The Shadow Brokers have not gone quiet since WannaCry (malware that uses their leaked EternalBlue exploit) hit. Days after WannaCry, they threatened to leak new exploits and data in June. Now, with June nearly over, they're striking again.
The Petya variants that hit European utilities and enterprises earlier this week also used their EternalBlue exploit. The Shadow Brokers were quick to brag about it. Yesterday, the Shadow Brokers boasted about their monthly subscription dump service, with the next release dated for July.
“Another global cyber attack is fitting end for first month of theshadowbrokers dump service. There is much theshadowbrokers can be saying about this, but what is point and having not already being said? So to business! Time is still being left to make subscribe and getting June dump. Don’t be let company fall victim to next cyber attack, maybe losing big bonus or maybe price on stock options be going down after attack. June dump service is being great success for theshadowbrokers, many many subscribers, so in July theshadowbrokers is raising price.”
That's not all. Now they're trying to blackmail the NSA, threatening to expose an NSA worker whom they accuse of cyber-attacking China.
“TheShadowBrokers is having special invitation message for 'doctor' person theshadowbrokers is meeting on Twitter. 'Doctor' person is writing ugly tweets to theshadowbrokers not unusual but 'doctor' person is living in Hawaii and is sounding knowledgeable about theequationgroup. Then 'doctor' person is deleting ugly tweets, maybe too much drinking and tweeting? Is very strange, so theshadowbrokers is doing some digging. TheShadowBrokers is thinking 'doctor' person is former EquationGroup developer who built many tools and hacked organization in China.”
“Doctor” is an interesting codename for the NSA worker whom they're threatening to expose. Someone on Twitter, using the @drwolfff account, says he's the person the Shadow Brokers are talking about. He says that the Shadow Brokers are making false accusations about him, and he'll “dox” himself later today. In a pinned tweet dated 10 October 2016, he verified that he's the person who uses the “drwolf” account on Keybase.io.
This is turning out to be a very interesting story which has serious implications, even if the parties involved aren't completely honest.