Shadow Brokers announce exploit subscription service deets!

The Shadow Brokers are at it again this morning!

The hacking group that allegedly stole and released the CIA exploits behind WannaCry, EternalRocks and other recent high-profile cyber-attacks has announced its new TheShadowBrokers Monthly Dump Service, which it teased as "coming soon" just a few weeks ago.

Light on details but heavy on expectations, and using their now-signature (and frankly highly entertaining, if unintelligible) marketing style, the Shadow Brokers released a FAQ-style message providing some details on how their new service, launching in June, will work. In it, they outline how much it will cost and how one might pay for it. Unfortunately, there are few specifics on what exactly you’d be getting for your money.

How does the monthly service work?

Here’s the gist right from the source:

Welcome to TheShadowBrokers Monthly Dump Service – June 2017

Q: How do I subscribe and get the next theshadowbrokers’ dump (June 2017)?

#1 – Between 06/01/2017 and 06/30/2017 send 100 ZEC (Zcash) to this z_address:

zcaWeZ9j4DdBfZXQgHpBkyauHBtYKF7LnZvaYc4p86G7jGnVUq14KSxsnGmUp7Kh1Pgivcew1qZ64iEeG6vobt8wV2siJiq

#2 – Include a “delivery email address” in the “encrypted memo field” when sending Zcash payment

#3 – If #1 and #2 then a confirmation email will be sent to the “delivery email address” provided

#4 – Between 07/01/2017 and 07/17/2017 a “mass email” will be send to the “delivery email address” of all “confirmed subscribers” (#1, #2, #3)

#5 – The “mass email” will contain a link and a password for the June 2017 dump

You have to admire their persistence, if not their grammar.

Looking to capitalize on the media attention created by WannaCry, this new service is the latest attempt by the Shadow Brokers to monetize or flat out sell their cache of allegedly stolen exploits.

Their first attempt was back in August 2016, when they tweeted a link to a GitHub repository containing instructions for an online auction of two encrypted archives of stolen Equation Group exploits. The Bitcoin address set up to collect bids has only collected a grand total of 10.5 Bitcoin to date, which, even with the recent bull run on the cryptocurrency, amounts to only about $24,000 USD.

After two weeks, they abandoned the winner-takes-all, highest-bidder approach and pivoted to a crowdfunding model, offering the password to anyone who contributed toward an end goal of 10,000 Bitcoin, worth approximately $6M USD at the time and over $23M USD today. It didn’t go over well either.

Eventually, they resorted to simply trying to sell the whole lot of exploits outright, packaged as the “Windows Warez”, for 750 Bitcoin, worth approximately $600k USD at the time or $1.7M USD today.

Having made almost no money and attracted little attention as a criminal business venture, the Shadow Brokers appeared to have thrown in the towel for a while, only to re-emerge emboldened by the attention garnered by the recent WannaCry attacks.

What will be in the inaugural Data Dump?

That’s not entirely clear. The Shadow Brokers, however, take the approach that if you have to ask, you probably can’t afford it anyway.

They claim that, at a monthly price of approximately $23k USD, membership has been kept expensive in order to be exclusive, and that the service is really only intended for “high rollers, hackers, security companies, OEMs and governments”.

But you can expect the cost to rise as Zcash gets media attention from all of this, and the Shadow Brokers themselves make note of this to add a sense of urgency to their pitch. They also, however, make it clear that “TheShadowBrokers is not making endorsements of Zcash”.

So what’s potentially in the first monthly release?

In their own words:

TheShadowBrokers is not deciding yet. Something of value to someone. See theshadowbrokers’ previous posts. The time for “I’ll show you mine if you show me yours first” is being over. Peoples is seeing what happenings when theshadowbrokers is showing theshadowbrokers’ first. This is being wrong question. Question to be asking “Can my organization afford not to be first to get access to theshadowbrokers dumps?”

The Shadow Brokers’ previous announcement did claim that an upcoming data dump would include:

  • Exploits for operating systems, including Windows 10.
  • Exploits for web browsers, routers, and smartphones.
  • Compromised data from banks and Swift providers.
  • Stolen network information from Russian, Chinese, Iranian, and North Korean nuclear missile programs.

However, it is only speculation whether all of this actually exists and, if so, whether it will be the actual content released as part of the monthly subscription service.

What’s new about this scheme?

Not much. They’re still flogging the same product and they’ve almost exhausted every conceivable way to do so at this point. Maybe if this one doesn’t pan out they’ll try affiliate marketing or vending machines. Who knows.

What has changed, however, is their cryptocurrency of choice. They have switched from Bitcoin to Zcash, which is supposed to be more secure and harder to track.

Earlier this week it was reported that the Shadow Brokers moved their total haul from previous operations, 10.5 Bitcoin, through a mixing service in an attempt to hide who was accessing the funds. Addressing this problem may be the reason behind the change for their new venture, as it would not be a problem with Zcash, which allows money transfers that are not tracked.

That being said, the Shadow Brokers don’t even seem to trust their new cryptocurrency of choice, noting this in an unpublishable, expletive-ridden tirade that ends with “This month theshadowbrokers using Zcash. If being not good, then maybe theshadowbrokers doing different for July?”

Do they really even have the goods they’re purporting to sell?

There’s really no evidence that this is the case, or any way to know for sure.

The focus on discrediting Zcash right up front, and on indicating that it has connections to the US government and Israeli intelligence, appears to many in the security industry to be both a bit of misdirection to take your mind off the fact that the store is empty and a ready-made exit excuse if this scheme is about as successful as the previous ones.

They’ve cashed out and emptied the loot from their Bitcoin wallet, and the timing of this new venture, coming hot on the heels of WannaCry, seems to indicate that they are simply being opportunistic and attempting a final cash grab.

It’s easy to speculate that if they did have anything of value left, they’d be better off showcasing it somehow in order to maximize their ability to sell it. And yet, for all their salesmanship and entertaining marketing, there’s really very little to show for the money they are asking.

Should we be worried?

It’s hard to say. While all of their broken-English claims remain completely unverified, their previously released dump turned out to be legitimate and resulted in WannaCry and other malware attacks that caused global chaos and digital destruction. Maybe that’s all they had, but there’s no way to know for sure, so for now they should be taken seriously. Why? Because if what they’ve announced turns out to be true, we may be in for another round of highly sophisticated attacks from unknown high-roller threat actors who decide to take a chance and pay for the service.
