September 14, 2017

Are the Shadow Brokers identical with the Second Source?

(Updated: December 7, 2020)

What a lot of people don't know, is that a range of classified documents from the NSA have not been attributed to Edward Snowden, which means that there was at least one other leaker inside the NSA.

Initially, this leaker was called the "Second Source", and although he was responsible for significant leaks, they got little attention in the US. More media coverage gained the release, since 2016, of NSA hacking tools by the mysterious "Shadow Brokers".

Now, a close look at documents published by the German magazine Der Spiegel in December 2013 provided new indications that the Second Source could be identical with the leaker behind the Shadow Brokers.



NSA's Cryptologic Center in San Antonio, Texas (2013)
(photo: William Luther - click to enlarge)


The second source

The first leak that was not attributed to Snowden, was of an internal NSA tasking record, showing that German chancellor Angela Merkel was apparently on the NSA's targeting list. The second revelation that was said to come from the same source as the Merkel record, was that of the ANT product catalog, containing a wide range of sophisticated eavesdropping gadgets and techniques.

Security expert Bruce Schneier, who was probably the first to write about the possibility of a second source, said that this source apparently passed his documents to a small group of people in Germany, including hacktivist Jacob Appelbaum and documentary film maker Laura Poitras.

Because Poitras also received one of the initial sets of documents from Snowden, it is sometimes assumed that the documents from the Second Source may actually stem from the Snowden trove, despite not being attributed as such. For some of the individual documents this was contradicted by Glenn Greenwald and Edward Snowden though.


Spiegel reportings

The ANT catalog was published by the German magazine Der Spiegel on December 29, 2013. The original article was in German and written by Jacob Appelbaum, Judith Horchert, Ole Reißmann, Marcel Rosenbach, Jörg Schindler and Christian Stöcker. A translation in English mentioned the names of Jacob Appelbaum, Judith Horchert and Christian Stöcker.

Although this catalog got most of the attention, not at least because Appelbaum explained the various tools during a presentation at the hackers conference CCC on December 30, it was actually just an addition to Der Spiegel's extensive main piece about the hacking division of the NSA, called Tailored Access Operations (TAO).

This article was written by Jacob Appelbaum, Marcel Rosenbach, Jörg Schindler, Holger Stark and Christian Stöcker, with the cooperation of Andy Müller-Maguhn, Judith Horchert, Laura Poitras and Ole Reißmann. There was also a translation in English prepared by the Spiegel staff based upon reporting "by Jacob Appelbaum, Laura Poitras, Marcel Rosenbach, Christian Stöcker, Jörg Schindler and Holger Stark."


TAO documents

This main piece was accompanied by various NSA documents: one slide about FOXACID, a partial presentation about QUANTUM, two separate pages from other documents, as well as complete powerpoint presentations about QUANTUM tasking, the TAO unit at NSA/CSS Texas, and the QFIRE architecture:



(click to go to the various documents)


Not Snowden?

Apparently never noticed before, is that not only the ANT product catalog, but also these other presentations and documents were not attributed to Snowden. In both the German and the English version, the whole lengthy article contains multiple times phrases like "internal NSA documents viewed by SPIEGEL" but never in combination with the name of Edward Snowden.

This is remarkable, because for the media, it's usually almost some kind of honor to publish documents provided by Snowden, which is then clearly mentioned in their reporting. In those cases, the byline includes the name of the one who actually provided the documents on Snowden's behalf, often Glenn Greenwald and for Der Spiegel, Laura Poitras.

But both articles from December 29 have Jacob Appelbaum, instead of Poitras in the byline, which seems to be an indication that here, the top secret NSA documents were provided by Appelbaum, likely as the middleman for the mysterious second source.


Exception: FOXACID slide

There's one exception though: the description of the FOXACID slide says that it is from an NSA presentation from the Snowden cache - this was confirmed when on August 19, 2016, The Intercept eventually published the full presentation about FOXACID.

This slide was probably provided by Laura Poitras, from her cache of Snowden documents, which would explain why she was mentioned as one of the persons that provided assistance for Der Spiegel's main piece of December 29.

The other presentations have not been published as part of the Snowden revelations, there's only one with a similar layout (from Booz Allen's SDS unit), but is about a different topic.


Significance

If not only the ANT Product Catalog, but also these other NSA presentations about the TAO division were not provided by Snowden, but by the second source, what's the significance of that?

