Press "Enter" to skip to content

WikiLeaks’ Quest of Random Clues FULL UPDATE

Part One:  WikiLeaks’ Quest of Random Clues

Part Two: WikiLeaks’ Quest of Random Clues Days 3-4 

(Scroll down to “CLUE FIVE” for latest updates)

CLUE ONE
October 4, 2018

Drawing of a mole that dates back to WikiLeaks’ beginnings. Code included in tweet breaks down to lat and long points in both Tokyo and the Gulf of Guinea.

HINT ONE:  Picture of buoy located in the Gulf of Guinea (Null Island 0,0)

HINT TWO:  Photo of the Canon West Tokyo Data Center building located in Tokyo.

 

 

CLUE TWO
October 5, 2018

The picture in the link is Shannon Airport (Ireland) where the U.S. uses rendition planes.

HINT ONE:  Aerial view of the Hibernia Atlantic Dublin International Exchange Center at the Clonshaugh Industrial Estate in Dublin.

 

 

CLUE THREE
October 5, 2018

Picture of colored shapes. Hex colors used in photo led to United Layer data center in San Francisco.

HINT 1:  An aerial photo of data center United Layer.

 

CLUE FOUR
October 6, 2018

The four lines in the clue appear in four different WikiLeaks documents.  For those documents go here.

HINT:  Did we ever get one??

 

 

CLUE FIVE
October 7, 2018

The tweet contains words from a PGP word list which converts to hex number 5D A4 C6 C9 F2 E6 OC 6B F2 24 CF A5 7B 22 33 79 E1 65 7D 4D.

HINT ONE:  WikiLeaks asks, “Where is #VandalayIndustries?”

@k3n31p4nic determined that the above hex number was a fingerprint for a PGP key which, after using it to decode a PGP message revealed the address 9651 Hornbaker Rd., Manassas, Virgina.  The building is owned by Capgemini (“Capricorn” used in WikiLeaks’ Clue Five) and appears to house one of EvoSwitch’s data centers (courtesy @SenseOf_Outrage).  According to EvoSwitch’s website, they are a “LEED Gold certified, DOD- and DCID compliant facility” and is “home to a thriving ecosystem of connectivity and cloud service providers and enterprises, with direct connection to LINX NoVA…”

So what’s LINX NoVA?  For starters, it’s an “open peering exchange” located in northern Virginia (naturally) and has three data centers:  CoreSite Reston, DuPont Fabros ACC5, and EvoSwitch.  Digital Realty in Ashburn, VA also appears to be part of the NoVA network and it works with cloud providers such as Amazon, Microsoft, Oracle, and IBM.

And notice how data in the cloud is invisible but not invisible?  Just pointing out something else that goes along with what I see as a theme in WikiLeaks’ clues.

SIDE NOTE: The website datacentermap.com might be a website worth bookmarking for the future because it has the mother load of data center indexed including centers from around the world like the United States, Germany, Australia, New Zealand, Canada, the United Kingdom, and China.  So who has the most according to datacentermap.com?  The United States comes in at a whopping 1754 data centers with the United Kingdom (252), Germany (190), and Canada (168) trailing behind.  And while here in the United States one might suspect that Virginia or even D.C. has the highest number of centers, according to the website Virginia has a total of 76 known sites (D.C. has 9), where as California boasts a total of 232 known data centers.

However, as you can see from the map below, data centers heavily populate the north-eastern portion of the United States.

So getting back to LINX NoVA, it’s a project of the London Internet Exchange (LINX) which operates all over the world and whose members include Akamai Technologies, Alibaba Group, Amazon, Apple Europe, ATT, BBC, British Telecommunications, Cisco, COLT, Dropbox Ireland, eBay, Equinix, Facebook UK, Google, Hurricane Electric, IX Reach, Microsoft, Opal Telecom, SoftLayer Technologies UK, and Vodafone UK.

According to LINX, the LINX NoVA exchange “echoes the aims of the North American community as represent by the Open-IX initiative,” which, if you’ve never heard of it is a “self-regulated community” that was created to “foster the development of critical Data Center and IXP technical and operating standards in a framework that works for everyone” whatever that means exactly.  The director of Open-IX’s global network strategy is Frank Rey who is also responsible for Microsoft’s global network strategy.  Interestingly, Rey used to work for Hibernia (Clue Two) and from 1999 – 2011, he lived and worked in Frankfurt, Germany (.

 

 

CLUE SIX
October 8, 2018

Okay, so first we have WikiLeaks’ quote “Supporting technical consultation at the Consulate” which comes their Vault 7 publication.   What this quote is about is the cover story that intelligence agents (both overt and covert) used when heading to the U.S. Consulate in Frankfurt, Germany.

The second screenshot comes from the Hive Engineering Development Guide also published in Vault 7.  As you might remember Hive is used by the CIA in order to gather intelligence while impersonating “other entities in order to mask its presence.”

