NSA malware released by "The Shadow Brokers"
August 17, 2016 8:34 PM   Subscribe

Was the N.S.A. Hacked? A group calling itself The Shadow Brokers [Google cache], widely supposed to actually be Russian state-backed hackers, released an archive of purported NSA Tailored Access Operations/'Equation Group' malware, including zero-day exploits on commercial routers. NSA insiders confirm likely legitimacy. The archive dates to mid-2013, shortly after the Snowden revelations, leading him and others to ponder whether the resulting cleanup operation shut out the hackers. Schneier guesses the timing was meant to signal the Obama administration against sanctions for the DNC hack.
posted by p3on (50 comments total) 36 users marked this as a favorite
 
bonus for those who like the juicy bits: Equation Group Firewall Operations Catalogue
posted by p3on at 8:41 PM on August 17, 2016 [2 favorites]


This is a jaw-droppingly good demonstration of why it is a bad idea to force Apple et al. to help the FBI and other arms of law enforcement with making tools to break into mobile devices. If the NSA can't protect their secrets from figures associated with Russian organized crime, then the FBI certainly won't be able to do any better.
posted by a lungful of dragon at 8:49 PM on August 17, 2016 [41 favorites]


If you're under 50, you were never promised flying cars.

You were promised an oppressive cyberpunk dystopia.

Enjoy.

(I'm plagiarizing a tweet from somewhere)
posted by ocschwar at 8:57 PM on August 17, 2016 [21 favorites]


(I'm plagiarizing a tweet from somewhere)

Probably Twitter, if I was to hazard a guess.
posted by Greg_Ace at 10:04 PM on August 17, 2016 [31 favorites]


Snowden's comments.
posted by Termite at 10:07 PM on August 17, 2016 [8 favorites]


Has anyone in any of the links tried to estimate the market value of the released zero-days and other stuff? It would be interesting to know how effectively expensive sending this message was, whatever the message is.
posted by XMLicious at 11:05 PM on August 17, 2016


Do other countries get their stuff released like this? I feel like I only see news of our stuff getting released like this. Is the NSA hacking and releasing Russian info?
posted by gucci mane at 11:14 PM on August 17, 2016


Yeah, wikileaks used to leak non-US stuff. Was applauded by the State Dept too.

I don't think anyone has gone through it in detail yet to determine market value. Similar to the HT dump, the analysis is expensive and time consuming, and most people with the technical expertise to do it don't have any motivation to publish. Additionally, leaking the implants probably has a higher cost than the exploits, especially with these targets.
posted by yeahwhatever at 11:48 PM on August 17, 2016


No, Gucci, because then Polonium.
posted by effugas at 11:49 PM on August 17, 2016 [1 favorite]


"Do other countries get their stuff released like this? I feel like I only see news of our stuff getting released like this. Is the NSA hacking and releasing Russian info?"

I think it's a language issue. Most people speak English as either a primary language or as a secondary language so if a leak is in English then it gets a lot more eyeballs than if it was in a different language.

Here's a list of other sites like Wikileaks:

http://memeburn.com/2011/06/8-whistle-blowing-sites-you-probably-didn%E2%80%99t-know-about/

That list's from 2011 so I don't know how active or existant the individual sites are.
posted by I-baLL at 12:09 AM on August 18, 2016


> You were promised an oppressive cyberpunk dystopia.

I'm a very technical boy, and I demand my shotgun.
posted by Leon at 2:47 AM on August 18, 2016 [6 favorites]


A curious technical analysis of a couple of tools reached me via twitter. Spoiler: poor code. (I couldn't read it in Firefox+Linux, except by Alt key, View -> Page Style -> No Style).
posted by sourcejedi at 3:56 AM on August 18, 2016 [2 favorites]




The the idea it's more of a subversive PR threat stunt from a Russian group seems to make more sense that a legitimate auction. Half a billion dollars seems out of range for shady subversive transactions, certainly a public offer with no arrangement for some kind of blackmarket escrow.

I can even see it as a reverse subversive stunt to encourage/scare folks to get their system patches up to date. Three year old exploits should all be fixed by now.
posted by sammyo at 4:47 AM on August 18, 2016


Has anyone in any of the links tried to estimate the market value of the released zero-days and other stuff? It would be interesting to know how effectively expensive sending this message was, whatever the message is.
Since it's all from 2013, probably not that much.
posted by edheil at 5:51 AM on August 18, 2016


You were promised an oppressive cyberpunk dystopia.

I'm pretty sure Blade Runner had both.
posted by CheeseDigestsAll at 6:39 AM on August 18, 2016 [16 favorites]


@edheil age doesn't necessarily lessen value for an exploit—the only question is if they are currently unpatched or not.

