Posts

The Russian Metadata in the Shadow Brokers Dump

/29 Comments/in , /by

When I first noted, back in April, that there was metadata in one of the Shadow Brokers dumps, I suggested two possible motives for the doxing of several NSA hackers. First (assuming Russia had a role in the operation), to retaliate against US indictments of Russian hackers, including several believed to be tied to the DNC hack.

A number of the few people who’ve noted this doxing publicly have suggested that it clearly supports the notion that a nation-state — most likely Russia — is behind the Shadow Brokers leak. As such, the release of previously unannounced documents to carry out this doxing would be seen as retaliation for the US’ naming of Russia’s hackers, both in December’s election hacking related sanctions and more recently in the Yahoo indictment, to say nothing of America’s renewed effort to arrest Russian hackers worldwide while they vacation outside of Russia.

But leaving the metadata in the documents might also make the investigation more difficult.

[F]our days before Shadow Brokers started doxing NSA hackers, Shadow Brokers made threats against those who’ve commented on the released Shadow Brokers files specifically within the context of counterintelligence investigations, even while bragging about having gone unexposed thus far even while remaining in the United States.

Whatever else this doxing may do, it will also make the investigation into how internal NSA files have come to be plastered all over the Internet more difficult, because Shadow Brokers is now threatening to expose members of TAO.

With that in mind, I want to look at a Brian Krebs piece that makes several uncharacteristic errors to get around to suggesting a Russian-American might have been the guy who leaked the files in question.

He sets out to read the metadata I noted (but did not analyze in detail, because why make the dox worse?) in April to identify who the engineer was that had NSA files discovered because he was running Kaspersky on his home machine.

In August 2016, a mysterious entity calling itself “The Shadow Brokers” began releasing the first of several troves of classified documents and hacking tools purportedly stolen from “The Equation Group,” a highly advanced threat actor that is suspected of having ties to the U.S. National Security Agency. According to media reports, at least some of the information was stolen from the computer of an unidentified software developer and NSA contractor who was arrested in 2015 after taking the hacking tools home. In this post, we’ll examine clues left behind in the leaked Equation Group documents that may point to the identity of the mysterious software developer.

He links to the WSJ and cites, but doesn’t link, this NYT story on the Kaspersky related breach.

Although Kaspersky was the first to report on the existence of the Equation Group, it also has been implicated in the group’s compromise. Earlier this year, both The New York Times and The Wall Street Journal cited unnamed U.S. intelligence officials saying Russian hackers were able to obtain the advanced Equation Group hacking tools after identifying the files through a contractor’s use of Kaspersky Antivirus on his personal computer. For its part, Kaspersky has denied any involvement in the theft.

Then he turns to NYT’s magnum opus on Shadow Brokers to substantiate the claim the government has investigations into three NSA personnel, two of whom were related to TAO.

The Times reports that the NSA has active investigations into at least three former employees or contractors, including two who had worked for a specialized hacking division of NSA known as Tailored Access Operations, or TAO.

[snip]

The third person under investigation, The Times writes, is “a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer.”

He then turns to the Shadow Brokers’ released metadata to — he claims — identify the two “unnamed” NSA employees and the contractor referenced in The Times’ reporter.”

So who are those two unnamed NSA employees and the contractor referenced in The Times’ reporting?

From there, he points to a guy that few reports that analyzed the people identified in the metadata had discussed, A Russian! Krebs decides that because this guy is Russian he’s likely to run Kaspersky and so he must be the guy who lost these files.

The two NSA employees are something of a known commodity, but the third individual — Mr. Sidelnikov — is more mysterious. Sidelnikov did not respond to repeated requests for comment. Independent Software also did not return calls and emails seeking comment.

Sidelnikov’s LinkedIn page (PDF) says he began working for Independent Software in 2015, and that he speaks both English and Russian. In 1982, Sidelnikov earned his masters in information security from Kishinev University, a school located in Moldova — an Eastern European country that at the time was part of the Soviet Union.

Sildelnikov says he also earned a Bachelor of Science degree in “mathematical cybernetics” from the same university in 1981. Under “interests,” Mr. Sidelnikov lists on his LinkedIn profile Independent Software, Microsoft, and The National Security Agency.

Both The Times and The Journal have reported that the contractor suspected of leaking the classified documents was running Kaspersky Antivirus on his computer. It stands to reason that as a Russian native, Mr. Sildelnikov might be predisposed to using a Russian antivirus product.

Krebs further suggests Sidelnikov must be the culprit for losing his files in the Kaspersky incident because the guy who first pointed him to this metadata, a pentester named Mike Poor, said a database expert like Sidelnikov shouldn’t have access to operational files.

“He’s the only one in there that is not Agency/TAO, and I think that poses important questions,” Poor said. “Such as why did a DB programmer for a software company have access to operational classified documents? If he is or isn’t a source or a tie to Shadow Brokers, it at least begets the question of why he accessed classified operational documents.”

There are numerous problems with Krebs’ analysis — which I pointed out this morning but which he blew off with a really snotty tweet.

First, the NYT story he cites but doesn’t link to notes specifically that the Kaspersky related breach is unrelated to the Shadow Brokers leak, something that I also  pointed out was logically obvious given how long the NSA claimed Hal Martin was behind the Shadow Brokers leak after the government was known to be investigating the Kaspersky related guy.

It does not appear to be related to a devastating leak of N.S.A. hacking tools last year to a group, still unidentified, calling itself the Shadow Brokers, which has placed many of them online.

Krebs also misreads the magnum opus NYT story. The very paragraph he quotes from reads like this:

The agency has active investigations into at least three former N.S.A. employees or contractors. Two had worked for T.A.O.: a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer; and Harold T. Martin III, a contractor arrested last year when F.B.I. agents found his home, garden shed and car stuffed with sensitive agency documents and storage devices he had taken over many years when a work-at-home habit got out of control, his lawyers say. The third is Reality Winner, a young N.S.A. linguist arrested in June, who is charged with leaking to the news site The Intercept a single classified report on a Russian breach of an American election systems vendor.

