Darknet Diaries - 53: Shadow Brokers

Episode Date: December 10, 2019

The NSA has some pretty advanced, super secret, hacking tools. What if these secret hacking tools were to end up in the wrong person's hands? Well, that happened.

Guest

Thanks to Jake Williams from Rendition Security for telling us the story.

Sponsors

This episode was sponsored by Thinkst Canary. Their canaries attract malicious actors in your network and then send you an alert if someone tries to access them. Great early warning system for knowing when someone is snooping around where they shouldn't be. Check them out at https://canary.tools.

Support for this episode comes from Blinkist. They offer thousands of condensed non-fiction books, so you can get through books in about 15 minutes. Check out Blinkist.com/DARKNET to start your 7 day free trial and get 25% off when you sign up.

Transcript
Starting point is 00:00:00 Sometimes you read the news, and the story sticks with you forever. One such news story I saw was some security news I heard, and I'll always remember it. It was when I first saw a presentation about the NSA ANT catalog. Have you seen this? It's mind-bending. Okay, here's what happened. Someone with access to NSA documents took the ANT catalog and gave it to journalists at Der Spiegel, and then they published it. At first, we thought it was Snowden who leaked these documents, but we're not sure if it was him or a second leaker.
Starting point is 00:00:34 I asked Snowden on Twitter if it was him, but he didn't respond. So what's NSA's ANT catalog? ANT stands for Advanced Network Technology. And in this catalog are a list of hacks, exploits, and cyber surveillance devices that the NSA can use for certain missions. If you work at the NSA and you need an exploit, you look through this catalog and then request to get one of these devices or pieces of software. When you look through it, it looks like the work of science fiction, but these are all real devices. Let me point out a few to you. NSA has created a device, codenamed Cottonmouth. It looks like a typical USB plug, one you'd see on a mouse or a keyboard.
Starting point is 00:01:16 But it's actually capturing all the data going through it and wirelessly transmitting that data. It listens for mouse clicks, keyboard strokes, or any other data going through it. Now, the receiver has to be close by, I don't know, 20 feet maybe, and with a strong antenna and nothing in the way, it could probably transmit much further. So someone can be listening maybe in the room next door to everything that your USB connector is seeing. This is some next level technology that the NSA developed in 2008, which still isn't even available commercially today. And the ANT catalog even lists the price for this, $20,000 per USB implant. Jeez, that's a lot.
Starting point is 00:01:55 The NSA ANT catalog has loads of other hacks and implants. There's Dropout Jeep, which is a piece of software that if you can get it onto an iPhone, it'll give you all the text messages, contacts, voicemail, it'll hot mic or open the video camera and get a geolocation of that phone. And there's Firewalk, which is a pretty amazing network sniffer. And there's Jetplow, which is a firmware that gives the NSA backdoor access to a Cisco firewall. And then there's Deity Bounce, which is an implant that goes onto a Dell server, which can get them backdoor access to that. But one of my favorites is called Rage Master. This is a little
Starting point is 00:02:30 device that taps into any VGA port. This is the connector that goes from your computer to your monitor. And with this, it can wirelessly transmit everything that VGA connector sees, essentially cloning that monitor to be seen by someone else at a distance. So let's imagine how these hacks might take place. The NSA might intercept a Cisco firewall being delivered somewhere, and they'll open the box carefully, put their firmware on it, and then seal the box back up, and this will give them permanent backdoor access into that firewall whenever they want. Or if they know their target is going to stay at a
Starting point is 00:03:05 hotel, they can get a room next door to their target, break into their target's room, install Cottonmouth or Rage Master, and then listen in the other room for the wireless signal to see everything that person was typing and seeing. Even if that person wasn't connected to the wireless or any network at all, this is possible. And it's insanely impressive. And yes, 50 items in this catalog were leaked to the public in 2013, but we only saw descriptions of these devices. No actual devices were seen. Now, upon closer inspection, we see that these items were intended to be used by TAO. TAO stands for Tailored Access Operations, TAO. And it's a unit within NSA that has a primary objective
Starting point is 00:03:50 to gather intelligence on computer systems. The people within TAO have access to the most sophisticated hacking tools ever created. They have the budget and ability to spend years on research and development to make insane tools and then use them whenever they need. TAO is NSA's elite hacking force. And they've actually changed their name to Computer Network Operations now. But for this story, I'm going to just keep calling them
Starting point is 00:04:14 TAO. Now, when security companies research hacking campaigns, they can't tell for sure who did it. So they give hackers a unique code name. Fancy Bear is what's given to the Russian hackers. Charming Kitten is given to Iran and so on. But security companies have investigated certain malware that's come from the NSA. And so a hacking name was given to the NSA. The name they were given is the Equation Group. And it's believed that whoever is doing work for the Equation Group is specifically TAO within the NSA. These are true stories from the dark side of the Internet. I'm Jack Rhysider.
