{{Short description|Hacker group}} {{Use mdy dates |date=June 2020}}
'''The Shadow Brokers''' ('''TSB''') are a hacker group that emerged in mid-2016.<ref name=":0">{{Cite news|url=http://www.ibtimes.co.uk/president-trump-what-fk-are-you-doing-say-shadow-brokers-dump-more-nsa-hacking-tools-1616141|title='President Trump what the f**k are you doing' say Shadow Brokers and dump more NSA hacking tools|last=Ghosh|first=Agamoni|date=April 9, 2017|work=International Business Times UK|access-date=April 10, 2017|archive-date=May 14, 2017|archive-url=https://web.archive.org/web/20170514041019/http://www.ibtimes.co.uk/president-trump-what-fk-are-you-doing-say-shadow-brokers-dump-more-nsa-hacking-tools-1616141|url-status=live}}</ref><ref>{{Cite news|url=https://www.bbc.co.uk/news/technology-39553241|title='NSA malware' released by Shadow Brokers hacker group|date=April 10, 2017|work=BBC News|access-date=April 10, 2017|language=en-GB|archive-date=July 22, 2025|archive-url=https://web.archive.org/web/20250722230100/https://www.bbc.co.uk/news/technology-39553241|url-status=live}}</ref> They published several leaks containing hacking tools, including several zero-day exploits,<ref name=":0" /> from the "Equation Group" who are widely suspected to be a branch of the National Security Agency (NSA) of the United States.<ref>{{Cite web|last=Brewster|first=Thomas|title=Equation = NSA? Researchers Uncloak Huge 'American Cyber Arsenal'|url=https://www.forbes.com/sites/thomasbrewster/2015/02/16/nsa-equation-cyber-tool-treasure-chest/|access-date=2020-11-25|website=Forbes|language=en|archive-date=July 20, 2025|archive-url=https://web.archive.org/web/20250720170540/https://www.forbes.com/sites/thomasbrewster/2015/02/16/nsa-equation-cyber-tool-treasure-chest/|url-status=live}}</ref><ref name="ConfirmsNSA" /> Specifically, these exploits and vulnerabilities<ref>{{cite news |newspaper=The Washington Post |date=August 16, 2016 |first=Ellen |last=Nakashima |url=https://www.washingtonpost.com/world/national-security/powerful-nsa-hacking-tools-have-been-revealed-online/2016/08/16/bce4f974-63c7-11e6-96c0-37533479f3f5_story.html |title=Powerful NSA hacking tools have been revealed online |archive-date=May 19, 2017 |access-date=August 18, 2016 |archive-url=https://web.archive.org/web/20170519221709/https://www.washingtonpost.com/world/national-security/powerful-nsa-hacking-tools-have-been-revealed-online/2016/08/16/bce4f974-63c7-11e6-96c0-37533479f3f5_story.html |url-status=live }}</ref><ref name="pastebin.com">{{cite web|url=http://pastebin.com/NDTU5kJQ|title=Equation Group - Cyber Weapons Auction - Pastebin.com|date=16 August 2016|url-status=dead|archive-url=https://archive.today/20160815133924/http://pastebin.com/NDTU5kJQ|archive-date=15 August 2016}}</ref> targeted enterprise firewalls, antivirus software, and Microsoft products.<ref>{{cite web|url=https://arstechnica.com/security/2017/01/nsa-leaking-shadow-brokers-lob-molotov-cocktail-before-exiting-world-stage/|title=NSA-leaking Shadow Brokers lob Molotov cocktail before exiting world stage|website=Ars Technica|author=Dan Goodin|access-date=January 14, 2017|date=January 12, 2017|archive-date=May 24, 2017|archive-url=https://web.archive.org/web/20170524164318/https://arstechnica.com/security/2017/01/nsa-leaking-shadow-brokers-lob-molotov-cocktail-before-exiting-world-stage/|url-status=live}}</ref> The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA's Tailored Access Operations unit.