What Hacking Software Is Out There as a Result of the NSA Hack
According to NSA whistleblower Edward Snowden, a recent leak of supposedly secret NSA hacking tools reflects an escalation of tensions between Russia and the United States. For others, however, the leak raises the question of what privacy, if any, is still available to the general public.
Snowden, just as the movie bearing his name was released, set Twitter alight on Tuesday with suggestions of “Russian responsibility” for the recent release of the NSA hacking instruments. He noted as well that “Russia did it” is already the answer offered by the Hillary Clinton campaign for the DNC hack, as conventional wisdom and the best available investigation results suggest Russian hackers leaked internal Democratic National Committee emails that damaged Clinton and DNC chair Debbie Wasserman Schultz and cast a dark cloud over the convention.
A series of tweets sent by Snowden on August 16th should get the discussion started:
The hack of an NSA malware staging server is not unprecedented, but the publication of the take is. Here’s what you need to know: (1/x)
- NSA traces and targets malware C2 servers in a practice called Counter Computer Network Exploitation, or CCNE. So do our rivals.
- NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations.
- This is how we steal their rivals’ hacking tools and reverse-engineer them to create “fingerprints” to help us detect them in the future.
- Here’s where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us — and occasionally succeed.
- Knowing this, NSA’s hackers (TAO) are told not to leave their hack tools (“binaries”) on the server after an op. But people get lazy.
- What’s new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is.
- Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.
- Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here’s why that is significant:
- This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server.
- That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies.
- Particularly if any of those operations targeted elections.
- Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.
- TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast.
Bonus: When I came forward, NSA would have migrated offensive operations to new servers as a precaution – it’s cheap and easy. So? So…
The undetected hacker squatting on this NSA server lost access in June 2013. Rare public data point on the positive results of the leak.
You’re welcome, @NSAGov. Lots of love. (emphasis added, just for funziez)
1st Reply: Nimjeh / NoName 2016 @MyTinehNimjeh Aug 16: “Thanks for the insight, helpdesk Snowden. @Snowden @NSAGov”
Thanks indeed. Let’s move on to some further analysis.
The origin of the source code has been a matter of heated debate for weeks (notwithstanding Snowden’s tweets) and has been scrutinized at length by cyber security experts. Although it is unclear how the software was leaked, again notwithstanding Snowden’s tweets, one thing is beyond speculation: the malware is covered from top to bottom with the NSA’s virtual fingerprints and is clearly from the agency. The hacking tools are in the possession of a group that calls itself the Shadow Brokers, which has put a good deal of the leaked data on the open net for public inspection. Proof that ties the Shadow Brokers dump to the NSA comes from an NSA manual for implanting malware that was classified as top secret. That manual was also among the trove of material Snowden took, but, like so much of the Snowden data, it had not previously been made public. The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string: “ace02468bdf13579.” That exact string appears throughout the Shadow Brokers data, in the code associated with the same program the Snowden documents describe, called SECONDDATE.
“SECONDDATE plays a specialized role inside a complex global system built by the U.S. government to infect and monitor what one document estimated to be millions of computers around the world. Its release by ShadowBrokers, alongside dozens of other malicious tools, marks the first time any full copies of the NSA’s offensive software have been available to the public, providing a glimpse at how an elaborate system outlined in the Snowden documents looks when deployed in the real world, as well as concrete evidence that NSA hackers don’t always have the last word when it comes to computer exploitation.” See The Intercept: THE NSA LEAK IS REAL, SNOWDEN DOCUMENTS CONFIRM Sam Biddle; Aug. 19 2016 https://theintercept.com/2016/08/19/the-nsa-was-hacked-snowden-documents-confirm/
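A fixed tracking string like the one above is exactly the kind of “fingerprint” a defender reverse-engineers out of a captured tool and then hunts for on disk. The scanner below is an added example, not code from this page, from The Intercept, or from the leaked documents. The only real-world value it carries is the 16-character string quoted above; the signature name, the UTF-16LE variant (added because wide-character Windows binaries store strings that way), the chunk size and the constructed sample blob are all assumptions of the example. It reads large files in overlapping windows so a marker that straddles a chunk boundary is still found.

```python
#!/usr/bin/env python3
"""Fingerprint scanner for fixed byte markers (added example, not NSA or
Shadow Brokers code).

SIGNATURES holds marker strings recovered from reverse engineering; the one
entry is the 16-character SECONDDATE tracking string quoted from the leaked
manual.  Signature name, chunk size and sample data are assumptions."""
import io
import os
import sys
from typing import BinaryIO, Dict, Iterator, List, Tuple

SIGNATURES: Dict[str, str] = {
    "SECONDDATE-tracking-string": "ace02468bdf13579",
}

Hit = Tuple[str, str, int]  # (signature name, encoding, absolute offset)


def encodings_for(marker: str) -> List[Tuple[str, bytes]]:
    """Byte patterns to search for: plain ASCII plus UTF-16LE, the form a
    wide-character Windows binary would carry the marker in (assumption)."""
    return [("ascii", marker.encode("ascii")),
            ("utf-16le", marker.encode("utf-16-le"))]


def scan_bytes(data: bytes, signatures: Dict[str, str] = SIGNATURES,
               base: int = 0) -> List[Hit]:
    """Return every occurrence of every signature in `data`, sorted by
    offset.  `base` is added to offsets so a caller scanning one window of
    a larger file gets absolute positions."""
    hits: List[Hit] = []
    for name, marker in signatures.items():
        for enc, pattern in encodings_for(marker):
            start = 0
            while (i := data.find(pattern, start)) >= 0:
                hits.append((name, enc, base + i))
                start = i + 1  # keep going: a file may carry the marker many times
    return sorted(hits, key=lambda h: h[2])


def scan_stream(fh: BinaryIO, signatures: Dict[str, str] = SIGNATURES,
                chunk_size: int = 1 << 20) -> Iterator[Hit]:
    """Scan a file object chunk by chunk without loading it whole.

    The last (longest pattern - 1) bytes of each window are carried over as
    the prefix of the next one, so a marker split across a chunk boundary is
    still matched; hits that the overlap reports twice are dropped."""
    longest = max(len(p) for m in signatures.values() for _, p in encodings_for(m))
    overlap = longest - 1
    tail = b""
    pos = 0  # absolute offset of tail[0]
    seen = set()
    while chunk := fh.read(chunk_size):
        window = tail + chunk
        for hit in scan_bytes(window, signatures, base=pos):
            if hit not in seen:
                seen.add(hit)
                yield hit
        tail = window[-overlap:] if overlap else b""
        pos += len(window) - len(tail)


def scan_bytes_chunked(data: bytes, chunk_size: int) -> List[Hit]:
    """Convenience wrapper: run the chunked scanner over an in-memory blob."""
    return list(scan_stream(io.BytesIO(data), chunk_size=chunk_size))


def scan_path(path: str) -> List[Tuple[str, Hit]]:
    """Scan one file, or every regular file below a directory."""
    results: List[Tuple[str, Hit]] = []
    targets = [path] if os.path.isfile(path) else (
        os.path.join(d, f) for d, _, fs in os.walk(path) for f in fs)
    for target in targets:
        try:
            with open(target, "rb") as fh:
                results.extend((target, h) for h in scan_stream(fh))
        except OSError as e:
            print(f"skip {target}: {e}", file=sys.stderr)
    return results


def sample_blob() -> bytes:
    """Constructed test input (not a real file): a fake header, the marker in
    ASCII at offset 100, filler, then the marker in UTF-16LE at offset 126."""
    marker = SIGNATURES["SECONDDATE-tracking-string"]
    return (b"MZ" + b"\x00" * 98 + marker.encode("ascii") + b"\xcc" * 10
            + marker.encode("utf-16-le") + b"\n")


if __name__ == "__main__":
    if len(sys.argv) < 2:  # no arguments: demonstrate on the constructed blob
        for hit in scan_bytes(sample_blob()):
            print("sample blob:", *hit)
    else:
        for p in sys.argv[1:]:
            for target, (name, enc, off) in scan_path(p):
                print(f"{target}: {name} ({enc}) at offset {off:#x}")
```

Run it with no arguments to see the two hits in the constructed blob, or pass files or directories to sweep real data. The overlap bookkeeping in scan_stream is the part worth copying: without it, a marker that happens to sit across a read boundary is silently missed, which is the kind of gap a simple grep-style scanner leaves open.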
A cache of hacking tools with code names like Epicbanana, BuzzDirection, and Egregiousblunder mysteriously appeared online in mid-August, putting the computer security world in a race to ascertain both the origin and the authenticity of a trove the likes of which had never been seen, all the while buzzing with speculation about whether the NSA was truly involved and what the fallout would be. The files, of course, turned out to be real. Indeed, no reasonable doubt remained after former NSA personnel who had worked in the agency’s hacking division, known as Tailored Access Operations (TAO), confirmed that the tools were authentic and bore an unmistakable NSA fingerprint. “Without a doubt, they are the keys to the kingdom,” said a former TAO employee, who spoke on condition of anonymity in order to discuss sensitive internal operations. “The stuff you’re talking about would undermine the security of many large government and business networks, both here and abroad.” Moreover: “Faking this information would be monumentally difficult, there is just such a sheer volume of meaningful stuff,” Nicholas Weaver, a computer security researcher at the University of California at Berkeley, said in an interview. “Much of this code should never leave the NSA.”
Said a second former TAO hacker who saw the file: “From what I saw, there was no doubt in my mind that it was legitimate.”
The file contained 300 megabytes of information, including several “exploits,” or tools for taking control of firewalls in order to control a network, and a number of implants that might, for instance, exfiltrate or modify information.
The exploits are not run-of-the-mill tools for targeting everyday individuals. They are expensive software used to take over firewalls, such as those from Cisco and Fortinet, that are used “in the largest and most critical commercial, educational and government agencies around the world,” said Blake Darche, another former TAO operator and now head of security research at Area 1 Security.
The software apparently dates back to 2013 and appears to have been taken then, experts said, citing file creation dates, among other things.
“What’s clear is that these are highly sophisticated and authentic hacking tools,” said Oren Falkowitz, chief executive of Area 1 Security and another former TAO employee.
Some of the exploits were pieces of computer code that take advantage of “zero-day,” or previously unknown, flaws in firewalls, which do not appear to have been fixed to this day, said one of the former hackers. The disclosure means that at least one other party, possibly another country’s spy agency, had access to the same hacking tools the NSA used and could turn them against organizations that run vulnerable routers and firewalls. Whoever holds the files can also see what the NSA was targeting and spying on. Now that the tools are public, as long as the flaws remain unpatched, other hackers can take advantage of them, too.
In a typical chickenshit government move, the NSA did not respond to requests for comment. Why bother letting the citizens of the very nation they are … um … trying to protect(?) know what they have unleashed upon them.
The instruments were released by the aforementioned group, the Shadow Brokers, using both websites such as the text-sharing site Pastebin and file-sharing services such as BitTorrent and Dropbox. As usual in such cases, the true identity of whoever put the tools into the public domain remains hidden. Attached to the cache was an “auction” note that purported to sell a second set of tools to the highest bidder: “Attention!!! Government sponsors of cyber-warfare and those who benefit from it!!! How much would you pay for enemies’ cyber weapons?”
The group also said that if the auction reached 1 million bitcoins – equal to about $500 million – it would release the second file for free to the whole world. The auction “is a joke,” says Weaver. “It’s designed to distract. It’s total nonsense.” He said that “Bitcoin is traceable, so a Dr. Evil scheme of laundering $1 million, let alone $500 million, is nothing short of madness.”
One of the former TAO operators said he suspected that whoever found the tools doesn’t have everything. “The stuff they have there is super-duper interesting, but it is by far not the most interesting stuff in the tool set,” he said. “If you had the rest of it, you’d be leading off with that, because you’d be commanding a much higher rate.”
TAO, a secret unit that helped craft the digital weapon known as Stuxnet, has grown in the past decade or so from several hundred to more than 2,000 employees at the NSA’s Fort Meade, Md., headquarters. The group dates back to the early 1990s. The name, Tailored Access Operations, suggests a precision technique that some officials compared to brain surgery. It also reflects how the unit’s whizzes make beautiful and dangerous instruments from scratch, the same way a fine tailor takes a spool of wool and fashions a custom-made suit – except that computer geeks work more often in jeans and T-shirts. “We break out the Nerf guns and have epic Nerf gun fights,” said one of the former hackers.
Some former agency employees suspected that the leak was due to a mistake by an NSA operator rather than a successful hack by a foreign government’s so-called “state-sponsored” hacking agency. When NSA staff hack foreign computers, they do not move directly from their own intelligence systems to the targets’, since the attack would be too easy to trace. They use a form of proxy server, a “redirector,” that masks the hackers’ origin, and they may route through more than one such server to make tracing harder. One wonders if they use Tor and a commercial VPN service as well.
Looking back at Edward Snowden’s tweets at the top of this article, it is clear that the US is engaging in state-sponsored espionage. At the same time, other state-run spy services, such as Russia’s, are doing the same to the United States. It is not unprecedented for a TAO operator to accidentally upload a large file of “sacred” resources to a redirector, said one of the former employees. “What is unprecedented is not to realize that you made a mistake,” he said. “You would know, ‘Oops, I uploaded that set,’ and remove it.”
Critics of the NSA have long suspected that the agency, when it discovered a software vulnerability, would keep the issue secret rather than disclose it, thereby compromising the cyber security of everyone it is supposed to protect. This disclosure shows why it is important to tell software makers when flaws are found instead of keeping them secret, said one of the former agency employees, because now that the information is publicly available for anyone to use, any number of hackers with simple internet infrastructure will be testing the limits of their new toys.
Snowden, Weaver and some of the former NSA hackers say they suspect Russian involvement in the release of the cache, although no one has offered hard evidence. They say the timing – in the wake of high-profile revelations of the Russian government’s state-sponsored hacking of the Democratic National Committee and other party organizations – is remarkable.
Snowden is fast becoming the go-to resource for simple answers to the complex world of cyber espionage. As he tweeted, the leak “looks like somebody sending a message that an escalation in the attribution game could get messy fast.” Hacks are always political in one way or another, whether you’re hacking your ex-girlfriend’s Facebook account or trying to change your grades in the school’s computer. There is a point you are trying to make beyond the physical act of hacking: “I can get you.” “I own you.” “I win.” In politics, as in love and war, all is fair. War is hell. Cyber war too is H377.