Between Lies and Bad Analysis
A well respected author with a lot of knowledge of the NSA has written an article for Reuters speculating that the ShadowBrokers “leak” was from “another Snowden.” It was not. Although I respect the work that Mr Bamford has done in the past in analysing the NSA, his Reuter’s article is littered with half truths, omissions and faulty analysis.[Ed: I wanted to do a line by line annotation using Genius, but was unable to get it to work. Unfortunate, since that seems more appropriate given the number of problems with the article.]
The Analysis Bit
Every quote is from the original article. I’ve added emphasis to the parts I will discuss.
Where the Watergate burglars came away empty-handed and in handcuffs, the modern- day cyber thieves walked away with tens of thousands of sensitive political documents and are still unidentified.
- This statement is, at best, a lie by omission. The threat actors behind the DNC compromise have been positively identified by CrowdStrike. The disinformation campaign (aka Guccifer 2.0) has been thoroughly debunked in some excellent reporting by Vice, as well as a number of a independent threat intelligence companies.
- Bamford fails to mention that many sources, including the US intelligence community, believe it was Russia, even if only as an aside, “although numerous credible sources have alleged it was Russia…” For some examples see: here here here here here here … etc.
Now, in the latest twist, hacking tools themselves, likely stolen from the National Security Agency, are on the digital auction block. Once again, the usual suspects start with Russia — though there seems little evidence backing up the accusation.
The Auction Fallacy
- This assumes that the auction is real. There is no reason to believe that. The preparation for the distribution of the files — packaging, account creation, uploading, and announcing — spans weeks. From the way it was done we can conclude that the perpetrators were: careful (everything has been scrubbed, they used encrypted anonymous webmail); cautious (multiple locations guaranteeing wide dispersal and difficult removal); skilled (good crypto practices), and persistent (i.e. driven by purpose.) This is a lot of work for what is bound to be very little money (just over USD$1000, at this time.)
- Anyone who is skilled enough to setup this operation should be knowledgeable enough to know that selling the tools to non-FVEY nation states would be more profitable. They could literally do the exact same thing (minus the public announcement) and contact individual embassies from Europe, Asia, Africa, etc. They would get more money and run less risk. Hell, even just giving the bugs to ZDI would generate a bigger payout!
- Bitcoin is a terrible protocol to use when running an auction against the NSA. Determining where BTC are cashed out is simply a little bit of graph analysis. Know what the NSA is excellent at? Graph analysis. A Bitcoin based auction is not the way to monetise an NSA ops toolkit (and remain free.)
- To quote daveaitel: No team of “hackers” would want to piss off Equation Group this much. That’s the kind of cojones that only come from having a nation state protecting you. — Source
- If the auction was legitimate, there is no reason that 60% of the auction data would be “free” as proof. The screen shots and one or two tools/exploits (e.g. ones for old bugs) would be sufficient to pique the interest of potential bidders. Instead the “proof” file is, essentially, the entire kit and caboodle (pun absolutely intended.)
Absence of Evidence is Evidence of Absence
- The idea that there would be a solid, publicly available, trail of evidence linking the ShadowBrokers to any particular threat actor is naive. This is not 1972. There are no propped open fire exits and dudes in ski masks rifling office cabinets. The only option is to use rigorous analytic techniques and methologies on the available evidence.
- I will point to daveaitel’s piece as to why it was (probably) Russia. There is non-public evidence that is a solid link, but…it is not public. Read Dave’s analysis here: cybersec politics.
- There are a number of operators that could have captured this kit. Almost any sizeable AV or Threat Intel company, or any intelligence service with a competent cyber espionage capability. No public company would risk releasing the tools like this (they would go from a marketing driven approach), and the number of competent cyber espionage services is fairly small. Hint: it wasn’t Angola.
Cyber Kremlinology Failure
In addition, if Russia had stolen the hacking tools, it would be senseless to publicize the theft, let alone put them up for sale. It would be like a safecracker stealing the combination to a bank vault and putting it on Facebook. Once revealed, companies and governments would patch their firewalls, just as the bank would change its combination.
Senseless To Who?
- If Russia acquired the hacking tools (they did), they did so (probably) in late 2013. That is, three years ago. They would have had three years to pick the Firewall Ops kit clean. That is a nice run to extract value from the opposition’s toolkit. You can impersonate them, know what to look for, know what to patch, set up deliberate honeypots, etc. etc.
- The reason to publicise the theft, after exploiting the ops toolkit for three years, may have everything to do with current geopolitics and nothing to do with trying to raise money.
- There is a spat going on over the DNC leaks (a very one sided spat, to be sure.) Using a tool release as signalling that escalation will be painful and messy, as @Snowden said in “his” tweet storm, is a perfectly sensible reason to drop a three year old toolkit.
- Alternatively, the dumping of the ops toolkit might be a way to distract the NSA at a time when they should be focussed on other things. Instead of looking into the DNC leaks situation with full focus, they are burning the midnight oil scrambling to replace NOPEN on 100,000 routers around the world.
They Are Not Up For Sale
- See above. The auction is an obvious fake.