That is, there aren’t “two unnamed NSA employees and [a] contractor referenced in The Times’ reporting.” The paragraph he refers to names two of the targets: Hal Martin (the other TAO employee) and Reality Winner. Which leaves just the Kaspersky related guy.

Krebs seemed unaware of the WaPo versions of the story, which include this one where Ellen Nakashima (who was the first to identify this guy last year) described the engineer as a Vietnamese born US citizen. Not a Russian-American, a Vietnamese-American.

Mystery solved Scoob! All without even looking at the Shadow Brokers’ metadata. There’s one more part of the Krebs story which is weird — that he takes the same non-response he got from the known NSA guys doxed by Shadow Brokers from Sidelnikov as somehow indicative of anything, even while if he had been “arrested” as Krebs’ headline mistakenly suggests, then you’d think his phone might not be working at all.

There’s more I won’t say publicly about Krebs’ project, what he really seems to be up to.

But the reason I went through the trouble of pointing out the errors is precisely because Krebs went so far out of his way to find a Russian to blame for … something.

We’ve been seeing Russian metadata in documents for 17 months. Every time such Russian metadata is found, everyone says, Aha! Russians! That, in spite of the fact that the Iron Felix metadata was obviously placed there intentionally, and further analysis showed that some of the other Russian metadata was put there intentionally, too.

At some point, we might begin to wonder why we’re finding so much metadata screaming “Russia”?

Update: After the Vietnamese-American’s guilty plea got announced, Krebs unpublished his doxing post.

A note to readers: This author published a story earlier in the week that examined information in the metadata of Microsoft Office documents stolen from the NSA by The Shadow Brokers and leaked online. That story identified several individuals whose names were in the metadata from those documents. After the guilty plea entered this week and described above, KrebsOnSecurity has unpublished that earlier story.

The Implicit Threat in Julian Assange’s Ambassador Tweet

/37 Comments/in , , /by

The other day, I suggested the Twitter Direct Messages between Wikileaks and Don Jr were underwhelming, in that some of the more damning things we might have expected did not show up in those DMs. Since then, several things have become clear. First, there were some time zone inaccuracies behind the timestamps on one of the most inflammatory claims (that Trump immediately tweeted in response to an October 12 DM from Assange; it probably was 75 minutes). And the password Wikileaks shared with Don Jr had been made available to journalists and may have been passed on by Chuck Johnson, who was currying favor with Assange at the time; that minimizes the possibility that such sharing could be deemed a CFAA or other kind of technical violation though puts Johnson more centrally in this picture.

I didn’t say explicitly enough in that post and I should have, though, that I was speaking about Don Jr, not about Wikileaks.

Wikileaks’ contributions do show the organization (and Assange in particular, in those DMs we know involved him) to be self-interested and rabidly anti-Clinton If you haven’t known the latter fact to be true since Hillary did some pretty crazy things in 2010, then you’re new to this rodeo. That said, the tweets did elicit some righteous betrayal from Barrett Brown, which I totally respect given the price he has paid for the claimed idealism of Wikileaks (see also this story).

It’s worth remembering, as Emma Best notes, because they’ve been under unrelenting surveillance since 2010, “WikiLeaks *knew* the DMs were being monitored in real time. It was inevitable that this would leak. Simply calling this dumb misses the point and ignores the tradecraft at play.” Assange, from the refusal of inside information to the demand for an Ambassadorship, was staging a show, and we should remember that.

That said, I’m far more interested in Assange’s subsequent response to the disclosure of the emails, specifically this tweet. In the full DMs released by Don Jr (I think Wikileaks can fairly claim Atlantic took out some context — Atlantic came close to and I think should have just replicated the content of all the DMs, though Brown disagrees), this was the comment Assange made on December 16 asking to be Ambassador.

Hi Don. Hope you’re doing well! In relation to Mr. Assange: Obama/Clinton placed pressure on Sweden, UK and Australia (his home country) to illicitly go after Mr. Assange. It would be real easy and helpful for your dad to suggest that Australia appoint Assange ambassador to DC “That’s a really smart tough guy and the most famous australian you have! ” or something similar. They won’t do it, but it will send the right signals to Australia, UK + Sweden to start following the law and stop bending it to ingratiate themselves with the Clintons. 12/16/16 12:38PM

On Tuesday, Assange posted an ostensible follow-up to that one, renewing his offer to serve as Ambassador.

Note, Assange had originally misspelled Don Jr’s twitter handle, so deleted and reposted it.

This has been taking as trolling, with Assange’s notion that he’d open a hotel in DC, as the Trumps have, with “luxury immunity suites” for whistleblowers.

But even that’s not trolling. It’s a public renewal, more explicit this time, of Assange’s request for a pardon from Trump Sr, though here he drops the “offer” of the claims laundered through Dana Rohrabacher that the emails Assange published to help Trump get elected came from an insider and not Russia. Assange wants the fuck out of his embassy closet, and he’s willing to say that explicitly, now, in a public tweet (as Best noted, making this request visible for all).

Remember, Rohrabacher was always clear that someone (or someones, but Chuck Johnson is clearly one of those people) had made clear that Trump wanted this information. Was Don Jr in on that loop?

It’s the rest of the tweet that got less attention. First, Assange’s promise of “a turbo-charged flow of intel about the latest CIA plots to undermine democracy,” a remarkable reference coming as it does in the wake of Mike Pompeo’s consideration of an alternative narrative for how Wikileaks got emails (as I noted, scheduled even as John Kelly thwarted Rohrabacher’s attempts to meet with Trump directly), not to mention Trump’s screed at John Brennan and others over the weekend.

Assange is agreeing with Trump, even if no one else is, even as the two of them both seek to push an alternative narrative that doesn’t have the Russians orchestrating Assange’s actions for Trump’s benefit, that the CIA is undermining Trump’s presidency.

