A report in Cyberscoop said the counter-intelligence investigation had made contact with a number of ex-NSA employees to try to find out how these tools came into the possession of the Shadow Brokers.
While ex-NSA officials are under suspicion, there is also a theory that someone who is currently employed by the NSA is connected to the group.
The probe is led by a joint team from the FBI, the US National Counter-Intelligence and Security Centre, and the NSA's internal policing group Q Group.
One exploit, known as ETERNALBLUE, was used to craft the ransomware known as WannaCry, which hit a number of countries in May.
A second, ETERNALROMANCE, was used to craft ransomware that was given various names, namely Petya (a name already given to ransomware that existed earlier), NotPetya, ExPetr, Nyetya and GoldenEye, and that attacked Windows machines in Europe in June and spread to other countries.
The Shadow Brokers have taken to periodically issuing messages in broken English, advertising new exploits for payment. Two researchers, who tried to raise money to buy the exploits, called off their effort after being advised that they could fall foul of the law.
The Cyberscoop report was unclear on whether the Shadow Brokers' source was an employee of the NSA or a contractor. One contractor, Harold Martin, is in jail at the moment after having been caught with a massive trove of data which he had removed from the NSA premises.
Last week, the Shadow Brokers again advertised a subscription service through which they claimed they would share more NSA tools with anyone who was willing to pay a fee that was in the thousands of dollars.