See, It Is Not Senseless
- Although earlier having no plausible reason why the Russians would want to dump the NSA’s firewall ops toolkit, Bamford gives a perfectly good reason right here. Patching the vulnerabilities in this dump harms the NSA’s ability to compromise firewalls (and routers.) Hindering the ability of the opposition to operate freely and easily, increasing their costs and slowing them down, is a perfectly valid reason to burn their toolkit.
Assumption Chain and Misunderstanding Trifecta
A more logical explanation could also be insider theft. If that’s the case, it’s one more reason to question the usefulness of an agency that secretly collects private information on millions of Americans but can’t keep its most valuable data from being stolen, or as it appears in this case, being used against us.
Thats A Lot of Asses Out Of U and Me
- Insider theft is not a more logical assumption. I have done an analysis on that here: ShadowBroker Breakdown.
- These “ifs” and “coulds” are chained together to assert that NSA is not a useful agency. I will not bother addressing that claim, but I will say that “if…could” is not the foundation on which to build that statement.
Ops Kits Are Not Particularly Valuable
- A firewall ops kit is designed and developed to be used on non-classified systems, what the NSA calls “the low side” (thats a nice way of saying, “other people’s computers.”) These are not the crown jewels of NSA data. Not by a long shot. The assumption is that they will be compromised at some point. This is why the operator is supposed to minimise the kit to just the required tools. That did not happen.
- If, as the preceding waffling sentence suggests, Bamford believes that people are walking out of NSA with USB drives full of TAO operational tooling, then the sky is falling. Post Snowden, USB drives inside NSA environments (particularly the Remote Operations Center [ROC]) are a great way to lose your job, your clearance and possibly your liberty.
NSA Needs To Stop Writing Cisco’s Buggy Code
- Althought I am unsure who, exactly, is using this toolkit against “us,” presumably the patching that Bamford warned about earlier isn’t happening? Or, if, like me, you are a non-US person and not based in the US, this toolkit was already being used against “us.” So… This just confuses me.
- The remote access trojans [RAT] such as NOPEN are not very useful operational tools to anyone except the NSA. They are useful to non FVEY intelligence service (and companies, etc) who now know what sort of traffic and tools to look for on their firewalls. For defenders, this is a win. For NSA, this is a huge PITA.
- Blaming the NSA for the incredibly poor quality of Cisco code is hardly fair. Cisco failed to implement stack cookies, ASLR, code review, or basically any sort of security protections on their firewalls! The bugs were there for the taking, and easily exploitable too. Lets lay blame where it belongs here — with Cisco’s shoddy code.
2/3 by my count, so far
— Brendan Dolan-Gavitt (@moyix) August 19, 2016
Thats Not What How Hacktivists Operate
While the “auction” seemed tongue in cheek, more like hacktivists than Russian high command, the sample documents were almost certainly real.
- Bamford admits the auction is fake, and yet only a few paragraphs ago he was going on about how the tools are up for sale. Actual analysis involves weighing the evidence using various analytic techniques and then choosing the “best fit” explanation. This piece fails at that because it gives full weight to “the auction” and uses that to invalidate the “it was Russia” hypothesis. Now, it is uses the opposite argument (“the auction is tongue in cheek”) to reach the same conclusion — invalidate the “it was Russia” hypothesis. You cannot have it both ways.
- Hacktivists have an agenda (the hint is in the name: hacker + activist.) A hacktivist that got their hands on a firewall ops kit (which would be an impressive feat, since that requires a lot of tracing and hacking back from a detected NSA breach), and who decided to release it (releasing US data is generally a bad idea for a hacktivist, ask Jeremy Hammond), would link the release to their agenda. That is the very reason they are “hacktivists” — to advance their agenda.
- Bamford is absolutely right here, Russia has never been known for disinformation or misdirection. They are an open book. 🙄
The most valuable are “zero day” exploits, meaning there have been zero days since Windows has discovered the “crack” in their programs.
- The Firewall ops kit included a number of dead bugs (even at the time of the capture.) The most valuable exploit for an operator is the one that works. Whether the vendor is aware of it or not is irrelevant.
- There were no Windows exploits in the Firewall ops kit because no one sane uses Windows as their core router / firewall. Although this sentence demonstrates a fundamental ignorance of cyber security, I’ll grant Bamford the benefit of the doubt and chalk it up to misunderstanding the technical jargon and attempting to explain it to a non technical audience.
Failure To Cyber Kremlinology
The reasons given for laying the blame on Russia appear less convincing, however. “This is probably some Russian mind game, down to the bogus accent,” James A. Lewis, a computer expert at the Center for Strategic and International Studies, a Washington think tank, told the New York Times. Why the Russians would engage in such a mind game, he never explained.
- A number of credible sources have made statements providing convincing reasons for laying the blame on Russia. Including people such as ex TAO operator daveaitel, and current FSB asset Snowden, among others.
- If, in the middle of the DNC leaks spat, it needs to be explained why Russia would engage in this sort of “mind game” then I point at Snowden’s tweet storm. Signalling from one service to another that escalation will be messy. There are other plausible reasons as well (some mentioned above), but this should be sufficient.