It’s the hashtag, though, that most observers missed: Vault 8.

Vault 8 is the name Wikileaks has given for its release — started just Friday — of actual source code for CIA’s hacking tools, after long releasing “just” the development notes and manuals for the same tools. I noted then both the way Wikileaks was picking up Shadow Brokers’ narrative about Kaspersky, but also the multiple references to Wikileaks having the same set of NSA files as Shadow Brokers had.

I noted last December that with the December 14 Shadow Brokers release of new NSA tools (just days before Assange joked about being ambassador), the persona seemed to be engaging in extortion: “Nice little NSA here, it’d be shame if anything would happen to it.” Since that time, Shadow Brokers made good on the threat, leading to global cyberattacks. What Assange seems to be doing is similar: no longer a quid pro quo for safety in DC, but now a threat, using CIA, and tools released in CIA’s name, as hostage.

Assange is not offering to release secrets about CIA, but instead weapons leaked or stolen from them. Sure, to the extent the Vault 7 releases haven’t already, that’ll allow others to attribute CIA attacks. But it’ll also devastate the agency and badly undermine US power.

That appears to be where Assange’s request for immunity has gotten.

Why Is WikiLeaks Reading from ShadowBrokers’ Kaspersky Script?

/6 Comments/in /by

A few weeks ago, when ShadowBrokers was telling the world they should pay attention to my journalism, I was noting that TSB’s complaints about the Intelligence Community claim it obtained NSA files from Kaspersky were bogus. TSB himself had made such insinuations early in the year.

TSB tries to claim that the Kaspersky stories are a US government attempt to explain how TSB got the files he is dumping. But as I have pointed out — even the NYT story on this did — it doesn’t make sense. That’s true, in part because if the government had identified the files the TAO hacker exposed to Kaspersky in spring 2016 as Shadowbrokers’, they wouldn’t have gone on to suggest the files came from Hal Martin when they arrested him. Mind you, Martin’s case has had a series of continuations, which suggests he may be cooperating, so maybe he confessed to be running Kaspersky on his home machine too? But even there, they’d have known that long before now.

Plus, TSB was the first person to suggest he got his files from Kaspersky. TSB invoked Kaspersky in his first post.

We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic.

And TSB more directly called out Kaspersky in the 8th message, on January 8, just as the US government was unrolling its reports on the DNC hack.

Before go, TheShadowBrokers dropped Equation Group Windows Warez onto system with Kaspersky security product. 58 files popped Kaspersky alert for equationdrug.generic and equationdrug.k TheShadowBrokers is giving you popped files and including corresponding LP files.

The latter is a point fsyourmoms made in a post and an Anon made on Twitter; I had made it in an unfinished post I accidentally briefly posted on September 15.

Today, as part of its roll-out of a plan to release, in TSB fashion, the source code behind CIA’s hacking tools, WikiLeaks is similarly focusing on Kaspersky. WikiLeaks released the code for Hive, which it describes as,

a back-end infrastructure malware with a public-facing HTTPS interface which is used by CIA implants to transfer exfiltrated information from target machines to the CIA and to receive commands from its operators to execute specific tasks on the targets.

In its second tweet advertising the new dump, it focused not on the functionality of the code, but on CIA’s use of certificates appearing to be Kaspersky AV to exfiltrate its data.

As WikiLeaks explains:

Digital certificates for the authentication of implants are generated by the CIA impersonating existing entities. The three examples included in the source code build a fake certificate for the anti-virus company Kaspersky Laboratory, Moscow pretending to be signed by Thawte Premium Server CA, Cape Town. In this way, if the target organization looks at the network traffic coming out of its network, it is likely to misattribute the CIA exfiltration of data to uninvolved entities whose identities have been impersonated.

The Kaspersky bit is nowhere near the most interesting thing about the release, but it nevertheless is a focus where it hadn’t been when WikiLeaks first introduced Hive.

It seems, then, that WikiLeaks is picking up where TSB’s most recent post left off — not just in dumping US intelligence community toys for others’ use, but to do so while using Kaspersky to confuse issues.

I find the move all the more interesting given the two references TSB made to WikiLeaks’ own dumps, as I laid out in March (at a time when it seemed TSB was done leaking).

Several days after Shadow Brokers first announced an auction of a bunch of NSA tools last August, Wikileaks announced it had its own “pristine” copy of the files, which it would soon release.

Wikileaks never did release that archive.

On January 7-8, Shadow Brokers got testy with Wikileaks, suggesting that Wikileaks had grown power hungry.

Shadow Brokers threw in several hashtags, two of which could be throw-offs or cultural references to a range of things (though as always with pop culture references, help me out if I’m missing something obvious). The third — “no more secrets” — in context invokes Sneakers, a movie full of devious US intelligence agencies, double dealing Russians, and the dilemma of what you do when you’ve got the power that comes from the ability to hack anything.

Moments later, Shadow Brokers called out Wikileaks, invoking (in the language of this season’s South Park) Wikileaks’ promise to release the file.

Of course, within a week, Shadow Brokers had reneged on a promise of sorts. Less than an hour before calling out Wikileaks for growing power hungry, Shadow Brokers suggested it would sell a range of Windows exploits. Four days later, it instead released a limited (and dated) subset of Windows files — ones curiously implicating Kaspersky Labs. All the “bullshit political talk,” SB wrote in a final message, was just marketing.

Despite theories, it always being about bitcoins for TheShadowBrokers. Free dumps and bullshit political talk was being for marketing attention.

And with that, the entity called Shadow Brokers checked out, still claiming to be in possession of a range of (dated) NSA hacking exploits.

We seem to have come full circle since that moment, with WikiLeaks picking where TSB left off in his last post. Which raises real questions about what this conversation has been about for the last year.

Update: William Ockham notes that Trust No One is a reference to the X Files generally as well as one episode focusing on electronic surveillance.

