The Great Cyber Game: Commentary (2)
Analysis of a message of messages containing messages
In the first part of this commentary I explained how this operation (Shadow Brokers dropping info), and the parallel operations (Fancy Bears hack team chasing media; the Cleetus account chasing media) are probably coordinated information operations to attempt to shift attention away from Russia’s election meddling.
This second part will look at the dense message that was sent to the NSA on December 14th by the Shadow Brokers. In retrospect, it is now clear that this unusually expensive message was actually laying the groundwork for the December 16th media press to shift the narrative. Very clever information operations work, but I expect nothing less from the Russians. They are grand masters at this game.
The game play so far started with an expensive signal to the NSA. Then a pivot to subverting the narrative and attempting to draw attention away from important issues (Russia meddling in the US elections) to trivial things (hacking news about doping in sports!) and conspiracy theories (is there a shadow war in the IC? No.)
The first move in this play was a very expensive message to NSA which revealed that FSB had (have?) access to “high side” (NSA’s classified networks) exclusive tools. This move established the credibility of the new cut out — Cleetus — what intelligence officials would call “establishing his bonafides”. It also contains a number of extremely densely packed messages targeting a wide range of audiences:
- the neo nazi so-called “alt-right” movement: (American flag with swastikas for stars; “If the choice is between socialist or fascist, I choose fascist!”; “Fascist States of America”)
- the population of deep red states, or at least those inclined to believe InfoWars and Breitbart are more credible than Fox News.
- and at least one that could be a joke which only the infosec community would get (which includes some of the NSA)
Here is the Medium post:
Yet Another Fake Auction As Data Drop (YAFAADD)
The ShadowBrokers drop used a freshly created cut out account, registered in December. There is a huge amount of clever references hidden in here, so we’ll unpack them all (I might miss some, this is quite dense.)
These guys are hilarious, but they also operate like an intelligence agency. They do deep research and build a deliverable information product that they believe will resonate with their target audience. Analyzing it is like semiotics and lit crit on steroids, with a deep background in cyber, geopolitics and you still have to spend a lot of time in Google.
Lets dive in and see what we find.
Matryoshka Doll Messaging
The name of the account that dropped the docs is a probably reference to Hank Williams Jr who’s nickname was Bocephus: “His father nicknamed him Bocephus (after Grand Ole Opry comedian Rod Brasfield’s ventriloquist dummy).” So, that is one “deep red country” reference.
Cleetus (or, Deputy Cletus Hogg??)
This one is a bit more of a stretch, but I think it fits. One of the Deputies always chasing the Dukes around in the TV show “The Dukes of Hazzard” is Deputy Cletus Hogg. Cletus is one of the villains always charging the Dukes with trumped up charges and making their lives difficult. So, again, a “deep red country” reference.
Now here’s the punch line:
The Dukes: 7 Years Of Russian Cyber-Espionage
Today we release a new whitepaper on an APT group commonly referred to as “the Dukes”. We believe that the Dukes are a…
F-Secure named the Russian malware strains used by the Russian APT groups “the Dukes.”
That gets us past the name of the Twitter account. Now, their first post, which was a bit of a media flop. In retrospect, it is obvious that it was never pushed hard because the message was primarily targeted at NSA, and its secondary purpose is to provide credibility to the followup conspiracy theory message they are pushing hard.
On to unraveling the message.
Rage Against The Machine
“…this is for the people of the sun!” — Source
The opening line is a lyric from the RATM album “Evil Empire” and is from a song about Mexicans fighting back against the colonial oppressors.
That is some pretty clever messaging. There is “Evil Empire,” “Rage Against The Machine” and a theme of armed insurrection against oppressors. At the same time, it insinuates that there is an violent Mexican immigrant insurrection ready to happen at anytime inside the United States. Thats really a lot of messaging to put into just one line. It might not be the punchiest lede ever, but it could be a contender for “most compressed message.”
Aw Shucks, I am just, how you say, American country bumpkin, da?
Well howdy partners! I don’t wanna be getting arrested for passing on fake news and all. I rekon I ain’t no security professional but I am whutcha might call a ZeroNet enthusiast. I figured y’all might enjoy something I found on the ole Zero Nets. Those dastardly ole shadow brokers have themselves a zite on ZeroNet. Yep and fars as I can tell they appears to be sellin NSA tools individually now. — Source
The over the top aping of the style of talking used in the Dukes of Hazzard is particularly why the Cletus reference seems to fit well. It is a nod and a wink that can be interpreted as appropriate by whichever audience is reading it. At the same time, it provides a great mask for any linguistic analysis because it is so clearly consciously created.
These guys have a great sense of humour.
Is Cleetus the Shadow Brokers?
For all intents and purposes, yes. This was the only account that published this data, and the “following” list is clearly intended as its own set of signals.
Incidentally, I suspect @musalbus is in there because he tweeted that NSA tools were being sold individually on the darknet. I don’t believe that was true at the time, and I suspect that he is included simply to add credibility from a third party about the dark web sale of individual NSA tools.
These guys do their research!
They have also quote his tweets in the past (when he did a load of research on the first Shadow Brokers drop in August.)
The New American Empire
The bottom of the post asks people to donate to “The New American Empire” and includes a bitcoin wallet.
At least one person has done that, sending about $50 to the address, which was then promptly moved out a couple hours later. This is particularly curious as the transaction happened on November 23rd, at least two weeks before the Cleetus account was created and about three weeks before the post was made.
There are no other references to this wallet address except on blockchain.info, and in the Medium post.
Someone else who knows more about Bitcoin might want to follow that up, but I’m willing to speculate this is not a sincere plea for donations.
Not About The Benjamins
If we rule out soliciting money as the reason for the link, then the most logical conclusion is the reference to “The New American Empire,” summarised by Wikipedia as:
The New American Empire is divided into four parts, analyzing the strategic causes behind the 2003 Iraq War and its consequences: first, the role played by politics and religion; second, the role played by oil and military strategy; third, how the Bush Doctrine as a blueprint for U. S. world hegemony conflicts with international law; and, how the very long cycle of empires may be getting close to the end for the Western world.
I will admit to ignorance of this book before writing this post, but its inclusion certainly seems to be a message directed at an audience.
I’m deeply indebted to analysis and suggestions provided by [redacted], [redacted], [redacted] and everyone else who helped. (Let me know if you’d like me to unredact your name.)
Next Up: High Side, High Cost
How expensive was this message of messages? I’ll examine the contents of the zip and post in part three.