Starting point is 00:05:00 This is Darknet Diaries. This episode is sponsored by Delete Me. I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive, it's endless. And it's not a fair fight. But I realize I don't need to be fighting this alone anymore. Now I use the help of Delete Me.
Starting point is 00:05:42 Delete Me is a subscription service that finds and removes personal information from hundreds of data brokers' websites and continuously works to keep it off. Data brokers hate them because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things. It was great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for Delete Me, now at a special discount for Darknet Diaries listeners.
Starting point is 00:06:13 Today, get 20% off your Delete Me plan when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only way to get 20% off is to go to joindeleteme.com slash Darknet Diaries and enter code Darknet at checkout. That's joindeleteme.com slash Darknet Diaries. Use code Darknet. Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure. I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher.
Starting point is 00:07:02 And he's made it a mission to make Black Hills Information Security world-class in security training. You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills
Starting point is 00:07:33 and showing them off to potential employers. Head on over to blackhillsinfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's blackhillsinfosec.com. Okay, today we're talking with someone who I really wanted to talk to for a long time. Someone who knows a lot about security and has been doing this for decades. And when you're battling hackers
Starting point is 00:08:04 for that long, you surely have some interesting stories. My name is Jake Williams. I'm the founder of Rendition InfoSec. And I think right now I'm an InfoSec dumpster fire putter outer, basically, basically all over the board when it comes to InfoSec, incident response, red team, SOC, whatever. What does Rendition Security do? Well, we do, we run a managed security operations center, so managed SOC or VSOC, as some people call it. And we do it 24 by 7 here in the U.S. It's actually managed out of Augusta, Georgia. And then separately, worldwide, we do red team and incident response.
Starting point is 00:08:38 We have folks actually in several countries and do a lot of international work as well as domestic work as well. And yeah, so basically Red Team, incident response is a big piece for us, digital forensics, some security architecture work, and then of course the VSOC. And for you Twitter folks out there, this is MalwareJake on Twitter. And I say that because he has 50,000 followers on Twitter and he's pretty well known. Besides being the founder of Rendition Security, he also teaches SANS courses. These are information security courses. And specifically, he teaches courses on threat intelligence, forensics, penetration testing, and even threat detection.
