Shadow Brokers

Threat Actor Profile Updated 2 months ago
The Shadow Brokers, a threat actor group, made headlines in the cybersecurity world for their leaks of sophisticated cyber tools believed to have been developed by the Equation Group, an Advanced Persistent Threat (APT) group associated with the NSA's Tailored Access Operations unit. The most notable of these was the EternalBlue exploit, released by the Shadow Brokers in April 2017 and later used in several high-profile cyberattacks, including the WannaCry ransomware attack. The Shadow Brokers' activities have escalated the cyber arms race, with the group continuing to publish stolen NSA data. In a twist, it was discovered that APT31, a Chinese cyberespionage group also known as Zirconium, had access to the Equation Group's EpMe exploit more than two years before the Shadow Brokers leak. APT31 reportedly used a tool named Jian, a clone of the EpMe hacking tool, in numerous cyber espionage operations. This indicates that some of the exploits leaked by the Shadow Brokers may have been in use by other threat actors before their public disclosure. The Shadow Brokers' leaks also included four different Windows Local Privilege Escalation (LPE) exploits that are part of the DanderSpritz framework, and an additional exploit code-named "EpMo," which was patched in May 2017 following the Shadow Brokers' "Lost in Translation" leak. However, there is no online reference pointing to the existence of the NtElevation module as part of the Equation Group arsenal or the Shadow Brokers exploits. These findings underline the complexity and depth of the Shadow Brokers' activities and their significant impact on global cybersecurity.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Equation Group | 3 | The Equation Group, a threat actor suspected of having ties to the United States, has been associated with various sophisticated cyber exploits. The group's EpMe exploit, which existed since at least 2013, was the original exploit for the vulnerability later labeled CVE-2017-0005. Another exploit, E
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit, Exploits, Malware, Windows, Worm, Ransomware, Zero Day, NSA, Signal, Apache Struts, Proxy, APT, Vulnerability, Implant, China
Associated Malware
ID | Type | Votes | Profile Description
WannaCry | Unspecified | 2 | WannaCry is a type of malware, specifically ransomware, that caused significant global disruption in 2017. It exploited Windows SMBv1 Remote Code Execution Vulnerabilities (CVE-2017-0144, CVE-2017-0145, CVE-2017-0143), which allowed it to spread rapidly and infect over 200,000 machines across more t
Wannaren | Unspecified | 1 | None
Associated Threat Actors
ID | Type | Votes | Profile Description
ZIRCONIUM | Unspecified | 2 | Zirconium, also known as APT31, Judgment Panda, and Red Keres, is a threat actor linked to numerous cyber espionage operations. The group came into the spotlight in 2022 when the Check Point Research team discovered that it had used a tool called "Jian," a clone of the NSA Equation Group's hacking t
APT31 | Unspecified | 2 | APT31, also known as Zirconium, is a threat actor group believed to be sponsored by the Chinese government. This group has been implicated in various cyber espionage activities across the globe. One of their notable exploits includes the cloning and use of an Equation Group exploit, EpMe (CVE-2017-0
Leafminer | Unspecified | 1 | Leafminer is a highly active threat actor group, primarily targeting organizations in the Middle East. The group employs various intrusion methods such as watering hole websites, vulnerability scans of network services on the internet, and brute-force/dictionary login attempts. Leafminer's arsenal i
Inception Framework | Unspecified | 1 | The Inception Framework, a threat actor group known for its advanced and highly automated approach to targeted attacks, has been active since at least May 2014. Their activities were first exposed by Blue Coat (now part of Symantec) in December 2014. From the onset, the group distinguished itself wi
Judgment Panda | Unspecified | 1 | Judgment Panda, also known as APT31, Zirconium, Violet Typhoon, and Red Keres, is a threat actor believed to be linked to the Chinese nation-state. This group has been active since at least 2016 and has been involved in multiple cyber espionage operations. The group gained significant attention in 2
jian | Unspecified | 1 | Jian, a cyber espionage tool used by the China-linked APT31 group (also known as Zirconium, Judgment Panda, and Red Keres), has been implicated in multiple cyber espionage operations. The tool was first brought to public attention in 2022 when it was discovered by the Check Point Research team. Nota
Red Keres | Unspecified | 1 | None
Stripedfly | Unspecified | 1 | StripedFly is a malicious threat actor that has been active since at least April 9, 2016, as indicated by the earliest known version of StripedFly incorporating the EternalBlue exploit. The authors behind StripedFly show parallels with the EternalBlue exploit, which is notorious for its use in wides
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Eternalblue | Unspecified | 4 | EternalBlue is a significant software vulnerability that exists in the design or implementation of certain systems. This flaw has been exploited by various cyber threats, with one notable instance being its use as an enabler for the widespread WannaCry ransomware attack. The exploit allows attackers
Epme | Unspecified | 2 | EpMe is a software vulnerability (CVE-2017-0005) that was first discovered within the Equation Group's exploit arsenal, with its existence traced back to at least 2013. The Equation Group, believed to be linked to the NSA, developed this exploit as part of their cyber toolset which also included Dan
CVE-2016-6415 | Unspecified | 1 | None
CVE-2017-0005 | Unspecified | 1 | CVE-2017-0005 is a software vulnerability, a flaw in design or implementation that can be exploited for malicious purposes. This specific vulnerability was utilized by an exploit known as EpMe, which was developed by the Equation Group, a highly sophisticated threat actor believed to have ties with
Source Document References
Information about the Shadow Brokers threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
Securityaffairs | 4 months ago | US Treasury Dep announced sanctions against members of China-linked APT31
GovCERT CH | a year ago | WannaCry? It is not worth it!
CERT-EU | 10 months ago | Identity of NSA hacker behind cyberattack on China's leading aviation university identified; to be disclosed in due course: source
CERT-EU | 7 months ago | Ooops, your files have been encrypted! | by MATE | Dec, 2023 | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 5 months ago | Are we "cybersafer" now than ever? - Panda Security
CERT-EU | 6 months ago | WannaCry ransomware – Intel Today
CERT-EU | 9 months ago | StripedFly malware framework infects 1 million Windows, Linux hosts
CERT-EU | 9 months ago | StripedFly: Perennially flying under the radar
CERT-EU | a year ago | WannaRen Returns as Life Ransomware, Targets India
BankInfoSecurity | 9 months ago | Cyber Mavens Slam Europe's Cyber Resilience Act
CERT-EU | 9 months ago | Cyber Mavens Slam Europe's Cyber Resilience Act
CERT-EU | 9 months ago | Is iOS really more secure than Android?
MITRE | a year ago | WannaCry Malware Profile | Mandiant
CERT-EU | 9 months ago | Kaspersky reveals 'elegant' malware resembling NSA code
MITRE | a year ago | Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions
CERT-EU | a year ago | Samsung Smartphone Users Warned of Actively Exploited Vulnerability
BAE Systems | a year ago | WanaCrypt0r Ransomworm
MITRE | a year ago | WCry (WannaCry) Ransomware Analysis
CERT-EU | 9 months ago | More Than a Cryptominer, StripedFly Malware Infects 1 Million PCs
CERT-EU | 10 months ago | 20 application security pros you should follow