KALYPTO (IN)SECURITY

Research, demonstrations, and popcorn

The NSA and The Shadow Brokers

As most everyone is well aware, there has been a breach at the National Security Agency.  At some point, data and tools from some of the most protected areas of the NSA were stolen.  On Monday (2016-08-15), a sample of the data stolen, as well as details on an auction for the full data set, was posted online by a group using the name “The Shadow Brokers.”

Within minutes of the information landing, you had people from all over the world crawling out from under their rocks to post “insider” information on what happened, how it happened, who was involved, etc.  Theories started popping up like crazy that it was Russia, Snowden, the FBI trying to sting people, etc.

Not one of the people posting, knows a damn thing about what really happened.

Most of these people are doing a shotgun approach.  They are posting a bunch of made up things all over, and then once the truth comes out, they will cleanup everything that doesn’t fit the truth.  Then you will see a bunch of “See, I said it first http://herpblog.derp” tweets and posts.

What REALLY Happened

So… want to know what really happened?  So do I.

I don’t know what really happened.  The people that know the truth about the source of the tools leaked are not talking.  Would you really expect them to?  Their whole job is to keep secrets.  The least likely time to expect them to open up is when a giant spotlight is shining on them.

Information about what is going on is going to be very compartmentalized right now.  Very few people know the truth.  Very few people at the NSA know everything the NSA knows about this.  Standard operating procedure, while investigating,  is to shut the hell up.

Just because someone works at the NSA or used to work at the NSA, does NOT mean they know what is going on or how this happened.  It means they have an insiders view of the culture at the NSA, but still know as much as your local Uber driver.

What are my thoughts?

Like I said, I have no clue what happened.  All I can do is speculate like the rest of you.  But here are my opinions on what could possibly have happened:

  1. Third-party Nation State:  In terms of leaks and not physics, this means a third party actor infiltrated the NSA and stole this information.  Is it possible that someone defected?  Of course.  It happens because people are the weakest part of any intelligence organization.  People are both the cause and solution to issues.If a nation state convinced someone (other than Snowden) to leak information, do not expect to hear about it.  The easiest way to hide an active mole, is to attribute the leak to someone we already know leaked data.  This is the same thing that happened with Robert Hanssen and the FBI.  They had him investigate his own leaks because they attributed it to someone they knew already leaked information.
  2. Edward Snowden:  While he parades as a freedom fighter and martyr, Edward Snowden is a coward and an anarchist.  He didn’t do what he did because it was against his morals.  If it was, he wouldn’t have worked for the CIA, NSA, and several private information security organizations around the country for over a decade.  He was angry and saw an opportunity… then when the shit hit the fan, he ran to one of The United States worst foes when it comes to information; Russia.  In fact, his trip to Russia, started with a who’s-who trip around the world hitting all the enemy embassies and countries that hate the United States.If Snowden had leaked these tools, they would have been one of the first things dropped by WikiLeaks.  Their entire M.O. is to release the most damaging data at the right time.  That would have been years ago.  The emails and documents released were fast-food napkins in comparison to some of the 0-Day vulnerabilities in the tools released.
  3. A Mistake from Within:  One of the more popular theories I have read, is that a careless CNO left them attached to a server and someone found them.  I don’t buy this as it’s not like a single person connects to an operating server, mounts an ISO, and goes to work taking over networks around the world.  Their work is coordinated, scripted, and pre-planned.  They also do not take the entire library of vulnerabilities.  Operators pick only the tools they need for the job and use only those tools.The tools are created and managed by a different group within the NSA called the TAO group (Tailored Access Operations).  TAO is the group that cultivates the library and make sure the operators have the tools, vulnerabilities, and access needed to accomplish operations.  The TAO group doesn’t just say “Hmm, I bet they will need a vulnerability for X model of Cisco firewall at some point… I’ll create a tool for it.”  They receive full requirements documentation and create tools and exploits to accomplish specific DOCUMENTED tasks.  The idea that a CNO or TAO member would upload an entire library to a server and leave it, is ridiculous.

So, then what happened?

I still don’t know… stop asking.

On a Side Note:

I saw a post from one of the few people I still respect in the Information Security world (Krypt3ia) regarding the BitCoin addresses being used by the Shadow Brokers.  I disagree with his findings.  I don’t see any transactions from the Silk Road BitCoin addresses, I only see outgoing transactions.  Someone appears to have sent a fraction of a BitCoint TO the Shadow Brokers account at the same time as sending to a couple other addresses (including a seized Silk Road address).

 

brokerhacknsashadowshadowbrokertool

Kalypto • August 24, 2016


Previous Post

Next Post