<ref>{{cite web|url=https://arstechnica.com/information-technology/2016/08/code-dumped-online-came-from-omnipotent-nsa-tied-hacking-group/ |first=Dan |last=Goodin |date=August 16, 2016 |title=Confirmed: hacking tool leak came from "omnipotent" NSA-tied group|website=Ars Technica|access-date=January 14, 2017}}</ref><ref>{{cite web|url=https://securelist.com/the-equation-giveaway/75812/|title=The Equation giveaway - Securelist|date=August 16, 2016|access-date=May 19, 2020|archive-date=August 15, 2017|archive-url=https://web.archive.org/web/20170815010337/https://securelist.com/the-equation-giveaway/75812/|url-status=live}}</ref><ref>{{cite web|url=https://arstechnica.com/security/2016/08/group-claims-to-hack-nsa-tied-hackers-posts-exploits-as-proof/|title=Group claims to hack NSA-tied hackers, posts exploits as proof|date=August 16, 2016|access-date=June 15, 2017|archive-date=May 24, 2017|archive-url=https://web.archive.org/web/20170524164145/https://arstechnica.com/security/2016/08/group-claims-to-hack-nsa-tied-hackers-posts-exploits-as-proof/|url-status=live}}</ref><ref name="ConfirmsNSA">{{cite web |url=https://theintercept.com/2016/08/19/the-nsa-was-hacked-snowden-documents-confirm/ |title=The NSA Leak is Real, Snowden Documents Confirm |website=The Intercept |author=Sam Biddle |date=August 19, 2016 |access-date=April 15, 2017 |archive-date=May 25, 2017 |archive-url=https://web.archive.org/web/20170525192507/https://theintercept.com/2016/08/19/the-nsa-was-hacked-snowden-documents-confirm/ |url-status=live }}</ref>
==Name and alias== Several news sources noted that the group's name was likely in reference to a character from the ''Mass Effect'' video game series.<ref>{{cite news|url=https://www.extremetech.com/extreme/234031-your-guide-to-the-shadow-brokers-nsa-theft-which-puts-the-snowden-leaks-to-shame|title=The 'Shadow Brokers' NSA theft puts the Snowden leaks to shame - ExtremeTech|newspaper=Extremetech|date=19 August 2016|archive-date=May 3, 2017|access-date=January 20, 2017|archive-url=https://web.archive.org/web/20170503173653/https://www.extremetech.com/extreme/234031-your-guide-to-the-shadow-brokers-nsa-theft-which-puts-the-snowden-leaks-to-shame|url-status=live}}</ref><ref>{{cite web|url=http://www.dailydot.com/layer8/shadow-brokers-nsa-equation-group-hack/|title=Shadow Brokers: Hackers Claim to have Breached NSA's Equation Group|website=The Daily Dot|date=15 August 2016|access-date=January 20, 2017|archive-date=May 27, 2017|archive-url=https://web.archive.org/web/20170527081843/https://www.dailydot.com/layer8/shadow-brokers-nsa-equation-group-hack/|url-status=live}}</ref> Matt Suiche quoted the following description of that character: "The Shadow Broker is an individual at the head of an expansive organization which trades in information, always selling to the highest bidder. The Shadow Broker appears to be highly competent at its trade: all secrets that are bought and sold never allow one customer of the Broker to gain a significant advantage, forcing the customers to continue trading information to avoid becoming disadvantaged, allowing the Broker to remain in business."<ref>{{cite web|url=https://medium.com/@msuiche/shadow-brokers-nsa-exploits-of-the-week-3f7e17bdc216|title=Shadow Brokers: NSA Exploits of the Week|date=15 August 2016|publisher=Medium.com|access-date=January 20, 2017|archive-date=February 14, 2017|archive-url=https://web.archive.org/web/20170214233229/https://medium.com/@msuiche/shadow-brokers-nsa-exploits-of-the-week-3f7e17bdc216|url-status=live}}</ref>