Speaking of Never Explaining
Rather than the NSA hacking tools being snatched as a result of a sophisticated cyber operation by Russia or some other nation, it seems more likely that an employee stole them. Experts who have analyzed the files suspect that they date to October 2013, five months after Edward Snowden left his contractor position with the NSA and fled to Hong Kong carrying flash drives containing hundreds of thousands of pages of NSA documents.
Sophisticate Cyber Operations Are What Russia Does
- A sophisticated cyber operation by Russia is, in fact, a perfectly plausible explanation for how NSA operational toolkits where found. Why this is less likely than an employee stealing them, “he never explain[s].”
Good Luck Smuggling A USB Out Post-Snowden
- Five months after Snowden walked out the door with a USB drive loaded with TS//SCI data, the NSA was in lockdown. There was a witch hunt and super paranoia about people with USB drives. It was a very very bad time to be trying to steal anything from the ROC, such as a TS//SCI operational toolkit on a USB!
- If, for the sake of argument, we assume that a TAO operator loaded the full kit on a non classified system for the purpose of stealing it, then we can assume that it is equally plausible someone else stole it as well. This avoids the USB drive problem, but it opens up “it could be anyone” again. So this explanation does not provide a falsification for any hypothesis.
Consisting of about 300 megabytes of code, the tools could easily and quickly be transferred to a flash drive. But unlike the catalog, the tools themselves — thousands of ones and zeros — would have been useless if leaked to a publication. This could be one reason why they have not emerged until now.
- In October 2013, bringing a USB flash drive into an NSA office was, for all intents and purposes, impossible. Seriously, USB flash drives going in and out of NSA is not a thing (Snowden had special dispensation because, as a system administrator, he needed to have access to Windows drivers, etc.) Further, if anyone was found with such a prohibited item (pretty much everything electronic, including mobile phones, USB drives, laptops, etc is verboten) they would find themselves out of a job and, quite possibly, in jail. Stealing TS//SCI data is a 30 year federal sentence, and the Americans don’t mess around with people who violate espionage laws.
- This sentence is simply wrong. Publishing the tools is incredibly newsworthy. If this leak was given to any journalist in the world, they would publish. If the ops kit was given to a journalist covering the cyber security beat, the vulnerabilities would have been disclosed to the vendors before the public release. There is no part of leaking the ops kit to a news organisation that is “useless.”
- Bamford uses the claim that releasing the toolkit earlier would have been “useless” then says that this is why they were not released “until now.” But why they were released now, “he never explain[s].”
The Tangent To Nowhere
There follows a long section where Bamford establishes that Assange was used as a cut out to launder the DNC emails hacked by the Russians. We get it mate, we know that Wikileaks is used as a cut out to launder hacked content, that is literally the reason it exists. This section includes a long bit about the ANT catalog and why Bamford believes it came from Wikileaks. How establishing that Assange was used as a Russian cut out makes it less likely that Russia stole the ops kit (which wasn’t even leaked by Wikileaks), “he never explain[s].” I am honestly baffled.
Bamford then links Assange to Appelbaum, and pivots into bizarre conspiracy land (minus any actual conspiracy.)
In addition to WikiLeaks, for years Appelbaum worked for Tor, an organization focused on providing its customers anonymity on the Internet. But last May, he stepped down as a result of “serious, public allegations of sexual mistreatment” made by unnamed victims, according to a statement put out by Tor. Appelbaum has denied the charges.
- The Tor project does not have “customers,” it has users. Everything is free and open source. This sentence, and others (see above), suggests Bamford has limited understanding of cyber security issues.
- The victims are not “unnamed.” A number have come forward and publicly presented their stories. Just as one example, Leigh Honeywell.
- Last month, the New York Times published an article regarding the findings of the Tor project’s investigation (conducted by an independent investigator)— “a seven-week investigation into the allegations involving Mr. Appelbaum determined they were accurate.”
- At the same time the Tor project also published a statement saying that the allegations were accurate. I am unsure why Bamford cited the earlier statement, but not the more recent one that confirmed the allegations.
- There doesn’t seem to be more to say here. Some of the victims came forward publicly and stated their case. The independent investigation found that the allegations were true. Everything that Bamford says here is a lie by omission or just plain false. And what it has to do with the origin of the firewall ops kit, “he never explain[s].”
At about the halfway mark I can no longer stand the level of BS in the article. It has simply overwhelmed my capacity to handle “wrong!” The only thing I’ll note is that the quality of the analysis, and rhetoric, does not improve in the rest of the piece.
If there is an argument to be made that the ShadowBroker’s files were sourced from HUMINT, this article is not it.
Reuters should retract the article.
See also: ShadowBroker Breakdown, my analysis of the currently available data on the source of the firewall ops kit.
Update: Bamford has responded with a rebuttal.
Grugq's "analysis" the dumbest ever, and Snowden is not a Russian agent as he claims: "current FSB asset Snowden"
— James Bamford (@WashAuthor) October 7, 2016