30 August 2016

Is the Shadow Brokers leak the latest in a series?

Earlier this week, a group or an individual called the Shadow Brokers published a large set of files containing the computer code for hacking tools. They were said to be from the Equation Group, which is considered part of the NSA's hacking division TAO.

The leak got quite some media attention, but so far it was not related to some earlier leaks of highly sensitive NSA documents. These show interesting similarities with the Shadow Brokers files, which were also not attributed to Edward Snowden, but seem to come from an unknown second source.


Screenshot of some computer code with instructions
from the Shadow Brokers archive

The Shadow Brokers files

Since August 13, Shadow Brokers posted a manifesto and two large encrypted files on Pastebin, on GitHub, on Tumblr and on DropBox (all of them closed or deleted meanwhile).

One of the encrypted files could be decrypted into a 301 MB archive containing a large number of computer codes for server side utility scripts and exploits for a variety of targets like firewalls from Cisco, Juniper, Fortinet and TOPSEC. The files also include different versions of several implants and instructions on how to use them, so they're not just the malware that could have been found on the internet, but also files that were only used internally.

A full and detailed list of the exploits in this archive can be found here.

Security experts as well as former NSA employees considered the files to be authentic, and earlier today the website The Intercept came with some unpublished Snowden documents that confirm the Shadow Brokers files are real.

Besides the accessible archive, Shadow Brokers also posted a file that is still encrypted, and for which the key would only be provided to the highest bidder in an auction. Would the auction raise 1 million bitcoins (more than 500 million US dollars), then Shadow Brokers said they would release more files to the public. This auction however is likely just meant to attract attention.


Screenshot of a file tree from the Shadow Brokers archive

From the Snowden documents?

According to security experts Bruce Schneier and Nicholas Weaver the new files aren't from the Snowden trove. Like most people, they apparently assume that Snowden took mostly powerpoint presentations and internal reports and newsletters, but that's not the whole picture. The Snowden documents also include various kinds of operational data, but this rarely became public.

Most notable was a large set of raw communications content collected by NSA under FISA and FAA authority, which also included incidentally collected data from Americans, as was reported by The Washington Post on July 5, 2014. The Snowden documents also include technical reports, which are often very difficult to understand and rarely provide a newsworthy story on their own.

Someone reminded me as well that in January 2015, the German magazine Der Spiegel published the full computer code of a keylogger implant codenamed QWERTY, which was a component of the NSA's WARRIORPRIDE malware framework. So with the Snowden trove containing this one piece of computer code, there's no reason why it should not contain more.

Contradicting the option that the Shadow Brokers files could come from Snowden is the fact that some of the files have timestamps as late as October 18, 2013, which is five months after Snowden left NSA. Timestamps are easy to modify, but if they are authentic, then these files have to be from another source.

A second source?

This brings us to a number of leaks that occured in recent years and which were also not attributed to Snowden. These leaks involved highly sensitive NSA files and were often more embarrassing than stuff from the Snowden documents - for example the catalog of hacking tools and techniques, the fact that chancellor Merkel was targeted and intelligence reports proving that NSA was actually successful at that.

It is assumed that these and some other documents came from at least one other leaker, a "second source" besides Snowden, which is something that still not many people are aware of. The files that can be attributed to this second source have some interesting similarities with the Shadow Brokers leak. Like the ANT catalog published in December 2013, they are about hacking tools and like the XKEYSCORE rules published in 2014 and 2015 they are internal NSA computer code.

This alone doesn't say much, but it's the choice of the kind of files that makes these leaks look very similar: no fancy presentations, but plain technical data sets that make it possible to identify specific operations and individual targets - the kind of documents many people are most eager to see, but which were rarely provided through the Snowden reporting.

As mainstream media became more cautious in publishing such files, it is possible that someone who also had access to the Snowden cache went rogue and started leaking documents just for harming NSA and the US - without attributing these leaks to Snowden because he would probably not approve them, and also to suggest that more people followed Snowden's example.