==Leak history== ===Equation Group leaks=== While the exact date is unclear, reports suggested that the preparation of the leak started at least in the beginning of August,<ref>{{cite web|url=https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/|title=The Shadow Brokers: Lifting the Shadows of the NSA's Equation Group?|date=August 15, 2016|access-date=August 18, 2016|archive-date=June 28, 2017|archive-url=https://web.archive.org/web/20170628205400/https://www.riskbasedsecurity.com/2016/08/the-shadow-brokers-lifting-the-shadows-of-the-nsas-equation-group/|url-status=live}}</ref> and that the initial publication occurred August 13, 2016 with a Tweet from a Twitter account "@shadowbrokerss" announcing a Pastebin page<ref name="pastebin.com" /> and a GitHub repository containing references and instructions for obtaining and decrypting the content of a file supposedly containing tools and exploits used by the Equation Group. The initial response to the publication was met with some uncertainty about its authenticity.<ref name="businessinsider_2016_NSA_TSB">{{cite web |url=http://www.businessinsider.com/shadow-brokers-claims-to-hack-equation-group-group-linked-to-nsa-2016-8?r=US&IR=T&IR=T |title='Shadow Brokers' claim to have hacked an NSA-linked elite computer security unit |author=Rob Price |website=Business Insider |date=August 15, 2016 |access-date=April 15, 2017 |archive-date=June 20, 2025 |archive-url=https://web.archive.org/web/20250620120813/https://www.businessinsider.com/shadow-brokers-claims-to-hack-equation-group-group-linked-to-nsa-2016-8?r=US&IR=T&IR=T |url-status=live }}</ref>
On October 31, 2016, The Shadow Brokers published a list of servers supposedly compromised by the Equation Group, as well as references to seven supposedly undisclosed tools (DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK AND STOICSURGEON) also used by the threat actor.<ref>{{Cite web|url=http://fortunascorner.com/2016/11/01/shadow-brokers-reveal-list-of-servers-hacked-by-the-nsa-china-japan-and-korea-the-top-3-targeted-countries-49-total-countries-including-china-japan-germany-korea-india-italy-mexico-sp/|title='Shadow Brokers' Reveal List Of Servers Hacked By The NSA; China, Japan, And Korea The Top 3 Targeted Countries; 49 Total Countries, Including: China, Japan, Germany, Korea, India, Italy, Mexico, Spain, Taiwan, & Russia|date=2016-11-01|website=Fortuna's Corner|access-date=2017-01-14|archive-date=January 16, 2017|archive-url=https://web.archive.org/web/20170116172122/http://fortunascorner.com/2016/11/01/shadow-brokers-reveal-list-of-servers-hacked-by-the-nsa-china-japan-and-korea-the-top-3-targeted-countries-49-total-countries-including-china-japan-germany-korea-india-italy-mexico-sp/|url-status=dead}}</ref>
On April 8, 2017, the Medium account used by The Shadow Brokers posted a new update.<ref>{{cite web|author1=theshadowbrokers|title=Don't Forget Your Base|url=https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1|publisher=Medium|access-date=April 9, 2017|date=April 8, 2017}}</ref> The post revealed the password <code>CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN</code> to encrypted files released the previous year, which allegedly had more NSA hacking tools.<ref>{{cite web|last1=Cox|first1=Joseph|title=They're Back: The Shadow Brokers Release More Alleged Exploits|url=https://www.vice.com/en/article/theyre-back-the-shadow-brokers-release-more-alleged-exploits/ |date=April 8, 2017 |website=Motherboard|publisher=Vice Motherboard|access-date=April 8, 2017|language=en-us}}</ref> This posting explicitly stated that the post was partially in response to President Trump's attack against a Syrian airfield, which was also used by Russian forces.
