Ghost Hackers: The Unsolved Cybersecurity Mystery

Source: TechCrunch

In the long history of hacking, there have been many data breaches that remain unresolved years or even decades later. The countless hackers and hacking groups behind them have yet to be revealed.

But prolific hacking groups are being caught. This is true whether they are cybercriminals like LAPSUS$, a notorious extortion ring that hacked companies like Microsoft and Nvidia and had many of its members arrested, or sophisticated government hacking groups from Russia and China, whose members have been named, indicted and placed on most wanted lists.

Yet some of the most fascinating cases in cybersecurity history remain wide open — no perpetrators, no answers, and in some cases, not even a clear motive. We decided to return to many of them in a series of articles, starting with one of the strangest episodes in the history of intelligence leaks.

The first installment focuses on the Shadow Brokers – a mysterious group that appeared on the Internet, dropped off a set of hacking tools believed to belong to the NSA, and then disappeared.

In the summer of 2016, in the midst of the Russian hacks related to the US presidential election, the group appeared on Twitter. They linked to a Pastebin post and @mentioned several news outlets — a bizarre and ineffective strategy that meant most of those outlets likely never saw the tweets.

But if anyone had clicked on the link, they would have seen a document titled “Invitation to Equation Group Cyber Arms Auction” — a reference to the mysterious hacking operation widely believed to be run by the National Security Agency.

“!!! Pay attention to the governments sponsoring cyber warfare and those who benefit from it!!!! How much do you pay for the enemies’ cyber weapons?” the hackers wrote, claiming to have hacked the Equation Group.

Screenshot of the Shadow Brokers’ first tweets. Image credits: TechCrunch

The document included links to download some hacking tools, as well as a link to download an encrypted file that interested buyers could decrypt by making an offer. “Auction files are better than Stuxnet,” they wrote, referring to the famous malware used against Iranian nuclear facilities in a US-Israeli cyberattack in 2007. They asked for at least 1 million bitcoins.

The leak quickly attracted press coverage. Once security researchers analyzed the tools, they realized they were exceptionally sophisticated cyberweapons, very likely stolen from the NSA — a suspicion reinforced by the fact that some shared names with the software revealed by NSA whistleblower Edward Snowden.

The auction was likely a hoax, as the group eventually released many of the tools publicly months later. A lot of things about the Shadow Brokers didn’t make sense. Their broken English was almost comical, as if they were trying too hard or deliberately signaling that it was an act. Despite clearly seeking attention — and getting a lot of press coverage — the group spoke to a journalist only once, giving a brief interview to 404 Media’s Joseph Cox, who was then a reporter at VICE Motherboard.

Ten years later, we know nothing about who was behind the Shadow Brokers. Cox and I interviewed former NSA employees at the time, who said that an NSA insider or former insider might have been involved. But no one was ever arrested and charged — which is exceptional, given that this was one of the worst leaks of US intelligence hacking tools ever.

One possible suspect was Harold T. Martin III, an NSA contractor who had been arrested for stealing classified information from the agency. But the theory has a problem: while Martin was detained, the Shadow Brokers remained active online. No formal charges were brought against him in connection with the leaks. The most widely accepted theory is that the Shadow Brokers were created by a Russian government spy group as a propaganda tool.

The impact was enormous. Among the tools released, the Shadow Brokers published EternalBlue – a set of zero-day vulnerabilities targeting Windows that allowed hackers to break into computers on a compromised network, rapidly expand their reach, and spread self-propagating worms. (Zero-day vulnerabilities are flaws unknown to the software maker, meaning there is no patch yet.) North Korean hackers used EternalBlue to unleash the WannaCry ransomware worm. Russian hackers later integrated it into NotPetya, which spread far beyond its initial targets in Ukraine and caused an estimated $10 billion in damage globally. For companies, the lesson was harsh: vulnerabilities stockpiled by intelligence agencies don’t stay secret forever — and when they leak, the private sector pays the price.

The trove is still yielding discoveries. Among the leaked tools, one contained a list of project names – including one called Fast16, tagged only with the title “Nothing to see here – continue.” Last month, researchers announced they had located and analyzed it, finding malware dating back to 2005, designed to manipulate software allegedly used by Iranian nuclear scientists.


🕒 **Posted on**: 1779818792