Of course the Shadow Brokers leak can still be unrelated to the earlier ones. In that case it could have been that an NSA hacker mistakenly uploaded his whole toolkit to a server outside the NSA's secure networks (also called a "staging server" or "redirector" to mask his true location) and that someone was able to grab the files from there - an option favored by for example Edward Snowden and security researcher the grugq.


Diagram showing the various stages and networks involved
in botnet hacking operations by NSA's TAO division

An insider?

Meanwhile, several former NSA employees have said that the current Shadow Brokers leak might not be the result of a hack from the outside, but that it's more likely that the files come from an insider, who stole them like Snowden did earlier.

Of course it's easier for an insider to grab these files than for a foreign intelligence agency, let alone an ordinary hacker, to steal them from the outside. But if that's the case, it would mean that this insider would still be able to exfiltrate files from NSA premises (something that shouldn't be possible anymore after Snowden), and that this insider has the intent to embarrass and harm the NSA (Snowden at least said he just wanted to expose serious wrongdoings).

Here we should keep in mind that such an insider is not necessarily just a frustrated individual, but can also be a mole from a hostile foreign intelligence agency.

Update:

On August 21, NSA expert James Bamford also confirmed that TAO's ANT catalog wasn't included in the Snowden documents (Snowden didn't want to talk about it publicly though). Bamford favors the option of a second insider, who may have leaked the documents through Jacob Appelbaum and Julian Assange.

Russian intelligence?

On Twitter, Edward Snowden said that "Circumstantial evidence and conventional wisdom indicates Russian responsibility", but it's not clear what that evidence should be. It seems he sees this leak as a kind of warning from the Russians not to take revenge for the hack of the Democratic National Committee (DNC) e-mails, which was attributed to Russian intelligence.

This was also what led Bruce Schneier to think it might be the Russians, because who other than a state actor would steal so much data and wait three years before publishing? Not mentioned by Schneier is that this also applies to the documents that can be attributed to the second source: they also pre-date June 2013.

A related point of speculation is the text that accompanied the Shadow Brokers files, which is in bad English, as if it was written by a Russian or some other non-western individual. This is probably distraction, as it looks much more like a fluent American/English speaker who tried to imitate unexperienced English.

The text also holds accusations against "Elites", in a style which very much resembles the language used by anarchist hacker groups, but that can also be faked to distract from the real source (it was also noticed that the e-mail address used by Shadow Brokers (userll6gcwaknz@tutanota.com) seems to refer to the manga Code Geass in which an exiled prince takes revenge against the "Britannian Empire").


Screenshot of some file folders from the Shadow Brokers archive

Conclusion

With the authenticity of the Shadow Brokers files being confirmed, the biggest question is: who leaked them? There's a small chance that it was a stupid accident in which an NSA hacker uploaded his whole toolkit to a non-secure server and someone (Russians?) found it there.

Somewhat more likely seems the option that they came from an insider, and in that case, this leak doesn't stand alone, but fits into a series of leaks in which, since October 2013, highly sensitive NSA data sets were published.

So almost unnoticed by the mainstream media and the general public, someone was piggybacking on the Snowden-revelations with leaks that were often more embarrassing for NSA than many reportings based upon the documents from Snowden.

Again, obtaining such documents through hacking into highly secured NSA servers seems less likely than the chance that someone from inside the agency took them. If that person was Edward Snowden, then probably someone with access to his documents could have started his own crusade against NSA.

If that person wasn't Snowden, then it's either another NSA employee who was disgruntled and frustrated, or a mole for a hostile foreign intelligence agency. But for an individual without the protection of the public opinion like Snowden, it must be much harder and riskier to conduct these leaks than for a foreign state actor.

Former NSA counterintelligence officer John Schindler also thinks there could have been a (Russian) mole, as the agency has a rather bad track record in finding such spies. If this scenario is true, then it would be almost an even bigger scandal than that of the Snowden-leaks.

Links and Sources

- TheWeek.com: How the NSA got hacked

No comments: