State-Sponsored Cyber Weapons: Development, Stockpiling, Ethical Implications, and Global Impact

Abstract

The proliferation of state-sponsored cyber capabilities has profoundly reshaped the strategic landscape of international security and modern warfare. These sophisticated instruments, developed and maintained by nation-states, represent a significant paradigm shift, offering unparalleled avenues for espionage, sabotage, and influence in the digital realm. This research report undertakes an exhaustive examination of the intricate process of developing and stockpiling such cyber weapons, delves deeply into the complex ethical considerations inherent in their potential use and non-use, and comprehensively analyzes the multifaceted geopolitical ramifications of their deployment. Through an in-depth case study focusing on the EternalBlue exploit, originally engineered by the U.S. National Security Agency (NSA) as a premier offensive tool, this report meticulously highlights the severe, often unpredictable, risks associated with the unauthorized leakage, widespread proliferation, or indiscriminate application of advanced cyber instruments. Particular emphasis is placed on the catastrophic potential for disruption and damage to global critical infrastructure, underscoring the urgent imperative for a robust and internationally coordinated framework for governance and oversight in cyberspace.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

1. Introduction: The Evolving Landscape of Cyber Warfare

In the contemporary geopolitical arena, cyber capabilities have transcended their nascent role to become an indispensable component of national defense strategies, intelligence operations, and intricate diplomatic maneuvering. The digital domain, once primarily a realm for communication and commerce, has irrevocably transformed into a contested battlespace, where nation-states actively develop and deploy sophisticated cyber weapons. These state-sponsored cyber weapons, often referred to as advanced persistent threats (APTs) when their operations are clandestine and enduring, serve as potent instruments for achieving a wide spectrum of strategic objectives: from clandestine intelligence gathering and economic espionage to the disruption of adversary infrastructure and, in extreme scenarios, as direct tools of warfare. The inherent advantages of cyber operations—including their potential for deniability, asymmetric impact, and pervasive reach—have cemented their position at the forefront of modern national security considerations.

The year 2017 marked a watershed moment with the unprecedented leakage of the EternalBlue exploit, a powerful tool attributed to the NSA’s highly secretive Equation Group. This incident serves as a quintessential illustration of the profound and often unforeseen consequences that can arise when such highly potent offensive cyber tools are exposed to unauthorized entities. The fallout from the EternalBlue leak extended far beyond the immediate technical compromise; it not only illuminated the latent vulnerabilities endemic within global critical infrastructure but also ignited a widespread and urgent discourse among policymakers, academics, and the public concerning the ethical dimensions, legal boundaries, and governance frameworks necessary for the responsible development, deployment, and stewardship of cyber weapons. This report will unpack the layers of complexity surrounding EternalBlue, positioning it as a pivotal case study that encapsulates the promises and perils of the digital age’s most formidable weapons.

2. Development and Stockpiling of State-Sponsored Cyber Weapons

2.1. The Genesis of Cyber Capabilities: From Espionage to Strategic Warfare

The origins of state-sponsored cyber weapon development can be traced back to the early days of networked computing, when intelligence agencies recognized the potential of digital infiltration for espionage. Initially focused on intelligence collection, these capabilities gradually expanded to include disruptive and destructive potential. Early examples, though often clandestine and unconfirmed, suggest a continuous evolution from simple data exfiltration to complex systems capable of manipulating industrial control systems (ICS). The concept of ‘zero-day exploits’—vulnerabilities unknown to the vendor and thus unpatched—became the holy grail for intelligence agencies, offering exclusive access and persistent footholds into target networks. These exploits, once discovered or developed, are often integrated into sophisticated frameworks designed for mass deployment and remote control, forming the backbone of a nation-state’s offensive cyber arsenal.

The strategic rationale for stockpiling such vulnerabilities and exploits is multifaceted. For intelligence agencies, these tools represent a strategic advantage, providing access to adversary networks for intelligence gathering, pre-positioning for future operations, or as a deterrent. The decision to stockpile is often weighed against the alternative of disclosing vulnerabilities to vendors, which would allow for patching and enhance overall global cybersecurity. This ‘stockpile versus disclose’ dilemma is central to the ethical debate surrounding state-sponsored cyber weapons, reflecting a tension between national security interests and the broader imperative of securing the digital commons. The global investment in offensive cyber capabilities has escalated into what many observers describe as a ‘cyber arms race,’ with nations continuously seeking to enhance their digital warfare prowess, creating a dynamic environment of innovation and potential instability.

2.2. The Equation Group and the Creation of EternalBlue

The Equation Group, a highly advanced threat actor, has been widely characterized by cybersecurity researchers as being an elite unit operating within the U.S. National Security Agency’s (NSA) Tailored Access Operations (TAO). Its reputation stems from the exceptional sophistication of its malware, its ability to persistently infiltrate high-value targets, and its extensive operational history, dating back to at least 2001 [Kaspersky Lab, 2015]. The group is known for its custom-built malware, advanced encryption techniques, and, notably, its ability to reprogram hard drive firmware, allowing for nearly undetectable and highly persistent infections [Kaspersky Lab, 2015].

Among the Equation Group’s formidable arsenal, EternalBlue stands out as a particularly potent and strategically significant exploit. This tool targeted a critical vulnerability, designated CVE-2017-0144, within Microsoft’s Server Message Block (SMB) protocol, specifically SMBv1. The SMB protocol is a network file sharing protocol that enables applications and users to access files and other resources on remote servers. SMBv1, an older version of the protocol, was pervasive across millions of Windows systems globally, ranging from individual workstations to critical enterprise servers. The vulnerability exploited by EternalBlue allowed for remote code execution (RCE) on unpatched Windows systems, meaning an attacker could execute arbitrary code on a target machine without requiring any user interaction or authentication. This capability made EternalBlue an exceptionally powerful tool for network compromise and lateral movement within an infected network. The NSA’s decision to develop and then carefully guard such a potent exploit, rather than disclose it to Microsoft for patching, underscores a deliberate and strategic approach to cultivating offensive cyber capabilities, aiming to maintain a decisive intelligence advantage, even at the potential cost of broader systemic cybersecurity.

2.3. The Shadow Brokers and the Unprecedented Leak of Cyber Weapons

In August 2016, a hitherto unknown hacker group, identifying themselves as ‘The Shadow Brokers,’ made international headlines by claiming to have successfully breached the Equation Group and subsequently initiated a series of public disclosures. These disclosures involved the highly sensitive leakage of a substantial cache of NSA-developed cyber tools, including, most infamously, EternalBlue, alongside other potent exploits such as EternalRomance, EternalSynergy, and the DoublePulsar backdoor [NopSec, 2017]. This leak was unprecedented in its scope and significance, marking the first time such an extensive collection of advanced cyber weaponry, developed by a leading nation-state, had been exposed to the public domain.

The Shadow Brokers’ initial communications were cryptic, often featuring broken English and demands for cryptocurrency in exchange for the full cache of tools. They framed their actions as a protest against the perceived hypocrisy of the U.S. government’s cyber policies [Wired, 2017]. While the exact identity and motivations of the Shadow Brokers remain a subject of intense speculation—with theories ranging from disgruntled insiders to state-sponsored proxies—their actions had immediate and profound repercussions. The leak not only validated the long-held suspicions about the existence and sophistication of state-level offensive cyber capabilities but also raised critical questions about the security protocols, accountability, and ethical oversight governing the stockpiling and management of such sensitive assets by intelligence agencies. The incident forcefully highlighted the inherent vulnerabilities in even the most secure cyber arsenals and starkly demonstrated the potential for catastrophic misuse when these powerful tools escape their intended confines and fall into the hands of a diverse array of malicious actors, from rival nation-states to transnational criminal organizations [GamTech, 2017].

3. Ethical Implications of State-Sponsored Cyber Weapons

3.1. The Ethical Quandaries of Offensive Cyber Operations

The development, maintenance, and potential deployment of cyber weapons by nation-states introduce a complex web of ethical challenges that profoundly intersect with international law and established principles of warfare. The traditional frameworks of ‘Just War Theory,’ which provide ethical guidance for the resort to armed conflict (jus ad bellum) and conduct within conflict (jus in bello), encounter significant difficulties when applied to the cyber domain. While cyber operations can be used to protect national interests, deter adversaries, and gather critical intelligence, their inherent characteristics—such as stealth, speed, and potential for widespread, indiscriminate impact—often make the application of principles like necessity, proportionality, and distinction exceptionally challenging.

Jus ad bellum criteria, such as ‘just cause’ (e.g., self-defense against an armed attack) and ‘proportionality of ends’ (the expected good outweighs the harm), are difficult to assess in cyber operations. Is a cyber intrusion that exfiltrates data an ‘armed attack’? At what point does a cyber disruption escalate to a level justifying conventional military response? The ‘legitimate authority’ criterion also becomes ambiguous when clandestine groups or proxies are employed, blurring the lines of state responsibility. Within jus in bello, the principles of ‘distinction’ (differentiating between combatants and non-combatants, military and civilian objects) and ‘proportionality of means’ (avoiding excessive harm to civilians or civilian infrastructure) are particularly vexing. Cyber attacks often traverse civilian networks and infrastructure, making it exceedingly difficult to limit their effects to purely military targets. The dual-use nature of many digital systems—serving both civilian and military functions—further complicates this distinction, increasing the likelihood of collateral damage to innocent parties and essential public services, as starkly demonstrated by incidents like WannaCry and NotPetya. The pervasive and often invisible nature of cyber tools can also erode societal trust, infringe upon individual privacy, and undermine fundamental tenets of national sovereignty without direct physical aggression.

3.2. The Stockpile vs. Disclosure Dilemma: A Policy Conundrum

Central to the ethical debate surrounding state-sponsored cyber weapons is the ‘stockpile versus disclose’ dilemma. Nation-states, particularly those with advanced offensive capabilities, face a perpetual choice: either to hoard newly discovered vulnerabilities and develop exploits for their own intelligence or military advantage, or to disclose these vulnerabilities responsibly to vendors, thereby enabling patches that enhance global cybersecurity. The U.S. government, for instance, operates under the Vulnerabilities Equities Process (VEP), a formalized interagency mechanism designed to weigh these competing interests. Proponents of stockpiling argue that these zero-day exploits are vital assets for national security, providing critical intelligence collection capabilities, enabling strategic deterrence, and offering options for offensive operations in times of conflict. They contend that disclosing such vulnerabilities would disarm intelligence agencies and leave the nation vulnerable to adversaries who might discover and exploit the same flaws.

Conversely, advocates for disclosure emphasize the profound public interest in a secure and stable cyberspace. They argue that stockpiling vulnerabilities inherently creates a latent risk, transforming a potential weakness into an active threat that can be exploited by any malicious actor should the exploit leak or be independently discovered. The EternalBlue incident serves as a powerful testament to this risk, demonstrating how a government-developed tool, once exposed, can be weaponized by criminals and other state actors, causing widespread harm to civilian infrastructure globally. The ethical argument for disclosure posits that the collective security benefits of patching vulnerabilities often outweigh the individual intelligence advantages of exploiting them. Furthermore, the practice of stockpiling contributes to a ‘security dilemma’ in cyberspace: one nation’s pursuit of offensive capabilities is perceived as a threat by others, prompting them to develop their own, leading to an escalating arms race and a net reduction in global security rather than an enhancement.

3.3. The Intricacies of Attribution and the Risk of Escalation

The inherent anonymity and often convoluted pathways of cyber operations present formidable challenges to accurate attribution, which in turn carries significant ethical and geopolitical risks. Unlike conventional warfare, where a state’s military actions are often clearly identifiable, cyber attacks can be launched from virtually anywhere, through multiple intermediary servers, and can be designed to mimic the tactics of other actors (‘false flags’). This makes it exceedingly difficult to definitively identify the responsible party with the speed and certainty often required for a timely and appropriate response. The technical complexities of tracing an attack are compounded by political motivations, as states may choose to conceal their involvement, employ proxy groups, or deliberately create ambiguity to sow confusion and deniability.

This ambiguity in attribution has several critical implications. Firstly, it can lead to misattribution, where an attack is wrongly ascribed to an innocent party, potentially escalating tensions or even triggering retaliatory actions against an undeserving target. Secondly, the difficulty in assigning responsibility undermines international norms and legal frameworks, making it challenging to hold actors accountable for malicious cyber activities. This lack of accountability can embolden hostile actors, fostering an environment of impunity. Thirdly, the inability to swiftly and definitively attribute an attack complicates deterrence strategies. If an adversary cannot be certain that their actions will be met with a proportionate and targeted response, the deterrent effect is diminished. The case of EternalBlue vividly illustrates this point: once leaked, the exploit was repurposed by a myriad of actors, including state-sponsored groups and cybercriminals, for various purposes, making it difficult to pinpoint the original source of subsequent attacks leveraging the tool. This amplified potential for widespread disruption, coupled with the attribution challenge, creates a volatile environment where miscalculation and unintended escalation, potentially bridging the gap between cyber and kinetic conflict, remain ever-present dangers [Privacy International, 2017].

4. Geopolitical Landscape of Cyber Warfare

4.1. Cyber Weapons as Instruments of Statecraft in International Relations

Cyber weapons have rapidly cemented their position as crucial instruments of statecraft, fundamentally altering the dynamics of international relations and power projection. Nations across the globe, recognizing the strategic utility of these tools, now integrate cyber capabilities into their broader foreign policy, defense, and intelligence doctrines. Cyber capabilities offer a unique form of ‘asymmetric warfare,’ enabling states to achieve strategic objectives against more powerful adversaries without resorting to traditional military force. This democratizes influence, allowing smaller or less militarily powerful nations to project power in ways previously unimaginable.

Beyond direct aggression or sabotage, cyber weapons are extensively employed for a range of objectives. They are paramount in espionage, allowing for the clandestine acquisition of sensitive political, economic, and military intelligence from rival nations, corporations, and international organizations. This intelligence can provide significant advantages in diplomatic negotiations, economic competition, and military planning. Furthermore, cyber operations are increasingly used for influence operations and information warfare, where disinformation campaigns, propaganda, and targeted social media manipulation aim to shape public opinion, destabilize political systems, or interfere in democratic processes within other countries. The aim is often to sow discord, erode trust in institutions, or promote a particular narrative favorable to the attacker’s interests. This form of digital intervention blurs the lines between peacetime competition and active conflict, operating in the grey zone beneath the threshold of armed attack. The leak of tools like EternalBlue, by effectively ‘democratizing’ access to advanced cyber capabilities, has inadvertently empowered a broader spectrum of state and non-state actors, thereby profoundly altering the existing balance of power and introducing new complexities into the international security paradigm.

4.2. The Profound Impact on Global Critical Infrastructure and National Security

The indiscriminate use or, perhaps more dangerously, the unauthorized leakage of potent cyber weapons poses an existential threat to global critical infrastructure. Critical infrastructure encompasses the essential systems and assets vital for the functioning of a society and economy, including energy grids, transportation networks, financial systems, healthcare facilities, water treatment plants, and telecommunications. These sectors are increasingly interconnected and reliant on digital networks, making them prime targets for disruption through cyber attacks. An attack on one component can trigger cascading failures across interdependent systems, leading to widespread societal and economic paralysis.

The WannaCry ransomware attack of May 2017 serves as a stark, global illustration of this vulnerability. Leveraging the leaked EternalBlue exploit, WannaCry rapidly infected over 300,000 computers across 150 countries within days, causing massive disruptions. It crippled operations in hospitals (notably affecting the UK’s National Health Service, leading to cancelled appointments and emergency diversions), major financial institutions, manufacturing plants, and logistics companies worldwide [Medium, 2017]. The economic damage was estimated to be in the billions of dollars. Another devastating incident was the NotPetya attack, also in 2017, which similarly utilized EternalBlue for initial access and lateral movement. While disguised as ransomware, NotPetya was, in fact, a destructive wiper, primarily targeting Ukrainian entities but rapidly spreading globally, impacting major corporations like Maersk (shipping), Mondelez International (food and beverage), and FedEx’s TNT Express. This attack alone caused billions of dollars in losses and demonstrated the potential for cyber weapons to cause direct, widespread economic havoc and undermine national security through infrastructure paralysis [Medium, 2017].

These incidents underscore several critical points: firstly, the pervasive vulnerability of interconnected digital systems; secondly, the severe economic and social harm that cyber weapons can inflict; and thirdly, how a single, leaked state-sponsored exploit can be weaponized by diverse malicious actors to achieve destructive outcomes far beyond its original intent. Such attacks erode public trust in essential services, destabilize economies, and can even compromise a nation’s ability to respond to emergencies, highlighting the urgent need for robust cybersecurity measures and international cooperation to safeguard these vital societal pillars.

5. Case Study: The EternalBlue Exploit in Detail

5.1. Technical Analysis of the EternalBlue Exploit and SMBv1 Vulnerability (CVE-2017-0144)

EternalBlue is a sophisticated network exploit developed by the NSA’s Equation Group, specifically designed to target a critical remote code execution vulnerability (CVE-2017-0144) in Microsoft’s implementation of the Server Message Block version 1 (SMBv1) protocol. The SMB protocol, fundamental for file sharing, printer sharing, and inter-process communication across Windows networks, operates over TCP port 445. SMBv1, an archaic version of the protocol, had been largely deprecated by Microsoft in favor of more secure versions (SMBv2 and SMBv3) but remained enabled by default on many legacy systems and was often not explicitly disabled on newer ones.

The technical core of EternalBlue lies in its exploitation of a buffer overflow vulnerability within the srv2.sys driver, which is responsible for handling SMB traffic in the Windows kernel. Specifically, the vulnerability resides in how the SMBv1 server handles certain specially crafted SMBv1 ‘transaction’ requests, particularly when processing SRV_MOVE or SRV_COPY operations. An attacker could send a maliciously crafted SMBv1 packet to a target server. This packet, when processed by the vulnerable srv2.sys driver, would cause it to allocate an insufficient buffer size for the incoming data, leading to a heap buffer overflow. By carefully controlling the overflow, the attacker could overwrite critical memory regions within the kernel, specifically targeting function pointers or return addresses. This allowed the attacker to inject and execute arbitrary code at the kernel level with SYSTEM privileges, granting full control over the compromised system without requiring any user interaction or authentication.

The Equation Group’s exploit framework, ‘FuzzBunch,’ was designed to chain EternalBlue with other tools. A critical component was the ‘DoublePulsar’ backdoor, which EternalBlue would inject into the kernel of the target system after successful exploitation. DoublePulsar served as a versatile implant, providing a stealthy remote access point and allowing attackers to load additional payloads or execute arbitrary shellcode directly in kernel memory. This enabled persistent access and facilitated the deployment of further malicious software, making the entire chain exceptionally potent for sustained network compromise and lateral movement. The technical sophistication of EternalBlue highlights the advanced capabilities developed by state-sponsored actors and underscores the significant challenges faced by defenders in protecting against such expertly engineered threats [The Woodford Spider, 2023; Strategic Focus, 2019].
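The protocol details above (SMB on TCP port 445, SMBv1 still accepted by many hosts) are what a defender can observe passively on the wire. As an added illustration, not code from the report or from any tool it names, the following Python parses SMB negotiation messages the way a network sensor would, separates SMB1-framed from SMB2-framed negotiates, and flags clients that offer only SMBv1 dialects; such hosts are the ones exposed to CVE-2017-0144 and are the first to prioritise for the MS17-010 fix and SMBv1 removal. The sample packets are constructed inline, and the `legacy_only` field is this example's own name.

```python
"""Passive SMB negotiation classifier (added example, constructed input).

Parses NetBIOS-session-wrapped SMB bytes as captured on TCP/445 and reports
which SMB generation is being negotiated and which dialects the client offered.
A client that opens with the SMB1 header and offers no "SMB 2.*" dialect can only
speak SMBv1, so that host is exposed to SMBv1 flaws such as CVE-2017-0144 and is
a candidate for MS17-010 patching and SMBv1 removal.
"""
import struct

SMB1_MAGIC = b"\xffSMB"           # SMB1 header starts 0xFF 'S' 'M' 'B'
SMB2_MAGIC = b"\xfeSMB"           # SMB2/3 header starts 0xFE 'S' 'M' 'B'
SMB1_COM_NEGOTIATE = 0x72         # SMB1 command code for NEGOTIATE
SMB2_NEGOTIATE = 0x0000           # SMB2 command code for NEGOTIATE
SMB2_DIALECT_NAMES = {0x0202: "2.0.2", 0x0210: "2.1", 0x0300: "3.0",
                      0x0302: "3.0.2", 0x0311: "3.1.1"}


def strip_netbios(payload: bytes) -> bytes:
    """Drop the 4-byte NetBIOS Session Service header (type 0x00 + 3-byte length)."""
    if len(payload) < 4 or payload[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated SMB message")
    return body


def smb1_negotiate_dialects(body: bytes) -> list:
    """SMB1 NEGOTIATE: 32-byte header, WordCount, ByteCount, then dialect strings,
    each prefixed with 0x02 and NUL-terminated."""
    word_count = body[32]
    params_end = 33 + 2 * word_count
    (byte_count,) = struct.unpack_from("<H", body, params_end)
    data = body[params_end + 2:params_end + 2 + byte_count]
    return [chunk[1:].decode("ascii", "replace")
            for chunk in data.split(b"\x00") if chunk.startswith(b"\x02")]


def smb2_negotiate_dialects(body: bytes) -> list:
    """SMB2 NEGOTIATE: 64-byte header, 36-byte fixed body, then 2-byte dialect codes."""
    (dialect_count,) = struct.unpack_from("<H", body, 64 + 2)
    codes = struct.unpack_from("<%dH" % dialect_count, body, 64 + 36)
    return [SMB2_DIALECT_NAMES.get(c, "0x%04x" % c) for c in codes]


def classify_smb(payload: bytes) -> dict:
    """Classify one client-to-server SMB message; 'legacy_only' is this example's own flag."""
    body = strip_netbios(payload)
    magic = body[:4]
    if magic == SMB1_MAGIC:
        command = body[4]
        result = {"protocol": "SMB1", "command": command, "dialects": [], "legacy_only": None}
        if command == SMB1_COM_NEGOTIATE:
            result["dialects"] = smb1_negotiate_dialects(body)
            # SMB2-capable clients still send an SMB1-framed negotiate but advertise
            # "SMB 2.002"/"SMB 2.???" so the server can upgrade. Offering only SMB1
            # dialects means the client cannot move off SMBv1 at all.
            result["legacy_only"] = not any(d.startswith("SMB 2.") for d in result["dialects"])
        return result
    if magic == SMB2_MAGIC:
        (command,) = struct.unpack_from("<H", body, 12)   # Command field at header offset 12
        result = {"protocol": "SMB2", "command": command, "dialects": [], "legacy_only": False}
        if command == SMB2_NEGOTIATE:
            result["dialects"] = smb2_negotiate_dialects(body)
        return result
    raise ValueError("unrecognised SMB magic %r" % magic)


# --- constructed sample packets (built here, not captured from any real host) ---
def build_smb1_negotiate(dialects) -> bytes:
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 27   # 32-byte header, rest zeroed
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = header + b"\x00" + struct.pack("<H", len(data)) + data      # WordCount=0, ByteCount, dialects
    return b"\x00" + len(body).to_bytes(3, "big") + body


def build_smb2_negotiate(codes) -> bytes:
    header = SMB2_MAGIC + struct.pack("<HH", 64, 0) + b"\x00" * 4 + struct.pack("<H", SMB2_NEGOTIATE) + b"\x00" * 50
    fixed = struct.pack("<HHHHI", 36, len(codes), 1, 0, 0) + b"\x00" * 24  # ClientGuid + context fields zeroed
    body = header + fixed + b"".join(struct.pack("<H", c) for c in codes)
    return b"\x00" + len(body).to_bytes(3, "big") + body


LEGACY_ONLY_CLIENT = build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])
UPGRADEABLE_CLIENT = build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
SMB2_CLIENT = build_smb2_negotiate([0x0210, 0x0300, 0x0311])

if __name__ == "__main__":
    for name, pkt in [("legacy-only", LEGACY_ONLY_CLIENT), ("upgradeable", UPGRADEABLE_CLIENT), ("smb2", SMB2_CLIENT)]:
        print(name, classify_smb(pkt))
```

Feeding real captures means extracting the TCP payload of the first client message on port 445 and passing it to `classify_smb`; an SMB1-framed negotiate that also lists `SMB 2.002` is a modern client performing multi-protocol negotiation, so only the `legacy_only` hits deserve a ticket.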

5.2. The Aftermath of the Leak: Global Outbreaks and Lasting Impact

Following the Shadow Brokers’ leak of EternalBlue in April 2017, the cybersecurity community and governments braced for impact. Microsoft, which had been alerted to the vulnerability privately (possibly by the NSA, or through its own intelligence), had already released the MS17-010 security patches in March 2017. However, because the exploit spread rapidly and unpatched systems remained widespread, the global response was reactive and struggled to contain the ensuing digital contagion.

5.2.1. The WannaCry Ransomware Outbreak

Just weeks after the leak, in May 2017, the world witnessed the rapid emergence of WannaCry ransomware. This novel form of malware incorporated the EternalBlue exploit as its primary propagation mechanism, allowing it to rapidly infect vulnerable Windows machines without any user interaction. Once a machine was infected, WannaCry would encrypt its files and demand a ransom in Bitcoin for their release. Its worm-like capability, enabled by EternalBlue, allowed it to spread autonomously across local networks and the broader internet, infecting over 300,000 computers in more than 150 countries within days. Major disruptions occurred in critical sectors globally: the UK’s National Health Service (NHS) experienced widespread service cancellations, affecting emergency rooms and patient care; Spanish telecommunications giant Telefónica was crippled; and numerous other corporations, including FedEx and Renault, reported severe operational impediments. The rapid spread was temporarily halted by a serendipitous discovery of a ‘kill switch’ domain by a security researcher, but the incident highlighted the catastrophic potential of combining state-level exploits with financially motivated cybercrime [Medium, 2017].

5.2.2. The NotPetya ‘Wiper’ Attack

Even more devastating, in June 2017, the NotPetya attack (also known as Petya.A or ExPetr) emerged, again leveraging EternalBlue. While initially disguised as ransomware, demanding Bitcoin payments, forensic analysis quickly revealed that NotPetya was, in fact, a highly destructive ‘wiper’ malware designed to permanently render systems inoperable rather than encrypt for ransom. It propagated using EternalBlue, much like WannaCry, but also incorporated other propagation methods, including legitimate Windows tools like PsExec and Windows Management Instrumentation (WMI), to spread laterally within compromised networks even if the EternalBlue vulnerability was patched. NotPetya primarily targeted Ukraine, causing immense disruption to government agencies, banks, power companies, and Kyiv’s Boryspil Airport. Its impact, however, rapidly spread globally, crippling major multinational corporations such as Maersk (one of the world’s largest shipping companies), Merck (pharmaceuticals), and Mondelēz International (food and beverage), leading to estimated damages in excess of $10 billion, making it one of the costliest cyber attacks in history [Medium, 2017]. Attribution for NotPetya was swiftly pointed towards Russia’s GRU military intelligence agency, specifically the Sandworm group, underscoring the shift from mere espionage to highly destructive state-sponsored cyber warfare.

5.2.3. Lingering Threats and Lessons Learned

The aftermath of the EternalBlue leak extended beyond WannaCry and NotPetya. The exploit continued to be incorporated into various other malware families and attack toolkits, proving its enduring utility for malicious actors. The incidents served as a harsh wake-up call, emphasizing the critical importance of timely patching, the dangers of relying on outdated legacy systems (like SMBv1), and the profound interconnectedness of global digital infrastructure. They underscored the dire need for organizations to implement robust cybersecurity measures, including network segmentation, intrusion detection systems, and comprehensive incident response plans. The global response, while initially chaotic, also highlighted the necessity for international cooperation, information sharing, and a concerted effort to mitigate the risks associated with such potent, publicly available cyber weapons [Wikipedia, 2025].
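The lessons listed above (timely patching, retiring SMBv1, network segmentation) can be weighed against each other on a concrete inventory. As an added example, not code from the report or from any organisation it mentions, the following Python models a small fleet with its SMBv1 and MS17-010 status and a policy of which segments may reach which on TCP/445, then counts how many exploitable hosts an autonomous WannaCry-style worm could reach from one infected machine under a flat policy and under a segmented one. Host names, segments and both policies are constructed for the example.

```python
"""Blast-radius model for a worm spreading over TCP/445 (added example, constructed data).

Each host records whether SMBv1 is still enabled and whether MS17-010 is applied.
A segmentation policy says which segments may open TCP/445 to which. Starting
from one infected host, a breadth-first search counts the exploitable hosts a
WannaCry-style worm could reach on its own, so the same inventory can be scored
under a flat policy and under a segmented one.
"""
from collections import deque, namedtuple

Host = namedtuple("Host", "name segment smb1_enabled ms17_010_applied")

# Constructed inventory; names and segments are this example's own.
HOSTS = [
    Host("ws-01", "workstations", True, False),
    Host("ws-02", "workstations", True, True),    # patched: SMBv1 still on, but the bug is fixed
    Host("ws-03", "workstations", True, False),
    Host("fs-01", "servers", True, False),
    Host("fs-02", "servers", False, False),       # SMBv1 removed: the exploit has nothing to talk to
    Host("db-01", "servers", True, True),
    Host("hmi-01", "ot", True, False),
    Host("hmi-02", "ot", True, False),
]

SEGMENTS = {"workstations", "servers", "ot"}

# Flat network: any segment may reach any other on TCP/445.
FLAT_POLICY = {seg: set(SEGMENTS) for seg in SEGMENTS}

# Segmented: workstations may reach servers, servers stay among themselves,
# and OT is reachable only from within OT.
SEGMENTED_POLICY = {
    "workstations": {"workstations", "servers"},
    "servers": {"servers"},
    "ot": {"ot"},
}


def is_exploitable(host: Host) -> bool:
    """CVE-2017-0144 needs SMBv1 listening and the MS17-010 fix absent."""
    return host.smb1_enabled and not host.ms17_010_applied


def blast_radius(hosts, policy, patient_zero: str) -> list:
    """Names of hosts an autonomous SMBv1 worm could compromise from patient_zero, sorted."""
    by_name = {h.name: h for h in hosts}
    compromised = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = by_name[queue.popleft()]
        for dst in hosts:
            if dst.name in compromised:
                continue
            # Spread needs both a permitted TCP/445 path and an unpatched SMBv1 listener.
            if dst.segment in policy[src.segment] and is_exploitable(dst):
                compromised.add(dst.name)
                queue.append(dst.name)
    return sorted(compromised)


def segments_spared(hosts, policy, patient_zero: str) -> list:
    """Segments that still contain exploitable hosts but that the worm never reaches."""
    hit = set(blast_radius(hosts, policy, patient_zero))
    return sorted({h.segment for h in hosts if is_exploitable(h) and h.name not in hit})


if __name__ == "__main__":
    print("flat     :", blast_radius(HOSTS, FLAT_POLICY, "ws-01"))
    print("segmented:", blast_radius(HOSTS, SEGMENTED_POLICY, "ws-01"),
          "spared:", segments_spared(HOSTS, SEGMENTED_POLICY, "ws-01"))
```

Running the model shows the three controls acting independently: `ws-02` and `db-01` are safe because of the patch, `fs-02` because SMBv1 is gone, and the OT segment only because the segmented policy removes the TCP/445 path; a real inventory can be scored the same way by loading host and firewall data into `HOSTS` and the policy dict.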

6. Risks and Consequences of Leaked or Indiscriminate Use of Cyber Weapons

6.1. The Proliferation and Democratization of Advanced Cyber Capabilities

One of the most profound and unsettling consequences of the EternalBlue leak was the dramatic proliferation and ‘democratization’ of advanced cyber capabilities. Previously, exploits of such sophistication were largely confined to the arsenals of well-resourced nation-states, requiring significant investment in research, development, and talent. The public release of EternalBlue, however, effectively lowered the barrier to entry for conducting highly impactful cyber attacks. Suddenly, cybercriminals, less sophisticated state-sponsored groups, hacktivists, and even amateur ‘script kiddies’ gained access to a powerful, proven exploit that could rapidly compromise a vast number of systems globally [The Register, 2017].

This proliferation has fundamentally altered the threat landscape. It means that the responsibility for mitigating the risks associated with these powerful tools shifts from a small number of accountable state actors to an almost limitless number of potentially malicious entities. Once an exploit is leaked into the public domain, it is virtually impossible to contain or recall. It becomes a permanent part of the global cyber toolkit, ready to be repurposed, modified, and integrated into new attack campaigns. This dynamic increases the frequency and severity of attacks, making it harder for defensive efforts to keep pace, and creates a perpetual arms race where defenders must constantly adapt to the reuse of old, potent weapons by new adversaries.

6.2. Enormous Economic and Societal Costs

The economic and societal consequences of leaked or indiscriminately used cyber weapons are staggering, extending far beyond the immediate financial losses. The WannaCry and NotPetya attacks, both leveraging EternalBlue, incurred global economic damages estimated to be in the tens of billions of dollars collectively [Wired, 2017]. These costs manifest in various ways:

  • Direct Financial Losses: Ransom payments (though often discouraged), costs of system recovery, data restoration, and direct revenue loss due to operational downtime.
  • Operational Disruption: Extended periods of business interruption, leading to production stoppages, supply chain breakdowns, and significant delays in essential services. The impact on critical infrastructure like healthcare (NHS), logistics (Maersk), and energy can have cascading effects throughout entire economies and societies.
  • Reputational Damage: Organizations suffer a loss of customer trust, shareholder confidence, and brand value, which can have long-term negative impacts on their market position and viability.
  • Indirect Economic Costs: Increased cybersecurity spending, insurance premiums, regulatory fines, and legal expenses. Furthermore, the diversion of resources from productive activities to cybersecurity remediation represents a significant societal cost.
  • Societal Impact: Beyond economic figures, there are profound non-monetary costs. The disruption of essential services can cause significant public inconvenience, anxiety, and even endanger public safety (e.g., hospital disruptions). The erosion of trust in digital systems and institutions can have long-lasting effects on social cohesion and stability. Such attacks demonstrate how cyber warfare can inflict widespread societal harm without a single bullet being fired.

6.3. Erosion of Trust and International Stability

The continuous development and stockpiling of cyber weapons, and particularly their leakage and indiscriminate use, profoundly erode trust at multiple levels: between nations, between governments and their citizens, and within the digital ecosystem itself. When a state’s advanced offensive tools are leaked and subsequently weaponized against global civilian infrastructure, it breeds cynicism about the responsible stewardship of such capabilities by powerful nations. This undermines efforts to establish international norms and fosters an environment of suspicion and mistrust, in which nations are less willing to collaborate on cybersecurity initiatives or share threat intelligence.

Furthermore, the ambiguity of attribution in cyber attacks exacerbates geopolitical tensions. Without clear accountability, states may resort to accusations and retaliatory measures, risking cycles of escalation that could spill over into conventional conflict. The very nature of cyber operations, often conducted in secret and with potential for deniability, makes it difficult to distinguish between espionage, sabotage, and acts of war, thereby complicating diplomatic responses and hindering the development of stable international relations in cyberspace. This environment of mistrust can lead to a ‘digital dark age,’ where pervasive threats and a lack of cooperative defense undermine the open, secure, and reliable internet that underpins modern society and commerce. The challenge lies not just in technical defense, but in rebuilding and maintaining a foundation of trust essential for global stability in the digital era.

6.4. The Challenge of Attribution and Accountability Revisited

The persistent difficulty in attributing cyber attacks with high confidence remains a critical obstacle to establishing effective deterrence and accountability in the cyber domain. While technical forensics can often identify the tools and methods used (e.g., EternalBlue), definitively linking these to a specific perpetrator, whether a nation-state, a state-sponsored proxy, or an independent criminal group, is fraught with complexity. Actors intentionally obscure their tracks through anonymization techniques, proxy infrastructure, and ‘false flags’ designed to mislead attribution efforts. For instance, the Shadow Brokers’ identity remains unconfirmed, adding to the ambiguity surrounding the source of the EternalBlue leak itself. NotPetya, which at first presented as financially motivated ransomware, was formally attributed to Russia’s military intelligence service (the GRU) by several governments only months later, after extensive intelligence analysis.

This inherent challenge in attribution has profound consequences for accountability and international law. If states cannot confidently identify the aggressor, it becomes nearly impossible to apply existing international legal frameworks, such as those governing state responsibility or the use of force. This creates a perceived impunity for malicious actors, which can encourage further attacks and escalate the frequency and severity of cyber incidents. The lack of a clear, universally accepted legal and diplomatic framework for attribution and response in cyberspace leaves a vacuum, potentially leading to unilateral actions, miscalculations, and an unstable global security environment. Addressing this challenge requires not only enhanced technical capabilities for forensic analysis but also robust international intelligence sharing, diplomatic mechanisms, and the development of clear, agreed-upon international norms for responsible state behavior in cyberspace.

7. Recommendations for Governance and Oversight

Navigating the complex and perilous landscape of state-sponsored cyber weapons necessitates a multi-faceted approach encompassing robust international cooperation, the establishment of clear norms, and continuous advancements in national cybersecurity resilience. The EternalBlue saga serves as a compelling impetus for urgent action across these domains.

7.1. Towards a Framework for Responsible State Behavior in Cyberspace

Establishing and enforcing international norms for responsible state behavior in cyberspace is paramount to mitigating the risks associated with cyber weapons. Analogous to arms control treaties for nuclear or chemical weapons, such frameworks are essential for managing escalation and ensuring stability.

7.1.1. Developing and Adhering to International Norms and Confidence-Building Measures

Existing efforts, such as those undertaken by the United Nations Group of Governmental Experts (UN GGE) and the Open-Ended Working Group (OEWG), have laid foundational principles, including the applicability of international law to cyberspace and voluntary, non-binding norms. These efforts must be reinvigorated and expanded upon. Key norms for state behavior should include:

  • Non-targeting of Critical Infrastructure: States should unequivocally commit to not conducting or supporting cyber attacks against the critical infrastructure of other nations, particularly those providing essential services to the public (e.g., healthcare, energy, water, financial services). The devastating impact of WannaCry and NotPetya on civilian infrastructure underscores the humanitarian imperative of this norm.
  • Prohibition on the Use of Proxies: States should be held accountable for cyber operations originating from their territory or conducted by actors under their effective control, irrespective of whether they are non-state actors or criminal groups. This would help address the attribution challenge and prevent deniable ‘grey zone’ warfare.
  • Transparency in Vulnerability Handling (VEP Refinement): Nation-states should establish and adhere to more transparent and accountable processes, such as a reformed Vulnerabilities Equities Process (VEP). This process should include clear, publicly stated criteria for deciding whether to stockpile a vulnerability or disclose it. The default presumption should be disclosure to vendors unless there is an overwhelming, demonstrably time-limited national security imperative, subject to independent review. This shift would prioritize global cybersecurity over short-term offensive advantage, reducing the risk of tools like EternalBlue being weaponized against the public.
  • Information Sharing and Mutual Assistance: Fostering agreements for rapid sharing of cyber threat intelligence and offering mutual assistance in incident response, especially for attacks on critical infrastructure. This would enhance collective defense capabilities and reduce the impact of widespread outbreaks.

7.1.2. Strengthening Legal Frameworks and Accountability Mechanisms

Beyond voluntary norms, there is a pressing need to clarify and potentially expand international legal frameworks applicable to cyberspace. Efforts like the Tallinn Manual on the International Law Applicable to Cyber Warfare provide scholarly guidance but are not legally binding. States should work towards:

  • Clarifying the Threshold for ‘Use of Force’: Define what constitutes an ‘armed attack’ or ‘use of force’ in cyberspace, triggering the right to self-defense under Article 51 of the UN Charter. This would reduce ambiguity and potential for escalation.
  • Developing Dispute Resolution Mechanisms: Establish forums or processes for states to address allegations of malicious cyber activity and seek redress, potentially through international tribunals or mediation, to prevent unilateral retaliatory actions.

7.2. Enhancing Global Cybersecurity Practices and Resilience

While international agreements are crucial, they must be complemented by a relentless focus on improving the technical and organizational resilience of nations and critical infrastructure operators.

7.2.1. Proactive Defense and Resilience Building

  • Prioritizing Timely Patching and Updates: Emphasize the critical importance for all organizations, especially those managing critical infrastructure, to implement rigorous patch management policies and ensure operating systems and software are regularly updated. Microsoft had released the fix for the SMBv1 flaw exploited by EternalBlue (security bulletin MS17-010) in March 2017, roughly two months before WannaCry; the exploit remained effective for years afterwards only because so many systems were never patched, which highlights this fundamental weakness.
  • Legacy System Decommissioning: Governments and industries must accelerate the deprecation and secure replacement of outdated protocols (like SMBv1) and end-of-life operating systems (e.g., Windows XP). Current Windows releases no longer install SMBv1 by default, so its presence on a network is usually a sign of legacy equipment that needs an explicit migration plan. Where immediate replacement is not feasible, robust network segmentation and air-gapping strategies are essential.
  • Robust Network Segmentation: Implement strict network segmentation, including blocking SMB (TCP port 445) between workstation segments and from untrusted networks, to limit the lateral movement of malware. If one segment is compromised, others remain isolated, containing the kind of worm-like spread seen with WannaCry and NotPetya rather than allowing a single infected host to reach every machine on a flat network.
  • Multi-Factor Authentication (MFA): Mandate MFA for all critical systems and user accounts to significantly reduce the risk of unauthorized access even if credentials are stolen. MFA does not stop an unauthenticated remote exploit such as EternalBlue, but it raises the cost of the credential-based lateral movement that NotPetya combined with it (harvested credentials replayed through PsExec and WMIC), and it is therefore a complement to patching rather than a substitute for it.
  • Supply Chain Security: Implement stringent security requirements and audits for vendors and third-party suppliers, as attackers increasingly target weaker links in the supply chain to gain access to primary targets.
  • Incident Response Planning: Develop, regularly test, and update comprehensive incident response and disaster recovery plans. This includes clear communication protocols, forensic capabilities, and robust backup and restoration procedures.
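The first check a defender would run against the patching and legacy-protocol bullets above is whether a host still negotiates SMBv1, the protocol EternalBlue exploited. The script below is an added, stand-alone example written for this report; it is not code from the original text or from any project it describes. It speaks the SMB_COM_NEGOTIATE request/response defined in MS-CIFS over TCP port 445, offers only legacy SMB1 dialects, and classifies the answer: a server that still supports SMBv1 replies with the 0xFF ‘SMB’ header and the index of the dialect it selected; a server that refuses every offered dialect answers with DialectIndex 0xFFFF or simply drops the connection. The replies used for the offline demonstration are constructed test fixtures, not captured traffic, and the target host and port are the only assumptions.

```python
"""Audit hosts for SMBv1 negotiation (the protocol EternalBlue exploited).

Added example for this report, not part of the original text. Speaks the
SMB_COM_NEGOTIATE request/response from MS-CIFS over TCP 445 and reports
whether the server is still willing to select an SMBv1 dialect.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"            # SMB1 header signature
SMB2_MAGIC = b"\xfeSMB"            # SMB2/3 header signature
SMB_COM_NEGOTIATE = 0x72
NETBIOS_HDR = struct.Struct(">I")  # session message: type 0x00 + 24-bit length
SMB1_HDR = struct.Struct("<4sBIBHH8sHHHHH")  # 32-byte SMB1 header (MS-CIFS 2.2.3.1)

# Offer only legacy dialects, so the server can only "win" by picking SMBv1.
LEGACY_DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]


def build_negotiate_request(dialects=LEGACY_DIALECTS, mid=1):
    """Return a NetBIOS-framed SMB_COM_NEGOTIATE request offering `dialects`."""
    header = SMB1_HDR.pack(
        SMB1_MAGIC,         # Protocol
        SMB_COM_NEGOTIATE,  # Command
        0,                  # Status
        0x18,               # Flags: case-insensitive, canonicalized paths
        0xC801,             # Flags2: unicode, NT status, extended security, long names
        0,                  # PIDHigh
        b"\x00" * 8,        # SecurityFeatures
        0,                  # Reserved
        0,                  # TID (no tree connected yet)
        0xFEFF,             # PIDLow
        0,                  # UID (not authenticated yet)
        mid,                # MID
    )
    # Each dialect is a BufferFormat byte 0x02 followed by a NUL-terminated string.
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = header + struct.pack("<BH", 0, len(data)) + data  # WordCount=0, ByteCount
    return NETBIOS_HDR.pack(len(body)) + body


def classify_response(data, dialects=LEGACY_DIALECTS):
    """Classify the server's answer to our negotiate.

    Returns (verdict, dialect): 'smb1' (server selected an SMBv1 dialect, named
    in `dialect`), 'refused' (SMB1 header but DialectIndex 0xFFFF: no offered
    dialect acceptable), 'smb2' (SMB2/3 header), 'closed' (no bytes: the server
    dropped the connection) or 'unknown'.
    """
    if not data:
        return "closed", None
    if len(data) < NETBIOS_HDR.size + 4:
        return "unknown", None
    body = data[NETBIOS_HDR.size:]  # strip the 4-byte NetBIOS session header
    if body[:4] == SMB2_MAGIC:
        return "smb2", None
    if body[:4] != SMB1_MAGIC or len(body) < SMB1_HDR.size + 3:
        return "unknown", None
    if body[4] != SMB_COM_NEGOTIATE or not body[9] & 0x80:  # Command, reply flag
        return "unknown", None
    # Parameter block: WordCount (1 byte), then DialectIndex is the first word.
    _word_count, dialect_index = struct.unpack_from("<BH", body, SMB1_HDR.size)
    if dialect_index == 0xFFFF:
        return "refused", None
    name = dialects[dialect_index] if dialect_index < len(dialects) else None
    return "smb1", name


def probe_host(host, port=445, timeout=3.0):
    """Connect to host:port, send the negotiate and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            reply = sock.recv(4096)
    except OSError:  # refused, reset, timed out, unreachable
        return "closed", None
    return classify_response(reply)


def constructed_smb1_reply(dialect_index, word_count=17):
    """Constructed SMB1 negotiate reply for the offline demo (not a real capture)."""
    header = SMB1_HDR.pack(SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x98, 0xC801, 0,
                           b"\x00" * 8, 0, 0, 0xFEFF, 0, 1)  # 0x98 = reply flag set
    params = struct.pack("<BH", word_count, dialect_index) + b"\x00" * (2 * word_count - 2)
    body = header + params + struct.pack("<H", 0)  # ByteCount = 0
    return NETBIOS_HDR.pack(len(body)) + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for target in sys.argv[1:]:  # only probe hosts you are authorized to test
            print(target, *probe_host(target))
    else:
        # Offline demonstration against constructed replies.
        for label, reply in [("legacy server", constructed_smb1_reply(2)),
                             ("SMB1 disabled", constructed_smb1_reply(0xFFFF, 1)),
                             ("dropped", b"")]:
            print(label, *classify_response(reply))
```

Run it with no arguments to see the classification of the constructed replies, or with one or more host names to probe real systems you are authorized to test; any host reported as ‘smb1’ still accepts the protocol WannaCry and NotPetya spread over and belongs at the top of the patching and decommissioning list. Offering only legacy dialects is deliberate: a server that supports SMB2/3 as well would otherwise be free to pick the newer protocol and hide the fact that SMBv1 is still enabled.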

7.2.2. Fostering International Cooperation and Capacity Building

  • Public-Private Partnerships: Encourage closer collaboration between government cybersecurity agencies and private sector companies, especially those that own and operate critical infrastructure. This facilitates intelligence sharing, joint threat analysis, and coordinated defense efforts.
  • Cross-Border Threat Intelligence Sharing: Establish secure and trusted channels for rapid and actionable threat intelligence sharing between national Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs) globally. Early warnings can significantly mitigate the spread and impact of novel threats.
  • Capacity Building for Developing Nations: Invest in programs to enhance the cybersecurity capabilities of nations with fewer resources. A weak link in the global cybersecurity chain can become an entry point for widespread attacks, impacting all. This includes training, technology transfer, and policy development assistance.
  • Cybersecurity Education and Workforce Development: Prioritize national and international initiatives to address the acute shortage of skilled cybersecurity professionals through education, training, and awareness campaigns.

8. Conclusion

The enduring saga of EternalBlue stands as a seminal and stark reminder of the intricate complexities, inherent ethical dilemmas, and profound geopolitical risks inextricably linked with the development, stockpiling, and potential leakage of state-sponsored cyber weapons. These sophisticated tools, while offering significant strategic advantages for national security, simultaneously carry the potential for catastrophic, widespread, and indiscriminate harm to global critical infrastructure and societal stability. The incidents triggered by EternalBlue’s unintended release—most notably the WannaCry and NotPetya outbreaks—transcended national borders, demonstrating with chilling clarity that a single leaked exploit can rapidly evolve into a global contagion, inflicting billions in economic damages and disrupting essential services vital to public welfare.

Navigating this rapidly evolving and increasingly weaponized digital landscape necessitates a comprehensive, collaborative, and ethically grounded approach. This must entail a robust commitment to establishing and adhering to clear, internationally agreed-upon norms for responsible state behavior in cyberspace, focusing on non-targeting of civilian infrastructure and enhanced transparency in vulnerability management. Concurrently, nations must redouble their efforts to strengthen their own cybersecurity posture through proactive defense strategies, timely patching, robust network resilience, and continuous investment in human capital. Furthermore, fostering greater international cooperation, facilitating rapid threat intelligence sharing, and actively engaging in capacity-building initiatives are indispensable steps toward securing the global digital commons. The imperative is not merely to defend against the next EternalBlue, but to collaboratively build a more secure, stable, and resilient cyberspace for all, balancing national security interests with the collective responsibility to protect the interconnected digital fabric of our modern world.

References

  • GamTech. (2017). ‘This Day in Technology History: Shadow Brokers Leak NSA Exploits (EternalBlue).’ Retrieved from https://www.gamtech.ca/this-day-in-technology-history/this-day-in-technology-history-shadow-brokers-leak-nsa-exploits-eternalblue

  • Kaspersky Lab. (2015). ‘Equation Group: The Crown Creator of Cyber-Espionage.’ Retrieved from https://securelist.com/equation-group-the-crown-creator-of-cyber-espionage/73604/

  • Medium. (2017). ‘From Shadow Brokers to WannaCry: The EternalBlue Saga.’ Retrieved from https://medium.com/@sam_sepiol_/from-shadow-brokers-to-wannacry-the-eternalblue-saga-cefda0df7834

  • Medium. (2017). ‘Day 64: EternalBlue. The Shoulders WannaCry and NotPetya…’ Retrieved from https://medium.com/@beingnile/day-64-eternalblue-7f320bf6b6b2

  • NopSec. (2017). ‘Shadow Brokers Tools: Leaked Equation Group’s Hacking Tools (Lab-Demo Analysis).’ Retrieved from https://www.nopsec.com/blog/the-shadow-brokers-leaked-equation-groups-hacking-tools-a-lab-demo-analysis/

  • Privacy International. (2017). ‘Leaked NSA Exploits Work on All Post-2000 Windows Versions.’ Retrieved from https://privacyinternational.org/examples-abuse/1967/leaked-nsa-exploits-work-all-post-2000-windows-versions

  • Strategic Focus. (2019). ‘Eternalblue | The NSA-Developed Exploit That Just Won’t Die.’ Retrieved from https://strategicfocus.com/2019/05/27/eternalblue-the-nsa-developed-exploit-that-just-won-t-die/

  • The Register. (2017). ‘Script Kiddies Pwn 1000s of Windows Boxes Using Leaked NSA Hack Tools.’ Retrieved from https://www.theregister.com/2017/04/21/windows_hacked_nsa_shadow_brokers/

  • The Woodford Spider. (2023). ‘EternalBlue Analysis.’ Retrieved from https://thewoodfordspider.com/index.php/2023/05/01/eternalblue-analysis/

  • Wired. (2017). ‘How Leaked NSA Spy Tool ‘EternalBlue’ Became a Hacker Favorite.’ Retrieved from https://www.wired.com/story/eternalblue-leaked-nsa-spy-tool-hacked-world/

  • Wikipedia. (2025). ‘EternalBlue.’ Retrieved from https://en.wikipedia.org/wiki/EternalBlue

9 Comments

  1. The analysis of EternalBlue’s impact on global critical infrastructure is particularly insightful. Considering the increasing sophistication and interconnectedness of these systems, what new strategies might be most effective in anticipating and mitigating similar large-scale cyberattacks in the future?

    • Thanks for your comment! The increasing sophistication truly demands innovative strategies. Strengthening international cooperation for real-time threat intelligence sharing and focusing on AI-driven predictive analysis to identify vulnerabilities before exploitation are crucial steps. What other approaches do you think hold promise?

      Editor: StorageTech.News

  2. The emphasis on international cooperation for establishing clear norms is crucial. How can we foster a more transparent and collaborative environment for sharing vulnerability information while respecting legitimate national security concerns?

    • That’s a great point! Striking the balance between transparency and national security is key. Perhaps a tiered system where vulnerabilities are shared with trusted international partners initially, allowing for coordinated responses while safeguarding sensitive information, could be a viable path forward. What are your thoughts on this approach?

      Editor: StorageTech.News

  3. The report rightly emphasizes the importance of proactive defense. How can we better incentivize organizations, especially smaller businesses, to adopt fundamental security measures like timely patching and network segmentation to prevent future widespread exploitation?

    • Thanks for highlighting proactive defense! Incentivizing smaller businesses is key. Beyond compliance mandates, could industry-specific cyber insurance discounts or government-backed cybersecurity training vouchers make a difference? What innovative approaches could resonate with resource-constrained organizations?

      Editor: StorageTech.News

  4. Given the focus on international stability, what mechanisms, beyond formalized treaties, could effectively foster trust and cooperation among nations with differing cybersecurity priorities and capabilities? How can smaller nations be included?

    • That’s a vital question! Beyond treaties, regular cybersecurity exercises involving diverse nations could build practical cooperation and mutual understanding. Perhaps a UN-led cyber stability fund could also assist smaller nations in developing robust cybersecurity infrastructure and participating in global initiatives. What do you think?

      Editor: StorageTech.News

  5. Given the report’s focus on the economic impact of cyber weapons, what role could economic sanctions play in deterring nation-states from developing or using such weapons irresponsibly, especially considering the challenges of attribution? How effective are sanctions likely to be?