HINT ONE:  Image shows two clocks and the CIA’s Information Operations Center logo.

HINT TWO:  Screenshot taken from Vault 7’s Hive publication, “the system clock gets set back from the time of original execution…the system clock gets set forward by more than the delete delay.”

HINT THREE: That same buoy we came across in the first clue.  Is this picture a hint to use coordinates in the your clues, WikiLeaks?

HINT FOUR:  An aerial photo of the U.S. Consulate in Frankfurt, Germany.

Okay, so what I do know is that besides the U.S. Consulate, Germany’s federal police are housed in the surrounding buildings and we also know that the U.S. has been spying from there because of WikiLeaks’ publications (and recent tweets).  Don’t forget that Der Spiegel reported on Snowden documents that revealed the Special Collection Service (SCS), a U.S. intelligence unit working for both the NSA and CIA, was spying on the German government and Angela Merkel from the U.S. Embassy in Berlin.  According to Der Speigel, the SCS has two bases (Berlin and Frankfurt), and one of the antenna systems used by them is known by the code name, “Einstein.”  According to WikiLeaks, the unit is a covert signals intelligence (SIGINT) collection programme.

In 2015, WikiLeaks published their “Euro Intercepts” series which showed that US had been “demonstrating economic and political espionage against Germany for almost two decades.”  They intercepted calls between Chancellor Angela Merkel, her personal assistant and  French president Nikolas Sarkozy as well as German Foreign Minister Frank-Walter Steinmeier’s phone calls.

HINT FIVE:  Aerial photo of InterXion which “connects to more than 400 individual carriers and ISPs as well as 18 European Internet exchanges.”  Located in Frankfurt, Germany.  On datacentermap.com it states, “For security reasons this is not the exact location of the data center.  However, it is located within the Frankfurt metro area, close to public transport and just 20 km from the airport.”  Ugh, whatever, here’s some of InterXion’s addresses in Frankfurt if you need them.  And Twitter user @AlmeidaWagner figured out the answer to this clue by “subtracting the first clock’s time seen in the clue and then adding the second clock’s time to the U.S. Consulate in Frankfurt’s coordinates leading to InterXion.

So, it seems to me that WikiLeaks is trying to point out that the U.S., more specifically the CIA, has a spying post in Frankfurt and whatever systems they infiltrated and extracted information from in god only knows how many countries, they likely used Hive to do it in order to mask their footprints.  Additionally, they probably made it look like another country was doing the hacking.  Ohai, Russia and China.  The question is is if this is the information that WikiLeaks might be publishing sooner rather than later?  Lastly, I’m not sure how the whole extraction process works so is it possible that data centers like InterXion and others mentioned so far worked with the CIA and other niche intelligence units to gather, store, or send data acquired by implanted CIA malware?  Maybe.

 

CLUE SEVEN
October 8, 2018

The first part of the solution for this clue went down like this:  By taking the dots and x’s and using them as binary numbers (0s and 1s), it led to two onion urls.  The first one was a photo of a rendition plane which is listed on both the ShannonWatch.org website I mentioned previously and TheRenditionProject.org.uk.  The second url, however, was corrupted.  Then we got this:

HINT ONE:  A message in German from WikiLeaks that said, “to find you in the infinite, have to distinguish and then connect.”  Wut?  Is this a computer thing with the “connect” part?  And no, I have no idea if this was solved.

HINT TWO:  See link for image.  This hint was step 2 for Clue Seven.  Apparently it’s a hint to XOR the photo of the rendition plane with the corrupted url.  Yeah, no idea what this is about but it got us to…

HINT THREE:  This was another hint about step 2.  This led to morse code found in the file after XOR’ing the two urls (the rendition plane + the corrupted file).

After decoding the morse code, it led to a website with the address 12900 Worldgate Drive, Herndon, Virginia, home of Amazon Web Services (AWS), a subsidiary of Amazon.  Vadata, Inc., another subsidiary of Amazon, also a license there.

SIDE NOTE:  That website I mentioned earlier, datacentermap.com, has a search engine where you can look up data centers by their name, street, city, state, country or profile text.  They even have an advanced search.  Seriously.  It’s pretty awesome.  Anyways…

So here’s the dealio:  Apparently, in order for AWS to provide all the cloud, database storage, and other services that they do, they rely on “a vast network of servers managed by Vadata.”  If you want to hit WikiLeaks, there’s over 1300 results for “AWS” and 461 for “Amazon Web Services.”

You can also check out The Atlantic’s, “Why Amazon’s Data Centers Are Hidden in Spy Country,” zdnet.com’s 2015 article, “Vadata Plans US DoD Data Center in Virginia, or datacenterfrontier.com’s two part series on Amazon and their cloud computing infrastructure here and here.  Don’t forget that we already stumbled across AWS in the second clue.

