Menu
Browse

Cyber Threat Actor: SXUL

Actor Type Location Known Incidents
 Icon
Criminal
United States of America
3 incidents
Profile

The threat actor known as The Shadow Brokers, also referred to by the abbreviation TSB, is publicly associated with the United States of America as its known location. This actor has been linked to three distinct cyber incidents that are described in the provided sources. The first incident occurred on December 1 2023 when a Florida‑based consumer data broker, NationalPublicData.com, suffered a breach that resulted in the theft and subsequent leak of billions of records containing personal information such as names, Social Security numbers, addresses, phone numbers and email addresses; the compromised data spanned more than three decades and primarily affected older individuals in the United States, Canada and the United Kingdom, leading to a class‑action lawsuit and the public release of the data on underground forums. The second incident took place on May 12 2017 when ransomware was deployed against Harapan Kita Hospital in Jakarta as part of a broader global campaign that also impacted healthcare providers, automotive manufacturers, telecommunications firms and government services, causing operational disruptions such as cancelled patient treatments and halted production lines. The third incident, also dated May 12 2017, involved ransomware that disrupted operations at Renault’s manufacturing sites, temporarily halting production at several plants while the company reported no lasting effect on customer deliveries and noted that systems running non‑Windows operating systems were spared.

These incidents illustrate that the actor’s activities have affected sectors including healthcare, automotive manufacturing, telecommunications and government services, as well as large‑scale consumer data repositories. The described operations involve the exfiltration and sale of massive datasets, the deployment of ransomware that encrypts files and demands cryptocurrency payments, and the subsequent public release or sale of stolen data on cybercriminal forums. No explicit statements regarding the actor’s strategic objectives, motivational factors, technical capabilities, specific malware families, initial access vectors, tooling preferences, or any state or criminal affiliations are provided in the supplied material, and therefore those aspects are not included in this profile. The available information limits the description to the actor’s aliases, geographic attribution, and the three publicly reported campaigns outlined above. This completes the profile based solely on the evidence presented.

Incidents
Attributed incidents available to members
3 incidents
Sources
Sources available to members
2 sources