===April 14 hacking tool leak=== On April 14, 2017, The Shadow Brokers released, amongst other things, the tools and exploits codenamed: DANDERSPRITZ, ODDJOB, FUZZBUNCH, DARKPULSAR, ETERNALSYNERGY, ETERNALROMANCE, ETERNALBLUE, EXPLODINGCAN and EWOKFRENZY.<ref name="Ars Technica"/><ref>{{Cite web|url=https://medium.com/@networksecurity/latest-shadow-brokers-dump-owning-swift-alliance-access-cisco-and-windows-7b7782270e70|title=Latest Shadow Brokers dump — owning SWIFT Alliance Access, Cisco and Windows|date=2017-04-14|website=Medium|access-date=2017-04-15|archive-date=May 18, 2017|archive-url=https://web.archive.org/web/20170518174743/https://medium.com/@networksecurity/latest-shadow-brokers-dump-owning-swift-alliance-access-cisco-and-windows-7b7782270e70|url-status=live}}</ref><ref>{{Cite web|url=https://github.com/misterch0c/shadowbroker|title=misterch0c|website=GitHub|language=en|access-date=2017-04-15|archive-date=April 9, 2022|archive-url=https://web.archive.org/web/20220409131834/https://github.com/misterch0c/shadowbroker|url-status=live}}</ref>
The leak was suggested to be the "most damaging release yet"<ref name="Ars Technica">{{Cite news|url=https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/|title=NSA-leaking Shadow Brokers just dumped its most damaging release yet|work=Ars Technica|access-date=2017-04-15|language=en-us|archive-date=May 13, 2017|archive-url=https://web.archive.org/web/20170513050743/https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/|url-status=live}}</ref> and CNN quoted Matthew Hickey saying, "This is quite possibly the most damaging thing I've seen in the last several years".<ref>{{Cite web|url=https://money.cnn.com/2017/04/14/technology/windows-exploits-shadow-brokers/index.html|title=NSA's powerful Windows hacking tools leaked online|last=Larson|first=Selena|date=2017-04-14|website=CNNMoney|access-date=2017-04-15|archive-date=May 1, 2025|archive-url=https://web.archive.org/web/20250501161535/https://money.cnn.com/2017/04/14/technology/windows-exploits-shadow-brokers/index.html|url-status=dead}}</ref>
Some of the exploits targeting the Microsoft Windows operating system had been patched in a Microsoft Security Bulletin on March 14, 2017, a month before the leak occurred.<ref>{{Cite news|url=https://apnews.com/7100004c2d7e4cc28b7e6b7d4e40f812/Microsoft-says-users-are-protected-from-alleged-NSA-malware|title=Microsoft says users are protected from alleged NSA malware|work=AP News|access-date=April 15, 2017|language=en-US|archive-date=July 6, 2022|archive-url=https://web.archive.org/web/20220706000714/https://apnews.com/7100004c2d7e4cc28b7e6b7d4e40f812/Microsoft-says-users-are-protected-from-alleged-NSA-malware|url-status=live}}</ref><ref>{{Cite news|url=https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/|title=Protecting customers and evaluating risk|work=MSRC|access-date=2017-04-15|language=en-US|archive-date=October 24, 2017|archive-url=https://web.archive.org/web/20171024034323/https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/|url-status=live}}</ref> Some speculated that Microsoft may have been tipped off by the NSA about the release of the exploits.<ref>{{Cite web|url=https://www.engadget.com/2017/04/15/microsoft-says-it-already-patched-several-shadow-brokers-nsa-l/|title=Microsoft says it already patched 'Shadow Brokers' NSA leaks|website=Engadget|date=April 15, 2017|access-date=April 15, 2017|archive-date=August 22, 2019|archive-url=https://web.archive.org/web/20190822131134/https://www.engadget.com/2017/04/15/microsoft-says-it-already-patched-several-shadow-brokers-nsa-l/|url-status=live}}</ref>
====EternalBlue==== {{main article|EternalBlue}} Over 200,000 systems were infected with tools from this leak within the first two weeks,<ref>{{Cite web|url=https://www.cyberscoop.com/leaked-nsa-tools-now-infecting-over-200000-machines-will-be-weaponized-for-years/|title=Leaked NSA tools, now infecting over 200,000 machines, will be weaponized for years|website=CyberScoop|date=April 24, 2017|access-date=April 24, 2017}}</ref> and in May 2017, the major WannaCry ransomware attack used the ETERNALBLUE exploit on Server Message Block (SMB) to spread itself.