Analysing the range of revelations that were not attributed to Snowden, resulted in the following list of documents that were likely leaked by the second source:

- Chancellor Merkel tasking record
- TAO product catalog
- XKEYSCORE rules: TOR and TAILS
- XKEYSCORE rules: New Zealand
- NSA tasking & reporting France, Germany, Brazil, Japan
- XKEYSCORE agreement between NSA, BND and BfV(?)
- NSA tasking & reporting EU, Italy, UN

Except for the TAO catalog, one of the things that all these documents have in common, is that they are different from the usual powerpoint presentations, program manuals and internal wiki pages that make up the biggest part of the Snowden revelations.

(Of course, absence of evidence is no evidence of absence, but as these second source documents are often more significant than many other Snowden files, there seems to be no reason not to publish them)

The additional December 29 files do actually fit the typical sort of documents from Snowden, which makes it more difficult to distinguish between documents from Snowden and those from the other leaker(s).



The Shadow Brokers

If we look at the content of the files, we see that those from Der Spiegel's December 29 article are all about NSA's hacking operations. There have been several Snowden stories about that topic, but more spectacular became the release, since August 2016, of actual NSA hacking tools by a mysterious person or group called The Shadow Brokers (TSB or SB).

There has been a lot of speculation about who could be behind this and how he, she or they got access to these sensitive files. One option is an NSA insider, either on his own, in cooperation with crypto-anarchists, or as a mole directed by a hostile intelligence agency.

Another suggestion was that an NSA hacker mistakenly uploaded his whole toolkit to a server outside the NSA's secure networks (also called a "staging server" or "redirector" to mask its true location) and that someone was able to grab the files from there - this option was for example favored by Snowden.


Insider

The latter theory was falsified when on April 14, 2017, the Shadow Brokers did not only publish an archive containing a series of Windows exploits, but also several documents and top secret presentation slides about NSA's infiltration of the banking network SWIFT - things unlikely to be on a staging server, which makes that the source behind the Shadow Brokers is most likely an insider. Also, maybe one or two of these hacking tools may have been on a staging server for a specific mission, but not all those that were published by the Shadow Brokers?

On July 28, the website CyberScoop reported that as part of their investigation into the Shadow Brokers leaks, US government counterintelligence investigators contacted former NSA employees in an effort to identify a possible disgruntled insider.

(just a few days ago, the Shadow Brokers released a manual for the hacking framework UNITEDRAKE, strangely enough without date and classification markings, but again something that one wouldn't find on an outside staging server)



Same source?

With the documents published by the Shadow Brokers apparently being stolen by an insider at NSA, the obvious question is: could the Shadow Brokers be identical with the Second Source? (see update)

One interesting fact is that the last revelation that could be attributed to the second source occured on February 23, 2016, and that in August of that year the Shadow Brokers started with their release of hacking files. This could mean that the second source decided to publish his documents in the more distinct and noticeable way under the guise of the Shadow Brokers.

But there's probably also a much more direct connection: the batch of documents published along with Der Spiegel's main piece from December 29, 2013 include a presentation about the TAO unit at NSA's Cryptologic Center in San Antonio, Texas, known as NSA/CSS Texas (NSAT):



TAO Texas presentation, published by Der Spiegel in December 2013
(click for the full presentation)


And surprisingly, the series of three slides that were released by the Shadow Brokers on April 14 were also from NSA/CSS Texas. They show three seals: in the upper left corner those of NSA and CSS and in the upper right corner that of the Texas Cryptologic Center:



TAO Texas slide, published by the Shadow Brokers in April 2017
(click for the full presentation)


NSA/CSS Texas

It's quite remarkable that among the hundreds of NSA documents that have been published so far, there are only these two sets from NSA/CSS Texas. This facility is responsible for operations in Latin America, the Caribbean, and along the Atlantic littoral of Africa in support of the US Southern and Central Commands.

Update: The three Shadow Brokers slides from NSA/CSS Texas show operations against EastNets and Business Computer Group (BCG), which are both Service Bureaus for the banking network SWIFT. EastNets has offices in Belgium, Jordan, Egypt and UAE and was targeted under the codename JEEPFLEA_MARKET, while BCG serves Panama and Venezuela and was targeted under JEEPFLEA_POWDER.