ShadowBrokers’ Kiss of Death

/19 Comments/in /by

In the ShadowBrokers’ latest post, I got a kiss of death. At the end of a long rambling post, TSB called me out — misspelled “EmptyWheel” with initial caps — as “true journalist and journalism is looking like.”

TSB special shouts outs to Marcy “EmptyWheel” Wheeler, is being what true journalist and journalism is looking like thepeoples!

TheShadowBrokers, brokers of shadows.

Forgive me for being an ingrate, but I’m trying to engage seriously on Section 702 reform. Surveillance boosters are already fighting this fight primarily by waging ad hominem attacks. Having TSB call me out really makes it easy for surveillance boosters to suggest I’m not operating in the good faith I’ve spent 10 years doing.

Way to help The Deep State, TSB.

Worse still, TSB lays out a load of shit. A central focus of the post (and perhaps the reason for my Kiss of Death) is the latest fear-mongering about Russian AV firm, Kaspersky.

Are ThePeoples enjoying seven minutes of hate at Russian hackers and Russian security company? Is after October 1st, new moneys is being in US government budgets for making information warfares payments. Is many stories of NSA + lost data. Is all beings true? Is NSA chasing shadowses? Is theequationgroup still not knowing hows thems getting fucked? Is US government trying out storieses to be seeing responses? TheShadowBrokers be telling ThePeoples year ago how theshadowbrokers is getting data. ThePeoples is no believing. ThePeoples is got jokes. ThePeoples is making shits up. So TheShadowBrokers then saying fucks it, theshadowbrokers can be doings that too.

TheShadowBrokers is thinkings The Peoples is missings most important part of storieses. Corporate media company (WSJ) publishes story with negative financial impacts to foreign company (Kaspersky Labs) FROM ANONYMOUS SOURCE WITH NO PHYSICAL EVIDENCE. WTF? Can they being doing that? Libel law suits? But is ok, Kaspersky is Russian security peoples. Russian security peoples is being really really, almost likes, nearly sames as Russian hackers. Is like werewolves. Russian security peoples is becoming Russian hackeres at nights, but only full moons. AND AMERICA HATES RUSSIAN HACKERS THEY HACKED OUR ELECTION CIA, GOOGLE, AND FACEBOOK SAID. If happening to one foreign company can be happening to any foreign company? If happening to foreign company can be happen to domestic? Microsoft Windows 10 “free” = “free” telemetry in Microsoft cloud.

TSB tries to claim that the Kaspersky stories are a US government attempt to explain how TSB got the files he is dumping. But as I have pointed out — even the NYT story on this did — it doesn’t make sense. That’s true, in part because if the government had identified the files the TAO hacker exposed to Kaspersky in spring 2016 as Shadowbrokers’, they wouldn’t have gone on to suggest the files came from Hal Martin when they arrested him. Mind you, Martin’s case has had a series of continuations, which suggests he may be cooperating, so maybe he confessed to be running Kaspersky on his home machine too? But even there, they’d have known that long before now.

Plus, TSB was the first person to suggest he got his files from Kaspersky. TSB invoked Kaspersky in his first post.

We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic.

And TSB more directly called out Kaspersky in the 8th message, on January 8, just as the US government was unrolling its reports on the DNC hack.

Before go, TheShadowBrokers dropped Equation Group Windows Warez onto system with Kaspersky security product. 58 files popped Kaspersky alert for equationdrug.generic and equationdrug.k TheShadowBrokers is giving you popped files and including corresponding LP files.

The latter is a point fsyourmoms made in a post and an Anon made on Twitter; I had made it in an unfinished post I accidentally briefly posted on September 15.

But I don’t think the Kaspersky call-out in January is as simple as people make it out to be.

First, as Dan Goodin and Jake Williams noted collectively at the time, the numbers were off, particularly with regards to whether all of them were detected by Kaspersky products.

The post included 61 Windows-formatted binary files, including executables, dynamic link libraries, and device drivers. While, according to this analysis, 43 of them were detected by antivirus products from Kaspersky Lab, which in 2015 published a detailed technical expose into the NSA-tied Equation Grouponly one of them had previously been uploaded to the Virus Total malware scanning service. And even then, Virus Total showed that the sample was detected by only 32 of 58 AV products even though it had been uploaded to the service in 2009. After being loaded into Virus Total on Thursday, a second file included in the farewell post was detected by only 12 of the 58 products.

Most weren’t uploaded to Virus Total, but that’s interesting for another reason. The dig against Kaspersky back in 2015 — based off leaked emails that might have come from hacking it — is that in 2009 they were posting legit files onto Virus Total to catch other companies lifting its work.

At that level, then, the reference to Kaspersky could be another reference to insider knowledge, as TSB made elsewhere.

But there are several other details of note regarding that January post.

First, it was a huge headfake. It came four days after TSB had promised to post the guts of the Equation Group warez — Danderspritz and the other powerful tools that would eventually get released in April in the Lost in Translation post, which would in turn lead to WannaCry. Having promised some of NSA’s best and reasonably current tools (which may have led NSA to give Microsoft the heads up to patch), TSB instead posted some older ones that mostly embarrassed Kaspersky.

And that was supposed to be the end of things. TSB promised to go away forever.

So long, farewell peoples. TheShadowBrokers is going dark, making exit. Continuing is being much risk and bullshit, not many bitcoins.

As such, the events of that week were almost like laying an implicit threat as the US intelligence community’s Russian reports came out and the Trump administration began, but backing off that threat.

But I’m not sure why anyone would have an incentive to out Kaspersky like this. Why would TSB want to reveal the real details how he obtained these files?

Two other things may be going on.

First, the original TSB post was accompanied by the characters shi pei.