<ref>{{cite web|url=https://arstechnica.com/security/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide/?comments=1|title=An NSA-derived ransomware worm is shutting down computers worldwide|date=May 12, 2017|access-date=May 12, 2017|archive-date=July 11, 2017|archive-url=https://web.archive.org/web/20170711220118/https://arstechnica.com/security/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide/?comments=1|url-status=live}}</ref> The exploit was also used to help carry out the 2017 NotPetya cyberattack on June 27, 2017.<ref>{{cite web |url=https://www.nytimes.com/2017/06/27/technology/ransomware-hackers.html |title=Cyberattack Hits Ukraine Then Spreads Internationally |last1=Perlroth |first1=Nicole |last2=Scott |first2=Mark |last3=Frenkel |first3=Sheera |date=June 27, 2017 |website=The New York Times |pages=1 |access-date=June 27, 2017 |archive-date=April 13, 2018 |archive-url=https://web.archive.org/web/20180413005050/https://mobile.nytimes.com/2017/06/27/technology/ransomware-hackers.html |url-status=live }}</ref>
ETERNALBLUE contains kernel shellcode to load the non-persistent DoublePulsar backdoor.<ref>{{Cite web|url=https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html|title=zerosum0x0: DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis|last=Sum|first=Zero|date=2017-04-21|website=zerosum0x0|access-date=2017-11-15|archive-date=August 12, 2017|archive-url=https://web.archive.org/web/20170812215057/https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html|url-status=live}}</ref> This allows for the installation of the PEDDLECHEAP payload which would then be accessed by the attacker using the DanderSpritz Listening Post (LP) software.<ref>{{Cite news|url=https://www.tripwire.com/state-of-security/security-data-protection/shining-light-shadow-brokers/|title=Shining Light on The Shadow Brokers|date=2017-05-18|work=The State of Security|access-date=2017-11-15|language=en-US|archive-date=September 26, 2022|archive-url=https://web.archive.org/web/20220926065511/https://www.tripwire.com/state-of-security/security-data-protection/shining-light-shadow-brokers/|url-status=live}}</ref><ref>{{Cite news|url=https://www.forcepoint.com/sites/default/files/resources/files/datasheet_security_labs_dander_spritz_peddle_cheap_traffic_analysis_en.pdf|title=DanderSpritz/PeddleCheap Traffic Analysis|date=2018-02-06|work=Forcepoint|access-date=2018-02-07|language=en-US|archive-date=March 27, 2023|archive-url=https://web.archive.org/web/20230327230158/https://www.forcepoint.com/sites/default/files/resources/files/datasheet_security_labs_dander_spritz_peddle_cheap_traffic_analysis_en.pdf|url-status=dead}}</ref>
==Speculations and theories on motive and identity== ===NSA insider threat=== James Bamford along with Matt Suiche speculated<ref>{{cite news | title=Shadow Brokers: The insider theory|date=August 17, 2016|url=https://medium.com/@msuiche/shadowbrokers-the-insider-theory-ded733b39a55#.qmppg2xj6}}</ref> that an insider, "possibly someone assigned to the [NSA's] highly sensitive Tailored Access Operations", stole the hacking tools.<ref>{{cite news |title=Commentary: Evidence points to another Snowden at the NSA |work=Reuters |date=August 23, 2016 |url=https://www.reuters.com/article/us-intelligence-nsa-commentary-idUSKCN10X01P |archive-date=February 24, 2022 |access-date=July 2, 2017 |archive-url=https://web.archive.org/web/20220224013929/https://www.reuters.com/article/us-intelligence-nsa-commentary-idUSKCN10X01P |url-status=live }}</ref><ref>{{cite news |title=Hints suggest an insider helped the NSA "Equation Group" hacking tools leak |work=Ars Technica |date=August 22, 2016 |url=https://arstechnica.com/security/2016/08/hints-suggest-an-insider-helped-the-nsa-equation-group-hacking-tools-leak/ |archive-date=May 18, 2017 |access-date=June 15, 2017 |archive-url=https://web.archive.org/web/20170518180412/https://arstechnica.com/security/2016/08/hints-suggest-an-insider-helped-the-nsa-equation-group-hacking-tools-leak/ |url-status=live }}</ref> In October 2016, ''The Washington Post'' reported that Harold T. Martin III, a former contractor for Booz Allen Hamilton accused of stealing approximately 50 terabytes of data from the National Security Agency (NSA), was the lead suspect. Martin had worked with the NSA's Tailored Access Operations from 2012 to 2015 in a support role. He pleaded guilty to retaining national defense information in 2019, but it is not clear whether the Shadow Brokers obtained their material from him. The Shadow Brokers continued posting messages that were cryptographically-signed and were interviewed by media while Martin was detained.<ref>{{cite news|last1=Cox|first1=Joseph|title=NSA Exploit Peddlers The Shadow Brokers Call It Quits|url=https://www.vice.com/en/article/nsa-exploit-peddlers-the-shadow-brokers-call-it-quits/|work=Motherboard|date=January 12, 2017|language=en-us}}</ref>
