The “Shadow Brokers” Story

October 05, 2016
Suggested Reading


In August 2016 a hacker or hacking group by the name “The Shadow Brokers” claimed to have compromised a group named “Equation Group”, which is allegedly linked to the US National Security Agency (NSA). As proof, they disclosed a part of the tools owned by the Equation Group (used for their hacking campaigns) for free and auctioned the rest. The analysis of these tools revealed a series of vulnerabilities in known vendors’ devices, who rushed to investigate the issue. This note provides an overview of the incident and its side effects, through a series of suggested articles.

What Happened?

Beginning on Saturday 13 August 2016, the Shadow Brokers group registered accounts across different social media (by now they have been taken down) and began promoting themselves. They published their manifesto, a FAQ, and posted two sets of encrypted files, providing the password for the first one, and initiating an auction for the second. An overview of the story is provided by NakedSecurity.

Initially there was a lot of speculation over the validity of the exposed data. After analysis, security researchers suggested that they were indeed valid and dated back to as far as 2013. According to Matt Suiche, a cyber security entrepreneur, a first analysis of the freely available set of files indicated that it contained exploits, code, and tools for penetrating network equipment, e.g. firewalls, mainly made by Cisco, Fortinet, Juniper and TopSec. Mustafa Al Bassam, a computer science student, published an extended and detailed list with the descriptions of the files released, categorising them in exploits, implants, and tools. Another security researcher, actually tested one of the disclosed exploits called “EXTRABACON” that appeared to be targeting Cisco firewalls against his own equipment with success.

Despite Shadow Brokers’ claims to have hacked the Equation Group, there is a lot of speculation regarding the true origin of the leaked material. There are scant undeniable facts, but theories abound: the compromise of a staging server (a server used for the deployment of a cyber-attack), the existence of an insider threat (both theories are discussed by Matt Suiche), or according to more recent scenarios the mistake of an NSA employee or contractor who used the tools and accidentally left them exposed on a remote computer. One thing is certain: identifying and validating the true origin of the leaked files is as difficult as the reliable attribution of the attack per se.

The Side Effects

After the Shadow Brokers’ disclosure, Cisco investigated and confirmed the potential impact of the leaked toolkit on some of its products. Cisco provided more details on two of the leaked exploits and the implant (respectively EXTRABACON, EPICBANANA, and JETPLOW) that affected its products. Further investigation by Cisco revealed another vulnerability (CVE-2016-6415) related to an exploit called BENIGNCERTAIN again affecting some of its devices. The vulnerability is described in the related Cisco advisory and it is expected to be patched. Until then, only workarounds are available as mitigation measures. In the meantime, Motherboard reported that unknown hackers used the leaked tools to exploit this particular vulnerability and attack Cisco devices, indicating that the leaked material is actively used in the real world.     

The potential value of Shadow Brokers’ disclosures for cyber criminals are highlighted by Ars Technica. Ars Technica reported the case of researchers from a security consultancy company in Hungary, who were able to modify the code of the exploit EXTRABACON and adapt it for newer versions of Cisco’s targeted software, which were not supported by the original version of the exploit.

Fortinet also reported that some of its products released prior to August 2012 contained a vulnerability that could allow an attacker to take execution control over a device. More recent versions are not affected, albeit investigation is ongoing.

Juniper Networks have also been investigating the released toolkit and initial analysis indicated an attack on the bootloader of certain devices rather than an exploit. Further investigation confirmed that there is no vulnerability being exploited thus no patches are required.    


The extensions of the Shadow Broker’s story both in a political level and in the overall security of the network infrastructure are not yet fully clear. A good article showing the shift of cyber criminals towards targeting the network infrastructure instead of end-points is published by DarkReading, the article is also one of the few that indicates some basic recommendations resulting from the incident.

Readers need to be attentive with regard to published content, in order to distinguish between speculation and facts. As usual in such high profile, government-state-actor related attacks, speculation is vast and actual facts are frugal.  

About “Suggested Reading” from ENISA

With the “Suggested Reading” series ENISA aims at giving the interested reader guidance on controversial and inscrutable NIS related discussions that are carried out in Media, by suggesting selected pre-reviewed articles that in our view explain the issue at hand and related circumstances in a reasonable and understandable manner. This view is derived from past experiences and common sense; in no way should “Suggested Reading” be understood as recommended course of action in a specific incident or investigation, or being a final conclusion. Feel free to get in touch with ENISA to discuss or inquire more information to the “Suggested Reading” series (

We use cookies on our website to support technical features that enhance your user experience.
We also use analytics. To opt-out from analytics, click for more information.

I've read it More information