Starting point is 00:09:17 SANS courses are usually fantastic and extremely informative and have some of the best teachers. For this story, we're going to go back to August 2016. Jake was working for Rendition Security then, and his client had a specific security issue that was so big they needed Jake to go on-site to help. This was an incident response. The client was hit with something serious. So Jake and his team went to the client location
Starting point is 00:09:40 and took over a conference room to begin doing triage. We already had a war room per se right there for the incident response. So Jake had been at this client site for a few days now trying to help resolve this security incident. Now back at the home office of Rendition Security, they have a full-on SOC, a security operations center. So while a few people were on site helping the client, there were many more people back in the office helping out too. A SOC is usually quite a sight to see. They have lots of technicians or analysts sitting in desks with three or four monitors each analyzing alerts. But on the wall
Starting point is 00:10:16 in the front of the SOC will be all kinds of big screen monitors, world maps, attack maps, rosters, news feeds. And on one of the monitors in this SOC was a Twitter feed. Now in the early morning of August 13th, 2016, one of the people in the SOC saw something on that Twitter feed. And they knew they needed to tell Jake. Maybe 6:30 or 7 in the morning, something like that. And I remember we were just rolling out, if I remember correctly, I think to Sonic for breakfast, right? And grabbing some of those breakfast burritos they have.
Starting point is 00:10:49 The tweet that Jake read was posted by someone with the name Shadow Brokers with two S's at the end. The tweet said, quote, we follow equation group traffic. We find equation group source range. We hack equation group. We find many equation group cyber weapons. You see picture. We give you some equation group files free. You see,
Starting point is 00:11:12 this is good proof. No, you enjoy. You break many things. You find many intrusions. You write many bad words, but not all. We are auction the best files, end quote. That is hard to understand. Sounds like whoever wrote that, English was not their first language. But it basically said this group, Shadow Brokers, have stolen some cyber weapons from the NSA. Specifically, TAO within the NSA, which is what Equation Group is. And that they're giving away one of these exploits for free to everyone now and auctioning the rest off. So the Rendition SOC saw this, thought it was important.
Starting point is 00:11:50 We got alerted from one of them and said, hey, are you seeing this? And up to that point, the answer is no, we haven't seen this. And so then we're popping up on Twitter and going out to GitHub and saying, okay, you know, hey, first it was the download the stuff from GitHub, and then it was a, oh, snap, this is real. Right. This isn't a hoax. This is real stuff. So even though Jake is the president of Rendition Security, and even though he was on a client site at the time, he felt this was so important that he took time out of his day to download these files and to look at this malware that the shadow brokers had released.
Starting point is 00:12:24 The malware was a specific exploit for Cisco and Fortinet firewalls, and this malware would allow the attacker to send an exploit to a fully patched firewall and allow the hacker to take full control of that firewall. Well, I downloaded some files, but we'll say for sake of argument, look legit. Right? So... Hmm. Jake says it looks legit. Let's consider what that means for a moment. Someone calling themselves Shadow Brokers
Starting point is 00:12:55 has claimed that they got one of TAO's secret exploits and publicly dumped it for the world to see. An exploit that Cisco and Fortinet did not know existed. And this exploit does in fact work on a fully updated firewall, meaning it was previously unknown to the world, and now Jake is saying it looks legit. Yeah, I mean, I think that's as far as I can go directly without confirming or denying.
Starting point is 00:13:21 We'll say looks like legitimate threats. Hmm, I feel like Jake might know something more about this than he's leading on. I mean, what president of a security company is going to take time out to download a potential NSA exploit, test it, and then come out and say it looks legit? And after this, he went into the client office to continue doing work for them. Actually was a Cisco customer who had a lot of legacy Cisco equipment. And having some of that legacy Cisco equipment with the basically, we'll just say it was equipment that was itself vulnerable in some of the configurations. Some of the stuff they had
Starting point is 00:14:05 actually was vulnerable to some of the stuff that was released, right? Which is obviously not a best case kind of scenario there. So yeah, so definitely was doing some digging into, you know, what's in the dump and what kind of exposure does that leave, you know, not just them that we're on site with, but obviously other clients as well. Both Cisco and Fortinet confirmed this was a vulnerability they were not aware of, an issue to patch right away. But this barely fixed the issue. The issue now is, who are these shadow brokers? How many exploits do they have?
