Group called Shadow Brokers says it infiltrated NSA’s elite Equation Group and teases files including some named in documents leaked by Edward Snowden

A mysterious online group called the Shadow Brokers claims to have infiltrated an elite hacking unit linked to the National Security Agency and stolen state “cyber weapons”, and is now auctioning them off to the highest bidder.

The stolen malware is said to belong to Equation Group, a sophisticated hacking team believed to be operated by the NSA. So far, the Shadow Brokers have only released a few taster files and images of the cache, but security researchers said they appear to be legitimate.

The leak, announced in broken English by the group in a series of posts on Twitter, Tumblr, Pastebin and Github, was accompanied by claims that the group was in possession of state-sponsored “cyber weapons”.

“We auction best files to highest bidder. Auction files better than Stuxnet,” said the group, referring to the sophisticated digital weapon, believed to be funded by the US and Israel, that sabotaged Iran’s nuclear programme. The hackers are asking for a whopping 1m bitcoins, which is around $580m, to release the best files.

The files and pictures of the cache that were offered for free as “proof” include filenames correspond to those mentioned in documents leaked by whistleblower Edward Snowden, including “BANANAGLEE”, “JETPLOW” and “EPICBANANA”. There are also a number of hacking tools used for penetrating network gear including routers and firewalls created by major companies like Cisco and Juniper – spy tools which it is already known the NSA uses.

Facebook Twitter Pinterest Evidence of the NSA ‘hack’, as released by mysterious group the Shadow Brokers. Photograph: The Shadow Brokers

“These files are not fully fake for sure,” said security researcher Bencsáth Boldizsár, who is credited with discovering the state-sponsored Flame malware, in an interview with Ars Technica.

“Most likely they are part of the NSA toolset, judging just by the volume and peeps into the samples. At first glance it is sound that these are important attack-related files, and yes, the first guess would be Equation Group.”

Kaspersky Lab, the security company that first exposed Equation Group’s cyber-espionage in 2015, has published a detailed blogpost showing a “strong connection” between the files found in the leak and their earlier findings about Equation Group. Kaspersky has found encryption algorithms among more than 300 files in the Shadow Brokers’ cache used in a way that has only been seen before in Equation Group malware.

“The chances of all these being faked or engineered is highly unlikely,” says the security company.

Although this sounds like a nightmare for the NSA on the face of it, a number of researchers have pointed out that this doesn’t necessarily mean the NSA has been hacked directly. The leaked information is more likely to come from a compromised system outside the NSA’s networks that was hosting NSA malware. If the Shadow Brokers really did have access to the NSA’s network, they wouldn’t blow their cover with a leak.

Stefan Rothenbuehler (@creative83) Access to #NSA would be too valuable to spoil in a leak. Don't believe in an actual hack. #ShadowBrokers

At this stage, it’s not clear who Shadow Brokers are, but some security researchers are speculating that in the wake of the Democratic National Committee hack, which has been publicly attributed to Russian intelligence agencies by Hillary Clinton, this could be retaliation.

“Given the timeframe (Post-DNC hack), this could possibly be orchestrated by the Russian government so America will be stuck with Donald Trump as a President,” said Matt Suiche in a Medium post.



In a series of tweets, Snowden has outlined his own theory about what happened. He suggests that it is a Russian-originated attack designed to expose evidence of NSA cyber warfare activities.

“Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack,” he posted.

“This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies.

“This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast,” he said.