Shadow Brokers, the group that leaked the U.S. National Security Administration worm that weaponized the WannaCrypt / WannaCry malware for last weekend’s global attack, says it’s just getting started.
In a convoluted post on Steemit.com and shared on the mysterious group’s Twitter account, Shadow Brokers says it has more exploits and attack tools in its possession. It wants to sell them, starting in June through  “TheShadowBrokers Data Dump of the Month” service.
https://twitter.com/shadowbrokerss/status/864363811989471233
Subscribing to the service “is being like wine of month club” (sic), the group writes. “Each month peoples can be paying membership fee, then getting members only data dump each month.”
The data dumps will include exploits for web browsers, routers, compromised network data from SWIFT providers and central banks, and compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs.
Alternately, the Shadow Brokers appears to be giving the NSA or any other organization that has leaked cyber warfare kits to buy back the whole lot and avoid the release of the tools.
Shadow Brokers claims to have about 75 per cent of the U.S. cyber-arsenal, says Sean Dillon, senior security analyst at RiskSense. Dillon was among the first researchers to reverse engineer the DoublePulsar payload that helped weaponize the WannaCrypt malware over the weekend. He says cyber security leaders should pay attention to what Shadow Brokers does next.
“The Equation Group are our nation’s top hackers,” he says, referring to the group which Shadow Brokers claims to have pilfered a stockpile of exploits and tools. “They claim they still have zero-days. That’s why people need to pay attention.”
The WannaCry attack that took place over the weekend didn’t involve any zero-day exploits – Microsoft had patched the SMB exploit used by EternalBlue in March, and the WannaCry ransomware was known to many antivirus vendors. Yet it still caused problems on many thousands of unpatched systems.
RiskSense has been tracking the Shadow Brokers since last August, when it released a zero-day exploit “Extra Bacon” for Cisco ASA firewalls that potentially allowed attackers to access internal networks. After that, it tried to sell a dump of zero-day exploits for 1 million bitcoin. When that didn’t work, it tried selling exploits in smaller bundles.
In the Steemit.com post, Shadow Brokers responds to theories that North Korea was behind the WannaCry attack, apparently dismissing that through open mockery. It also alleges that Microsoft Corp. is colluding with The Equation Group – “the Microsoft is being BFF with the equation group” – Â the NSA’s hacking group, and that the NSA has spies inside of Microsoft and other top U.S. technology companies.
It also references a meme from the poorly-translated video game Zero Wing that first surfaced in 1998. “This is theshadowbrokers way of telling the equationgroup ‘all your bases are belong to us.'” (sic)
The post explains Shadow Brokers main motivation in its activities as a competition of sorts, pitting itself against the NSA.
Any U.S. government organizations are unlikely to negotiate with the hackers, Dillon says. But if the subscription service launches in June as stated, he expects there will be subscribers.