Starting point is 00:14:37 How did they get these? Not to mention, they're selling even more of these to the highest bidder. They even went on to say if they can get 1 million Bitcoin, they'll dump everything to the public for everyone to see. But the immediate problem is realizing that this top secret exploit is now in the enemy's hands. Well, everybody's hands, right? I guess as the, you know, at the time, bear in mind, right, it's one zip file and it is a, you know, it's one zip file, right? And there's no evidence at this point that they have anything else specifically. I know they claim to, right?
Starting point is 00:15:10 But in their initial post, you know, that's all gibberish anyway. And, you know, so I'm kind of looking at it going like, it's one file, right? And, you know, without getting into specifics, let's just say that it is the kind of thing that I could see somebody having without having everything else. Like there are plausible scenarios in which one could have that specific thing and not have everything else at the end of the day. Okay. And did you think – did you have a guess at who might be Shadow Brokers at that point? Uh, I think at
Starting point is 00:15:47 that point it was a little too early for me to really develop a, uh, you know, much of a theory beyond the, you know, beyond the wow. Um, you know, this is, this is, it was, it was quite a dump. So I think at the time we did quite a, uh, or we did a lot of internal kind of discussion analysis, you know, at Rendition. We did quite a bit of that. And I think for us, we were kind of split between either this is legit. They're dumping this to show that they have, you know, legit other stuff to sell. Right. Because remember, that was part of the offer, right? Was that they would release the keys to decrypt these other awesome, you know, as of yet unknown, even what the, you know, quantity and quality, these other zero days, right? We're going to release all this stuff. You know, this is the preview, right? Or the teaser, as it were, right?
Starting point is 00:16:39 To get people's appetites whet. So that was, you know, I think about half of us at the group, you know, kind of looked and said, yeah, that's probably what it is. And there was another group that was, you know, another contingent that was like, yeah, no, this has nothing to do with money. Absolutely nothing to do with money. This is full on, regardless of what else they have, this is full on an information operation. Right. And I think I kind of flopped between the two. I gravitated to information operation, but I could see the other argument being legit as well, that some insider perhaps had walked out with stuff and was motivated by money.
Starting point is 00:17:15 The news was now spreading all over the Internet that the shadow brokers had leaked NSA hacking tools. The Guardian was posting about it, Ars Technica. Engadget. The Atlantic. Wired. Even the New York Times. This was a really big deal and had the attention of the world. So how much did the auction get to? Well, in the first 24 hours after the dump, the auction only received $937, which I think was quite a disappointment for the shadow brokers. People everywhere were trying to guess how they got these exploits. Did someone hack the NSA? Maybe the NSA hacked them, but then left their hacker tools behind.
Starting point is 00:17:53 Because if the NSA is going to hack something, they need to put their exploit there first and then execute it. So maybe they just left their exploits behind. Or maybe someone from the NSA grabbed this stuff and walked out with it. Nobody knew for sure, but these shadow brokers had captured the attention of the world. Two months later, Joe Biden was on NBC's Meet the Press. The two were talking about Russia possibly hacking the elections, and they had this to say. I talked with former Russian Ambassador Mike McFaul.
Starting point is 00:18:24 And we talked about the idea that you've got to respond when they're hacking. You've got to do something. He described it as a high, hard one. Maybe just sort of like in baseball, you throw a high, hard one to send a message. Why haven't we sent a message yet to Putin? We're sending a message. We have the capacity to do it. And the message...
Starting point is 00:18:48 He'll know it? He'll know it. It'll be at the time of our choosing and under the circumstances that have the greatest impact. Look, at... So a message is going to be sent? Will the public know it? I hope not.
Starting point is 00:19:05 Mr. Vice President, I'll leave it there. Thank you, sir. Thank you. Two weeks after that, shadow brokers published their second dump. First, they say this right away, quote, Why is Dirty Grandpa threatening CIA cyber war with Russia? End quote. Now, I believe they're calling Biden Dirty Grandpa here because of what he said just a few weeks earlier, which is a really, really weird thing to say.