I haven’t figured out what that was supposed to mean. It might mean something like “screw up,” or it might be reference using the wrong characters to Madame Butterfly (is this even called a homophone in Mandarin, where intonations mean all?), Shi Pei Pu, the drag Chinese opera singer who spied on France for 20 years. [Update: Google Translate says it is “loser”.] I welcome better explanations for what the characters might mean in this context. But if it means either of those things, they might be a reference to the December arrest, on treason charges, of Kaspersky researcher Ruslan Stoyanov, who along with cooperating with US authorities against some Russian spammers, may have also received payment from foreign companies. That is, either one might have been a warning to Kaspersky as much as an expose of TSB’s sources.

[Update on shi pei, from LG’s comment: “It’s a polite formula meaning: “excuse me (I must be going)” or simply “goodbye”, which would make sense given that the post indicated that they intended to retire.”]

All of which is to say, I have no idea what this January post was really intended to accomplish (I have some theories I won’t make public), but it seems far more complex than an early admission that Russia was stealing NSA files by exploiting Kaspersky AV. And if it was meant to expose TSB’s own source, it was likely misdirection.

For what it’s worth, with respect to my Kiss of Death, my post on the possibility TSB shares “the second source” with Jake Appelbaum got at least as much interesting attention as my briefly posted post on the earlier TSB Kaspersky post.

In any case, I think the far more interesting call out than mine in TSB’s post is that he gives Matt Suiche. Ostensibly, TSB apologizes for missing his Black Hat talk.

TheShadowBrokers is sorry TheShadowBrokers is missing you at theblackhats or maybe not? TSB is not seeing hot reporter lady giving @msuiche talk, was that not being clear required condition? TheShadowBrokers is being sures you understanding, law enforcements, not being friendly fans of TSB. Maybe someday. Dude? “…@shadowbrokerss does not do thanksgiving. TSB is the real Infosec Santa Claus…” really? “Trick or Treet”, cosplay and scarring shits out of thepeoples? TheShadowBrokers favorite holiday, not holiday, but should be being, Halloween!

Of course, TSB could have done that in last month’s post. Instead, this reference is a response to this thread on whether he might dump something on Thanksgiving to be particularly disruptive. In which case, it seems to be a tacit threat: that he will dump on Halloween, just a few weeks away.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Shadow Brokers and the “Second Source”

/3 Comments/in , , , /by

When I emphasized Der Spiegel’s reporting on TAO in this post on the tool for which Shadow Brokers recently released a manual, UNITEDRAKE, I was thinking along the same lines Electrospaces was here. Electrospaces lays out a universe of documents and reporting that doesn’t derive from Edward Snowden leaked documents, notes some similarity in content (a focus on NSA’s Tailored Access Operations), and the inclusion of documents from NSA’s San Antonio location. From that, Electrospaces posits that Shadow Brokers could be “identical with the Second Source.”

With the documents published by the Shadow Brokers apparently being stolen by an insider at NSA, the obvious question is: could the Shadow Brokers be identical with the Second Source?

One interesting fact is that the last revelation that could be attributed to the second source occured on February 23, 2016, and that in August of that year the Shadow Brokers started with their release of hacking files. This could mean that the second source decided to publish his documents in the more distinct and noticeable way under the guise of the Shadow Brokers.

But there’s probably also a much more direct connection: the batch of documents published along with Der Spiegel’s main piece from December 29, 2013 include a presentation about the TAO unit at NSA’s Cryptologic Center in San Antonio, Texas, known as NSA/CSS Texas (NSAT):


TAO Texas presentation, published by Der Spiegel in December 2013
(click for the full presentation)And surprisingly, the series of three slides that were released by the Shadow Brokers on April 14 were also from NSA/CSS Texas. They show three seals: in the upper left corner those of NSA and CSS and in the upper right corner that of the Texas Cryptologic Center:

TAO Texas slide, published by the Shadow Brokers in April 2017
(click for the full presentation)NSA/CSS TexasIt’s quite remarkable that among the hundreds of NSA documents that have been published so far, there are only these two sets from NSA/CSS Texas, which is responsible for operations in Latin America, the Caribbean, and along the Atlantic littoral of Africa in support of the US Southern and Central Commands.Besides the one in San Antonio, Texas, NSA has three other regional Cryptologic Centers in the US: in Augusta, Georgia, in Honolulu, Hawaii and in Denver, Colorado. These four locations were established in 1995 as Regional Security Operations Centers (RSOC) in order to disperse operational facilities from the Washington DC area, providing redundancy in the event of an emergency.So far, no documents from any of these regional centers have been published, except for the two from NSA/CSS Texas. This could be a strong indication that they came from the same source – and it seems plausible to assume that that source is someone who actually worked at that NSA location in San Antonio.

Frankly, I’m skeptical of the underlying reports that Shadow Brokers must be a disgruntled NSA employee or contractor, which derives in part from the conclusion that many of the files released include documents that had to be internal to NSA, and in part from this report that says that’s the profile of the suspect the government is looking for.

The U.S. government’s counterintelligence investigation into the so-called Shadow Brokers group is currently focused on identifying a disgruntled, former U.S. intelligence community insider, multiple people familiar with the matter told CyberScoop.

Sources tell CyberScoop that former NSA employees have been contacted by investigators in the probe to discover how a bevy of elite computer hacking tools fell into the Shadow Brokers’ possession.

Those sources asked for anonymity due to sensitivity of the investigation.

While investigators believe that a former insider is involved, the expansive probe also spans other possibilities, including the threat of a current intelligence community employee being connected to the mysterious group.

The investigatory effort is being led by a combination of professionals from the FBI, National Counterintelligence and Security Center (NCSC), and NSA’s internal policing group known as Q Group.

It’s not clear if the former insider was once a contractor or in-house employee of the secretive agency. Two people familiar with the matter said the investigation “goes beyond” Harold Martin, the former Booz Allen Hamilton contractor who is currently facing charges for taking troves of classified material outside a secure environment.

The report clearly suggests (and I confirmed with its author, Chris Bing) that the government is still testing out theories, and that the current profile (or the one they were chasing in July) happens to be an insider of some sort, but that they didn’t have a specific insider in mind as the suspect.

