There's been a tendency to romanticize leaking and even espionage, a tendency that US Director of Central Intelligence Pompeo has recently deplored as "leaker worship."
But as blurry as the lines that separate them can get, leakers and spies aren't necessarily public-spirited whistleblowers. EternalBlue apparently got out as a leak via the ShadowBrokers. Would their code dump seem as charming if they were, say, passing out stolen Stinger air defense missiles in Long Island parking lots? We don't think so, either.
The ShadowBrokers and EternalBlue.
The ShadowBrokers claimed that EternalBlue was obtained from NSA (and many, including Microsoft, have agreed). How the ShadowBrokers got EternalBlue and the other items they're now offering in their exploit-of-the-month club remains unclear, but the effects have been rough. RT, the news organization formerly known as Russia Today, says it knows where blame for the Petya outbreak lies: with NSA. And they say you can take Edward Snowden's word for it. That's hardly a disinterested opinion, still less an admission against interest (one suspects RT and, for that matter, Sputnik may be close enough to the sources feeding the ShadowBrokers to make an educated guess as to how the exploits were obtained), but the painful point is worth making—leaked exploits can do considerable collateral damage.
We heard from Nir Giller, CTO of CyberX, a company that specializes in industrial control system security. Before he co-founded CyberX, Giller served in an Israeli Defense Forces unit charged with critical infrastructure protection. He had this to say in an email. "Let's face it — when the Shadow Brokers leaked the NSA's hacking tools, they let the genie out of the bottle and there's no putting it back in. We should expect to see all kinds of cyber-adversaries playing with and building on top of them. Some of us in the ICS cyber security community are braced for the worst — mainly that some creative hacker will find a way to cross-pollinate elements of WannaCry/Petya with the destructive payloads of the ICS-specific Industroyer/CrashOverride malware. If that were to happen, then we're playing a whole new ballgame."