Hackers claim to have stolen offensive cyber weapons from NSA

A mysterious group named the Shadow Brokers is claiming to have​ breached an elite hacking team, known as Equation Group, that is reportedly affiliated with the NSA. The news broke Monday morning when the self-named group posted a downloadable sample of exploit code, supposedly detailing several offensive cyber tools reportedly once used by the NSA.
NSA at night
(CreativeTime / Flickr)

A mysterious group calling themselves the Shadow Brokers claims to have breached an elite hacking team with supposed ties to the National Security Agency.

Downloadable samples of exploit code were posted on several websites Monday, supposedly detailing a series offensive cyber tools reportedly once used by the Equation Group. The group has long been rumored to be affiliated with the NSA.

The Shadow Brokers originally provided code snippets  — some of which appeared to be the building blocks of several surveillance tools. In addition, the group demanded millions of dollars in bitcoin for access to the full files.

“We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons,” a message by Shadow Brokers posted to a Tumblr page reads.


Last year, cybersecurity giant Kaspersky uncovered the existence of the Equation Group in an investigative report. While the Russian cybersecurity firm never explicitly stated that the Equation Group was an official NSA offshoot, the groups’ tools and identifiable connection to several high profile data breaches may suggest the existence of a relationship.

A Kaspersky spokesperson declined to comment but said the firm’s malware analysis team is looking into the event.

It remains unclear whether the leaked files are real, who actually posted them and what their motive may be. GitHub, the popular open source code management platform where a number of the tools were posted, removed the content late Monday afternoon.

“We do not allow the auction or sale of stolen property on GitHub. As such, we have removed the repository in question,” a GitHub spokesperson told Cyberscoop.

Several prominent cybersecurity researchers took to Twitter Monday to share their preliminary analysis of the incident — opinions, however, were divided concerning the data dump’s legitimacy.


If the Equation Group were in fact hacked then it would represent a significant cybersecurity incident, according to Claudio Guarnieri, a technologist for Amnesty International, because it has the potential to disrupt what could be ongoing intelligence gathering operations.

“Many breaches only end up publicly disclosing a very small sample of data to show their authenticity, but the Equation Group teaser data includes a significant trove of exploits designed to compromise firewalls,” writes Risk Based Security, a Richmond, Va.-based risk-based cybersecurity consulting firm. “This data alone has incredible value to a wide variety of companies, both offensive and defensive.”

Several cybersecurity firms told Cyberscoop they plan to release research reports in the coming weeks, which will analyze the incident in greater detail.

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts