August 20, 2016

Is the Shadow Brokers leak the latest in a series?

(Updated: December 7, 2020)

Earlier this week, a group or an individual called the Shadow Brokers published a large set of files containing the computer code for hacking tools. They were said to be from the Equation Group, which is considered part of the NSA's hacking division TAO.

The leak got quite some media attention, but so far it has not been linked to some earlier leaks of highly sensitive NSA documents. Those earlier leaks show interesting similarities with the Shadow Brokers files: they were also not attributed to Edward Snowden, but seem to come from an unknown second source.



Screenshot of some computer code with instructions
from the Shadow Brokers archive from August 2016


The Shadow Brokers files

Starting August 13, Shadow Brokers posted a manifesto and two large encrypted files on Pastebin, GitHub, Tumblr and Dropbox (all of which have since been closed or deleted).

One of the encrypted files could be decrypted into a 301 MB archive containing a large amount of computer code for server-side utility scripts and exploits for a variety of targets like firewalls from Cisco, Juniper, Fortinet and TOPSEC. The files also include different versions of several implants and instructions on how to use them, so they're not just the malware that could have been found on the internet, but also files that were only used internally.

A full and detailed list of the exploits in this archive can be found here.

Security experts as well as former NSA employees considered the files to be authentic, and earlier today the website The Intercept published some previously unpublished Snowden documents that confirm the Shadow Brokers files are real.

Besides the accessible archive, Shadow Brokers also posted a file that is still encrypted, and for which the key would only be provided to the highest bidder in an auction. Shadow Brokers said that if the auction raised 1 million bitcoins (more than 500 million US dollars), they would release more files to the public. This auction, however, is likely just meant to attract attention.

Updates:

Shadow Brokers, or people posing as them, posted a short announcement on Pastebin on August 28, and a third, long message including a "self-interview" on Medium.com on October 1. On October 15, a fourth message was published on Medium, saying that the auction was cancelled.

On October 31, 2016, Shadow Brokers published a "Halloween message" on Medium, this time including a new file, which contains "configuration data for an as-yet-undisclosed toolkit for a variety of UNIX platforms" and also a list of 352 IP addresses and 306 domain names the NSA's hacking team Equation Group may have used for their operations. These addresses include timestamps from August 22, 2000, to August 18, 2010. The 10 most impacted countries are China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy and Russia.

On December 14, 2016, someone calling himself Boceffus Cleetus published a post on Medium, saying that Shadow Brokers were now selling the supposed NSA hacking tools one by one, for prices between 1 and 100 bitcoins (780 - 78,000 USD), or 1000 bitcoins (780,000 USD) for the whole lot. Included is a list with codenames of the exploits as well as a file signed with a PGP key whose fingerprint is identical to that of the original Shadow Brokers dump from August.

On January 12, 2017, the Shadow Brokers published a final message accompanied by 61 Windows-formatted binary files, including executables, dynamic link libraries, and device drivers, which are also considered to have been tools from the NSA's TAO hacking division. Most of these files had remained undetected by the most-used anti-virus tools. Images included with these files showed they were stored on a Drive D that was most likely a USB drive, which, according to an independent researcher, "lends credibility to the argument the leak came from an insider who stole, and subsequently lost control of, a USB stick, rather than a direct hack of the NSA."

On April 8, 2017, the Shadow Brokers were back and released a range of exploits for the Unix operating system Solaris. On April 14, 2017, they published an archive containing a series of Windows exploits that they had offered for sale in January and documents about NSA's infiltration of SWIFT, for the first time also including several Top Secret NSA PowerPoint presentations, similar to those leaked by Snowden. The latest timestamp found in these files is October 17, 2013, which is one day before the latest one in the first Shadow Brokers release.




Screenshot of a file tree from the Shadow Brokers archive from August 2016


From the Snowden documents?

According to security experts Bruce Schneier and Nicholas Weaver, the new files aren't from the Snowden trove. Like most people, they apparently assume that Snowden took mostly PowerPoint presentations and internal reports and newsletters, but that's not the whole picture. The Snowden documents also include various kinds of operational data, but this rarely became public.

