A mysterious actor revealed itself to the public in August 2016 when it began publicly dumping tools and operational notes allegedly belonging to the Tailored Access Operations (TAO) unit of the United States National Security Agency, the actor tracked by security researchers as ‘the Equation Group’. This new actor called itself The Shadow Brokers and quickly developed a reputation for ambiguity and intrigue, and for the material it claimed to have taken from the NSA. Oscillating between political messaging and attempts to turn a profit, the Shadow Brokers’ self-created image became the perfect subject of speculation and countless theories and hypotheses. The Shadow Brokers may have become a symbol of a new kind of cyber warfare, one that exposes the limits of defence and the capacity for manipulation by exploiting two defining characteristics of cyberspace: anonymity and the difficulty of attribution.
A consensus does seem to have emerged on a few points. First, it is commonly accepted that the material the group or individual claims to possess consists of authentic NSA exploits and tool kits. The absence of a denial from the agency, and the damage caused by the ransomware epidemic built on EternalBlue, an SMB exploit leaked by the Shadow Brokers, support this assumption. It is also commonly agreed that the group or individual has a good command of English, of American English idioms, and of American cultural references. The messages published by the Shadow Brokers are written in deliberately broken English, disguising the author’s writing style to frustrate investigation; the Shadow Brokers themselves said as much in one of their messages. Finally, it is generally accepted that little else about the Shadow Brokers is known for certain: most of the available information comes from the Shadow Brokers themselves, through their messages on social media and other platforms.
Taken at face value, their messages suggest that the Shadow Brokers are former US government agents, perhaps even former NSA employees, who are interested both in making a profit and in bringing down the ‘deep state’ establishment of the United States government. These would be domestic dissidents who appear to have voted for, and still support, Donald Trump and his isolationist, anti-liberal, nationalist, anti-foreign-entanglement, anti-Wall Street, pro-transparency, and pro-Russian rhetoric. Their nemesis would be Tailored Access Operations, which they see as the incarnation of the ‘deep state’ and as a threat to the values of the United States; or else they simply hope to be paid for their silence. Of course, all of this could be part of an image they intend to fabricate.
Only a few pieces of the puzzle can be put together from the available metadata. According to researchers who ran the account through a tweet-analysis tool, the Shadow Brokers’ Twitter account is set to English and to the Pacific time zone (US & Canada). The account also tended to post on weekends and at improbable hours, with bursts of activity followed by prolonged silence. It was created on the same day as the first leak, 13 August 2016, and has always posted through Twitter’s web client. Metadata from their PGP key was also recovered: the key’s creation timestamp places it about two weeks before the first publication (@x0rz, « Shadow Brokers : courtier ou agent d’influence ? » [Shadow Brokers: broker or agent of influence?], MISC, no. 93, September/October 2017). This indicates planning before publication began, and supports the hypotheses that the group’s members (or the lone individual) have native-level English, make mistakes on purpose to throw off investigators, and may even be located on the West Coast of the United States. All of it, however, rests on metadata that the actor controls, such as a profile time-zone setting or a timestamp written by the key generator, so if that metadata was chosen deliberately, the conclusions are wrong.
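The PGP check described above is easy to reproduce, and just as easy to see through. The following is an added example, not code from the original article or from the researchers it cites: it builds a structurally valid OpenPGP v4 public-key packet (RFC 4880) around a constructed toy modulus, then parses the creation timestamp, fingerprint and long key ID back out and measures the gap to the first leak. No real Shadow Brokers key material is used; the modulus and dates are constructed. The point a practitioner should take away is visible in the builder: the creation time is four bytes written by whoever generates the key, so it can be set to any date at all.

```python
"""Added example: read the creation date of an OpenPGP v4 public key from its
packet bytes (RFC 4880 sections 4.2, 5.5.2 and 12.2).  The sample key below is
constructed for illustration and is not a real or usable RSA key."""
import calendar
import hashlib
import struct
from datetime import datetime, timezone

# Date of the first Shadow Brokers publication, used as the reference point.
FIRST_LEAK = datetime(2016, 8, 13, tzinfo=timezone.utc)


def mpi(value: int) -> bytes:
    """Encode an integer as an RFC 4880 multi-precision integer: 2-byte bit count, then big-endian bytes."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return struct.pack(">H", value.bit_length()) + body


def build_v4_rsa_key_packet(created: datetime, n: int, e: int = 65537) -> bytes:
    """Build an old-format public-key packet (tag 6, 0x99) with a 2-byte body length.

    The creation time is simply whatever the generator chooses to write into the
    packet; nothing in the format binds it to the real clock."""
    body = (b"\x04"                                                      # version 4
            + struct.pack(">I", calendar.timegm(created.utctimetuple()))  # creation time, seconds since epoch
            + b"\x01"                                                     # public-key algorithm 1 = RSA
            + mpi(n) + mpi(e))                                            # RSA public key material
    return b"\x99" + struct.pack(">H", len(body)) + body


def parse_v4_public_key(packet: bytes) -> dict:
    """Parse a tag-6 packet and return its version, creation time, algorithm, fingerprint and key ID."""
    if not packet or packet[0] != 0x99:
        raise ValueError("expected an old-format public-key packet with a 2-byte length")
    (length,) = struct.unpack(">H", packet[1:3])
    body = packet[3:3 + length]
    if len(body) != length or body[0] != 4:
        raise ValueError("truncated packet or unsupported key version")
    (created,) = struct.unpack(">I", body[1:5])
    # v4 fingerprint = SHA-1 over 0x99, the 2-byte length and the packet body (RFC 4880 s.12.2)
    fingerprint = hashlib.sha1(b"\x99" + struct.pack(">H", length) + body).hexdigest().upper()
    return {
        "version": body[0],
        "created": datetime.fromtimestamp(created, tz=timezone.utc),
        "algorithm": body[5],
        "fingerprint": fingerprint,
        "key_id": fingerprint[-16:],  # long key ID = low 64 bits of the fingerprint
    }


def days_before_first_leak(packet: bytes) -> int:
    """Number of days between the key's claimed creation date and the first publication."""
    return (FIRST_LEAK - parse_v4_public_key(packet)["created"]).days


# Constructed sample key: claims creation two weeks before 13 August 2016.
# The modulus is a toy value chosen for the example, not a real RSA key.
SAMPLE_KEY = build_v4_rsa_key_packet(datetime(2016, 7, 30, tzinfo=timezone.utc),
                                     n=0xC0FFEE_DEADBEEF_0BADF00D_CAFEBABE)

if __name__ == "__main__":
    info = parse_v4_public_key(SAMPLE_KEY)
    print(f"key ID {info['key_id']} claims creation on {info['created']:%Y-%m-%d}, "
          f"{days_before_first_leak(SAMPLE_KEY)} days before the first leak")
    # A backdated key parses just as cleanly, which is why the timestamp proves little on its own.
    forged = build_v4_rsa_key_packet(datetime(2013, 1, 1, tzinfo=timezone.utc), n=0xC0FFEE)
    print("backdated key claims creation on", parse_v4_public_key(forged)["created"].date())
```

`gpg --list-packets` on a real key prints the same `created` field from the same bytes; the parser above exists only to make it obvious that the field is attacker-supplied. A creation date is therefore evidence of what the actor wanted investigators to see, and corroborates the timeline only when it agrees with data the actor does not control, such as key-server upload timestamps.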
This is the core of the power of the fifth dimension: anything is possible. As long as so many unknowns and variables persist, attackers have freedom of movement and the upper hand in decision-making over the target. Potential adversaries multiply, motives blur, and trust and communication among defenders and defences are severely limited. The fog of war has never been so easy to exploit.
The Shadow Brokers continue to offer a subscription plan as a way of selling the stolen NSA information and tools, and at the time of writing they still publish roughly one message per month. It would be rash to deny that they want both to make a profit and to oppose the traditional ‘establishment’ forces within the United States.
To nations and organisations other than the United States, the Shadow Brokers appear to pose only an indirect threat. What the world rightly fears is that the material at their disposal could fall into the wrong hands. The potential damage is great: cybercriminals and state-sponsored groups could build new tools on these secrets, use or sell the tools for profit, or turn them to espionage and the trade in stolen information. One can only hope that the NSA knows exactly what was compromised and that the affected vendors have been told which vulnerabilities the tools exploit; the fact that Microsoft had patched the SMB flaws behind EternalBlue in March 2017, a month before that exploit was published, suggests that at least some such notification took place.
Cyber has often been presented as a new field of modern warfare, the fifth dimension, or in the US military’s own term the fifth domain alongside land, sea, air and space, which combines computer network operations, psychological operations, and military deception. To the United States, the Shadow Brokers represent a threat that embodies the essence of this fifth dimension. To the rest of the world, they illustrate what this fifth dimension can be used for.
From the beginning, the Shadow Brokers have controlled the information released to the public, showing what they wanted to show and seeking all the attention they could get. While conducting what amounts to a marketing campaign for their products, the group responded to and interacted with reactions from security circles, the media, and the government in order to deny theories, raise the level of doubt, and even communicate political messages. They have profited from their anonymity to throw off investigators, from computer network operations (even if the Shadow Brokers did not themselves carry out the intrusion that obtained the material), and from deceiving the authorities about their real identity. The available evidence suggests that the group is located within the United States, which, if correct, only adds to the psychological damage inflicted on the US intelligence community and armed forces. Whether it is the work of a foreign power or of domestic dissidents, the Shadow Brokers’ underlying objective has been achieved: US research and development has been set back, the authorities remain incapable of retaliating, and enemies of the US have been empowered.
What remains to be seen is the extent of the damage that can still be done, both to the US and to the world, and how long the attackers’ current impunity will last. As long as attribution remains impossible, the US response will be limited to investigation, damage control, and political manoeuvring to contain the situation.