THE NSA-SHADOW BROKERS HACKS: MORE RECONNAISSANCE?
November 29, 2017
Mr. T.M. shared this story, and it's quite revealing, especially as I have entertained the idea, in previous blogs and in some interviews, that the massive amount of hacking occurring against major western institutions might be the work of more than the usual suspects (i.e., Russia and China), and might represent a non-territorial actor or actors. Additionally, I've also advanced the high octane hypothesis that this "entity" or these "entities" might actually be doing something rather different than just conventional hacking, namely, that the activities appear to be a kind of "internet reconnaissance activity," mapping the actual "architecture" of the internet. Consider just the scale of the activity that we've seen over the years: Sony, various major banking institutions including Chase Manhattan and a few others, the Federal Reserve. Add to this the patterns of "information leaks" of various natures, from the Panama Papers to the Snowden affair, to the mysterious sources for Wikileaks, the advent - and "disappearance" - of the hacking group Anonymous, and you get the picture: there is a definite and large pattern of covert internet and hacking activity, and it all at least seems to be connected.
Which brings me to this story shared by Mr. T.M.:
With respect to my "high octane hypothesis" that some entity or entities appears to be "mapping the architecture" of the Internet, there is a statement in this article that caught my attention:
The NSA, which compiles massive troves of data on US citizens and organizes cyberoffensives against the US's enemies, was deeply compromised by a group known as the Shadow Brokers, which has made headlines in the past year in connection to the breach, whose source remains unclear.
The group now posts cryptic, mocking messages pointed toward the NSA as it sells the cyberweapons, created at huge cost to US taxpayers, to any and all buyers, including US adversaries like North Korea and Russia.
Furthermore, a wave of cybercrime has been linked to the release of the NSA's leaked cyberweapons.
A glance at the original NY Times article here reveals some even more intriguing tidbits:
Mr. Williams had written on his company blog about the Shadow Brokers, a mysterious group that had somehow obtained many of the hacking tools the United States used to spy on other countries. Now the group had replied in an angry screed on Twitter. It identified him — correctly — as a former member of the National Security Agency’s hacking group, Tailored Access Operations, or T.A.O., a job he had not publicly disclosed. Then the Shadow Brokers astonished him by dropping technical details that made clear they knew about highly classified hacking operations that he had conducted.
America’s largest and most secretive intelligence agency had been deeply infiltrated.
“They had operational insight that even most of my fellow operators at T.A.O. did not have,” said Mr. Williams, now with Rendition Infosec, a cybersecurity firm he founded. “I felt like I’d been kicked in the gut. Whoever wrote this either was a well-placed insider or had stolen a lot of operational data.”
There you have it: the NSA has either (1) been hacked, or (2) has a mole or moles inside the agency, or (3) both. If (3) sounds implausible, recall only the case of Edward Snowden. But there is an additional breadcrumb of information in the Times article, and for all those following the bizarre story of "Q" and his, her, or their anonymous postings about an ongoing hidden factional war in the deep state, there is this:
Fifteen months into a wide-ranging investigation by the agency’s counterintelligence arm, known as Q Group, and the F.B.I., officials still do not know whether the N.S.A. is the victim of a brilliantly executed hack, with Russia as the most likely perpetrator, an insider’s leak, or both. Three employees have been arrested since 2015 for taking classified files, but there is fear that one or more leakers may still be in place. And there is broad agreement that the damage from the Shadow Brokers already far exceeds the harm to American intelligence done by Edward J. Snowden, the former N.S.A. contractor who fled with four laptops of classified material in 2013. (Emphasis added)
Adding fuel to the flames of the "Q breadcrumbs" drop, there's this interesting bit of information as well:
Then there are the Shadow Brokers’ writings, which betray a seeming immersion in American culture. Last April, about the time Mr. Williams was discovering their inside knowledge of T.A.O. operations, the Shadow Brokers posted an appeal to President Trump: “Don’t Forget Your Base.” With the ease of a seasoned pundit, they tossed around details about Stephen K. Bannon, the president’s now departed adviser; the Freedom Caucus in Congress; the “deep state”; the Alien and Sedition Acts; and white privilege.
“TheShadowBrokers is wanting (sic) to see you succeed,” the post said, addressing Mr. Trump. “TheShadowBrokers is wanting America to be great again.”
So how does any of this support the speculation that someone may be "reconnoitering" the internet's architecture? Consider this article on "The Shadow Brokers," where we find this intriguing and highly suggestive paragraph:
The Shadow Brokers suddenly appeared last August, when they published a series of hacking tools and computer exploits—vulnerabilities in common software—from the NSA. The material was from autumn 2013, and seems to have been collected from an external NSA staging server, a machine that is owned, leased, or otherwise controlled by the U.S., but with no connection to the agency. NSA hackers find obscure corners of the internet to hide the tools they need as they go about their work, and it seems the Shadow Brokers successfully hacked one of those caches. (Emphasis added)
This would seem to suggest once again that either there are some highly placed moles inside the agency who "know" or at least "strongly suspect" where to look, or that the hackers have, already, gained enough information about internet architecture to be able to search for, and target, such information caches. If the latter, then this implies something else, one heavy with implications if one considers this activity to be that of an extra-territorial group, rather than the activity of a state or state-sponsored group: it has access to significant computing power and sophisticated programming capability. But how might one disguise this?
In my typical hack-from-South-Dakota form, I want to advance a bit of (very) high octane speculation: what if this group is sophisticated enough to co-opt computer networks in a kind of "block chain" of hacking technology, a "block chain hacking" tool? What if they have harnessed block chain techniques to access, and then squirrel away, the data they steal? Mind you, I know next to nothing about this sort of stuff, but it seems to me that the idea (or at least something like it) would seem to be suggested by the NSA's inability, thus far, to identify and locate the threats to national security. (And if this scenario or speculation has any merit, then it certainly has significant implications for the security of block chain and crypto-currency technologies.)
In any event, the entire story - with its rumblings of some sort of connection to the "Q" breadcrumb story now circulating on the internet - seems to suggest a group with some very sophisticated techniques at its disposal, and I strongly suspect that this connection may, in fact, be one of the overlooked breadcrumbs in the whole affair.
See you on the flip side...