There are a number of  reasons I’m skeptical. First, part of that theory is based on Shadow Brokers making comments about Jake Williams that reflects some inside knowledge about an incident that happened while he was at NSA (Shadow Brokers has deleted most of his tweets, but they’re available in this superb timeline).

trying so hard so  helping out…you having big mouth for former  member what was name of.

leak OddJob? Windows BITS persistence? CCI? Maybe not understand gravity of situation USG investigating members talked to Q group yet

theshadowbrokers ISNOT in habit of outing  members but had make exception for big mouth, keep talking shit  your next

Even there, Shadow Brokers was falsely suggesting that Matt Suiche, who’s not even an American citizen, might be NSA. But things got worse in June, when Shadow Brokers thought he had doxed @drwolfff as a former NSA employee, only to have @drwolfff out himself as someone else entirely (see this post, where Shadow Brokers tried to pretend he hadn’t made a mistake). So Shadow Brokers has been wrong about who is and was NSA more often than he has been right.

Another reason I doubt he’s a direct insider is because when he posted the filenames for Message 6, he listed a good many of the files as “unknown.” (Message 6 on Steemit, archived version)

That suggests that even if Shadow Brokers had some insider role, he wasn’t using these particular files directly (or didn’t want to advertise them as what they were).

And because I’m not convinced that Shadow Brokers is, personally, an insider, I’m not convinced that he necessarily is (as Electrospaces argues) “identical with the Second Source.”

Rather, I think it possible that Jacob Appelbaum and Shadow Brokers have a mutually shared source. That’s all the more intriguing given that Wikileaks once claimed that they had a copy of at least the first set of Shadow Brokers files, which Shadow Brokers recalled in January, and that Julian Assange released an insurance file days after Guccifer 2.0 first started posting hacked Democratic documents (see this post on the insurance file and this one on Shadow Brokers calling out WikiLeaks for hoarding that document).

Maybe they’re all bullshitting. But given Electrospaces’ observation that some of the files (covering intercepts of US allies, often pertaining to trade deals) for which there is no known source went straight to WikiLeaks, I think a shared source is possible.

All that said, there’s one more detail I’d add to Electrospaces’ piece. As noted, he finds the inclusion, in both the Shadow Brokers and the Appelbaum files, of documents from NSA’s San Antonio location to be intriguing. So do I.

Which is why it’s worth noting that that location is among the three where — as late as the first half of 2016 — a DOD Inspector General audit found servers and other sensitive equipment unlocked.

An unlocked server would in no way explain all of the files included even in a narrowly scoped collection of “Second Source” files. But it would indicate that the San Antonio facility was among those that wasn’t adequately secured years after the Snowden leaks.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Companies Victimized by Repurposed NSA Tools Don’t Share Those Details with Government

/6 Comments/in /by

Reporting on an appearance by acting DHS undersecretary for the National Protection and Programs Directorate Christopher Krebs, CyberScoop explains that the government only heard from six victims of the WannaCry and NotPetya ransomware outbreaks (two known major victims are Maersk shipping, which had to shut down multiple terminals in the US, and the US law firm DLA Piper).

Christopher Krebs, acting undersecretary for the National Protection and Programs Directorate, told an audience of cybersecurity professionals Wednesday that the biggest issue with both incidents came from an absence of reports from businesses who were affected. While experts say that WannaCry and NotPetya disrupted business operations at American companies, it’s not clear how many enterprises were damaged or to what degree.

The government wanted to collect more information from affected companies in order to better assess the initial infection vector, track the spread of the virus and develop ways to deter similar future attacks.

Collecting data from victim organizations was important, a senior U.S. official who spoke on condition of anonymity told CyberScoop, because the information could have been used to inform policymakers about the perpetrator of the attack and potential responses

The rest of the story explains that private companies are generally reluctant to share details of being a ransomware victim (particularly if a company pays the ransom, there are even legal reasons for that).

But it doesn’t consider another factor. If a cop left his gun lying around and some nutjob stole the gun and killed a kid with it, how likely is that family going to trust the cop in question, who indirectly enabled the murder?

The same problem exists here. Having proven unable to protect its own powerful tools (this is more a factor in WannaCry than NotPetya, though it took some time before people understood that the latter didn’t rely primarily on the NSA’s exploit), the government as a whole may be deemed less trustworthy on efforts to respond to the attack.

Whether that was the intent or just a handy side benefit for the perpetrators of WannaCry (and of Shadow Brokers, who released the exploit) remains unclear. But the effect is clear: attacking people with NSA tools may undermine the credibility of the government, and in the process, its ability to respond to attacks.

UNITEDRAKE and Hacking under FISA Orders

/5 Comments/in , , , /by

As I noted yesterday, along with the encrypted files you have to pay for, on September 6, Shadow Brokers released the manual for an NSA tool called UNITEDRAKE.

As Bruce Schneier points out, the tool has shown up in released documents on multiple occasions — in the catalog of TAO tools leaked by a second source (not Snowden) and released by Jacob Appelbaum, and in three other Snowden documents (one, two, three) talking about how the US hacks other computers, all of which first appeared in Der Spiegel’s reporting (one, two, three). [Update: See ElectroSpaces comments about this Spiegel reporting and its source.]

The copy, as released, is a mess — it appears to have been altered by an open source graphics program and then re-saved as a PDF. Along with classification marks, the margins and the address for the company behind it appears to have been altered.

The NSA is surely doing a comparison with the real manual (presumably as it existed at the time it may have been stolen) in an effort to understand how and why it got manipulated.

I suspect Shadow Brokers released it as a message to those pursuing him as much as to entice more Warez sales, for the observations I lay out below.

The tool permits NSA hackers to track and control implants, doing things like prioritizing collection, controlling when an implant calls back and how much data is collected at a given time, and destroying an implant and the associated UNITEDRAKE code (PDF 47 and following includes descriptions of these functions).

