WTF is going on?
Cyber is receiving a lot of attention these days, and I’m not sure quite know how to feel about it. Fortunately, very few people are capable of the deep analysis that these events require. This is my contribution to one of those camps, the deep analysis one I hope…
Major take away: FSB had access to NSA tools that could only come from inside NSA’s classified network. (See part two for details.)
That is explosive. A serious gut punch to the NSA that must have them scrambling to figure out what is going on. Timing is important here, the announcement was made just before President Obama’s last presser and in the middle of a huge flap about how the Americans handled Russia hacking their election (hint: very poorly.)
Explosive Junk Punch
First of all, let me get this out of the way. This drop is huge in term of value and messaging. The Shadow Brokers are revealing that they have access to tooling and exploits that only exist inside the classified networks of the NSA. They literally just dropped “we had (have?) access to the High Side of NSA networks and we don’t care that you know.” Not a cheap piece of information to reveal.
That is massive. No intelligence agency drops that sort of information unless they are buying something more valuable with it. It was poorly picked up by the press partially because it wasn’t pushed hard, but also because it is hard to understand the significance of this signal unless you have “inside cyber” knowledge.
December 14, 2016: Cleetus Twitter account registered.
December 14, 2016: Medium post about SB tool sale published
December 16, 2016 (approx. 5am EST): Second medium post suggesting: (a) Russia never hacked anyone, (b) the election hacking story is a coverup for a CIA vs NSA shadow war.
December 16, 2016 (approx. 6am EST): The Cleetus Twitter account starts hammering news sites with the second post
December 16, 2016 (approx. 7am EST): Fancy Bears Hack Team (another Russian attribution front) increases their tempo of soliciting news coverage
First signs of something happening from the F****** Bears was from TFB’s Twitter:
Had a very brief chat with the Fancy Bears hack team in which they refused to answer questions unless I published a report about their leaks
— Thomas Brewster (@iblametom) December 16, 2016
And they also hit up Ars Technica: ”Hello, we are Fancy Bears’ Hack Team. Are you interested in WADA and USADA confidential documents?”
Update: I’ve been informed that a major UK publisher was also contacted for an exclusive WADA document dump.
Russian doctrine is generally about overwhelming the opposition. In Soviet Cold War intelligence games times this included things like sending multiple “dangles” at the same time in the hopes that some would get through (when instead the flood was a red flag.) Looking at the timeline I see an overwhelming attempt to get additional narratives into the news cycle (these all hit in the early morning in the US East coast) intended to bleed attention away from the current fixation on Russia’s cyber meddling with US elections.
There is no IC shadow war
Let me drop some knowledge on you guys: CIA and NSA don’t hate each other. They aren’t at war. CIA thinks the NSA is full of introverted autistic nerds. NSA thinks CIA is gung ho cowboys (covert ops) and pencil pushers (intelligence analysis). The both think the FBI is full of morons. The intelligence community (IC — all of the above agencies, and more) hate the State Department. But, again, they generally have this deeply patriotic streak that keeps them all on the same side when they face off against, say, Russia.