Shadow Brokers

Threat Actor updated 22 days ago (2024-09-26T02:00:53.388Z)
The Shadow Brokers are a threat actor group involved in several high-profile cybersecurity incidents. They first came to prominence in August 2016, when they leaked tools believed to belong to the Equation Group, an Advanced Persistent Threat (APT) group associated with the U.S. National Security Agency's Tailored Access Operations unit. Among the most notable exploits leaked by the Shadow Brokers was EternalBlue, which targeted a code execution vulnerability in Windows Server Message Block (CVE-2017-0144). EternalBlue was later used in several ransomware attacks, making it one of the most infamous cyber weapons.

In April 2017, the Shadow Brokers released a further leak containing the EternalBlue exploit. This leak, part of their "Lost in Translation" series, also included four Windows Local Privilege Escalation (LPE) exploits as part of the DanderSpritz framework, and an additional exploit code-named "EpMo." EpMo was patched in May 2017, likely in response to the Shadow Brokers' leaks. The group's activities have had a significant impact on cybersecurity, fuelling a surge in cybercriminal activity and escalating the cyber arms race.

Notably, the Chinese group APT31 (also known as Zirconium, Judgment Panda, or Red Keres), which has been linked to multiple cyber espionage operations, had access to an Equation Group exploit code-named "EpMe" more than two years before the Shadow Brokers leak. This indicates that the Shadow Brokers were not the only party with access to these advanced tools, and it raises questions about how securely such exploits are held and the potential for their misuse by other threat actors.
Description last updated: 2024-09-26T01:16:03.948Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions between vendors are hard to track, so the following are possible overlapping names and profiles that may also be worth reviewing.
Equation Group (4 votes): Equation Group is a possible alias for Shadow Brokers. The Equation Group is a threat actor, believed to have ties to the United States, that has been involved in numerous cyber espionage operations. The group's favorite vulnerabilities include CVE-2017-0144, a Windows Server Message Block code execution vulnerability that was leaked by another group kn
Miscellaneous Associations
Other contextual elements that may help in assessing relevance:
Exploit
Windows
Exploits
Malware
Ransomware
Vulnerability
Associated Malware
WannaCry (association type: Unspecified; 2 votes): The WannaCry malware is associated with Shadow Brokers. WannaCry, a potent malware, emerged as one of the most destructive cyberattacks in recent history when it struck in May 2017. Leveraging Windows SMBv1 Remote Code Execution vulnerabilities (CVE-2017-0144, CVE-2017-0145, and CVE-2017-0143), WannaCry rapidly spread across systems worldwide, encrypting
Associated Threat Actors
ZIRCONIUM (association type: Unspecified; 2 votes): The ZIRCONIUM threat actor is associated with Shadow Brokers. Zirconium, also known as APT31, Judgment Panda, and Red Keres, is a threat actor linked to numerous cyber espionage operations. The group came into the spotlight in 2022 when the Check Point Research team discovered that it had used a tool called "Jian," a clone of the NSA Equation Group's hacking t

APT31 (association type: Unspecified; 2 votes): The APT31 threat actor is associated with Shadow Brokers. APT31, also known as Zirconium, is a threat actor believed to be working on behalf of China's Ministry of State Security in Wuhan. The group's primary mission, according to security vendors like Mandiant, involves gathering information from rival nations that could be of economic, military, and poli
Associated Vulnerabilities
EternalBlue (association type: Unspecified; 5 votes): The EternalBlue vulnerability is associated with Shadow Brokers. EternalBlue is a software vulnerability that exists due to a flaw in the design or implementation of the Windows Server Message Block (SMB). This vulnerability, officially known as CVE-2017-0144, was made public after the Shadow Brokers group leaked an exploit developed by the U.S. National Security

EpMe (association type: Unspecified; 2 votes): The EpMe vulnerability is associated with Shadow Brokers. EpMe is a software vulnerability (CVE-2017-0005) that was first discovered within the Equation Group's exploit arsenal, with its existence traced back to at least 2013. The Equation Group, believed to be linked to the NSA, developed this exploit as part of their cyber toolset, which also included Dan