It includes doing things like impersonating the user of an implanted computer.

Depending on how dated this manual is, it may demonstrate that Shadow Brokers knows what ports the NSA will generally use to hack a target, and what code might be associated with an implant.

It also makes clear, at a time when the US is targeting Russia’s use of botnets, that the NSA carries out its own sophisticated bot-facilitated collection.

Finally of particular interest to me, the manual shows that UNITEDRAKE can be used to hack targets of FISA orders.

To use it to target people under a FISA order, the NSA hacker would have to enter both the FISA order number and the date the FISA order expires. After that point, UNITEDRAKE will simply stop collecting off that implant.

Note, I believe that — at least in this deployment — these FISA orders would be strictly for use overseas. One of the previous references to UNITEDRAKE describes doing a USSID-18 check on location.

SEPI analysts validate the target’s identity and location (USSID-18 check), then provide a deployment list to Olympus operators to load a more sophisticated Trojan implant (currently OLYMPUS, future UNITEDRAKE).

That suggests this would be exclusively EO 12333 collection — or collection under FISA 704/705(b) orders.

But the way in which UNITEDRAKE is used with FISA is problematic. Note that it doesn’t include a start date. So the NSA could collect data from before the period when the court permitted the government to spy on them. If an American were targeted only under Title I (permitting collection of data in motion, therefore prospective data), they’d automatically qualify for 705(b) targeting with Attorney General approval if they traveled overseas. Using UNITEDRAKE on — say, the laptop they brought with them — would allow the NSA to exfiltrate historic data, effectively collecting on a person from a time when they weren’t targeted under FISA. I believe this kind of temporal problem explains a lot of the recent problems NSA has had complying with 704/705(b) collection.

In any case, Shadow Brokers may or may not have UNITEDRAKE among the files he is selling. But what he has done by publishing this manual is tell the world a lot of details about how NSA uses implants to collect intelligence.

And very significantly for anyone who might be targeted by NSA hacking tools under FISA (including, presumably, him), he has also made it clear that with the click of a button, the NSA can pretend to be the person operating the computer. This should create real problems for using data hacked by NSA in criminal prosecutions.

Except, of course, especially given the provenance problems with this document, no defendant will ever be able to use it to challenge such hacking.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Shadow Brokers’ Persistence: Where TSB Has Signed, Message, Hosted, and Collected

/4 Comments/in /by

Back in April, Shadow Brokers boasted about his operational security.

TheShadowBrokers is practicing obfuscation as part of operational security (OPSEC). Is being a spy thing. Is being the difference between a contractor tech support guy posing as a infosec expert but living in exile in Russia (yes @snowden) and subject matter experts in Cyber Intelligence like theshadowbrokers. TheShadowBrokers has being operating in country for many months now and USG is still not having fucking clue. Guessing so called global surveillance is not being as good as @snowden is claiming?

I started thinking about this boast again after TSB deleted all his Twitter feed in June (which served to hide the truly moronic failed doxing of @DRWolfff, which he then followed with an even more moronic post claiming he hadn’t failed). Good to know being an asshole on Twitter will keep you alive for more than a year after dumping NSA tools all over the InterWebs.

Still, since then TSB hasn’t tweeted at all. And his September dump — which given the normal pattern, would have been released in the last days of August — didn’t come out until September 6 (just a few days after a bunch of us were wondering if he had finally snuck off to join Snowden in Sheremetyevo). On that day, TSB dumped the files he claims to have dumped in his Warez of the Month club since June, as well links for twice-monthly dumps going through November.

While we were chatting about TSB running off to Sheremetyevo, Matt Suiche raised a point I had been thinking about too: TSB’s key. By now, that key must be set to loud alarms in Fort Meade, such that any time it appears transiting across the InterTubes, lights flash in an attempt to ID TSB’s location.

Of course, all that’s done for the next three months, because everything is safely loaded on Mega’s servers in one fell swoop.

Suiche noted that TSB hadn’t signed a post since June; he actually had in July (but over at ZeroNet rather than on Steemit), but not the for the late June post tied to the July dump.

In other words, since June, TSB has been either not signing posts, or signing them somewhere else, away from the Steemit account that (in the wake of his Twitter demise) has now become his persistent identity, where people can follow him.

Anyway, because I’m a loser, I decided to track what he had done for the entire year plus to be able to sustain a persistent identity while still avoiding drone strikes. A draft table of what TSB has done to sustain persistence with 1) key-signing, 2) stable messaging identity, 3) file-hosting, and 4) payment since August 2016 is here. In addition to increasingly signing remotely, and shifting from Twitter to Steemit to alert followers, TSB has also moved away from stable, public cryptocurrency addresses, and encrypted emails with individual buyers, instead relying on the security of Zcash and its memo line.

  • Zcash only, no Monero, delivery email in encrypted memo field
  • Delivery email address clearnet only, recommend tutanota or protonmail, no need exchange secret, no i2p, no bitmessage, no zeronet

In any case, this is just a draft. I’m sure I fat-fingered some stuff, and I’m sure I didn’t understand some of what I was looking at. But please take a look and see what I’m missing/gotten wrong.

There are some interesting bits even from what’s here. I hadn’t realized, for example, that TSB cashed out his BTC wallets the same day, May 29, he posted the new ZEC and XMR sales. Also, TSB posted “Don’t Forget Your Base” at his old-school haunts — Medium and Reddit — as well as Zero and Steemit (he was transitioning from one to another that day), I guess to reinvigorate his fan base after claiming he was done in January.

 

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Shadow Brokers Gets Results! Congress Finally Moves to Oversee Vulnerabilities Equities Process

/8 Comments/in , /by

Since the Snowden leaks, there has been a big debate about the Vulnerabilities Equities Process — the process by which NSA reviews vulnerabilities it finds in code and decides whether to tell the maker or instead to turn it into an exploit to use to spy on US targets. That debate got more heated after Shadow Brokers started leaking exploits all over the web, ultimately leading to the global WannaCry attack (the NotPetya attack also included an NSA exploit, but mostly for show).

