{"id":242455,"date":"2026-05-26T15:27:12","date_gmt":"2026-05-26T15:27:12","guid":{"rendered":"https:\/\/entertainment.runfyers.com\/index.php\/2026\/05\/26\/ghost-hackers-the-cybersecurity-mystery-that-nobody-has-solved-techcrunch\/"},"modified":"2026-05-26T15:27:12","modified_gmt":"2026-05-26T15:27:12","slug":"ghost-hackers-the-cybersecurity-mystery-that-nobody-has-solved-techcrunch","status":"publish","type":"post","link":"https:\/\/entertainment.runfyers.com\/index.php\/2026\/05\/26\/ghost-hackers-the-cybersecurity-mystery-that-nobody-has-solved-techcrunch\/","title":{"rendered":"Ghost hackers: the cybersecurity mystery that nobody has solved | TechCrunch"},"content":{"rendered":"<div>\n<p id=\"speakable-summary\" class=\"wp-block-paragraph\">In the\u00a0long history of hacking, there have been\u00a0numerous\u00a0data breaches that,\u00a0years or even decades\u00a0later,\u00a0remain\u00a0unsolved. Countless hackers and hacking groups behind them have never been unmasked.\u00a0\u00a0<\/p>\n<p class=\"wp-block-paragraph\">But prolific hacking groups do get caught.\u00a0This is\u00a0true whether\u00a0they\u2019re\u00a0cybercriminals such as LAPSUS$, a notorious extortion gang that compromised companies such as <a href=\"https:\/\/techcrunch.com\/2022\/03\/24\/london-police-lapsus-arrests\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft and Nvidia<\/a> and that has had multiple members arrested, or sophisticated government hacking groups from Russia and China, whose members have been named, indicted, and placed on most-wanted lists.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Still, some of the most fascinating cases in cybersecurity history remain wide open \u2014 no culprits, no answers, and in some cases, not even a clear motive. 
We decided to revisit several of them in a series of articles, starting with one of the strangest episodes in the history of intelligence leaks.<\/p>\n<p class=\"wp-block-paragraph\">The first installment centers on the Shadow Brokers \u2014 an enigmatic group that surfaced online, dumped a trove of hacking tools believed to belong to the NSA, and then vanished.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">In the summer of 2016,\u00a0in the midst of\u00a0the Russian hacks related to the U.S. presidential elections, the group\u00a0<a href=\"https:\/\/web.archive.org\/web\/20160816155653\/twitter.com\/shadowbrokerss\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">appeared on Twitter<\/a>. They linked to a\u00a0<a href=\"https:\/\/web.archive.org\/web\/20160815172902\/https:\/\/pastebin.com\/JBcipKBL\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Pastebin post<\/a>\u00a0and @-mentioned several news outlets \u2014 a strange, ineffective strategy that\u00a0meant\u00a0most of those outlets\u00a0likely never\u00a0saw\u00a0the tweets.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">But if anyone had clicked on the link, they would have seen a document titled \u201cEquation Group Cyber Weapons Auction \u2014 Invitation\u201d \u2014 a reference to the shadowy hacking operation widely believed to be run by the NSA.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">\u201c!!! 
Attention government sponsors of cyber warfare and those who profit from\u00a0it !!!!\u00a0How much\u00a0you\u00a0pay for enemies\u2019 cyber weapons?\u201d the hackers wrote, claiming to have hacked the Equation Group.\u00a0<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><figcaption class=\"wp-element-caption\"><span class=\"wp-element-caption__text\">A screenshot of the Shadow Brokers\u2019 first tweets.<\/span><span class=\"wp-block-image__credits\"><strong>Image Credits:<\/strong> TechCrunch<\/span><\/figcaption><\/figure>\n<p class=\"wp-block-paragraph\">The document included links to download some hacking tools, as well as a link to download an encrypted file that interested buyers could decrypt by making a bid. \u201cAuction files better than Stuxnet,\u201d they wrote, referring to the famous malware used against Iranian nuclear facilities in a U.S.-Israeli cyberattack in 2007. They asked for at least\u00a0<a href=\"http:\/\/vice.com\/en\/article\/hackers-hack-nsa-linked-equation-group\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">1 million Bitcoin<\/a>.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The leak quickly attracted press coverage. Once security researchers analyzed the tools, they realized these were exceptionally sophisticated cyberweapons,\u00a0very likely\u00a0stolen from the NSA \u2014 a suspicion bolstered by the fact that some shared names with programs revealed by NSA whistleblower Edward Snowden.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The auction was\u00a0likely a\u00a0ruse, since the group eventually dumped many of the tools publicly months later. Much about the Shadow Brokers made little sense. Their broken English was almost comical, as if they were either trying too hard or deliberately signaling the artifice. 