===Alleged Russian ties=== Edward Snowden stated on Twitter on August 16, 2016 that "circumstantial evidence and conventional wisdom indicates Russian responsibility"<ref name="twitter_Snowden_2016">{{cite web |url=https://twitter.com/Snowden/status/765514891813945344 |title=Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here's why that is significant |date=August 16, 2016 |access-date=August 22, 2016 |work=Twitter |archive-date=August 16, 2016 |archive-url=https://web.archive.org/web/20160816220126/https://twitter.com/Snowden/status/765514891813945344 |url-status=live }}</ref> and that the leak "is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server"<ref>{{cite web |title=This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server |url=https://twitter.com/Snowden/status/765515087062982656 |date=August 16, 2016|access-date=August 22, 2016}}</ref> summarizing that it looks like "somebody sending a message that an escalation in the attribution game could get messy fast".<ref>{{cite web |title=TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast |url=https://twitter.com/Snowden/status/765515884647636992 |access-date=22 August 2016 |website=twitter.com |archive-date=August 26, 2016 |archive-url=https://web.archive.org/web/20160826034411/https://twitter.com/Snowden/status/765515884647636992 |url-status=live }}</ref><ref>{{cite web|last1=Price|first1=Rob|title=Edward Snowden: Russia might have leaked alleged NSA cyberweapons as a 'warning'|url=https://www.businessinsider.com/edward-snowden-shadow-brokers-russia-leaked-nsa-equation-group-files-warning-dnc-hacking-2016-8|date=August 16, 2016|website=Business Insider|access-date=August 22, 2016|archive-date=May 1, 2025|archive-url=https://web.archive.org/web/20250501145306/https://www.businessinsider.com/edward-snowden-shadow-brokers-russia-leaked-nsa-equation-group-files-warning-dnc-hacking-2016-8|url-status=live}}</ref>
''The New York Times'' put the incident in the context of the Democratic National Committee cyber attacks and hacking of the Podesta emails. As US intelligence agencies were contemplating counter-attacks, the Shadow Brokers code release was to be seen as a warning: "Retaliate for the D.N.C., and there are a lot more secrets, from the hackings of the State Department, the White House and the Pentagon, that might be spilled as well. One senior official compared it to the scene in ''The Godfather'' where the head of a favorite horse is left in a bed, as a warning."<ref>{{cite news |title=The Perfect Weapon: How Russian Cyberpower Invaded the U.S. |work=New York Times |date=December 13, 2016 |url=https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html |author1=Eric Lipton |author2=David E. Sanger |author3=Scott Shane |access-date=April 15, 2017 |archive-date=May 27, 2017 |archive-url=https://web.archive.org/web/20170527134128/https://www.nytimes.com/2016/12/13/us/politics/russia-hack-election-dnc.html |url-status=live }}</ref>
In 2019, David Aitel, a computer scientist formerly employed by the NSA, summarized the situation with: "I don't know if anybody knows other than the Russians. And we don't even know if it's the Russians. We don't know at this point; anything could be true."<ref>{{Cite news|last1=Abdollah |first1=Tami |last2=Tucker |first2=Eric |agency=Associated Press |date=6 July 2019 |title=Mystery of NSA leak lingers as stolen document case winds up |url=https://abcnews.go.com/Technology/wireStory/mystery-nsa-leak-lingers-stolen-document-case-winds-64163448 |archive-url=https://web.archive.org/web/20190706152343/https://abcnews.go.com/Technology/wireStory/mystery-nsa-leak-lingers-stolen-document-case-winds-64163448 |archive-date=6 July 2019 |url-status=live}}</ref>
==References== {{Reflist}}
{{Hacking in the 2010s}} {{Authority control}}
{{DEFAULTSORT:Shadow Brokers}} Category:Cyberwarfare Category:Hacker groups Category:2010s in hacking