Besides the one in San Antonio, Texas, NSA has three other regional Cryptologic Centers in the US: in Augusta, Georgia, in Honolulu, Hawaii and in Denver, Colorado. These four locations were established in 1995 as Regional Security Operations Centers (RSOC) in order to disperse operational facilities from the Washington DC area, providing redundancy in the event of an emergency.

So far, no documents from any of these regional centers have been published, except for the two from NSA/CSS Texas. This could be a strong indication that they came from the same source - and it seems plausible to assume that that source is someone who actually worked at that NSA location in San Antonio.

Access

This person may only have stolen files that were available at his own workplace, as it should be realized that not every leaker necessarily has similar broad access like Snowden had (and gained) in his job as a systems administrator.

Snowden on the other hand may only have downloaded things from an intranet for NSA as a whole (assuming that would contain the most interesting files) and leaving the local network for his Hawaii office untouched - which would explain why we never saw any documents marked NSA/CSS Hawaii (another reason could be that such documents would have made it easier to identify him).
Update: One rare 2007 message from NSA Hawaii was, among some other documents, published by The Intercept on March 1, 2018.

Given the many hacking files, it's tempting to assume that the second source/Shadow Brokers was an NSA hacker at the Texas TAO unit. It's not clear though whether someone in such a position would also have had the access to the intelligence reports and traditional tasking lists which were published by Wikileaks. It's also possible that those documents came from a different source.


Motivation

One final thing that the revelations from the second source and the Shadow Brokers seem to have in common is the motivation: none of their documents reveal serious abuses or illegal methods, but only compromise methods and operations, and discredit US intelligence.

Most of these documents weren't vetted by professional journalists either: although initially published by Der Spiegel and some other German media, later files were made public by the uncritical website Wikileaks, while the Shadow Brokers postings come without any intermediary on sites like Pastebin, Medium and Steemit.

(In March 2017, Wikileaks started the "Vault 7" series in which they publish secret hacking tools from the CIA. These files have dates between November 2003 and March 2016 and are therefore more recent that those from the Shadow Brokers, with their newest files being dated October 18, 2013 - some 5 months after Snowden left the NSA and around the same time when Der Spiegel published the first document from the second source)
 

Update #1:

On the weblog Emptywheel.net there are some additional thoughts about this issue: the author is, for various reasons, skeptical about the Shadow Brokers being a disgruntled NSA employee or contractor, and therefore that he could be identical with the Second Source. As an alternative, Emptywheel suggests that Jakob Appelbaum and the Shadow Brokers may have a mutually shared source.

I can agree with that, as I may not have made clear enough that the Second Source is the person who was able to actually steal documents from inside NSA, while the Shadow Brokers is a group or a single person who is responsible for publishing the files, just like Der Spiegel and Wikileaks did for most of the documents attributed to the Second Source.

Of course it would be possible that the Second Source eventually started to publish his documents himself under the covername Shadow Brokers, but as noted by Emptywheel, there are several indications that makes this less likely.

A slightly different option is that the Second Source provided his documents to Jacob Appelbaum and that he had them published by Der Spiegel and Wikileaks, and that later on, either Appelbaum himself acted as the Shadow Brokers, or gave the files to someone else operating under that guise.

Update #2:

In November 2013, the New York Times published a slide with a pie chart showing the sources of 103 collection accesses at the NSA's station in San Antonio, Texas. It's not clear though whether only this individual slide/chart is about NSA Texas, or the presentation as a whole.

Update #3:

An updated overview of the Shadow Brokers story was published by the New York Times on November 12, 2017, saying that investigators were worried that one or more leakers may still be inside NSA and also that the small number of specialists who have worked both at TAO and at the CIA came in for particular attention, out of concern that a single leaker might be responsible for both the Shadow Brokers and the files published by Wikileaks as part of their Vault7 and Vault8 series (although the CIA files are more recent).

Update #4:

In November 2020, national security blogger emptywheel reported that she had information that someone had logged into one of the Guccifer 2.0 accounts (involved in leaking the DNC documents hacked by the GRU) using the same IP address as someone who logged into the early staging sites (either Pastebin or GitHub) used by the Shadow Brokers. This could be an indication that the Shadow Brokers was an operation of Russian intelligence.





Links and sources
- The New York Times: Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core (2017)
- Emptywheel.net: UNITEDRAKE and hacking under FISA Orders (2017)
- Emptywheel.net: Shadow Brokers' Persistence: Where TSB has signed, message, hosted, and collected
- Schneier.com: The US Intelligence Community has a Third Leaker (2014)