Starting point is 00:19:30 But, okay. The contents of this second dump was just a big list of IP addresses, and the shadow brokers claimed that this was a list of servers in the world that the NSA had infected or was using as a server to launch exploits from. This wasn't quite that big of a dump. The message was more like telling the NSA that the shadow brokers weren't going away, and this is a reminder that they're still a threat. I think the second dump was really interesting because, you know,
Starting point is 00:19:55 the second dump, given all the IP addresses that were there, became a really interesting data set for researchers who had a lot of NetFlow data. And we did indeed, and I think just like anybody else, went back through NetFlow data for our clients and said, okay, do we see IP addresses from this list connecting to any client, to anything? Because obviously if they are, that could be an indicator of compromise. It's definitely an indicator of concern. But yeah, I mean, other than analyzing what they wrote,
Starting point is 00:20:28 the Shadow Brokers themselves wrote and posted. I think they were going to Steemit still at the time. Yeah, Steemit. And basically, beyond looking at what they wrote, it wasn't really a... That next drop wasn't earth-shattering. There was nothing really in there besides the IP addresses. But it was more actionable than the first one, to be honest,
Starting point is 00:20:44 for the majority of InfoSec professionals. The reason why this was actionable for some InfoSec professionals is because, you might be able to notice if the NSA was hacking you, or at least in theory, that's what you could possibly check for. Stay with us, because after the break, the world is about to change. This episode is sponsored by SpyCloud. With major breaches and cyber attacks making the news daily, taking action on your company's exposure is more important than ever. I recently visited SpyCloud.com to check my darknet exposure and was surprised by just how much stolen identity data criminals have at their disposal. From credentials to cookies to PII.
Starting point is 00:21:42 Knowing what's putting you and your organization at risk and what to remediate is critical for protecting you and your users from account takeover, session hijacking, and ransomware. SpyCloud exists to disrupt cybercrime with a mission to end criminals' ability to profit from stolen data. With SpyCloud, a leader in identity threat protection, you're never in the dark about your company's exposure from third-party breaches, successful phishes, or info-stealer infections. Get your free Darknet exposure report at spycloud.com slash darknetdiaries.
Starting point is 00:22:14 The website is spycloud.com slash darknetdiaries. Now, something huge happened in the world just after this second dump. The U.S. had a presidential election, and Donald Trump took the election. There was a lot of rhetoric at the time that the Russians meddled with the election. And just as people were starting to talk about that, in January of 2017, the Shadow Brokers made another post, and this one saying goodbye. The post said that they did not get the Bitcoin they were hoping for, so they're just going to release more hacking tools for free for anyone. They posted 61 Windows executables, link libraries, and drivers, claiming each one was developed by the Equation Group, TAO within the NSA, and can be used to hack Windows computers.
Starting point is 00:23:03 Again, these did check out and they were new exploits, not previously seen, and they looked legit again, as in they were probably created by TAO in NSA. The Shadow Brokers then signed off, saying goodbye, claiming they're going to go dark because they didn't get enough Bitcoins. 67 or something files, the actual files themselves also get sent out. And that was a pretty big deal for us, right? Because in their directory listing, it says, you know, something like event log edit or edit event log something, and there's multiple
Starting point is 00:23:39 references to it. And, you know, in the InfoSec community, particularly in the forensics, their deeper community, a lot of folks take those event logs to be, you know, sacred, right? You know, there are whole textbooks written about how you can basically clear an event log, but you can't surgically edit one. And those of us in incident response have known that's been not true for some period of time. But we don't have, you know, most of us don't have publicly available tools that we can point to and say, no, no, look, here's the capability. The capability definitely exists. Here's where it's at, right?
Starting point is 00:24:14 Again, anybody who's in this business knows that it's a capability. We even know who had it up to that point. But suddenly overnight, everybody had it, right? And it changed the game on, on incident response. And, and having seen that we wanted to go ahead and, and, you know, basically that was one of the first major posts that I wrote about it was to say, Hey, look, you know, this is a, this is a game changer for incident response. It's a game changer for a lot of stuff, but, but specifically for IR, this is a full on game changer. Pay attention.
