In the waning months of the Obama administration, just as the White House began confronting Russia over its election interference, a mysterious hacker group called the Shadow Brokers appeared, and started causing big problems for U.S. intelligence agencies. The hackers had gotten ahold of secret NSA hacking tools, and they were periodically releasing portions of the cache for the world to see.
Eight days before Donald Trump’s swearing-in, the hackers announced their retirement, bolstering suspicions that the Shadow Brokers were part of the Kremlin’s sophisticated hacking apparatus. They haven’t been heard from since. Until now.
On Saturday, the Shadow Brokers blazed back to life to release another tranche of NSA files. This time they’ve abandoned their former pretext of being mercenary hackers looking to make a buck. In a lengthy open letter to Donald Trump, the Shadow Brokers explain that they’ve returned to protest the US missile strike against a Syrian airbase Thursday – an action that marked Trump’s first significant move directly opposing the will of Russian president Vladimir Putin. And they warn the president that he will face consequences if he doesn’t revert back to his former policy of leaving Syrian president Bashar al-Assad, a Putin ally, alone.
“Respectfully, what the fuck are you doing?,” the hackers cautioned Trump. “Is appearing you are abandoning ‘your base’, ‘the movement’, and the peoples who getting you elected.”
To security experts watching the group, the Shadow Brokers’ resurgence now leaves little doubt that Putin is pulling their strings. “It’s almost certainly the Russian government,” says Jake Williams, founder of Rendition Infosec. “Whether they’re directly Russian government or controlled by the Russians, all evidence points there.”
The Shadow Brokers first appeared last August with an announcement that they were selling the hacking tools used by a sophisticated computer-intrusion operation known as the Equation Group. It was a remarkable assertion, because the Equation Group was generally understood to be part of the NSA’s elite Tailored Access Operations program and is virtually never detected, much less penetrated. To back up their claim, the Shadow Brokers published two files of about 260 megabytes each: “eqgrp_free_file” and “eqgrp-auction-file”.
The free file contained a huge cache of specialized NSA malware, including dozens of backdoor programs and 10 exploits, two of them targeting previously unknown security holes in Cisco routers—a basic building block of the internet. The leak electrified the computer security world, and sent Cisco and other companies scrambling to fix the security holes and lock out the NSA.
The second file, “eqgrp-auction-file”, was encrypted. Nobody could open it. Portraying themselves as mercenaries out to make a buck, the Shadow Brokers said they’d sell the password to the highest bidder, with a buy-it-now price of 1 million bitcoins — about $600 million at the time.
The ludicrous price tag was one reason experts dismissed the auction as pure theater, crafted to give the Kremlin a fig leaf of deniability while still sending a message to the US to back off. Few thought that the NSA’s toolkit was stolen by non-governmental hackers. The Shadow Brokers went on to release more NSA secrets in time with the public thrusts and parries between the Obama administration and the Russian government. On Dec. 15th, Obama announced to NPR that the U.S. would retaliate for the election hacks—“we need to take action.” On the 16th, the Shadow Brokers published a tweetstorm of screenshots showing off more of its unreleased NSA files.
Throughout it all, though, the password to the “auction” file stayed a secret, hanging over the NSA like the Sword of Damocles.
Last January, in Obama’s final week as president, the Shadow Brokers announced their retirement, dumping a batch of Windows NSA code as a “final fuck you.” In an online interview with the Daily Beast at the time, the Shadow Brokers insisted that they were just out to make a buck, and had no interest in government affairs or political causes. “Douchebags uses causes for trying to get laid,” they wrote. “TheShadowBrokers is getting plenty laid, no need for cause douchbaggery. Leaving that to those straight men who looking, acting like gay men, thinking its called hipsters.”
“TheShadowBrokers will not dump passwords,” they vowed. “TheShadowbrokers will not make all shit free. If theshadowbrokers lose then all peoples lose.”
Now they’ve released the password anyway, and in their public letter they’ve mostly abandoned any claim of being independent, profit-oriented hackers — though they still say they aren’t working for Russia. “If theshadowbrokers being Russian don’t you think we’d be in all those U.S. government reports on Russian hacking?” they wrote.
The security community is still poring over the newly-decrypted file, but so far the contents are largely uninteresting compared to the earlier NSA dumps. “So far the stuff in there isn’t earth shattering,” says Williams. Nicholas Weaver, a computer security researcher at the University of California at Berkeley, shares the sentiment, but he thinks the U.S. may be embarrassed by some information in the documents, such as lists of machines the NSA has hacked.
Trump reversed a long-held hands-off policy with respect to Syria on Thursday when the U.S. launched 59 Tomahawk missiles at a Syrian government air base in response to a chemical weapon attack that killed over 80 people, including 20 children. Trump told reporters that he was moved by footage of the children suffering and dying. The Russian government considers Syria an ally, and immediately condemned the US response.
Despite their disappointment with Trump’s policy reversal on Syria (they also complain about Steve Bannon’s ejection from the National Security Council), the Shadow Brokers are offering to help Trump by hacking other politicians, singling out John McCain as an “enemy of the Constitution of the United States” because he pushed for the missile attack. “TheShadowBrokers is sure if we ‘unmasking’, Senator McCain, Magog [Armageddon] itself might come out, many defense contractors, Saudi Princes.” (McCain’s office didn’t respond to inquiries Saturday).
At the same time, the Shadow Brokers warn Trump, at length, that he’ll face public ridicule if he continues to displease them.
“Do you be remembering when you were sitting there at the Obama Press Party and they were all laughing at you?,” they write. “Do you be remembering when you touring the country and all those peoples believed in you and supported you? You were those peoples hope. How do you be thinking it will be feeling when those people turn on you? Will they be laughing at you, hating you, and mocking you too?”
Another piece of advice addresses the controversy still swirling around Trump over the circumstances of his election. The Shadow Brokers suggest Trump stop denying that the Kremlin helped him win the presidency.
“Celebrate it,” they write.