
Ghost hackers: the cybersecurity thriller that no one has solved

In the long history of hacking, there have been numerous data breaches that, years and even decades later, remain unsolved. Countless hackers and hacking groups behind them have never been unmasked.

But prolific hacking groups do get caught. That is true whether they are cybercriminals such as LAPSUS$, a notorious extortion gang that compromised companies such as Microsoft and Nvidia and which has had several members arrested, or sophisticated government hacking groups from Russia and China, whose members have been named, indicted, and placed on most-wanted lists.

Still, some of the most fascinating cases in cybersecurity history remain wide open — no culprits, no answers, and in some cases, not even a clear motive. We decided to revisit several of them in a series of articles, starting with one of the strangest episodes in the history of intelligence leaks.

The first installment centers on the Shadow Brokers — an enigmatic group that surfaced online, dumped a trove of hacking tools believed to belong to the NSA, and then vanished.

In the summer of 2016, in the midst of the Russian hacks related to the U.S. presidential election, the group appeared on Twitter. They linked to a Pastebin post and @-mentioned several news outlets — a strange, ineffective tactic that meant most of those outlets likely never saw the tweets.


But if anyone had clicked on the link, they would have seen a document titled “Equation Group Cyber Weapons Auction — Invitation” — a reference to the shadowy hacking operation widely believed to be run by the NSA.

“!!! Attention government sponsors of cyber warfare and those who profit from it !!!! How much you pay for enemies’ cyber weapons?” the hackers wrote, claiming to have hacked the Equation Group.

A screenshot of the Shadow Brokers’ first tweets. Image credit: information.killnetswitch

The document included links to download some hacking tools, as well as a link to download an encrypted file that buyers could decrypt by placing a bid. “Auction files better than Stuxnet,” they wrote, referring to the famous malware used against Iranian nuclear facilities in a U.S.-Israeli cyberattack in 2007. They asked for at least 1 million Bitcoin.

The leak quickly attracted press coverage. Once security researchers analyzed the tools, they realized these were exceptionally sophisticated cyberweapons, very likely stolen from the NSA — a suspicion reinforced by the fact that some shared names with programs revealed by NSA whistleblower Edward Snowden.

The auction was likely a ruse, since the group eventually dumped many of the tools publicly months later. Much about the Shadow Brokers made little sense. Their broken English was almost comical, as if they were either trying too hard or deliberately signaling the artifice. Despite clearly seeking attention — and getting plenty of press coverage — the group only spoke to a journalist once, giving a brief interview to 404 Media’s Joseph Cox, then a reporter at VICE Motherboard.


Ten years later, we know virtually nothing about who was behind the Shadow Brokers persona. Cox and I interviewed former NSA staffers at the time, who said an NSA insider or former insider could be involved. But no one has ever been arrested and charged — extraordinary, given this was arguably one of the worst leaks of U.S. intelligence hacking tools ever.

One potential suspect was Harold T. Martin III, an NSA contractor arrested for stealing classified information from the agency. But the theory has a problem: While Martin was in custody, the Shadow Brokers remained active online. He has never been formally charged in connection with the leaks. The most widely credited theory is that the Shadow Brokers were created by a Russian government spy agency as a propaganda tool.

The impact was huge. Among the tools released, the Shadow Brokers published EternalBlue — a family of zero-day vulnerabilities targeting Windows that allowed hackers to break into computers on a hacked network, rapidly expand their access, and deploy self-propagating worms. (Zero-day vulnerabilities are flaws unknown to the software maker, meaning no patch yet exists.) North Korean hackers used EternalBlue to unleash the WannaCry ransomware worm. Russian hackers later built it into NotPetya, which spiraled beyond its initial Ukrainian targets and caused an estimated $10 billion in damages globally. For businesses, the lesson was stark: Vulnerabilities hoarded by intelligence agencies don’t stay secret forever — and when they leak, the private sector pays the price.


The trove is still yielding discoveries. Among the leaked tools was one containing a list of project names — including one called Fast16, flagged only with the label “NOTHING TO SEE HERE — CARRY ON.” Last month, researchers announced that they had located and examined it, finding malware dating to 2005, designed to tamper with software allegedly used by Iranian nuclear scientists.