Starting point is 00:24:44 Hmm, yeah. The exploit they dumped means a hacker can edit an event log in Windows. This was previously not a capability. Well, not a capability except for the TAO unit within the NSA. But now the whole world has this capability. This could have a big impact. And so Jake continued to analyze what the Shadow Brokers were dumping. And yeah, he was blogging about it, talking about what he thinks of this and what the important takeaways are from these dumps.
Starting point is 00:25:13 But this wasn't the last we heard from Shadow Brokers. About three months later, in the first week of April, they showed back up. They made another post, dumping more stolen hacking tools. And in this post, they even had a message for the president. Quote, the shadow brokers voted for you. The shadow broker supports you. The shadow brokers is losing faith in you, Mr. Trump. It's appearing you are abandoning your base, the movement, and the people's who getting you elected. End quote. Hmm. Does this mean the Shadow Brokers are part of the far right? Or is this some kind of smokescreen? Well, again, Jake
Starting point is 00:25:50 saw this dump, analyzed it, made sense of it, and then made a blog post about it. I said, look, if you track the dumps, and you track some of the rhetoric, right, the timing of the dumps is very convenient around, basically conveniently aligned around times that Russia
Starting point is 00:26:08 is being called out in the press for hacking. And literally what they're doing is, you know, I hypothesized and I said, you know, basically while I can't say for sure that, you know, the timing is coincidental or circumstantial, whatever, we can say that the Shadow Brokers dumps, the timing of these definitely lines up with times that Russian hacking is in the news. And, you know, in the tech space, which is largely where that's being covered, them dumping these or, you know, creating these dumps is completely taking, you know, the focus away from Russian hacking and putting it on, oh my gosh, NSA lost tools, allegedly, right? And, you know, checkbox, right?
Starting point is 00:26:48 So it's always weird when hacking stories get political for me, because I don't think us security people even consciously realize when it does get political. We just see some shadowy group of people dumping hacking tools, which is a real impact on the networks we're trying to secure. But if you lean into the story, you start seeing things like Biden and Russia and elections and Donald Trump. Well, these were some of the observations that Jake saw, and he was starting to post this to his blog. Now, keep in mind, Jake here is known as Malware Jake on Twitter, where he has 50,000 followers. And when he posts a blog post, it gets considerable
Starting point is 00:27:25 eyes on it. And this particular blog post got retweeted and started spreading. Well, more, yeah, not just retweeted, but like that actually took the content and said, and basically wrote stories around the content, right? Saying, oh, Jake, you know, Jake Williams, the rendition says, you know, that he believes this is, you know, if not a Russian operation in the interest of Russia, right, kind of thing. And so folks wrote stories about the analysis kind of deal. It's kind of exciting to have a blog post of yours gain some traction like that. It feels good that you have something helpful to say about the conversation and people appreciate your thoughts.