As the "zero-day exploits" link above points out, at least one of these exploits was a zero-day, i.e. unpatched at the time the Shadow Brokers disclosed it. And in Cisco security hardware, which is a pretty high-profile/juicy target.

I'm not conversant enough in that world of security to actually estimate a price, but I think it could be high.
posted by MetropolisOfMentalLife at 6:44 AM on August 18, 2016 [1 favorite]


Here's the Cisco security advisory regarding one of the exploits yesterday, crediting the Shadow Brokers release as the source. [Hacker News discussion]

What's the shelf life for 0-days in general? One study that retroactively looked for exploitation of vulnerabilities found that "attacks lasted anywhere from 19 days to 30 months, with an average lifetime of 312 days before public disclosure of the vulnerability." So in general we would expect that scripts from 2013 would mostly no longer work.

But these are exploits that NSA has chosen not to patch, which makes them unusual. In general, the agency claims that it "discloses 91 percent of security flaws it uncovers to U.S. technology firms," and part of the decision about whether to disclose is how likely anyone else is to find the vulnerability. So we might expect flaws that they do hang onto to last longer.
posted by john hadron collider at 6:55 AM on August 18, 2016 [2 favorites]


... for example, from the HN discussion, it sounds like the Cisco exploit requires you to start with a "community" password, which gets sent over the internet in plaintext in some setups. So the Cisco exploit would be more appealing to look for, and more valuable to find, if you happened to be monitoring a lot of internet traffic and have a bunch of community passwords anyway. That might explain why NSA chose to hang onto it and why no one else found and reported it.
posted by john hadron collider at 7:15 AM on August 18, 2016 [2 favorites]


Back to the Future Part II came out in 1989, was not a cyberpunk dystopia, and it had a lot of flying cars, and it took place in 2015. I am 35 and I was promised flying cars.

I was also promised a cyberpunk dystopia, but don't say I'm not allowed to complain about the lack of flying cars now that we've got the dystopia.
posted by The Man from Lardfork at 7:18 AM on August 18, 2016 [10 favorites]


Zero Days: Security Leaks For Sale.

Good documentary piece on what Zero Days are, and how the completely unregulated global market in them functions.

It's not generally illegal to search for & sell details in online security flaws. Whom they get sold to? That's up to the ethics of the seller.
posted by Pirate-Bartender-Zombie-Monkey at 7:28 AM on August 18, 2016 [1 favorite]


Patrick Gray's infused podcast Risky Business (risky.biz, I believe) talks about this in the episode that he just dropped. Worth a listen for his take on the context and the USA/Russia angle, including the line "smells like vodka."
posted by wenestvedt at 7:37 AM on August 18, 2016


If you're under 50, you were never promised flying cars.

You were promised an oppressive cyberpunk dystopia.


Can I at least have some working cyborg eyes? Mine are really having issues and I would like them.
posted by mephron at 7:53 AM on August 18, 2016 [4 favorites]


i take solace in the fact that as bad as things are, at least we don't have flying cars.
posted by entropicamericana at 7:59 AM on August 18, 2016 [11 favorites]


The Snowden commentary Termite linked upthread has the best take:

"Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack. [...] This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server. [...] Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks."
posted by stinkfoot at 8:18 AM on August 18, 2016 [3 favorites]


The Shadow Brokers? I want to think that's a Mass Effect reference but is it actually referencing something else or did they just come up with that?
posted by picklenickle at 9:21 AM on August 18, 2016 [2 favorites]


we have self-driving cars that will steer you into a wall and kill you if the pedestrians you're about to plow through contain more doctors than criminals so there's that at least
posted by prize bull octorok at 9:28 AM on August 18, 2016 [1 favorite]


Pretty sure it's a Mass Effect reference as the Shadow Broker in Mass Effect sells information and his identity is unknown.
posted by I-baLL at 9:41 AM on August 18, 2016 [4 favorites]


The chilling part of all this for me is this final quote from the NYT
“The real problem for us is that the Russians seem to have taken the gloves off in the cyberdomain,” said Mr. Lewis, of the Center for Strategic and International Studies, “and we don’t know how to respond.”
A similar scary event happened last year, when China DDOSed GitHub. And by the way, signalled a blunt capability to take down the whole Internet any time they felt like it.

