, and may not even be aware of the problem, meaning the Shadow Brokers tools remain effective.

Dillon figured out how DoublePulsar, perhaps the most powerful tool, worked. It runs in kernel mode, the underbelly of an OS that’s typically invisible to users and tough to code for, and, once opened, it gives hackers almost unlimited control over the system.

“It’s the kind of thing you’d see used very rarely on very special, covert cybermissions,” Dillon says. “This is like a jewel a government would guard, and now it’s just spammed across the internet.” He says he and his colleagues have found DoublePulsar in the computers of dozens of clients, including startups, government agencies, and at least one Fortune 100 company. “Every major malware family—botnets, spyware, banking malware—they’re going to be incorporating this into their attacks.”

BinaryEdge, a Swiss security company, says it found 428,827 DoublePulsar infections on April 27, up from 106,410 on April 21, by scanning computers connected to the internet. Dan Tentler, founder of security company Phobos Group, says about a third of the 4.5 million computers he’s scanned remain vulnerable. “The reason we’re seeing these numbers is there’s no pressure on businesses to patch,” he says. “People don’t take this seriously until it bites them.”

In the Medium post, Shadow Brokers claimed to be disappointed Trump supporters. Whatever the group’s feelings about Washington, its cache is a huge gift to criminals, says Levi Gundert, vice president for intelligence and strategy at security company Recorded Future Inc. “The information that gets exposed has rarely been as relevant and valuable,” Gundert says.

Recorded Future has been tracking message traffic about the tools on Russian hacking forums and Chinese-language websites. Three days after Shadow Brokers released the trove, a detailed tutorial on how to use EternalBlue and DoublePulsar was already circulating on a top-tier hacking forum. “The impact of this will be felt for years,” Gundert says. “If you look at some of the worms that were around in 2007, 2008, 2009, they’re still around.”

The bottom line: The hacking tools released by Shadow Brokers may have infected more than 400,000 computers and could be tough to erase.

Before it's here, it's on the Bloomberg Terminal.