@AnonScan’s Lizard People: Cyberterrorism

On October 4, 2018, WikiLeaks started dropping clues about their upcoming publication, “Amazon Atlas,” a multi-page document that exposed the locations of Amazon’s cloud and data centers.  But in case you missed it they weren’t the only ones dropping hints.  On October 9, 2018, @AnonScan tweeted this out,

The video includes clips about the CIA, rendition plane #N977GA, hacking, surveillance, and the dangers that Julian Assange still faces especially in lieu of the fact that Ecuador’s President Lenin Moreno seems to have lost his goddamn mind and President Trump hardly batted an eye at the shocking murder of journalist Jamal Khashoggi inside a Saudi consulate.  As for their use of the hashtag #QuestOfRandomClues, it’s an obvious reference to WikiLeaks’ recent publication but what exactly does “lizard people” mean?



You’re probably familiar with the conspiracy theory that the world is run by reptiles but I’m betting that’s not what we’re talking about here.  A more germane definition can be found at Urban Dictionary which defines “lizard people” as, “People in position of high authority (usually politics) that are so disingenuous, Machiavellian, and detached from the plight of common people that it’s almost like they belong to another conspiring, self-serving race entirely.”

But conspiracy theories and crooked politicians aside, someone brought to my attention that @AnonScan’s lizard hashtag was actually in reference to WikiLeaks’ response to a story written by @NatSecGeek a.k.a. Emma Best in which she alleged that “content has disappeared and links have been broken…,” on their website.  WikiLeaks responded with,

…which is probably what @AnonScan was talking about when they originally used the term “lizard people” in this tweet from October 5, 2018, the day after WikiLeaks’ birthday.


WikiLeaks’ response to @NatSecGeek was posted at file.wikileaks.org, the same index where they posted the message, “Conspiracy theories only benefit those who seek our destruction.  Stop them.,” during the 2017 lead-up to the Vault 7 publication.  But it wasn’t just WikiLeaks’ response that we all missed and that Emma Best failed to mention, it was the message’s url:


Mmhmm.  So that happened.

Then, on October 5, 2018, @AnonScan posted a “hint” for their “We tried to give your followers a chance on your BirthDay” tweet (above), a link to their earlier videos about Hillary’s emails being hacked by China, the missing emails, Weiner and his wife Huma Abedin, a video clip of Julian Assange reiterating that Russia was not their source for the DNC and Podesta emails, Benghazi, and the Clinton Foundation.  And don’t forget about this tweet from February 11, 2017,

“Files concerning Benghazi are in Vault 7″…?  What does that mean exactly because Vault 7 has been pretty technical up until this point.  But remember when WikiLeaks announced that their publication “Year Zero” was less than one percent of its Vault 7 series?  And remember this….

This chart was published with Vault 7 and WikiLeaks has dropped documents from all of the highlighted branches.  They also published Dumbo,” a CIA Physical Access Group (PAG) project that can “identify, control and manipulate monitoring and detection systems on a target computer” running Microsoft Windows.

With that said they haven’t published anything that I know of from, say, branches under PAG like FINO or FIO which might be an acronym for Foreign Intelligence Operations.  I think most people forgot that “Russia” was on this chart and listed under FIO and I’m wondering if Libya’s there, too…and China…and Pakistan…and Venezuela…and some European friends of the United States…

So is that what they’re hinting at, that they’re going to publish more documents from a different branch of the CIA?  Even if that’s the case none of this answers what “lizard people” means (is there a deeper meaning?) but looking at the CIA chart again and things like the Software Development Branch and Closed Network Branch, I’m reminded of a WikiLeaks’ Hacking Team email I came across when searching for the term.



WikiLeaks’ “lizard people” response to @NatSecGeek’s article looks like something that came from a WikiLeaks email so naturally I searched the website.  I came up empty-handed but I did find an email about something called the “Lizard Squad,” a hacking group that was apparently “making quite a nuisance of itself,” back in 2014-2015.

According to a Cyber Security Intelligence newsletter that was sent in the email, the Lizard Squad was behind a number of attacks including ones against Malaysia Airlines’ website and Facebook.  But far more disturbing was the fact that they claimed to be ISIS-related.  During the airline attack they called themselves a “Cyber Caliphate” and the “hacking wing of the Islamic States.”  They also left ISIS flags on Sony’s server during an attack on Christmas Day, 2014.

Their weapon of choice was the “Lizard Stressor,” a DDoS tool they developed and then sold to others for a whopping $6/month.  As one blogger put it, “Lizard Squad is turning DDoS attacks into a commoditized service…”  But Lizard Squad isn’t what caught my eye in the newsletter…



In the same newsletter, Cyber Security reported that thousands of computers worldwide had been infected with NSA spyware, some of which had been embedded in the hard drives. The malware was found in at least thirty countries including Iran, Russia, and China, and it targeted “governments and diplomatic institutions, military, Islamic activists and key industries like telecommunications, aerospace, energy, financial institutions and oil and gas.”

