Anatomy of a Breach: The Shadow Brokers — When the NSA's Own Cyber Weapons Were Stolen and Auctioned

> series: anatomy_of_a_breach —— part: 092 —— source: nsa_equation_group —— stolen: cyber_weapons —— consequence: wannacry_is_coming

Hedgehog Security · 31 August 2016 · 13 min read

The NSA's own hacking tools. Stolen. Auctioned. And WannaCry was coming.

On 13 August 2016, a group calling itself The Shadow Brokers announced via social media that it had obtained cyber weapons from the Equation Group — a threat actor widely attributed to the NSA's Tailored Access Operations (TAO), the agency's elite offensive hacking unit. The Shadow Brokers published a sample of the stolen tools — including exploits for Cisco ASA firewalls, Juniper NetScreen devices, and Fortinet FortiGate appliances — and offered to auction the remainder for one million Bitcoin (approximately $580 million at the time).

The published exploits were authentic. Cisco and Fortinet both confirmed the vulnerabilities and released emergency patches. The leaked tools demonstrated capabilities consistent with a nation-state offensive programme: sophisticated exploits for widely deployed enterprise network equipment, designed to be deployed covertly and persist undetected. But the August 2016 leak was merely the prologue. In April 2017, the Shadow Brokers would release a far more devastating batch — including EternalBlue, the Windows SMB exploit that would power WannaCry and NotPetya, causing billions of dollars in damage worldwide and devastating the UK's NHS.

Nation-state weapons in everyone's hands.

Cyber Weapons Proliferation
The Shadow Brokers leak was the cyber equivalent of losing nuclear material — nation-state offensive tools, developed at enormous expense by the world's most capable signals intelligence agency, were now available to every criminal, hacktivist, and hostile state. The <a href="/blog/anatomy-of-a-breach-hacking-team">Hacking Team leak</a> of 2015 had demonstrated this dynamic on a smaller scale; the Shadow Brokers leak operated at a different magnitude entirely.
Enterprise Network Equipment Targeted
The leaked exploits targeted Cisco, Juniper, and Fortinet equipment — the firewalls and routers that protect corporate networks worldwide. The implication was clear: the NSA had the capability to compromise the perimeter security of virtually any organisation. Our <a href="/penetration-testing/infrastructure">infrastructure penetration testing</a> assesses network equipment security, including firmware versions and known vulnerability exposure.
Patch Immediately — Or Else
Cisco and Fortinet released emergency patches within days of the leak. Organisations that applied the patches were protected; those that did not were exposed to NSA-grade exploitation. <a href="/cyber-essentials">Cyber Essentials Danzell's</a> 14-day patching mandate exists precisely for moments like this. Our <a href="/vulnerability-scanning">vulnerability scanning</a> identifies affected devices.
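The 14-day patching window described above is easy to state and surprisingly easy to lose track of across a fleet of firewalls. The following is an added example, not code from the original post or from Hedgehog Security, showing how a defender might check an inventory against that window. The device names, advisory identifiers and dates are constructed placeholders, not real Cisco or Fortinet advisories; the status categories are this example's own.

```python
from datetime import date, timedelta

# The 14-day window the Cyber Essentials patching requirement sets (from the post).
PATCH_WINDOW_DAYS = 14

# Constructed inventory records (hypothetical hosts, advisories and dates, not real data).
# "released" is the vendor's patch release date; "applied" is None until the patch is installed.
INVENTORY = [
    {"device": "fw-edge-01", "advisory": "ASSUMED-ADV-001", "released": "2016-08-17", "applied": "2016-08-20"},
    {"device": "fw-edge-02", "advisory": "ASSUMED-ADV-001", "released": "2016-08-17", "applied": None},
    {"device": "fw-dmz-01",  "advisory": "ASSUMED-ADV-002", "released": "2016-08-24", "applied": None},
    {"device": "fw-lab-01",  "advisory": "ASSUMED-ADV-001", "released": "2016-08-17", "applied": "2016-09-10"},
]


def patch_status(record, today):
    """Classify one inventory record against the 14-day window.

    Returns one of:
      'patched-in-window'  patch applied on or before the deadline
      'patched-late'       patch applied, but after the deadline (a process failure worth recording)
      'open-in-window'     not yet patched, deadline still in the future
      'overdue'            not yet patched and the deadline has passed
    """
    released = date.fromisoformat(record["released"])
    deadline = released + timedelta(days=PATCH_WINDOW_DAYS)
    if record["applied"]:
        applied = date.fromisoformat(record["applied"])
        return "patched-in-window" if applied <= deadline else "patched-late"
    return "open-in-window" if today <= deadline else "overdue"


def days_overdue(record, today):
    """Number of days past the deadline for an unpatched device (0 if not overdue)."""
    deadline = date.fromisoformat(record["released"]) + timedelta(days=PATCH_WINDOW_DAYS)
    if record["applied"] or today <= deadline:
        return 0
    return (today - deadline).days


def overdue_devices(inventory, today):
    """Sorted list of (device, advisory, days_overdue) for every overdue record."""
    return sorted(
        (r["device"], r["advisory"], days_overdue(r, today))
        for r in inventory
        if patch_status(r, today) == "overdue"
    )


if __name__ == "__main__":
    # Run the report as of a constructed date a little over two weeks after the leak.
    as_of = date(2016, 9, 1)
    for rec in INVENTORY:
        print(f"{rec['device']:<12} {rec['advisory']:<16} {patch_status(rec, as_of)}")
    print("overdue:", overdue_devices(INVENTORY, as_of))
```

Running the report on a schedule, with the inventory fed from whatever asset database or scanner output you already have, turns a policy sentence into a daily list of named devices someone has to clear.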
EternalBlue Was Coming
The August 2016 leak was the warning shot. In April 2017, the Shadow Brokers released EternalBlue — a Windows SMB exploit that would be weaponised into WannaCry (which devastated the NHS) and NotPetya (which caused over $10 billion in global damage). Organisations that took the August 2016 leak seriously and hardened their patch management were better prepared for what came next. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for exploitation attempts using known leaked tools.
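WannaCry's defining network behaviour was an infected host fanning out SMB connections (TCP port 445) to many peers in a short time as it looked for other machines to spread to. The following is an added example, not code from the original post or from the SOC in a Box product, showing one detection a defender can run over flow or firewall logs: alert when a single source reaches an unusually large number of distinct hosts on port 445 inside a sliding window. The log format, field layout, IP addresses and thresholds are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445


def _burst(src, start, count, gap_seconds):
    """Build constructed flow records: `src` connecting to `count` distinct hosts, `gap_seconds` apart.
    Assumed record layout: "<ISO-8601 timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"."""
    base = datetime.fromisoformat(start)
    return [
        f"{(base + timedelta(seconds=i * gap_seconds)).isoformat()} {src} -> 10.0.2.{i + 1}:{SMB_PORT} tcp"
        for i in range(count)
    ]


# Constructed sample log lines (not real captures).
SAMPLE_LOGS = (
    _burst("10.0.1.15", "2017-05-12T10:00:00", 12, 2)    # 12 peers in 22 s: worm-like fan-out
    + _burst("10.0.1.40", "2017-05-12T10:00:00", 3, 5)   # 3 peers: ordinary file-share use
    + _burst("10.0.1.50", "2017-05-12T10:00:00", 12, 60)  # 12 peers over 11 min: slow, below rate
    + [
        "2017-05-12T10:00:05 10.0.1.15 -> 10.0.2.99:80 tcp",  # not SMB, must be ignored
        "garbage line that does not parse",                   # malformed, must not crash the detector
    ]
)


def parse_line(line):
    """Parse one record into (timestamp, src, dst, port); return None for malformed or non-TCP lines."""
    try:
        ts_s, src, arrow, dst_port, proto = line.split()
        if arrow != "->" or proto != "tcp":
            return None
        dst, port = dst_port.rsplit(":", 1)
        return datetime.fromisoformat(ts_s), src, dst, int(port)
    except ValueError:
        return None


def find_smb_fanout(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {src_ip: peak_distinct_peers} for sources that reached at least `threshold`
    distinct destination hosts on TCP/445 within any `window`-long sliding interval."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != SMB_PORT:
            continue
        ts, src, dst, _ = rec
        events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()  # chronological order so the window can start at each event in turn
        peak = 0
        for i, (t0, _) in enumerate(evs):
            peers = {dst for ts, dst in evs[i:] if ts - t0 <= window}
            peak = max(peak, len(peers))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peers in find_smb_fanout(SAMPLE_LOGS).items():
        print(f"ALERT: {src} reached {peers} distinct hosts on TCP/{SMB_PORT} within 60 s")
```

The threshold and window need tuning per environment: backup servers, vulnerability scanners and domain controllers legitimately talk SMB to many hosts and belong on an allowlist, and the slow-scanning source in the sample shows why a pure count without a time window over-alerts. Blocking SMB at the perimeter and on segment boundaries, which the patch guidance of the time also recommended, removes most of the paths this detection would otherwise have to watch.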

When nation-state tools leak, the clock starts ticking.

The Shadow Brokers leak established that nation-state cyber weapons — once stolen and published — become available to every threat actor worldwide. The only defence is the same defence this series has advocated for eight years: patch promptly (Cyber Essentials Danzell), test continuously (penetration testing), monitor 24/7 (SOC in a Box), and prepare for the worst (UK Cyber Defence incident response). Because when the next leak happens — and it will — the organisations that survive are the ones that were already patched, already monitored, and already prepared.


The NSA's tools were stolen in August 2016. WannaCry hit in May 2017. The patch was available in March. Were you ready?

<a href="/cyber-essentials">Cyber Essentials</a> mandates 14-day patching. <a href="/vulnerability-scanning">Vulnerability scanning</a> identifies affected systems. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for exploitation.
