[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Shadow Brokers: “All your bases are belong to us”

Back when Shadow Brokers doxxed some NSA hackers, I argued some allusions Shadow Brokers made served as a kind of warning, in that case directed at people who hack for NSA. As I understand it, Shadow Brokers’ threats reflected access to specific and accurate information.

Though I haven’t confirmed any of these details, yesterday’s Shadow Brokers post seems to do more of the same, although this time directed at NSA itself.

Consider this passage:

In April, 90 days from theequationgroup show and tell, 30 days from Microsoft patch, theshadowbrokers dumps old Linux (auction file) and windows ops disks. Because why not? TheShadowBrokers is having many more where coming from? “75% of U.S. cyber arsenal” TheShadowBrokers dumped 2013 OddJob from ROCTOOLS and 2013 JEEPFLEAMARKET from /TARGETS. This is theshadowbrokers way of telling theequationgroup “all your bases are belong to us”. TheShadowBrokers is not being interested in stealing grandmothers’ retirement money. This is always being about theshadowbrokers vs theequationgroup.

Shadow Brokers starts by saying it just dropped the EternalBlue dump, along with some other files, because “The ShadowBrokers is having many more where [those were] coming from.” Shadow Brokers then cites from a detail first reported in a WaPo report (though presents the factoid as a direct quote when it is not): that Hal Martin stole 75% of the US cyberarsenal. The WaPo report actually stated that Martin had stolen “75 percent of TAO’s library of hacking tools.”

Shadow Brokers then made some assertions that may disprove a claim WaPo made yesterday: “It is not clear how the Shadow Brokers obtained the hacking tools, which are identical to those breached by former NSA contractor Harold T. Martin III, according to former officials.” It described exactly where, on the NSA servers, the files came from. “TheShadowBrokers dumped 2013 OddJob from ROCTOOLS and 2013 JEEPFLEAMARKET from /TARGETS.” Having suggested it had at least seen file paths or screen caps of the NSA’s file system, Shadow Brokers then made its point even more clear: “This is theshadowbrokers way of telling theequationgroup ‘all your bases are belong to us‘,” both making fun of the claims about its broken language but also suggesting takeover (though I’m curious if mis-citation using a plural here is intentional — perhaps these file systems are in different places? — or just one of a some egregious typos in this post).

Again, I haven’t confirmed whether those details are accurate. Surely the NSA has doublechecked. If they are accurate, then the other claims made in the post — specifically about the other things it has to dump — will especially merit attention.

TheShadowBrokers Monthly Data Dump could be being:

  • web browser, router, handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and Central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

One more point. Shadow Brokers seems to suggest Oracle and another Microsoft patch were due to notice from former NSA hackers, as if all the former NSA employees are helping their employers clean up holes they’ve long known about.

Oracle is patching huge numbers of vulnerabilities but TheShadowBrokers is not caring enough to be look up exact dates.


TheShadowBrokers is thinking Google Project Zero is having some former TheEquationGroup member. Project Zero recently releasing “Wormable Zero-Day” Microsoft patching in record time, knowing it was coming? coincidence?

It’s not clear whether they’d be doing this because they knew of holes NSA had been using or not.

But it’s worth observing that Shadow Brokers is not making vague threats here.

9 replies
    • SpaveLifeForm says:

      Correct. But note that most NSA ops are conducted from military bases (plural, my SIC).

      And most run on *OLD* hardware and software. Plenty of old Solaris too.

      It is not a SB threat, it is fact.

    • emptywheel says:

      Yup. As noted:

      (though I’m curious if mis-citation using a plural here is intentional — perhaps these file systems are in different places? — or just one of a some egregious typos in this post)

  1. b says:

    “Having suggested it had at least seen file paths or screen caps of the NSA’s file system”

    That file system could be on a DVD or a USB stick. It doesn’t mean Shadow Broker has seen a  NSA life filesystem or screenshots thereof. But s/he seems to have fun making the NSA nervous …

  2. SpaveLifeForm says:

    VEP is legal CYA. Some want to fix.
    The problem is that it relies on Executive branch of government. At this time, that is like asking the fox to guard the henhouse.


    Today, Senators Brian Schatz (D-HI), Ron Johnson (R-WI) and Cory Gardner (R-CO), along with Representatives Ted
    Lieu (D-CA) and Blake Farenthold (R-TX), introduced the Protecting Our Ability to Counter Hacking (“PATCH”) Act.

    The bill requires the Executive Branch to establish a Vulnerabilities Equities Review Board to oversee the government’s disclosure of vulnerabilities in information technology products and systems that are not publicly known.

  3. SpaceLifeForm says:


    “If one of our targets discovered we were using this particular exploit and turned it against the United States, the entire Department of Defense would be vulnerable,” the second employee said. “You just have to have a foothold inside the network and you can compromise everything.”

    [Yep. And this what NSA is internally concerned about]

    The Shadow Brokers’ first dump of exploits in August sparked a robust discussion within the Obama administration. “By that point, the intelligence value” of the exploits was “degraded,” so it was decided that NSA would alert whatever vendors were affected, a former senior administration official said.

    [Note August 2016. Not January 2017. Also note vendors, plural. Maybe it was ‘decided’ that NSA would alert Microsoft, but there is no evidence they did. The more likely scenario, even if true that someone at NSA *SAID* they would notify Microsoft, is that they sat on it. Because they had ongoing targets and did not want Microsoft to patch too quickly.]

    [Other vendors would be Cisco, Juniper who had been hacked for a long time]

    [And now, those in NSA that sat on it, probably realize that SB actuallly did the disclosure in January 2017. Which means they know that others know what is really happening internally at NSA with regard to decision making processes]

    For years, NSA had its own internal process for weighing whether to disclose software flaws to the vendor or to keep them secret so they could be used to build surveillance tools. In the spring of 2014, the Obama administration’s National Security Council kicked off a new process to vet vulnerabilities among agencies including the FBI, the NSA, the CIA and Department of Homeland Security.


    Some security experts say that the process to debate and disclose vulnerabilities worked in this case but that there was a failure to signal the seriousness of the need to apply fixes.

    [Maybe the real wakeup is Wcry? Because no one in government wanted to take the political risk to say something? Alternatively, maybe, SB is actually inside US government]

    “NSA identified a risk and communicated it to Microsoft, who put out an immediate patch” in March, said Mike McNerney, a former Pentagon cybersecurity official and a fellow at the Truman National Security Project.

    [That assumes facts not in evidence. Did McNerney get some #FakeIntel/#FalseLeak?
    Or just a cover story?]

  4. orionATL says:

    do american nuclear weapons use microsoft software?

    surely not.

    that software would be uniquely designed and uniquely invulnerable, wouldn’t it?there would not be a chance in hell that any kind of intrusion or take-over of that software would be possible, right?

    or its warning signals, right?

    but it doesn’t hurt to ask,
    given the dod slackness about internet compromise/intrusion,
    are these great killing machines in any way vulnerable to these (microsoft oriented, or other) “exploits” * – particularly in these times of an self-oriented, incompetent president.

    * people who do software engineering are terrible with articulating easy to understand metaphors, e. g.,
    ” hard drive”
    “floppy disk”
    “zero-day exploit”.

    what reader could easily understand these terms meaning on first meeting? none.

Comments are closed.