In 2015, Kaspersky Lab identified the attackers as the Equation Group who are considered “one of the most sophisticated cyber attack groups in the world” and were long suspected of being State-sponsored due to their high level of sophistication.  Vault 7 confirmed those suspicions.  In a WikiLeaks document entitled, “What did Equation do wrong, and how can we avoid doing the same?,” members of the CIA’s Technical Advisory Council discussed Kaspersky’s report on the Equation Group attacks noting that, “The ‘custom’ crypto is more of the NSA falling to its own internal policies..” and, “As a result the NSA crypto guys blessed one library as the correct implementation and every one was told to use that.”  One member added, “Basically when we answer who is the Equation Group?  It isn’t a single entity.  The better question would be who uses the ‘Equation Group’ tools?”

Indeed, CIA…who uses them now that the NSA lost them?

Kaspersky also stated that the group had been “mapping air-gapped networks,” and that the NSA malware was found in computers made by Toshiba, Western Digital, Seagate, and IBM which usually means only one thing:  Supply chains.  And sure enough, according to Cyber Security (technically from the Snowden documents),

“Computer products also appeared to be intercepted while being shipped and implanted with malware…a little-known unit within the NSA known as Tailored Access Operations has covertly intercepted computers, router and software being shipped in order to install spying tools allowing for the secret surveillance of targets.”

Remember Vault 7’s Dark Matter?  And if you’re not familiar with Tailored Access Operations (TAO) which works with the Equation Group (whether it’s an actual group or set of tools), it’s considered the U.S. government’s top hacking team although I suspect the CIA has given them quite a nice run for their money.  According to a WikiLeaks email with a subject line that reads, “More about the NSA’s Tailored Access Operations,” the hacking unit has access to the United States’ “hardest targets” and aggressive attacks are considered their M.O.

A former TAO chief stated that TAO, “needs to continue to grow and must lay the foundation for integrated Computer Network Operations,” which sounds an awful lot like the CIA’s Computer Operations Group (COG) and their Network Operations Division (NOD) (See organizational chart above).  For more about TAO’s programs like ANT that “burrowed its way” into Cisco and Huawei products (which is hilarious considering the fact that the U.S. and Australia banned Huawei from the 5G mobile network citing “risks of foreign interference and hacking”), read WikiLeaks’ document here.  I mean, this is the NSA’s Vault 7 first revealed by Edward Snowden.

So what does any of this have to do with my interest in the CIA’s Software Development and Closed Network branches in the CIA chart above that I mentioned earlier?  One word:  Stuxnet.



Did you ever see the movie “Live Free or Die Hard” a.k.a. “Die Hard 4?”  In the film cyberterrorist Thomas Gabriel engages in a “firesale” attack against the United States — a “three-stage coordinated attack on a country’s transportation, telecommunications, financial, and utilities infrastructure systems.”  According to fandom.com (what can I say, the term “firesale” in this context was coined by the movie), stage one involves shutting down all transportation systems, stage two would disable the financial and banking systems, and stage three would turn off all public utility systems like gas, electricity, telecommunications, and satellites.  Sounds fun, right?  Welcome to Stuxnet.

Stuxnet, a malicious worm that was built by the United States and Israel and deployed by TAO/Equation Group, is considered the “world’s first digital weapon.”  The worm contained an unheard-of four zero-day exploits and was developed under the codename “Olympic Games.”  Although it infected god only knows how many computers, the code was written to target and destroy centrifuges at an Iranian nuclear facility and it did just that–despite the fact that the facility had an air-gapped system.  No other systems besides the one at the Iranian facility were attacked.

Simply put, Stuxnet knew which controller software to look for and the configuration of the centrifuges at the facility and ignored everything else.  And despite the fact that the facility’s system was completely isolated from the internet, Stuxnet was still able to destroy the centrifuges by infecting it via USB flash drives and taking control of it without detection.  According to most experts, it was “the first time anyone had seen digital code in the wild being used to physically destroy something in the real world.”

The attack came off the heels of the Iranians funneling money and arms to the Huthis along the northern border of Yemen and Saudi Arabia.  The fact that Iran was developing nuclear capabilities didn’t help matters at least not as far as Israel was concerned.  During a March 2009 visit to the United States, former Lt. General Gabi Ashkenazi met with Hillary Clinton and others stating that Israel would not “tolerate a nuclear Iran,” and later that same year he made statements about Iran’s centrifuges “working day and night.”