Then there’s techcrunch’s article “One Month After Denying It Will Exit China, AWS Opens Its Second Region There,” published in December, 2017.  And while we’re on the topic of China, if you missed the news, try Bloomberg’s recent, “The Big Hack:  How China Used a Tiny Chip to Infiltrate U.S. Companies.”  Last but certainly not least is the 2014 Atlantic article, “The Details About the CIA’s Deal With Amazon,” in which CIA Chief Information Officer Douglas Wolfe was quoted as saying that the cloud contract with Amazon was “one of the most important technology procurement in recent history.”  And while you’re at it, check out Cloudera, a data platform that the CIA is using in conjunction with AWS.

Cloudera’s cloud partners include companies like Accenture and if that name sounds familiar it might be because you remember me noting in my post, “Under Attack Part Seven:  The U.S. Intelligence Network,” that Team8, an Israeli “cybersecurity think tank,” run by former members of Israel’s Defense Force intelligence unit, 8200, partners with Accenture.

And when I read this kind of shiz with the CIA, AWS, and Cloudera, I think, “Oh…so this is what the CIA started doing after Snowden outed them.”  If you’re wondering what the cloud has to do with surveillance take a look at this article, “Cloud Data Makes Life Easier for Government Spooks – and The Law Gives Them a Free Pass.”

“With the growth of internet-based cloud services, storage, social media and mobile devices, our activities increasingly leave digital shadows in our wake – social media activity, website visits, mobile phone records – that are hard to escape from.

There have never been so many opportunities for the governments around the world to snoop on citizens as there are today…In the US, the PRISM surveillance program provides an even easier means to access personal information held in the cloud – and this has been used on nine of the largest internet companies, including Microsoft, Google, Yahoo, Facebook and Apple.”

Obviously this doesn’t just include ordinary citizens like us. This can be applied to government officials and leaders, politicians and party members, oppositional leaders, activists, the whole nine yards.

 

 

CLUE EIGHT
October 9, 2018

HINT ONE:  All WikiLeaks wrote was “…=0” (with the hashtags #QuestOfRandomClues and #RandomClue)

HINT TWO:  Aerial photo of Editus Luxembourg SA.

Alright, so I swear to god these people on Twitter are solving these puzzles in like minutes and I’m seriously blown away.  So the bird seen in the picture above is apparently a goldcrest which leads us to #ProjectGoldcrest, an “elaborate avoidance scheme used by @Amazon in #Luxembourg.”  And then it was the second hint that led an online sleuth to Editus Luxembourg SA.

According to Bloomberg, Editus Luxembourg is a publisher of reference database in Luxembourg and the surrounding region.  They edit the Yellow and White pages as well as the business directories.  Regardless of whether or not you’re a private or professional individuals, this particular company apparently holds “all contacts, addresses, phone numbers, fax numbers, and mobile phone numbers” in the Luxembourg region.  That includes directories for the government and European institutions.  Gee, I wonder where this is going.  Not that any of us here in the United States should be surprised seeing that President Trump just essentially texted everyone the other day.

 

 

CLUE NINE

 

HINT ONE:  Arial photo of the Fujitsu Data Center in Australia which is apparently connected to AWS. @RickNicholsLOL pretty much solved this before WikiLeaks even posted it.

HINT TWO:  WikiLeaks’ tweet states, “λέξον δή μοι, τί παθοῦσαι, εἴπερ νεφέλαι γ᾽ εἰσὶν ἀληθῶς, θνηταῖς εἴξασι γυναιξίν; οὐ γὰρ ἐκεῖναί γ᾽ εἰσὶ τοιαῦται.”

According to Bing Microsoft translator the above translates to “Lexon pathousai, Socrates Nefelai G’ elsin risen, thnitais Elxasi gynaixin?  Ekeinai G’ elsi toiautai.”  Wow, not helpful.  According to Google translate, “You say, what are you doing, more clouds, really true, mortal women?” Which are the same.”  Not that helpful either, really.  But a quick Google search will bring you to Aristophanes’ play, “The Clouds,”

“Tell me, if they’re really clouds,
What’s the reason why they look so
much like mortal women do?
Sky-clouds don’t resemble these clouds.”

So you may have noticed in my second post that I pointed out the data centers used in hints or clues had cloud services.

This is because, like I pointed out above how the cloud is invisible but not invisible (because it has data in it), this is likely what WikiLeaks’ next publication is about.  No quotes there though, it’s not like I’m doubling-down on the theory, it just seems to be where we’re headed.  And again, the question is what kind of data will WikiLeaks release?  Maybe we can start with Datto’s cloud and Hillary Clinton’s emails.  Just saying based on entertainment value.  Anyways…

Stay tuned.  And kudos to everyone out there who have been banging out the solutions to these clues and a special thanks to @chateauruby who helped me get the hints and answers straight for clues six and seven. If you see any mistakes please let me know so I can correct them.

Liked it? Take a second to support Llama on Patreon!
Please wait...

Subscribe now!

Want to be notified when my next post is published? Enter your email address and name below to be the first to know.