There's a new arena for nations to mess with each other, and its consequences will be somewhere between gentlemanly espionage and murderous warfare. And no one has any idea how to approach it.
posted by Nelson at 10:06 AM on August 18, 2016 [3 favorites]


"Equation Group Firewall Operations Catalogue", or list of suggested MeFi usernames?
posted by uosuaq at 10:09 AM on August 18, 2016 [1 favorite]


Can I at least have some working cyborg eyes? Mine are really having issues and I would like them.

They will come with built in advertising though.
posted by srboisvert at 10:56 AM on August 18, 2016 [2 favorites]


And by the way, signalled a blunt capability to take down the whole Internet any time they felt like it.

Burns verkauft das Kraftwerk.
Ooohh, The Germans
posted by lazycomputerkids at 11:51 AM on August 18, 2016


If you're under 50, you were never promised flying cars.
You were promised an oppressive cyberpunk dystopia.


It always appeared to me that flying cars = dystopia. Even for the happy 100-years-in-the-future Jetsons, the flying cars were necessary transportation between buildings constructed on tall poles high above the ground, suggesting it wasn't safe to live down there! And if the problems with self-driving cars are any indication, a sky full of flying cars would have vehicles falling from the sky almost constantly (maybe that's why it's not safe down here).

As far as "oppressive cyberpunk", it is (so far) thankfully less oppressive (but subtly so) and sadly less cyberpunk than predicted. What we have is more of a replay of the 1990s, which is nightmarish enough.
posted by oneswellfoop at 12:02 PM on August 18, 2016 [3 favorites]


"There's a new arena for nations to mess with each other, and its consequences will be somewhere between gentlemanly espionage and murderous warfare. And no one has any idea how to approach it."

Eh, it's not new at all.

stuxnet, flame, duqu, gauss, Shadow Network, Project Sauron

and those are just the links that I spent the past few minutes compiling. And that's from the attacks we found out about. Who knows how many attacks go unnoticed?
posted by I-baLL at 12:27 PM on August 18, 2016 [2 favorites]


Congratulations, you've named six cyberwarfare examples from the last few years. I could list 20+ more of similar vintage. It's still a "new area", in the historical context of warfare and diplomacy. There are no established precedents for attribution and escalation. There is no antecedent action from, say, World War 2 or the Cold War that directly applies.
posted by Nelson at 1:44 PM on August 18, 2016 [2 favorites]


Well, there kind of sort of is.

During the Israeli war of Independence in 1948, one of the most sought after prizes in Jerusalem was the telephone exchange. The Lebanese woman charged with guarding it, Nimra Tannous, not only guarded it with a pistol, she also had to monitor it to detect attempts at phone-phreaker activity from the Jewish side.
posted by ocschwar at 6:21 PM on August 18, 2016 [2 favorites]


Oschwar - that sounds fun, where can I read about it?
posted by Joe in Australia at 6:26 PM on August 18, 2016 [1 favorite]




In the context of warfare and diplomacy, is this really all that different from non-cyber-warfare sabotage, espionage, and propaganda?

There are certainly mundane differences of scale versus cost, and the technical nature of evidence, and I'd expect any party accused or suspected to throw up "it's an unexplored novel phenomenon, a new frontier! I mean should this even count as state aggression, when kids do it for fun?" chaff the way that "online, copyright law is a total grey area!" was milked for PR purposes for decades, but in reality this release under discussion in the OP doesn't seem materially different than something like the Bolshevik publication of the Sykes-Picot Agreement a hundred years ago.

Or for example there isn't any practical reason that the fallout from stuxnet should be any different from saboteurs destroying the same sort of military equipment with explosives or abrasives mixed in with bearings or something like that.
posted by XMLicious at 6:56 PM on August 18, 2016 [1 favorite]


During the Israeli war of Independence in 1948, one of the most sought after prizes in Jerusalem was the telephone exchange. The Lebanese woman charged with guarding it, Nimra Tannous, not only guarded it with a pistol, she also had to monitor it to detect attempts at phone-phreaker activity from the Jewish side.

More plz
posted by iffthen at 8:10 PM on August 18, 2016


No, Gucci, because then Polonium.

Yeah, and I kinda wish Putin would knock it off, he's shaping up to be a villain in Biblical prophecy, which isn't a fate I'd wish on the most brutal dictator.

(The targeted assassinations seem to be directed more at Russian defectors than loyal Western agents, no?)
posted by iffthen at 8:13 PM on August 18, 2016


O Jerusalem, by Collins, mentioned Tannous noticing attempts to tap conversations and mess with her switchboard.

I'd have to dig up a physical copy, because nothing online discusses that.
posted by ocschwar at 8:44 PM on August 18, 2016 [1 favorite]


Thanks ocschwar! I'll have to look for that.

