The mysterious hacking group known as the Shadow Brokers first surfaced in August 2016, claiming to have breached the spy tools of the elite NSA-linked operation known as the Equation Group. The Shadow Brokers offered a sample of the allegedly stolen NSA data and attempted to auction off a bigger trove.
This April, though, marked the group's most impactful release yet. It included a trove of particularly significant alleged NSA tools, including a Windows exploit known as EternalBlue, which hackers have since used to infect targets in two high-profile ransomware attacks.
The identity of the Shadow Brokers is still unknown. The leak also underscored the risk of agencies keeping such flaws to themselves: rather than notifying the company that makes the software so the vendor can patch the vulnerabilities and protect its customers, they hold on to them for their own use. If those tools get out, they potentially put billions of software users in danger.
In May, a strain of ransomware called WannaCry spread around the world, walloping hundreds of thousands of targets, including public utilities and large corporations. Notably, the ransomware temporarily crippled National Health Service hospitals and facilities in the United Kingdom, hobbling emergency rooms, delaying vital medical procedures, and creating chaos for many British patients.
Though powerful, the ransomware also had significant flaws, including a mechanism that security experts effectively used as a kill switch to render the malware inert and stem its spread. In total, WannaCry netted almost 52 bitcoins, or about $130,000.
WannaCry's reach came in part thanks to one of the leaked Shadow Brokers Windows exploits, EternalBlue. Microsoft had released the MS17-010 patch for the underlying bug in March, but many institutions had not applied it and were therefore still vulnerable to WannaCry infection.
A month or so after WannaCry, another wave of ransomware infections that partially leveraged Shadow Brokers Windows exploits hit targets worldwide. This malware, called Petya, was more advanced than WannaCry in many ways, but it still had some flaws, like an ineffective and inefficient payment system. Though it infected networks in multiple countries, including the US pharmaceutical company Merck, the Danish shipping company Maersk, and the Russian oil giant Rosneft, researchers suspect that the ransomware actually masked a targeted cyberattack against Ukraine. The ransomware hit Ukrainian infrastructure particularly hard, disrupting power companies, airports, public transit, and the central bank, just the latest in a series of cyber assaults against the country.