In the wake of the WannaCry attack, Microsoft President Brad Smith wrote a post demanding that governments stop stockpiling vulnerabilities.

Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.

But ultimately, the VEP was a black box the Executive Branch conducted, without any clear oversight.

The Intelligence Authorization would change that. Starting 3 months after passage of the Intel Authorization, it would require each intelligence agency to report to Congress the “process and criteria” that agency uses to decide whether to submit a vulnerability for review; the reports would be unclassified, with a classified annex.

In addition, each year the Director of National Intelligence would have to submit a classified list tracking what happened with the vulnerabilities reviewed in the previous year. In addition to showing how many weren’t disclosed, it would also require the DNI to track what happened to the vulnerabilities that were disclosed. One concern among spooks is that vendors don’t actually fix their vulnerabilities in timely fashion, so disclosing them may not make end users any safer.

There would be an unclassified report on the aggregate reporting of vulnerabilities both at the government level and by vendor. Arguably, this is far more transparency than the government provides right now on actual spying.

This report would, at the very least, provide real data about what actually happens with the VEP and may show (as some spooks complain) that vendors won’t actually fix vulnerabilities that get disclosed. My guess is SSCI’s mandate for unclassified reporting by vendor is meant to embarrass those (potentially including Microsoft?) that take too long to fix their vulnerabilities.

I’m curious how the IC will respond to this (especially ODNI, which under James Clapper had squawked mightily about new reports). I also find it curious that Rick Ledgett wrote his straw man post complaining that Shadow Brokers would lead people to reconsider VEP after this bill was voted out of the SSCI; was that a preemptive strike against a reasonable requirement?

SEC. 604. REPORTS ON THE VULNERABILITIES EQUITIES POLICY AND PROCESS OF THE FEDERAL GOVERNMENT.

Report Policy And Process.—

(1) IN GENERAL.—Not later than 90 days after the date of the enactment of this Act and not later than 30 days after any substantive change in policy, the head of each element of the intelligence community shall submit to the congressional intelligence committees a report detailing the process and criteria the head uses for determining whether to submit a vulnerability for review under the vulnerabilities equities policy and process of the Federal Government.

(2) FORM.—Each report submitted under paragraph (1) shall be submitted in unclassified form, but may include a classified annex.

(b) Annual Report On Vulnerabilities.—

(1) IN GENERAL.—Not less frequently than once each year, the Director of National Intelligence shall submit to the congressional intelligence committees a report on—

(A) how many vulnerabilities the intelligence community has submitted for review during the previous calendar year;

(B) how many of such vulnerabilities were ultimately disclosed to the vendor responsible for correcting the vulnerability during the previous calendar year; and

(C) vulnerabilities disclosed since the previous report that have either—

(i) been patched or mitigated by the responsible vendor; or

(ii) have not been patched or mitigated by the responsible vendor and more than 180 days have elapsed since the vulnerability was disclosed.

(2) CONTENTS.—Each report submitted under paragraph (1) shall include the following:

(A) The date the vulnerability was disclosed to the responsible vendor.

(B) The date the patch or mitigation for the vulnerability was made publicly available by the responsible vendor.

(C) An unclassified appendix that includes—

(i) a top-line summary of the aggregate number of vulnerabilities disclosed to vendors, how many have been patched, and the average time between disclosure of the vulnerability and the patching of the vulnerability; and

(ii) the aggregate number of vulnerabilities disclosed to each responsible vendor, delineated by the amount of time required to patch or mitigate the vulnerability, as defined by thirty day increments.

(3) FORM.—Each report submitted under paragraph (1) shall be in classified form.

(c) Vulnerabilities Equities Policy And Process Of The Federal Government Defined.—In this section, the term “vulnerabilities equities policy and process of the Federal Government” means the policy and process established by the National Security Council for the Federal Government, or successor set of policies and processes, establishing policy and responsibilities for disseminating information about vulnerabilities discovered by the Federal Government or its contractors, or disclosed to the Federal Government by the private sector in government off-the-shelf (GOTS), commercial off-the-shelf (COTS), or other commercial information technology or industrial control products or systems (including both hardware and software).

Government Changes Its Tune about MalwareTech

/20 Comments/in /by

Marcus Hutchins, AKA MalwareTech, just plead not guilty at his arraignment in Milwaukee, WI. After the hearing, his attorney, Marcia Hofmann, called him a “hero” and said he would be fully vindicated.

A dramatic change in the tone of the government suggested that might well be the case. Whereas at Hutchins’ Las Vegas hearing, the government used his appearance at a tourist-focused gun range in an attempt to deny him bail, here, the government was amenable to lifting many of the restrictions on his release conditions. Hutchins will be able to live in Los Angeles, where his other attorney, Brian Klein, is. He will be able to continue working. He can travel throughout the US, though he cannot leave the country (though his defense tried to get him released to the UK).

About the only major restriction — aside from GPS monitoring and monitoring by pretrial services — is that he can’t touch the WannaCry sinkhole.

The government’s attorney, Michael Chmelar, described Hutchins’ alleged crimes as “historic,” a seeming concession that he’s not currently a threat. That said, while the government had not deemed this a complex crime when they indicted Hutchins back on July 11, Chmelar said he expected they would do so in the coming weeks. The trial is currently scheduled for October, but with a complex designation, that will slide.

Chmelar said that they had or would turn over today both Hutchins’ FBI interview, as well as two other recorded phone calls. The rest of discovery will be delayed until the defense signs a protection order.

Perhaps the funniest part of the hearing came when the lawyers tried to help Magistrate William Duffin understand what a “sinkhole” is.

Update: Fixed spelling of Hofmann’s last name–sorry Marcia!

Update: Forgot to mention — the case was assigned to JP Stadtmueller, a 75-year old Reagan appointee, formerly the Chief Judge of EDWI.