Back on topic (I say this often), I agree with legit tools, state-sponsored, likely Russia. But I noticed something in the Schneier article:

But the big picture is a far scarier one. Somebody managed to steal 301 MB of data from a TS//SCI system at some point between 2013 and today. Possibly, even probably, it occurred in 2013. But the theft also could have occurred yesterday with a simple utility run to scrub all newer documents. Relying on the file timestamps­ -- which are easy to modify­ -- the most likely date of acquisition was June 11, 2013. That is two weeks after Snowden fled to Hong Kong and six days after the first Guardian publication. That would make sense, since in the immediate response to the leaks as the NSA furiously ran down possibly sources, it may have accidentally or deliberately eliminated this adversary's access.

Emphasis mine. Err, I think that's overstated. Timestamps are trivial to modify in a technical, fiddle-with-these-bytes sense, but not in a does-this-look-legitimate sense. There are interrelationships among the timestamps of files, and timestamps of archives of files, that you either would or wouldn't expect to see in the real world. For instance: there's a set of six C++ source files and a Makefile. The Makefile is used to compile the other six files into a working program. Now, assume you have a look and see they all have the same modification time (day, to simplify). I would call bullshit. Unless the program is trivial (which it probably is not, if you have six source files), you're likely to have a newer modification time on at least one of the files than you do on the Makefile, for the reason that you continue fixing bugs and recompiling for a while after you have your build process set up.

So what I'm saying is - I have no opinion on when the stuff was taken, since I haven't looked at the archive. But Schneier's logic is a bit funny.

If related-timestamps is a productive course of inquiry, you'd probably need TAO people to actually look at it. So that's where my spitballing ends :P (effugas, any idea if 0xcharlie is on Metafilter? ;)
posted by iffthen at 12:49 AM on August 19, 2016 [1 favorite]


"Timestamps are trivial to modify in a technical, fiddle-with-these-bytes sense, "

Even easier than that.

Let's say I have a file called "whatever" and I want it to look like it was created on January 2nd of 2020. All I do is run the command:

touch -m -a -t 202001021234 ./whatever

which makes the file look like it was modified at 12:34pm on Jan 2nd, 2020.

So, there's no need for anything technical "fiddle-with-bytes" since it's just a simple command.

And I don't think Schneier's logic is funny. Right before the bolded part, he says:
"Somebody managed to steal 301 MB of data from a TS//SCI system at some point between 2013 and today. Possibly, even probably, it occurred in 2013" (emphasis mine)
So he's saying that the timestamps are probably real but, at the same time, we can't fully trust them since they're extremely easy to modify. Seems pretty sound logic to me unless I'm misunderstanding you.
posted by I-baLL at 5:32 AM on August 19, 2016


> you're likely to have a newer modification time on at least one of the files than you do on the Makefile

Unless you copied the directory at some point via a process that destroys timestamps (eg rsync without --times).
posted by Leon at 7:21 AM on August 19, 2016


The government non-concern for privacy that was in the spotlight with the FBI iPhone spectacle is worrisome, for sure, especially if the next administration doesn't get concerned enough and tech-savvy enough to stop the law and order wing from running roughshod over what slivers of privacy remain.

(There are even scarier/more tonedeaf statements from the Trump "campaign", but I don't think they're worth wasting time on since, like, not gonna happen.)
posted by rokusan at 3:14 PM on August 19, 2016 [1 favorite]


the most likely date of acquisition was June 11, 2013. That is two weeks after Snowden fled to Hong Kong and six days after the first Guardian publication.

Another reasonable explanation is that Snowden was targeted for surveillance immediately he went public, and something he did (despite what appear to have been his best efforts, in good faith) revealed a weakness in NSA security, which was then exploited.
posted by Joe in Australia at 2:07 AM on August 20, 2016


ShadowBrokers Bitcoin Transactions: Now There’s Some Taint For You!. Someone traced Bitcoin being paid into the ShadowBroker's account. Some of the payments are coming from coins seized by the US government when they took down the Silk Road. Only a tiny amount of money, a reasonable guess is some clever US agent is trying to track ShadowBrokers people if they are dumb enough to re-spend the tainted money.

(For context: Bitcoin transactions are traceable, it's a core part of the design.)
posted by Nelson at 8:05 AM on August 20, 2016


The NSA leak is real, Snowden documents confirm. Some fingerprints from the malware release from ShadowBrokers turns out to also be in the documents Snowden released a few years ago.
posted by Nelson at 8:06 AM on August 20, 2016




« Older Story of Your Life   |   The Grey Lady's Big Plans Newer »


This thread has been archived and is closed to new comments