A group of hackers that previously leaked alleged U.S. National Security Agency exploits claims to have even more attack tools in its possession and plans to release them in a new subscription-based service.
The group also has intelligence gathered by the NSA on foreign banks and ballistic missile programs, it said.
The Shadow Brokers was responsible for leaking EternalBlue, the Windows SMB exploit that was used by attackers in recent days to infect hundreds of thousands of computers around the world with the WannaCry ransomware program.
The group first appeared online in August and claimed that it had access to the arsenal of a cyberespionage group known in the security industry as the Equation, widely believed to be a hacking division of the NSA.
On Tuesday, following the WannaCry attacks, the Shadow Brokers posted a new message online in which they claim to have many more Equation exploits that haven’t been leaked yet. The group wants to make them available as part of a new subscription-based service that it plans to launch in June.
The group initially released a set of hacking tools for routers and firewall products but claimed it had much more it was willing to sell for 10,000 bitcoins or more — around US$12 million. After failing to attract any bids, the group dumped more information, including IP addresses of systems targeted by the Equation.
The Shadow Brokers eventually called it quits in January and disabled its online accounts, only to return in April in a surprise move that involved publishing the password for an encrypted archive containing many Linux and Windows exploits, as well as malware implants supposedly used by the Equation.
Most of the vulnerabilities targeted by the leaked exploits had already been patched by that time, including EternalBlue, which Microsoft fixed in March.
According to the hackers, data that will be leaked monthly through the new subscription service could include exploits for web browsers, routers, mobile devices, and Windows 10, as well as data extracted by the Equation during its cyberespionage operations. The information is supposed to include data stolen from SWIFT providers and central banks and data from “Russian, Chinese, Iranian, or North Korean nukes and missile programs.”
What subscribers will do with these exploits and data will be up to them, the group said.