Most notable was a large set of raw communications content collected by NSA under FISA and FAA authority, which also included incidentally collected data from Americans, as was reported by The Washington Post on July 5, 2014. The Snowden documents also include technical reports, which are often very difficult to understand and rarely provide a newsworthy story on their own.

Someone reminded me as well that in January 2015, the German magazine Der Spiegel published the full computer code of a keylogger implant codenamed QWERTY, which was a component of the NSA's WARRIORPRIDE malware framework. So with the Snowden trove containing this one piece of computer code, there's no reason why it should not contain more.

Contradicting the option that the Shadow Brokers files could come from Snowden is the fact that some of the files have timestamps as late as October 18, 2013, which is five months after Snowden left NSA. Timestamps are easy to modify, but if they are authentic, then these files have to be from another source.


A second source?

This brings us to a number of leaks that occurred in recent years and which were also not attributed to Snowden. These leaks involved highly sensitive NSA files and were often more embarrassing than stuff from the Snowden documents - for example the catalog of hacking tools and techniques, the fact that chancellor Merkel was targeted and intelligence reports proving that NSA was actually successful at that.


It is assumed that these and some other documents came from at least one other leaker, a "second source" besides Snowden, something that still not many people are aware of. The files that can be attributed to this second source have some interesting similarities with the Shadow Brokers leak. Like the ANT catalog published in December 2013, they are about hacking tools, and like the XKEYSCORE rules published in 2014 and 2015, they are internal NSA computer code.

This alone doesn't say much, but it's the choice of the kind of files that makes these leaks look very similar: no fancy presentations, but plain technical data sets that make it possible to identify specific operations and individual targets - the kind of documents many people are most eager to see, but which were rarely provided through the Snowden reporting.

As mainstream media became more cautious in publishing such files, it is possible that someone who also had access to the Snowden cache went rogue and started leaking documents just to harm NSA and the US - without attributing these leaks to Snowden because he would probably not approve of them, and also to suggest that more people followed Snowden's example.

Of course the Shadow Brokers leak can still be unrelated to the earlier ones. In that case it could have been that an NSA hacker mistakenly uploaded his whole toolkit to a server outside the NSA's secure networks (also called a "staging server" or "redirector" to mask his true location) and that someone was able to grab the files from there - an option favored by for example Edward Snowden and security researcher the grugq.



Diagram showing the various stages and networks involved
in botnet hacking operations by NSA's TAO division


An insider?

Meanwhile, several former NSA employees have said that the current Shadow Brokers leak might not be the result of a hack from the outside, but that it's more likely that the files come from an insider, who stole them like Snowden did earlier.

Of course it's easier for an insider to grab these files than for a foreign intelligence agency, let alone an ordinary hacker, to steal them from the outside. But if that's the case, it would mean that this insider would still be able to exfiltrate files from NSA premises (something that shouldn't be possible anymore after Snowden), and that this insider has the intent to embarrass and harm the NSA (Snowden at least said he just wanted to expose serious wrongdoings).

Here we should keep in mind that such an insider is not necessarily just a frustrated individual, but can also be a mole from a hostile foreign intelligence agency.

Update:
On August 21, NSA expert James Bamford also confirmed that TAO's ANT catalog wasn't included in the Snowden documents (Snowden didn't want to talk about it publicly though). Bamford favors the option of a second insider, who may have leaked the documents through Jacob Appelbaum and Julian Assange.


Russian intelligence?

On Twitter, Edward Snowden said that "Circumstantial evidence and conventional wisdom indicates Russian responsibility", but it's not clear what that evidence should be. It seems he sees this leak as a kind of warning from the Russians not to take revenge for the hack of the Democratic National Committee (DNC) e-mails, which was attributed to Russian intelligence.

This was also what led Bruce Schneier to think it might be the Russians, because who other than a state actor would steal so much data and wait three years before publishing? Not mentioned by Schneier is that this also applies to the documents that can be attributed to the second source: they also pre-date June 2013.

