The Great Cyber Game: Commentary (3)

The third instalment of a two part series on cyber

In the first part of this commentary I looked at what and why the cyber full court press is happening. The second part was a textual analysis of the Shadow Brokers drop (matryoshka messaging.) This third part will explore how we know that this was such an expensive message.

This post will address two questions: was it really the shadow brokers, and are they really NSA tools from the high side?

Authentic ShadowBrokers?

High Side, High Cost

Why High Side?

The TAO of Cyber

With that in mind, have a look at the summary of what is being offered for sale.

It contains code names, obvious hacking tools (forkpty), numerous exploits and implants, and at least one duplicate from the original ShadowBrokers release in August (nopen). The details inside the zip file are even more revealing. There is simply too much for any single failure / mistake (such as the first drop) to explain it.

Whadda we got?

The depth and breadth of the tooling they reveal can only possibly be explained by:

  1. an improbable sequence of hack backs which got, in sequence, massive depth of codenamed implants, exploits, manuals,
  2. access to high side data

To show the sort of breadth, here is the internal user control script (with the original naming) for a telco CDR data extraction tool:

And here is a set of hundreds of precompiled implants, in incrementing version numbers, for a set of target boxes. This is a comprehensive set, no other way of viewing it:

And they include the usage manual.

It is obvious that this data would never leave NSA classified networks except by some serious operator error (as I believe was the case with the first ShadowBrokers leak.) For this dump though, it is simply not plausible. There is no way that such diverse and comprehensive ops tooling was accidentally exposed. It beggars belief to think that any operator could be so careless that they’d expose this much tooling, on multiple diverse operations.

There are, based on my count, twenty one (21) scripts/manuals for operations contained in this dump. They cover too many operations for a mistake, and they are too comprehensive for a mistake.

Is it worth it?

How bad is it?

Earlier in this series: Part One. Part Two.

Information Security Researcher :: :: ::