1 June 2017

Who Are The Shadow Brokers?: Noted Cyber Security Guru, Bruce Schneier Thinks He Knows; But, In His Article, He Does Overlook Another Reasonable Possibility — I Believe


Noted cyber security researcher, guru, and author Bruce Schneier posted an article in the May 23, 2017 edition of the online defense and national security website DefenseOne.com, providing his thoughts about who the secretive ‘Shadow Brokers’ group behind the publishing and online selling of stolen NSA hacking tools might be.

Mr. Schneier begins his article by asking the question: “What is — and isn’t — known about the mysterious hackers leaking [and attempting to profit from stolen] NSA secrets [hacking tools]?”

“In 2013, a mysterious group of hackers, calling itself ‘the Shadow Brokers,’ stole a few disks of National Security Agency (NSA) secrets,” Mr. Schneier wrote. “Since last summer (2016), they’ve [the Shadow Brokers] been dumping these secrets on the Internet,” he adds. “They [the Shadow Brokers] have publicly embarrassed the NSA, and damaged its intelligence gathering capabilities, while at the same time, they have put sophisticated cyber weapons in the hands of anyone who wants them. They [the Shadow Brokers] have exposed major vulnerabilities in Cisco routers, Microsoft Windows, and Linux mail servers, forcing those companies and their customers to scramble. And, they gave the authors of the WannaCry ransomware the exploit they needed to infect hundreds of computers [devices, and networks] worldwide this month.”

“Who Are These Guys, And How Did They Steal This Information?”

That’s the question Mr. Schneier asks. “The answer,” he writes, is “We don’t know. But, we can make some educated guesses, based on the material they [the Shadow Brokers] published.”

“The Shadow Brokers suddenly appeared last August, when they published a series of hacking tools and computer exploits — vulnerabilities in common software — from the NSA,” Mr. Schneier wrote. “The material was from the Autumn of 2013; and, seems to have been collected from an external NSA staging server, a machine that is owned, or leased, or otherwise controlled by the U.S.; but with no connection [plausible deniability?] to NSA. NSA hackers find obscure corners of the Internet, to hide the tools they need as they go about their work; and, it seems the Shadow Brokers successfully hacked one of those servers.”

“In total, the group has published four sets of NSA material,” Mr. Schneier wrote. “A set of exploits and hacking tools against routers, the devices that direct data throughout computer networks; a similar collection against mail servers; another collection against Microsoft Windows; and a working directory of an NSA analyst breaking into the SWIFT banking network. Looking at the time stamps on the files and other material, they all come from around 2013. The Windows attack tools, published last month [April], might be a year or so older, based on which versions of Windows the tools support.”

“The releases are so different that they’re almost certainly from multiple sources at the NSA. The SWIFT files seem to come from an internal NSA computer, albeit one connected to the Internet,” Mr. Schneier contends. “The Microsoft files seem different, too; they don’t have the same identifying information that the router and mail server files do. The Shadow Brokers have released all their material, unredacted, without ‘the care’ journalists took with the Snowden documents [that’s Mr. Schneier’s opinion on how the Snowden documents were handled; I do not happen to agree with him]; or even the ‘care’ Wikileaks is taking in publishing CIA secrets.” Mr. Schneier is a renowned cyber security expert, and he has forgotten more about the cyber threat than I will probably ever learn. But, I served thirty-three years as an Intelligence Community professional; and, I take great exception to his assertion that this leaked intelligence was handled carefully.

Mr. Schneier goes on to write that he “doesn’t think the agent [leaker] is a whistleblower,” nor does he think that “random hackers” are the culprits; and, I refer you to DefenseOne.com for his reasoning. Thus he writes, “that leaves a nation-state,” as a likely suspect for these leaks. “Whoever got this information years before and is leaking it now,” he writes, “has to be both capable of hacking the NSA; and, willing to publish it all. Countries like France and Israel are capable; but, [neither] would publish, because neither would want to incur the wrath of the U.S.,” if it was discovered that they were behind the leaks. “Countries like Iran and North Korea probably aren’t capable,” he contends. “The obvious list of countries who fit my criteria [Mr. Schneier’s] is small. Russia and China, and — I am out of ideas. And, China is currently trying to make nice with the U.S.,” he writes.

Mr. Schneier goes on to give his reasoning for why he doesn’t think Russia is behind these leaks; and, if this was a mole, he speculates that they were likely arrested before the Shadow Brokers released anything. “That points to two possibilities,” Mr. Schneier argues. “The first is that the files came from Hal Martin, the NSA contractor who was arrested in August [2016] for hoarding NSA secrets in his [suburban Maryland] house,” over a two-year period. But, “he [Mr. Martin] cannot be the publisher, because the Shadow Brokers are in business even though he is in prison. But, maybe the leakers got the documents from his stash, either because Martin gave the documents to them, or he himself got hacked. The dates line up, so it’s theoretically possible,” Mr. Schneier writes. “There’s nothing in the public indictment against Martin that speaks to his selling secrets to a foreign power; but, that’s just the sort of thing that would be left out; it’s not needed for a conviction.”

“If the source of the documents is Hal Martin, then we can speculate that a random [hacker] did in fact stumble onto it — no need for nation-state cyber attack skills,” Mr. Schneier wrote.

“The other option,” Mr. Schneier observes, “is a mysterious second NSA leaker of cyber attack tools. Could this be a person who stole the NSA documents and passed them on to someone else? The only time I ever heard about this,” he notes, “was from a Washington Post story about Martin,” where the paper reports that “there was a second, previously undisclosed breach of cyber tools, discovered in the summer of 2015, which was also carried out by a [NSA] Tailored Access Operations (TAO) [employee], one official said. That individual has also been arrested; but, this case has not been made public. The individual is thought not to have shared the material with another country,” the official said.

There Is Another Potential Source Of These Damaging NSA Leaks

Perhaps if Mr. Schneier reads what I am about to suggest as another potential source of these leaks, he will either put me in my place, or maybe agree. That source is a cyber ‘patriot,’ or cyber ‘militia,’ entity. We already have the cyber group ‘Anonymous,’ among other loose digital confederations of both white and black digital hats. One, or both, of these kinds of cyber vigilantes easily possess the kind of cyber hacking talent to pull off such a digital heist. A white hat cyber ‘patriot’ group could well have reasoned, in their minds, that Snowden’s misguided campaign needed to continue, and taken it upon themselves to carry Snowden’s mantle forward. The offer to sell these hacking tools could well be an attempt by these ‘cyber patriots’ to make it look as though whoever is the source of these leaks is not doing this to continue Snowden’s crusade, but is someone, or some group, seeking to profit from these hacks. A second option is that a black hat cyber group or ‘cyber militia’ may be the culprit, seeking revenge against the NSA for what they deem an unforgivable and unjustified NSA data gathering and digital surveillance campaign. This group would quite likely have the necessary hacking skills to carry out this kind of digital hacking operation. Unless one of you cyber hacking sleuths who read this article, and/or Mr. Schneier, disagrees, it is a possibility that should not be overlooked or dismissed. V/R, RCP
