Sunday, 03 March 2019

Is The Shadow Brokers Leak The Latest In A Series?

(Latest UPDATE: Apr 15, 2017)

Earlier this week, a group or an individual called the Shadow Brokers published a large set of files containing the computer code of hacking tools. They were said to be from the Equation Group, which is considered to be the work of the NSA's hacking division TAO.

The leak got quite some media attention, but so far it has not been related to some earlier leaks of highly sensitive NSA documents. These show interesting similarities with the Shadow Brokers files: they were also not attributed to Edward Snowden, but appear to come from an unknown second source.



Screenshot of some computer code with instructions
from the Shadow Brokers archive from August 2016


The Shadow Brokers files

Since August 13, the Shadow Brokers posted a manifesto and two large encrypted files on Pastebin, on GitHub, on Tumblr and on DropBox (all of them have meanwhile been shut down or deleted).

One of the encrypted files could be decrypted into a 301 MB archive containing a large number of computer codes for server-side utility scripts and exploits for a variety of targets like firewalls from Cisco, Juniper, Fortinet and TOPSEC. The files also include different versions of several implants and instructions on how to use them, so they're not just the malware that could have been found on the internet, but also files that were only used internally.

A full and detailed list of the exploits in this archive can be found here.

Security experts as well as former NSA employees considered the files to be authentic, and earlier today the website The Intercept did so too. According to Bruce Schneier and Nicholas Weaver the new files aren't from the Snowden trove. Like most people, they apparently assume that Snowden took mostly PowerPoint presentations, internal reports and newsletters, but that's not the whole picture. The Snowden documents also include various kinds of operational data, but this rarely became public.

Most notable was a large set of raw communications content collected by NSA under FISA and FAA authority, which also included incidentally collected information from Americans, as was reported by The Washington Post on July 5, 2014. The Snowden documents also include technical reports, which are often very hard to understand and rarely provide a newsworthy story on their own.

Someone also reminded me that in January 2015, the German magazine Der Spiegel published the full computer code of a keylogger implant codenamed QWERTY, which was a component of the NSA's WARRIORPRIDE malware framework. So with the Snowden trove containing this one piece of computer code, there's no reason why it should not contain more.

Contradicting the option that the Shadow Brokers files could come from Snowden is the fact that some of the files have timestamps as late as October 18, 2013, which is five months after Snowden left NSA. Timestamps are easy to modify, but if they are authentic, then these files have to come from another source.


A second source?

This brings us to a number of leaks that occurred in recent years and which were also not attributed to Snowden. These leaks involved highly sensitive NSA files and were often more embarrassing than materials from the Snowden documents - for example the catalog of hacking tools and techniques, the fact that chancellor Merkel was targeted, and intelligence reports proving that NSA was actually successful at that.


It is assumed that these and some other documents came from at least one other leaker, a "second source" besides Snowden, which is something that still not many people are aware of. The files that can be attributed to this second source have some interesting similarities with the Shadow Brokers leak. Like the ANT catalog published in December 2013, they are about hacking tools, and like the XKEYSCORE rules published in 2014 and 2015 they are internal NSA computer code.

This alone doesn't tell much, but it's the choice of the kind of files that makes these leaks look very similar: no fancy presentations, but plain technical data sets that make it possible to identify specific operations and individual targets - the kind of documents many people are most eager to see, but which were rarely provided through the Snowden reporting.

As mainstream media became more cautious in publishing such files, it is possible that someone who also had access to the Snowden cache went rogue and started leaking documents just to harm NSA and the US - without attributing these leaks to Snowden, because he would probably not approve of them, and also to suggest that more people had followed Snowden's example.

Of course the Shadow Brokers leak can still be unrelated to the earlier ones. In that case it could have been that an NSA hacker mistakenly uploaded his whole toolkit to a server outside the NSA's secure networks (also called a "staging server" or "redirector", used to mask his true location) and that someone was able to grab the files from there - an option favored by, for example, Edward Snowden and security researcher the grugq.



Diagram showing the various stages and networks involved
in botnet hacking operations by NSA's TAO division
(source)


An insider?

Meanwhile, several former NSA employees have said that the current Shadow Brokers leak might not be the result of a hack from the outside, but that it's more likely that the files come from an insider, who stole them like Snowden did earlier.

Of course it's easier for an insider to grab these files than for a foreign intelligence agency, let alone an ordinary hacker, to steal them from the outside. But if that's the case, it would mean that this insider was still able to exfiltrate files from NSA premises (something that shouldn't be possible anymore after Snowden), and that this insider has the intent to embarrass and damage the NSA (Snowden at least said he just wanted to expose serious wrongdoings).

Here we should keep in mind that such an insider is not necessarily just a frustrated individual, but can also be a mole from a hostile foreign intelligence agency.

Update:
On August 21, NSA expert James Bamford also confirmed that TAO's ANT catalog wasn't included in the Snowden documents (Snowden didn't want to talk about it publicly though). Bamford favors the option of a second insider, who may have leaked the documents through Jacob Appelbaum and Julian Assange.


Russian intelligence?

On Twitter, Edward Snowden said that "Circumstantial evidence and conventional wisdom indicates Russian responsibility", but it's not clear what that evidence should be. It seems he sees this leak as a kind of warning from the Russians not to take revenge for the hack of the Democratic National Committee (DNC) e-mails, which was attributed to Russian intelligence.

This was also what led Bruce Schneier to think it might be the Russians, because who other than a state actor would steal so much data and then wait three years before publishing? Not mentioned by Schneier is that this also applies to the documents that can be attributed to the second source: they also pre-date June 2013.

A related point of speculation is the text that accompanied the Shadow Brokers files, which is in bad English, as if it was written by a Russian or some other non-western person. This is probably a distraction, as it was later reported that on August 27, 2016, the FBI arrested 51-year-old Harold T. Martin III, who worked at NSA as a contractor for Booz Allen Hamilton. In his home in Glen Burnie, Maryland, "many terabytes" of highly classified information were found, dating from the 1990s until 2014. Hal Martin was described as a hoarder, but so far investigators are not certain whether he was also responsible for the various leaks that could not be attributed to Snowden.

Update #3:
On November 19, it was reported by the Washington Post that there had been yet another, previously undisclosed breach of cyber tools, which was discovered in the summer of 2015. This was also carried out by a TAO employee, who had also been arrested, but his case was not made public. An official said that it is not believed that this individual shared the material with another country.



Links and Sources
- EmptyWheel.com: Powerful NSA hacking tools have been revealed online
- NYTimes.com: ‘Shadow Brokers’ Leak Raises Alarming Question: Was the N.S.A. Hacked?
- LawfareBlog.com: NSA and the No Good, Very Bad Monday