To date no one has admitted responsibility for destroying Iran’s centrifuges at their Natanz nuclear facility (and good luck getting anyone to talk about it), but according to the Telegraph, during Ashkenazi’s 2011 retirement party, a video was played detailing his “operational successes.”  Stuxnet was mentioned as one of them.  And one blogger makes a compelling argument that Hillary Clinton made two references to Stuxnet during the 2016 presidential debate.  Also, if you have the time I highly recommend you watch the documentary “Zero Days,” during which they interview an NSA-TAO whistleblower about Stuxnet.

Interestingly, on July 17, 2009, Julian Assange made a public announcement about a “serious nuclear accident” at the Natanz facility, the “primary location of Iran’s nuclear enrichment program” and the same facility that was hit with Stuxnet.  Although WikiLeaks eventually lost contact with their source, they “had reason to believe they were credible.”  The significance of the source’s material besides a general concern over any “serious nuclear accident” was the suspicion that it had to do with the the head of Iran’s Atomic Energy Organization’s resignation under suspicious circumstances.  Whether or not this incident had to do with Stuxnet, I don’t know.

Just recently an article was published on motherboard.vice.com entitled, “People Are Recklessly Speculating that the Massachusetts Gas Explosions Were a Stuxnet-Related Hack.”  The journalist behind the story called the theory, “baseless speculations,” as if Stuxnet had never really happened, and then exclaimed during a clip of “Live Free or Die Hard,” “For god’s sake, look at that video.  The terrorists make computers explode with malware!  As far as we know, this doesn’t happen in real life,” as if he expects the NSA and CIA to notify us when blowing up computers with malware becomes a reality.

And in an effort to curb mass hysteria the article goes on to say, “this kind of baseless speculation is not only wrong but dangerous,” but the only thing wrong and dangerous is this article trying to convince you that something like Stuxnet couldn’t happen again when it absolutely could and quite likely may.  Eugene Kaspersky’s take on cyberterrorism,

“Whether a scenario like that imagined in the 2007 film Die Hard 4 would happen is now a question of when, rather than if…I’m afraid that Stuxnet and all these cyber weapons are a very bad innovation…They can be easily copy-pasted; it’s very easy to employ engineers, easy to develop very similar weapons, and there could be some very, every bad guys somewhere in the mountatins who have zero clue about the technology they have, but they can pay and employ people to create it.”

I mean, take for instance Vault 7’s Brutal Kangaroo.  According to WikiLeaks,

“The [Vault 7] documents describe how a CIA operation can infiltrate a closed network (or a single air-gapped computer) within an organization or enterprise without direct access. It first infects a Internet-connected computer within the organization (referred to as “primary host”) and installs the BrutalKangeroo malware on it. When a user is using the primary host and inserts a USB stick into it, the thumbdrive itself is infected with a separate malware. If this thumbdrive is used to copy data between the closed network and the LAN/WAN, the user will sooner or later plug the USB disk into a computer on the closed network. By browsing the USB drive with Windows Explorer on such a protected computer, it also gets infected with exfiltration/survey malware. If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked.

“CIA operation can infiltrate a closed network…very similar to how Stuxnet worked,” hence my interest in those two branches I mentioned earlier:  Software Development Branch (SDB) and Closed Network Branch (CNB) because, folks, it appears that Stuxnet has already been turned in for a newer model.



So yeah, I got completely derailed from @AnonScan’s video that I mentioned at the beginning of this post because I doubt WikiLeaks’ and @AnonScan’s goal was to direct us to an email about the Lizard Squad.  But if malware like Stuxnet can infect air-gapped networks and take control of systems we believe are safe like those that control nuclear, electrical, or water facilities–and the NSA and CIA, two of the most, if not the most, irresponsible agencies within the United States government are making more of these weapons–then I’ve done my duty to warn you that we’re probably screwed sooner rather than later.

P.S. I’m still holding out that FIO stands for Foreign Intelligence Operations and WikiLeaks is about to drop the motherlode on Hillary Clinton and crush Russiagate but I digress…

Coming Up → AnonScan’s Lizard People:  Looking For Clues?

Post Disclaimer

This is an Op-ed article. The information contained in this post is for general information purposes only. While we endeavor to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information contained on the post for any purpose. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site.

The views or opinions represented in this blog do not represent those of people, institutions or organizations that the owner may or may not be associated with in professional or personal capacity, unless explicitly stated. Any views or opinions are not intended to malign any religion, ethnic group, club, organization, company, or individual.

The owner will not be liable for any errors or omissions in this information nor for the availability of this information.  The owner will not be liable for any losses, injuries, or damages from the display or use of this information.