A related point of speculation is the text that accompanied the Shadow Brokers files, which is in bad English, as if it was written by a Russian or some other non-western individual. This is probably a distraction, as it looks much more like a fluent American/English speaker who tried to imitate inexperienced English.

The text also holds accusations against "Elites", in a style which very much resembles the language used by anarchist hacker groups, but that can also be faked to distract from the real source (it was also noticed that the e-mail address used by Shadow Brokers (userll6gcwaknz@tutanota.com) seems to refer to the manga Code Geass in which an exiled prince takes revenge against the "Britannian Empire").



Screenshot of some file folders from the Shadow Brokers archive


Conclusion

With the authenticity of the Shadow Brokers files being confirmed, the biggest question is: who leaked them? There's a small chance that it was a stupid accident in which an NSA hacker uploaded his whole toolkit to a non-secure server and someone (Russians?) found it there.

Somewhat more likely seems the option that they came from an insider, and in that case, this leak doesn't stand alone, but fits into a series of leaks in which, since October 2013, highly sensitive NSA data sets were published.

So, almost unnoticed by the mainstream media and the general public, someone was piggybacking on the Snowden revelations with leaks that were often more embarrassing for NSA than many reports based upon the documents from Snowden.

Again, obtaining such documents through hacking into highly secured NSA servers seems less likely than the chance that someone from inside the agency took them. If that person was Edward Snowden, then probably someone with access to his documents could have started his own crusade against NSA.

If that person wasn't Snowden, then it's either another NSA employee who was disgruntled and frustrated, or a mole for a hostile foreign intelligence agency. But for an individual without the protection of public opinion that Snowden has, it must be much harder and riskier to conduct these leaks than for a foreign state actor.

Former NSA counterintelligence officer John Schindler also thinks there could have been a (Russian) mole, as the agency has a rather bad track record in finding such spies. If this scenario is true, then it would be almost an even bigger scandal than that of the Snowden-leaks.

Update #1:
During an FBI-led investigation of the ShadowBrokers leak, NSA officials reportedly said that a former agency operative carelessly left the hacking tool files available on a remote computer, where Russian hackers found them. After this was discovered, NSA tuned its sensors to detect use of any of the tools by other parties, like China and Russia. But as that wasn't the case, NSA did not feel obligated to warn the US manufacturers.

Update #2:
On October 6, 2016, The New York Times reported that on August 27, 2016, the FBI arrested 51-year-old Harold T. Martin III, who worked at NSA as a contractor for Booz Allen Hamilton. In his home in Glen Burnie, Maryland, "many terabytes" of highly classified information were found, from the 1990s until 2014. Hal Martin was described as a hoarder, but so far, investigators are not sure he was also responsible for the various leaks that could not be attributed to Snowden.

Update #3:
On November 19, it was reported by the Washington Post that there had been yet another, previously undisclosed breach of cybertools, which was discovered in the summer of 2015. This was also carried out by a TAO employee, who had also been arrested, but his case was not made public. An official said that it is not believed that this individual shared the material with another country.

Update #4:
In November 2020, national security blogger emptywheel reported that she had information that someone had logged into one of the Guccifer 2.0 accounts (involved in leaking the DNC documents hacked by the GRU) using the same IP address as someone who logged into the early staging sites (either Pastebin or GitHub) used by the Shadow Brokers. This could be an indication that the Shadow Brokers was an operation of Russian intelligence.



Links and Sources
- EmptyWheel.com: The Shadow Brokers: “A nice little NSA you've got here: It'd be a shame if…”
- TheWeek.com: How the NSA got hacked
- EmptyWheel.com: Where Are NSA’s Overseers on the Shadow Brokers Release?
- Observer.com: NSA ‘Shadow Brokers’ Hack Shows SpyWar With Kremlin Is Turning Hot
- TechCrunch.com: Everything you need to know about the NSA hack (but were afraid to Google)
- WashingtonPost.com: Powerful NSA hacking tools have been revealed online
- NYTimes.com: ‘Shadow Brokers’ Leak Raises Alarming Question: Was the N.S.A. Hacked?
- LawfareBlog.com: NSA and the No Good, Very Bad Monday
