The Great Cyber Game: Commentary (3)

The third instalment of a two part series on cyber

thaddeus t. grugq
4 min read · Dec 17, 2016

In the first part of this commentary I looked at what and why the cyber full court press is happening. The second part was a textual analysis of the Shadow Brokers drop (matryoshka messaging.) This third part will explore how we know that this was such an expensive message.

This post will address two questions: was it really the Shadow Brokers, and are they really NSA tools from the high side?

Authentic ShadowBrokers?

This is an easy one. The first clue that this is the ShadowBrokers is the terrible wandering accent they affect. But the proof that it is really them is that the PGP signatures are correct. Full stop.
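The check that makes "the PGP signatures are correct" meaningful is not that gpg prints "Good signature" (it does that for any key that happens to be in the keyring) but that the signature was made by the same key that signed the earlier drop. Below is an added example of that check as a practitioner would script it; it is not from the original post and it is not the ShadowBrokers' key. The `gpg` options (`--batch`, `--status-fd`, `--verify`) are real; the fingerprints and the sample status output are constructed placeholders for an offline run.

```shell
# Added example, not from the original post.  Pin the signer's fingerprint
# instead of trusting gpg's exit status: gpg --verify exits 0 for ANY key
# already in the local keyring, so "Good signature" alone proves only that
# someone signed the file, not that the same party signed the last drop.
# All fingerprints below are made-up placeholders, not the real key.

# Parse `gpg --status-fd 1` output.  Return 0 only if a VALIDSIG status
# line names the pinned 40-hex-char fingerprint (compared case-insensitively).
# VALIDSIG fields: [GNUPG:] VALIDSIG <fingerprint> <date> <timestamp> ...
sig_matches_pin() {
    status="$1"
    pin=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    printf '%s\n' "$status" | awk -v pin="$pin" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($3) == pin { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Verify a message (cleartext-signed, or with a detached .sig/.asc) against
# the pinned fingerprint.  Requires gpg and the signer's public key imported.
# Usage: verify_pinned MESSAGE_FILE PINNED_FPR [DETACHED_SIG_FILE]
verify_pinned() {
    msg="$1"; pin="$2"; sig="${3:-}"
    if [ -n "$sig" ]; then
        status=$(gpg --batch --status-fd 1 --verify "$sig" "$msg" 2>/dev/null)
    else
        status=$(gpg --batch --status-fd 1 --verify "$msg" 2>/dev/null)
    fi
    sig_matches_pin "$status" "$pin"
}

# Constructed status output, as gpg would emit for a signature that is
# cryptographically valid but made by a key OTHER than the pinned one.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <nobody@example.invalid>
[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2016-12-14 1481702400 0 4 0 1 10 00 0000111122223333444455556666777788889999
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Placeholder for the fingerprint recorded from the first (August) drop.
PINNED_FROM_FIRST_DROP='FFFFEEEEDDDDCCCCBBBBAAAA99998888777766665555'

if sig_matches_pin "$SAMPLE_STATUS" "$PINNED_FROM_FIRST_DROP"; then
    echo "same signer as the earlier drop"
else
    echo "valid signature, but NOT the pinned key: treat as a different party"
fi
```

In practice the pinned value is the fingerprint you recorded from the August release; a new message that verifies against a different key is evidence of a different author, however confident the wandering accent sounds.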

High Side, High Cost

The major cost of this ShadowBrokers message was the information exposed by the drop. It reveals what the ShadowBrokers knew, which is precious information to an intelligence service. This particular dump reveals a lot, the most important of which is that ShadowBrokers had access to tools, implants and exploits that would only exist on the high side (inside the NSA’s classified networks.)

Why High Side?

The easiest way to tell that this is high side gear, not a back hack from an ops box, is that there is simply too much here. It's hard for me to explain because it requires a level of information security knowledge combined with understanding how cyber operations are conducted (which is different from pen tests or red teaming.)

The TAO of Cyber

Cyber operations are basically designed with operational security in mind. The operators create a minimal package of tooling needed for conducting exactly, only and specifically the operation they are doing. This means, for example, if they are hitting a telco Call Data Records (CDR) box, they will plan for what they are going to do on that specific computer and prepare the tools for only that plan and that computer. If those tools are captured, or there is a back hack up to their staging point, the loss is compartmented. The operator will (should*) ensure that there are no codenames exposed, that everything is encrypted, and that there is as little evidence as possible for the opposition.

With that in mind, have a look at the summary of what is being offered for sale.

It contains code names, obvious hacking tools (forkpty), numerous exploits and implants, and at least one duplicate from the original ShadowBrokers release in August (nopen). The details inside the zip file are even more revealing. There is simply too much for any single failure / mistake (such as the first drop) to explain it.

Whadda we got?

This dump has a bit of everything. In fact, it has too much of everything. The first drop was a firewall ops kit. It had everything that was supposed to be used against firewalls. This dump, on the other hand, has too much diversity and each tool is comprehensive.

The depth and breadth of the tooling they reveal can only possibly be explained by:

  1. an improbable sequence of hack backs which got, in sequence, massive depth of codenamed implants, exploits, manuals,
  2. access to high side data

To show the sort of breadth, here is the internal user control script (with the original naming) for a telco CDR data extraction tool:

And here is a set of hundreds of precompiled implants, in incrementing version numbers, for a set of target boxes. This is a comprehensive set, no other way of viewing it:

And they include the usage manual.

It is obvious that this data would never leave NSA classified networks except by some serious operator error (as I believe was the case with the first ShadowBrokers leak.) For this dump though, it is simply not plausible. There is no way that such diverse and comprehensive ops tooling was accidentally exposed. It beggars belief to think that any operator could be so careless that they’d expose this much tooling, on multiple diverse operations.

There are, based on my count, twenty one (21) scripts/manuals for operations contained in this dump. They cover too many operations for a mistake, and they are too comprehensive for a mistake.

Is it worth it?

If the sale was real and you bought the tools individually, you’d be paying about 1400 BTC (a bit under USD$ 1.1 million, at this hour’s exchange rate.) The entire dump for just 1000 BTC is a real bargain (only USD$780k), it pays to buy warez in bulk!

How bad is it?

For the NSA this is definitely a gut punch. There is a lot of operational detail and lessons that are exposed in this (and the earlier Shadow Brokers dump). The upshot is that a lot of it looks pretty old. So this might be “of historic interest only.” I would expect that a lot of the tools and exploits here are no longer the state of the art for NSA, and so their ability to do their mission will not be negatively impacted by this release. Still, damn, that’s gotta hurt.

Earlier in this series: Part One. Part Two.