Starting point is 00:28:00 But then the next day... I wake up and I check Twitter notifications. And, you know, like at the time, I saw all my notifications going to the phone, what have you. And I just do like a little drag down. It's like 99 plus, right? 99 is where it stops counting, right? It's like 99 plus notifications. And I'm like, oh, either something really good has, you know, like a blog post has gone viral or something. You know, I'm like, my first thought is like, I tweeted something that really pissed a bunch of people off. And, you know, I've got some like, whatever it is, you know, the gang up
Starting point is 00:28:50 kind of thing going or, you know, dogpiling or something. And then I, my blood ran cold when I saw what had actually happened. Shadow Brokers, the secret hackers who had the attention of the entire InfoSec community and so many more people, had tweeted directly at Jake. The tweet said, quote, @MalwareJake, you having a big mouth for former Equation Group member. Shadow Brokers is not in habit of outing Equation Group members, but had to make exception for big mouth. End quote. The English was rubbish, but the message was clear. Whoever these Shadow Brokers were had just stated publicly
Starting point is 00:29:32 for everyone in the world to know that Jake was a former member of NSA's TAO, a.k.a. the Equation Group. Yes. Yep. And the thing is, it's true. Jake had spent almost two decades working in the information community for the government and about five years in TAO. But Jake had kept this a secret almost just to himself. Even though he was a public figure with tons of Twitter followers, a speaker at DEF CON, a SANS instructor, nobody outside his close friends and family and ex
Starting point is 00:30:02 co-workers knew he was a former member of TAO. No, I certainly wasn't, you know, wasn't like tweeting that. Now, I mean, I had a hole in my, you know, obviously, if you go to my LinkedIn, you can see I work for the DOD, right? There's no question there. But I mean, you know, in our space, there's a lot of people in InfoSec that worked at some time for the DOD, right? And I was former Army. And so I felt like that was all, you know, yeah, again, it was DOD, right? But yeah, to get in and say NSA, and really on top of that,
Starting point is 00:30:31 to say NSA hacker, right, is a whole different level of, yeah, that, I guess, right? It wasn't something that I really was planning to start talking about out there, but whatever. What's your initial reaction when you saw that? Well, I'll be honest and say it was unprecedented. And I didn't really have a good feel for how the government was going to handle this.
Starting point is 00:30:59 And a lot of people have chatted about this with some other folks over the last couple of years. And I said, you know, what I didn't know at the time, the thing that most concerned me was it was the complete lack of predictability for what the U.S. government was going to do. Like, I didn't know if the FBI was going to sweep in and be like, holy goodness, this is Russia. You've got to be, you know, I just don't know. There is, even at that time, a thought that it's Russia. And, you know, in the community, there are definitely, you mentioned before, some of the Trump rhetoric. And I didn't know if, you know, it wasn't just what was the U.S. government going to do, but how were like ordinary people going to react to this? And it just was, it was a very challenging time because of that, I think, more than anything else was the unpredictability. And, you know, just unprecedented.
Starting point is 00:31:48 Like that must have ruined your whole day. Oh, like I said, I was already sick. I'll be honest and tell you that I can't picture a better place to have to deal with that than teaching a SANS class. And it's what we call a boot camp class that runs from nine in the morning till 7 PM. Um, and I feel like that night, uh, I know we had some other event that I was staffing there. So I, I literally worked from like nine to nine, um, despite being sick and I cannot fathom a better way to have dealt with that. Why it was, it was forced distraction. So it wasn't like I, I didn't have time to mull over it as much as just go do your thing, right?
Starting point is 00:32:27 And so I think that was helpful to me. Yeah, so I was just wondering, like, an overall message. Do you think they're guessing at who you were, or? No, not a bit. I can say with confidence, with high confidence, that they 100% were not guessing at who I was. I say that with high confidence. I can't get into the why, but I will say for sure
Starting point is 00:32:52 they were not guessing at who I was. They had that dead to rights. They knew it wasn't a guess. And based on some other stuff that they've written, I'm fairly certain they had that. Yeah. But what the message was is another thing entirely, right? You know, it could be, and I put a lot of thought into this, right?