Despite clearly seeking attention \u2014 and getting plenty of press coverage \u2014 the group only spoke to a journalist once, giving a\u00a0<a href=\"https:\/\/www.vice.com\/en\/article\/a-brief-interview-with-the-shadow-brokers-the-hackers-selling-nsa-exploits\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">brief interview<\/a>\u00a0to 404 Media\u2019s Joseph Cox, then a reporter at VICE Motherboard.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">Ten years later, we know\u00a0literally nothing\u00a0about who was behind the Shadow Brokers persona. Cox and I\u00a0<a href=\"https:\/\/www.vice.com\/en\/article\/former-nsa-staffers-rogue-insider-shadow-brokers-theory\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">interviewed former NSA staffers<\/a>\u00a0at the time, who said an NSA insider or former insider could be involved. But nobody has ever been arrested and charged \u2014 extraordinary, given this was\u00a0arguably one\u00a0of the worst leaks of U.S. intelligence hacking tools ever.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">One potential suspect was Harold T. Martin\u00a0III,\u00a0an NSA contractor arrested for stealing classified information from the agency. But the theory has a problem: While Martin was in custody, the Shadow Brokers remained active online. He has never been formally charged in connection with the leaks. The most widely credited theory is that the Shadow Brokers were created by a Russian government spy group as a propaganda tool.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The impact was massive. Among the tools released, the Shadow Brokers published\u00a0<a href=\"https:\/\/www.wired.com\/story\/eternalblue-leaked-nsa-spy-tool-hacked-world\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">EternalBlue<\/a>\u00a0\u2014 a family of zero-day vulnerabilities targeting Windows that allowed hackers to break into computers on a hacked network, rapidly expand their access, and deploy self-propagating worms. 
(<a href=\"https:\/\/techcrunch.com\/2025\/04\/25\/techcrunch-reference-guide-to-security-terminology\/#zero-day\" target=\"_blank\" rel=\"noreferrer noopener\">Zero-day vulnerabilities<\/a>\u00a0are\u00a0flaws\u00a0unknown to the software maker, meaning no patch yet exists.) North Korean hackers used\u00a0EternalBlue\u00a0to unleash the\u00a0<a href=\"https:\/\/techcrunch.com\/2019\/07\/08\/the-wannacry-sinkhole\/\" target=\"_blank\" rel=\"noreferrer noopener\">WannaCry ransomware worm<\/a>. Russian hackers later built it into\u00a0<a href=\"https:\/\/techcrunch.com\/2020\/10\/19\/justice-department-russian-hackers-notpetya-ukraine\/\" target=\"_blank\" rel=\"noreferrer noopener\">NotPetya<\/a>, which spiraled beyond its\u00a0initial\u00a0Ukrainian targets and caused an estimated\u00a0$10 billion\u00a0in damages globally. For businesses, the lesson was stark: Vulnerabilities hoarded by intelligence agencies\u00a0don\u2019t\u00a0stay secret forever \u2014 and when they leak, the private sector pays the price.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The trove is still yielding discoveries. Among the leaked tools was one\u00a0containing\u00a0a list of project names \u2014 including one called Fast16, flagged only with the label \u201cNOTHING TO SEE HERE \u2014 CARRY ON.\u201d\u00a0<a href=\"https:\/\/www.wired.com\/story\/fast16-malware-stuxnet-precursor-iran-nuclear-attack\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Last month<\/a>, researchers announced they had\u00a0located\u00a0and examined it, finding malware dating to 2005, designed to tamper with software allegedly used by Iranian nuclear scientists.\u00a0<\/p>\n<\/div>\n
<p><a href=\"https:\/\/techcrunch.com\/2026\/05\/26\/ghost-hackers-the-cybersecurity-mystery-that-nobody-has-solved\/\" target=\"_blank\" rel=\"noopener\">Source link<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the\u00a0long history of hacking, there have been\u00a0numerous\u00a0data breaches that,\u00a0years or even decades\u00a0later,\u00a0remain\u00a0unsolved. Countless hackers and hacking groups behind them have never been unmasked.\u00a0\u00a0 But prolific hacking groups do get caught.\u00a0This is\u00a0true whether\u00a0they\u2019re\u00a0cybercriminals such as LAPSUS$, a notorious extortion gang that compromised companies such as Microsoft and Nvidia and that have had multiple members arrested, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":242456,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"class_list":{"0":"post-242455","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tech"},"_links":{"self":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/242455","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/comments?post=242455"}],"version-history":[{"count":0,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/242455\/revisions"}],"wp:fea
turedmedia":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media\/242456"}],"wp:attachment":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media?parent=242455"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/categories?post=242455"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/tags?post=242455"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}