The Rabbit Files 3.0: In The Shadow of the Brokers

Previous: The Rabbit Files 2.0: Russian Hackers, DCLeaks, and Guccifer 2

Approximately one month after DCLeaks.com and the Guccifer 2 WordPress account started releasing documents, DNC staffer Seth Rich was shot and killed in Washington, D.C. in the early hours of July 10, 2016. Within 24 hours of his murder, conspiracy theorists were already mulling over his death, including one Reddit user using the handle “Kurtchella,” who theorized that Rich may have been killed for having insider information about voter fraud perpetrated by the DNC. After Julian Assange mentioned Seth Rich during a Dutch television interview a month later, rumors soared that he was the source for WikiLeaks’ DNC emails:

“Whistleblowers go to significant efforts to get us material and often very significant risks. There’s a 27-year old that works for the DNC who was shot in the back, murdered, uh, just a few weeks ago for unknown reasons as he was walking down the street in Washington.”

Spurring on the conspiracy, later that same day WikiLeaks announced a $20,000 reward for information leading to a conviction in Rich’s murder. In the middle of these shenanigans, Guccifer 2 was still releasing documents, and three days after WikiLeaks’ reward offer, Emma Best (later of DDoSecrets) struck up a direct conversation with the online “Romanian” persona.

Emma Best and Guccifer 2

On August 12, 2016, the G2 WordPress account leaked the private email addresses and phone numbers of both current and former Democratic congressional members. At the bottom of the post they wrote, “Dear journalists, you may send me a DM if you’re interested in exclusive materials from the DCCC, which I have plenty of.” DDoSecrets’ Emma Best decided to personally contact the G2 Twitter account and was told that they planned on sending “a large trove” of documents to WikiLeaks. Best then reached out to WikiLeaks and told them that they were also “considering giving me at least part of the cache.”

As the story goes, WikiLeaks asked her to be their go-between, but she declined the offer and stopped messaging Guccifer 2. According to BuzzFeed, less than an hour after WikiLeaks’ last message to Best, the @GUCCIFER_2 Twitter account posted that it had sent the trove of documents to the publishing outlet. But that isn’t what the account said. What it said was, “I’ll send the major trove of the #DCCC materials and emails to #wikileaks…,” future tense: nothing had been sent at the time of the tweet, which was posted a few hours after midnight on August 13. BuzzFeed also failed to mention that WikiLeaks never published any DCCC material.

Later that day, both the Guccifer 2 WordPress blog and the @GUCCIFER_2 Twitter account were suspended (for roughly 24 hours). The WordPress blog was suspended for publishing the private email addresses and phone numbers, and it appears the Twitter account was suspended for retweeting a link to that post. While WikiLeaks was busy criticizing the censorship of both accounts, a new group, whose leaks would later enable a devastating ransomware outbreak, showed up on the scene.

The Shadow Brokers

On August 13, 2016, a group calling itself “The Shadow Brokers” made its debut via the Twitter handle @shadowbrokersss, claiming to have stolen an arsenal of cyber weapons and exploits from the NSA’s Equation Group. According to riskbasedsecurity.com, “It started with the creation of a Reddit account on the 1st of August and then over the next 13 days it appears they created accounts at GitHub, Twitter, and Imgur.” The Shadow Brokers also posted some sort of manifesto and discussed auctioning off the weapons via Pastebin:

“What this have do with fun Cyber Weapons Auction? We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for Elites. Your wealth and control depends on electronic data. You see what ‘Equation Group’ can do. You see what cryptolockers and stuxnet can do…If Equation Group lose control of cyber weapons, who else lose or find cyber weapons? If electronic data go bye bye where leave Wealthy Elites? Maybe with dumb cattle? ‘Do you feel in charge?’”

After they posted a free sample of exploits for Cisco and Fortinet firewalls on GitHub, security experts quickly realized that what they had was real. “This malware would allow the attacker to send an exploit to a fully-patched firewall and allow the hacker to take full control of that firewall,” explained Jake Williams, a former member of the NSA’s hacking group, Tailored Access Operations (TAO).

On October 1, 2016, the Shadow Brokers posted a rambling message in broken English that centered on the auction and why the media wasn’t paying attention to it. Two weeks later, they posted another message with an entirely fake (and nasty) conversation that took place between Bill Clinton and Loretta Lynch during that infamous tarmac meeting at an airport in Phoenix, Arizona. And another two weeks after that, they hinted that the 2016 election hacking was payback for Stuxnet (Iran).

During this time period they also published a list of IP addresses that the Shadow Brokers claimed was “a list of servers in the world that the NSA had infected or was using as a server to launch exploits from.” According to Jack Rhysider, the creator and host of darknetdiaries.com, if you could cross-reference that list with IP addresses “coming into your network like hits to your website, logins to your VPN, that kind of thing, you might be able to notice if the NSA was hacking you; or, at least in theory, that’s what you could possibly check for.” 
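The cross-referencing Rhysider describes is easy to automate. Below is an added Python example (mine, not from the original post, Darknet Diaries, or the Shadow Brokers’ material) that loads a suspect-host list of addresses and CIDR ranges, pulls every address out of web, VPN and SSH log lines, and reports which lines touch a listed range. The suspect list and log lines are constructed samples using documentation address ranges, not the list the Shadow Brokers published.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample of a "suspect hosts" list, one address or CIDR per line.
# These are documentation ranges (RFC 5737 / RFC 3849), not the real list.
SUSPECT_LIST = """\
# comments and blank lines are tolerated
198.51.100.23
203.0.113.0/24
2001:db8::/32
"""

# Constructed sample log lines in three common formats: Apache-style web hits,
# an OpenVPN connection line, and an sshd login line.
SAMPLE_LOGS = [
    '198.51.100.23 - - [10/Aug/2016:02:14:07 +0000] "GET /login HTTP/1.1" 200 512',
    '192.0.2.44 - - [10/Aug/2016:02:15:11 +0000] "GET /index.html HTTP/1.1" 200 1024',
    'Aug 10 02:16:30 vpn openvpn[1234]: TLS: Initial packet from [AF_INET]203.0.113.77:51234',
    'Aug 10 02:17:02 bastion sshd[999]: Accepted publickey for alice from 2001:db8:1::9 port 51000 ssh2',
]


def load_suspect_networks(text: str) -> List[IPNetwork]:
    """Parse a one-entry-per-line list of IPs/CIDRs into network objects.

    A bare address becomes a /32 or /128, so every entry can be matched with
    the same `address in network` test.
    """
    networks = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def candidate_addresses(line: str) -> List[IPAddress]:
    """Pull every token that parses as an IP address out of a log line.

    Timestamps like 02:16:30, HTTP versions like 1.1 and status codes are all
    rejected by the ipaddress parser, so a permissive regex plus a parse
    attempt is enough and avoids writing a brittle IPv6 regex.
    """
    found = []
    for token in re.findall(r"[0-9A-Fa-f:.]+", line):
        if "." not in token and ":" not in token:
            continue  # plain hex/decimal word, never an address
        if "." in token and token.count(":") == 1:
            token = token.split(":", 1)[0]  # IPv4 with a trailing :port
        token = token.strip(".:")
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            continue
    return found


def match_logs(lines: Iterable[str], networks: List[IPNetwork]) -> List[Tuple[int, str, str]]:
    """Return (line_number, address, matched_network) for every log line that
    carries an address inside one of the suspect networks. Duplicate hits on
    the same line are collapsed; v4 addresses never match v6 networks.
    """
    hits = []
    for line_no, line in enumerate(lines):
        seen = set()
        for addr in candidate_addresses(line):
            for net in networks:
                if addr in net and (addr, net) not in seen:
                    seen.add((addr, net))
                    hits.append((line_no, str(addr), str(net)))
    return hits


if __name__ == "__main__":
    for line_no, addr, net in match_logs(SAMPLE_LOGS, load_suspect_networks(SUSPECT_LIST)):
        print(f"line {line_no}: {addr} is in suspect range {net}")
```

A hit only means that something on your network exchanged traffic with a listed host. The list was of third-party machines the NSA had allegedly compromised and used as staging servers, so a match could just as easily be ordinary traffic to a legitimate server that happened to be on it; treat a hit as a lead to investigate, not as proof of compromise.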

In January 2017, the Shadow Brokers returned, upset that their auction wasn’t the roaring success they had hoped for, and decided to release more hacking tools for free. They published “sixty-one Windows executables, link libraries, and drivers, claiming each one was developed by the Equation Group, TAO within the NSA, and can be used to hack Windows computers.” As Rhysider put it, these were legitimate exploits previously unknown to the general public, now out in the wild. Williams also pointed out that the dump included a way to edit event logs, which matters because “in the InfoSec community, and the forensics [community]…a lot of folks take those event logs to be sacred.”

So here’s the dealio: anyone with admin rights can clear an event log, but clearing is loud (Windows writes its own “the audit log was cleared” entry, Event ID 1102, into the Security log when you do it), and up until this point most people didn’t realize that individual entries could be edited out instead. Thanks to the Shadow Brokers, now everyone could, including hackers. According to Williams:

“You can disable logging without an event indicating logging has been turned off. You can turn it off, do your dirty work, then turn it back on and there’s no evidence that the logs have been tampered with which is really scary but important to know. There’s also a capability of removing individual events. This is important for us defenders to know because Windows event logs are so important to us. They tell us the truth of what happened…now you need to be looking for what’s not there.”
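“Looking for what’s not there” can be made concrete. The following Python script is an added example of mine, not code from the original post, from Williams, or from the leaked tooling. It takes a list of Security-log records as (EventRecordID, TimeCreated, EventID) rows and reports two kinds of absence: holes in the EventRecordID sequence (the fingerprint of individual records being removed) and stretches of silence on a host that normally logs continuously (the fingerprint of logging being switched off and back on). The rows are a constructed sample; the 15-minute silence threshold is an assumption you would tune to each log source.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class EventRecord:
    record_id: int        # EventRecordID: assigned sequentially per log file
    time_created: datetime
    event_id: int


# Constructed sample of Security-log records: (EventRecordID, TimeCreated, EventID).
# Two things are "not there": records 1004 and 1005 are missing from the middle
# of the sequence, and nothing was written between 02:06 and 02:50 on a host
# that otherwise logs roughly once a minute.
SAMPLE_ROWS = [
    (1000, "2016-08-13T02:00:12", 4624),
    (1001, "2016-08-13T02:01:05", 4672),
    (1002, "2016-08-13T02:02:41", 4624),
    (1003, "2016-08-13T02:03:09", 4634),
    (1006, "2016-08-13T02:05:58", 4624),
    (1007, "2016-08-13T02:06:30", 4634),
    (1008, "2016-08-13T02:50:17", 4624),
    (1009, "2016-08-13T02:51:02", 4634),
]


def parse_rows(rows: Iterable[Tuple[int, str, int]]) -> List[EventRecord]:
    """Build records and sort by EventRecordID, the order the log engine wrote them."""
    records = [EventRecord(rid, datetime.fromisoformat(ts), eid) for rid, ts, eid in rows]
    return sorted(records, key=lambda r: r.record_id)


def find_record_id_gaps(records: List[EventRecord]) -> List[Tuple[int, int, int]]:
    """Return (last_seen_id, next_seen_id, missing_count) for every hole in the
    EventRecordID sequence. In one unfiltered .evtx the IDs are contiguous, and
    wrap-around discards the oldest records rather than ones in the middle, so
    a hole in the middle is a strong sign that records were surgically removed."""
    gaps = []
    for prev, cur in zip(records, records[1:]):
        if cur.record_id - prev.record_id > 1:
            gaps.append((prev.record_id, cur.record_id, cur.record_id - prev.record_id - 1))
    return gaps


def find_quiet_windows(records: List[EventRecord], max_quiet: timedelta) -> List[Tuple[datetime, datetime]]:
    """Return (start, end) of every stretch longer than max_quiet with no records.
    On a source that normally logs continuously, this is where 'turn logging off,
    do the dirty work, turn it back on' shows up, because the tool described
    above leaves no 'audit policy changed' event behind to search for."""
    windows = []
    for prev, cur in zip(records, records[1:]):
        if cur.time_created - prev.time_created > max_quiet:
            windows.append((prev.time_created, cur.time_created))
    return windows


def audit_log(rows: Iterable[Tuple[int, str, int]], max_quiet: timedelta = timedelta(minutes=15)) -> dict:
    """Run both checks over raw rows and return the findings as one report."""
    records = parse_rows(rows)
    return {
        "record_id_gaps": find_record_id_gaps(records),
        "quiet_windows": find_quiet_windows(records, max_quiet),
    }


if __name__ == "__main__":
    report = audit_log(SAMPLE_ROWS)
    for last, nxt, n in report["record_id_gaps"]:
        print(f"{n} record(s) missing between EventRecordID {last} and {nxt}")
    for start, end in report["quiet_windows"]:
        print(f"no events between {start:%H:%M:%S} and {end:%H:%M:%S} ({end - start})")
```

Feed it the whole channel, not a filtered export: a filtered view has gaps by construction. On a live host the rows can be pulled with PowerShell’s `Get-WinEvent -LogName Security | Select-Object RecordId, TimeCreated, Id`, and the same two checks apply to the System log. A log that restarts at EventRecordID 1 without an accompanying 1102 (Security) or 104 (System) “log was cleared” event is a third absence worth flagging.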

Even a tech idiot like myself can understand the significance of this. On April 8, 2017, the Shadow Brokers posted one of their last messages, a scathing letter to President Trump about how he was abandoning “his base.” They chided him over chemical weapons in Syria, Bannon’s removal from the NSC, and U.S. military strikes on Syria. They also pushed for the “ideologies and policies of Steven Bannon, Anti-Globalism, Anti-Socialism, Nationalism, Isolationism,” stating that “European or Western Culture has proven is being best and most dominant, nothing to do with skin colors white, brown, yellow, but is having to do with being red…red as in blood.”

They also talked about white nationalism, they were familiar with the U.S. directory assistance number 555-1212 (often used in trolling), and they were “happy to unmask anyone we considering [sic] to be an enemy of the Constitution of the United States.” But before you get your knickers in a bunch, remember that these messages, like the broken English, were probably a smokescreen to hide who they really were. A few days after the message to Trump, they released EternalBlue and EternalRomance, the “biggest of all the exploits they released,” which led to the crippling WannaCry ransomware attacks.

It has been reported that the NSA warned Microsoft about EternalBlue ahead of time, and Microsoft did release a patch (MS17-010, March 14, 2017) roughly a month before the Shadow Brokers published the exploit. Many systems still had not applied it when WannaCry hit in May, and the worm also spread through older, unsupported versions of Windows for which no patch existed until Microsoft issued an emergency fix during the outbreak.

A Very Quiet Heads-Up

After the Shadow Brokers’ first release, WikiLeaks acknowledged it by publicly announcing that they had the “archive of cyber weapons released today” and would be releasing their “own pristine copy.” Whether that meant they only had that day’s release or a larger archive that the Shadow Brokers also held remains unclear, at least to this tech idiot. With that said, I’m going to go out on a limb and get wildly speculative. Between January and March 2017, Julian Assange was in negotiations with the U.S. government:

“Assange had a bargaining chip: The U.S. government knew he had a massive trove of documents from classified CIA computers, identifying sensitive assets and chronicling the agency’s offensive cyber warfare weapons.”

According to The Hill, Washington, D.C. attorney Adam Waldman was hired (pro bono) by Assange’s attorneys to “see if the new Trump administration would negotiate with the WikiLeaks founder.” The U.S. government was considering giving Assange limited immunity with the express desire that he redact upcoming publications. Assange, in turn, wanted help assessing “how some hostile foreign powers might be infiltrating or harming WikiLeaks staff.” Huh. Lemme put it in bold and quotes for those in the back:

“…how some hostile foreign powers might be infiltrating or harming WikiLeaks staff.”

Assange also offered to provide evidence that the DNC emails did not come from the Russians, as well as technical assistance with “flaws in security systems that led to the loss of the U.S. cyber weapons program.”

With that said and based on WikiLeaks’ own admission that they had the “archive of NSA cyber weapons released earlier today” (among other things which we’re getting to), is it possible that it was Assange who notified the U.S. government/NSA about EternalBlue who, in turn, gave “a very quiet heads up” to Microsoft that the exploit might be in an upcoming Shadow Brokers’ dump? Again, I’m just speculating.

Suspects in the Shadow Brokers Case

According to Politico, approximately 30 minutes before the Shadow Brokers started releasing NSA hacking tools and exploits, a Twitter account using the handle @HAL999999999 sent “five cryptic, private messages to two researchers” from the Russian security firm Kaspersky Lab. One of the messages stated, “So…figure out how we talk. With Yevgeny [Eugene Kaspersky, the company’s CEO] present. Shelf life, three weeks.”

The handle was likely a takeoff on HAL 9000 from Arthur C. Clarke’s 2001: A Space Odyssey and the Stanley Kubrick film of the same name. If you were paying attention during Vault 7, you might remember some of the Twitter accounts allegedly tied to Assange that made numerous references to Clarke and the movie. Anyhoo—

“I’m sorry, Dave. I’m afraid I can’t do that.” – HAL 9000, 2001: A Space Odyssey

Gizmodo reported that, according to U.S. court documents, the Twitter account was traced to Harold T. Martin III, a Booz Allen Hamilton contractor assigned to the NSA’s TAO, because the account “had a display picture matching the MVA photo of the Defendant.” MVA is Maryland’s Motor Vehicle Administration, so presumably his driver’s license photo, and as Gizmodo pointed out, this seems like a pretty sloppy mistake on Martin’s part given his career. It is almost as absurd as Guccifer 2 planting deliberate and obvious Russian fingerprints in the first five documents they published.

Marcy Wheeler (@EmptyWheel) published a really interesting article about Martin suggesting it’s possible someone else wrote and sent the DMs to Kaspersky Lab. She also noted other social media profiles that had used the same username “HAL999999999.” So was Martin set up? I don’t know but here’s the thing: The Twitter account never actually did anything wrong.

Regardless, federal authorities obtained a search warrant for Martin’s home shortly after the Shadow Brokers’ leak, and there they did find something terribly wrong: an estimated 50 terabytes of data, plus printed classified documents, spread across Martin’s house, shed, and car, some of it dating back to the 1990s. As Wheeler basically reported, if whoever was behind the Shadow Brokers knew about Martin’s hoarding, he would have made the perfect scapegoat for the leaks (while the investigation simultaneously cleaned up a dangerous situation). According to Micheal Whelan, who runs the Unresolved website and podcast:

“Harold Martin had spent years stockpiling millions of pages of classified intelligence; most of which was stored on more than 50 terabytes of hard drives. He had kept these hard drives and miscellaneous documents in his home, his unlocked shed in the backyard, and even his car… some of the documents could be read by simply looking in his car windows. It was a major gap in national security, made all the more shocking as investigators learned just how brazen Martin had been in this theft. He had hoarded virtually every piece of intelligence he could get his hands on, and the information he possessed was comparable with most other nations’ entire cyber-arsenal (if not even more impressive).” 

Martin was arrested, charged, and eventually sentenced to nine years in prison but according to gizmodo.com, “prosecutors have struggled to prove that Martin had any malicious intent or shared the documents with a third-party.” Politico:

“The newly disclosed legal opinion leaves little doubt that Martin, 54, was once one of the prime suspects in the Shadow Brokers leak two years ago. However, whether he ever actually leaked anything classified to anyone or even inadvertently disclosed anything that eventually appeared online remains unclear.”

Another TAO employee, Nghia Pho, was sentenced to prison in September 2018 for “taking a large amount of top-secret information home from 2010 – 2015.” He came under investigation in 2015. Unlike with Martin, the NSA claimed that “Pho’s actions had a severe impact, resulting in the spy agency’s having to abandon a number of techniques it previously relied on.” It was also reported that some of his files may have reached the Shadow Brokers “through Kaspersky anti-virus software that Pho had on his home computer.” To be honest, I’m not even sure whether this was in response to the Pho case, but Kaspersky’s account of the incident, given in October 2017 while the company faced increasing scrutiny from the U.S. government, went like this:

“In October of 2017, Kaspersky did confirm that his company downloaded classified documents from an NSA analyst in 2014. But according to Kaspersky, this was simply because his software detected malware on the analyst’s computer. The analyst allegedly set his Kaspersky software to send reports of any malicious detection, and as instructed it proceeded to download a 7-zip archive of documents for further review. According to Kaspersky, staff discovered that the file contained classified information, and he ordered it destroyed.”

As for Harold Martin, it has never been made clear whether the Shadow Brokers ever came into contact with any of the documents or data in his possession. According to Politico, investigators had “zeroed in on other potential suspects,” like Nghia Pho, but he is the only other suspect I’m aware of that they looked at in connection with the Shadow Brokers’ leaks.

[Image: @HAL999999999 Twitter DMs, via Politico]

After the initial release, Edward Snowden was nice enough to take to Twitter and let us all know that the Shadow Brokers had hacked an NSA malware staging server, a claim some experts later argued didn’t square with some of the material that was released. Snowden also pushed the Russian angle, stating that “circumstantial evidence and conventional wisdom indicates Russian responsibility.” Conventional wisdom puts Russia above China? Hmm.

And no, I don’t think China was behind the Shadow Brokers, but I do think they get to fly under the radar more often than they should because of guys like Snowden pushing Russian hysteria. Anyway, he went on to say that the Shadow Brokers’ leaks were:

“[L]ikely a warning that someone can prove US responsibility for any attacks that originated from this malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections. Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.” 

This “Don’t retaliate for the DNC leaks, love from Russia” narrative, along with the idea that the Shadow Brokers were trying to distract from the hacks/leaks, became a popular theory, but here’s the thing: some of the tools the Shadow Brokers leaked also appear in something called the ANT catalog, which was first leaked in December 2013 and may well have come from the same source.

Sources and Attribution

Jacob Appelbaum and the ANT Catalog

All of the Shadow Brokers’ files were later determined to date from 2013 (file timestamps, not the documents’ own dates), a few months after Snowden left for Hong Kong, suggesting that the NSA had another leaker on its hands. A number of the tools they released also appear in the classified Tailored Access Operations (TAO) catalog of NSA hacking tools known as the ANT (Advanced Network Technology) catalog.

When journalist James Bamford met with Snowden in 2014, Snowden refused to talk about the catalog but gave Bamford access to his entire tranche of documents. Bamford could not find “a single reference” to the catalog, again suggesting another leaker (for more on this, there is a good back-and-forth in the comments at schneier.com about whether Snowden was also the second leaker).

The ANT catalog was first revealed on December 29, 2013, in a Der Spiegel article co-written by Jacob Appelbaum. In fact, spiegel.de published at least nine articles about the NSA and TAO on December 29 and 30.

First, let me just say that it’s astounding, given what the U.S. government has done to Assange and WikiLeaks, that it never went after anyone at Der Spiegel for publishing a leak that seemed like a pretty big deal (I suppose it’s like how they never went after anyone at The Guardian, The New York Times, The Intercept, and so on over the Manning and Snowden leaks). And yes, from @EmptyWheel’s point of view (if I understand the superseding indictment and her assertions correctly), I respectfully acknowledge that Assange has also been charged with conspiracy to hack, which I personally think is debatable.

Back to Appelbaum. He also presented the 50-page ANT catalog at the Chaos Computer Club’s annual congress on December 30, 2013. This appears to be the same conference mentioned in the superseding indictment against Julian Assange. On page 20, starting with #86:

“On December 31, 2013, at the annual conference of the Chaos Computer Club (“CCC”) in Germany, ASSANGE, [Appelbaum] and [Sarah Harrison] gave a presentation titled ‘Sysadmins of the World, Unite! A Call to Resistance.’ On its website, the CCC promoted the presentation by writing, ‘[t]here has never been a higher demand for a politically-engaged hackerdom’ and that ASSANGE and [Appelbaum] would ‘discuss what needs to be done if we are going to win.’”

“…ASSANGE exhorted the audience to join the CIA in order to steal and provide information to WikiLeaks, stating, ‘I’m not saying don’t join the CIA; no, go and join the CIA. Go in there, go into the ballpark and get the ball and bring it out.’”

NSA/CSS Texas

After one of the Shadow Brokers’ releases, someone noticed that three of their documents came from the TAO unit at the NSA’s Texas Cryptologic Center in San Antonio, known as NSA/CSS Texas. Documents from the same TAO unit were included in some of Der Spiegel’s 2013 articles, one of which was titled “Plumbers From San Antonio.” Der Spiegel’s main story, the one initially published under the headline “Documents Reveal Top NSA Hacking Unit,” opens with:

“In January 2010, numerous homeowners in San Antonio, Texas, stood baffled in front of their closed garage doors. They wanted to drive to work or head off to do their grocery shopping, but their garage door openers had gone dead, leaving them stranded. No matter how many times they pressed the buttons, the doors didn’t budge.”

And yes, it turned out that radio antennas at the NSA’s San Antonio facility were interfering with the garage door openers. According to @EmptyWheel, these two sets of documents (Appelbaum’s and the Shadow Brokers’) are the only ones leaked so far from this particular TAO unit, which suggests the source may have worked at the NSA’s Texas facility, and that Appelbaum and the Shadow Brokers had the same source. Again, it suggests; it does not prove.

Snowden Documents

Days after the Shadow Brokers’ first release, The Intercept published a story confirming that what they had was the real deal based on Snowden documents. “A never-before-published NSA manual makes it clear that malware released by a hacker group this week came from the spy agency,” wrote Sam Biddle. More:

“The evidence that ties the ShadowBrokers dump to the NSA comes in an agency manual for implanting malware, classified top secret, provided by Snowden, and not previously available to the public. The draft manual instructs NSA operators to track their use of one malware program using a specific 16-character string, “ace02468bdf13579.” That exact same string appears throughout the ShadowBrokers leak in code associated with the same program, SECONDDATE.”

Honestly, most of this Intercept article is above my pay grade, but I thought it was important to note that Snowden’s cache independently confirmed the authenticity of the Shadow Brokers’ leaks.

Merkel Tasking Report and XKEYSCORE Rules

Bruce Schneier, the American cryptographer and computer security specialist, believes that the same source who leaked the ANT catalog also leaked the Merkel tasking record and the XKEYSCORE rules in 2014, the latter of which were also first published by Appelbaum, fueling speculation that the source for all three leaks was leaking directly to him. Also see Electrospaces.net’s “Leaked Documents That Were Not Attributed To Snowden.”

WikiLeaks

As I mentioned earlier, on August 15, 2016, WikiLeaks acknowledged the Shadow Brokers’ leaks stating, “We had already obtained the archive of NSA cyber weapons released earlier today and will release our own pristine copy in due course.” And so it would seem, based on circumstantial evidence and what experts like Snowden concluded, there’s a good chance that WikiLeaks used the Russians, or at least the same source as the Russians, for Vault 7. I’m not saying they did (and I’m not saying they didn’t), I’m simply trying to incorporate Russian hysteria into this scenario. Going further down the rabbit hole…

On February 23, 2016, eight months before the 2016 election, WikiLeaks released something called “NSA Tasking & Reporting: EU, Italy, UN,” under the headline “NSA Targets World Leaders for US Geopolitical Interests.” The source of the documents is unknown, but there has been speculation that they came from the same source as the ANT catalog, the Merkel tasking report, and the XKEYSCORE rules. In other words, possibly from Appelbaum’s 2013 source.

Although it appeared in January 2017 that the Shadow Brokers were closing up shop when they started deleting their online presence, they returned in April 2017 to post their last message to Trump along with the link and password to their 2016 data dump. This last dump included several names buried in the metadata, one of whom worked for the NSA, and a “list of allies’ civil infrastructure [e.g. universities] unlawfully hacked by the NSA.”

A few days later they released EternalBlue, and what I find fascinating in all of this is that Guccifer 2 and DCLeaks never spoiled any of WikiLeaks’ upcoming publications, and neither did the Shadow Brokers. The Shadow Brokers disappeared in January 2017, WikiLeaks started publishing Vault 7 in March, and when the Shadow Brokers returned in April and gave up the keys to their kingdom, none of their documents overlapped with Vault 7. As for WikiLeaks’ announcement that it would release “a pristine copy” of what the Shadow Brokers published, it never did.

Recently it was reported that Chinese hackers had been in possession of TAO tools, two of which dated back to 2013. According to zdnet.com, “Jian [cloned software used by the NSA’s Equation Group that Chinese hackers utilized between 2014-2017] exposed a module containing 4 escalation exploits that were part of DanderSpritz post-exploitation framework.” I have no idea what any of that means, but what I do know is that DanderSpritz was mentioned in the ANT catalog and was also disclosed by the Shadow Brokers.

Next: The Rabbit Files 4.0: Revisiting the .7z Files

Post Disclaimer

This is an Op-ed article. The information contained in this post is for general information purposes only. While we endeavor to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information contained on the post for any purpose. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site.

The views or opinions represented in this blog do not represent those of people, institutions or organizations that the owner may or may not be associated with in professional or personal capacity, unless explicitly stated. Any views or opinions are not intended to malign any religion, ethnic group, club, organization, company, or individual.

The owner will not be liable for any errors or omissions in this information nor for the availability of this information.  The owner will not be liable for any losses, injuries, or damages from the display or use of this information.