Starting point is 00:33:14 The message could be purely that they didn't like what I was writing and wanted me to shut up and wanted that blog post down. And my business partner at the time reacted exactly that way and took the blog post down. And, you know, even even with links to it. Right. They basically rewrote it as a, you know, one paragraph, nothing, you know, no, no real content to it, no real meat to it. Just there wasn't a 404 on the website. But I mean, he took that down. And that was if they were trying to accomplish that goal that they did, that they definitely did. So I could have also been, you know, that if somebody else was out there, you know, that hadn't yet been identified, that, you know, they were trying to say, like, you know, hey, if you do what this guy does, we're going to out you too? I don't know. I mean, I would expect that if anybody else were thinking about commenting
Starting point is 00:34:05 on, you know, former NSA folks were thinking about commenting on the Shadow Brokers, that would have, I would expect, I would expect that would be a deterrent as well. But again, as far as their motivation, it's really hard to nail down. What a weird and surreal thing to happen to Jake, to be outed publicly by this mysterious hacker crew. It's like he was doxxed by them. And the tweet didn't just stop there. It went on to say how the Shadow Brokers know about some top secret weird missions, and I'm going to assume classified things that Jake was involved in while at TAO.
Starting point is 00:34:43 The Shadow Brokers tweets started, or their messages were saying things like, connecting you to things like Oddjob, CCI, Windows BITS, Persistence, and the Q Group. Does that, do you have any comment about that? I, there's no safe comment that I can make on any of that. A few days after that, the Shadow Brokers released yet another set of stolen exploits. And this one would make a huge splash in the world. This dump contained EternalBlue and EternalRomance, among others.
Starting point is 00:35:23 Now, what's so important about EternalBlue is that this is an exploit that can be used to remotely access Windows computers running SMB, which was something that was installed by default on all Windows machines, making millions and millions and millions of Windows computers vulnerable to this exploit. EternalBlue was huge. This was the biggest of all their exploits, and it just landed in the hands of the general public for any hacker in the world to use. EternalBlue might go down as one of the most successful hacking tools in history. It's really effective for letting hackers into Windows machines. But here's the strange thing. Just about a month before Shadow Brokers dropped this on the world, Microsoft had patched it. Yeah, they fixed it right before it was unleashed. The rumor has it that the NSA gave
Starting point is 00:36:05 Microsoft a very quiet heads up that this might be in an upcoming dump, so they could work on patching it before it hit the streets. Now, of course, this too was a really big deal for Jake. He knew that EternalBlue could have far-reaching effects on many of his customers, but he was still coming to grips with the earlier tweet that called him out. That single tweet, which outed Jake as an Equation Group member, really changed his life. Definitely changed my threat modeling. No question about that. You know, I look at the time, you know, and again, in hindsight, a lot of people, I think, will say overreact, whatever. But, you know, that I might have been overreacting. But at the time, again, we just didn't know.
Starting point is 00:36:52 We didn't know what, you know, not just what they were going to do, but what anybody was going to do in response. You know, our own government included, private citizens who were pro-Trump, anti-Trump. They had taken a Trump stance, whatever that broken English language thing was. And so we just didn't know. And so I guess the short of it is, from immediate concerns, I mean, I had to call my ex and say, hey, here's the situation. My ex, by the way, never having served, doesn't really track with all this. And I'm having to give her this crash course.
Starting point is 00:37:23 And so we think this is Russia. Here's the crash course in Russian intelligence services. We don't think we have to worry about them, but who knows, right? I'm more worried about, you know, people believing that it's Russia and believing that we're somehow colluding with them. And the short of it is,
Starting point is 00:37:38 do you want me to see my kid, right? Kind of thing. Or I'll totally understand if you say no kind of deal, right? And so for several weeks, that's the way we played it. Right. Was that me and my kid were on Hangouts like you and I are now, um, and not seeing each other in person. Right. Because again, we just didn't have a good handle on, you know, how or if, or, you know, whatever people were going to react to this. So, so yeah, as far as changed my life, I mean, immediately, right. There were some immediate impacts, um, you know, that that sucked, you know, so yeah. Now, you've probably heard of the FBI's Most Wanted list.
Starting point is 00:38:10 But did you know there's also an FBI Cyber's Most Wanted list of criminal hackers that the FBI is looking for? When the FBI has enough evidence that a hacker has committed a crime, they will indict the hacker. And if it's severe enough, they'll stick them on this list. Sometimes the FBI indicts nation-state hackers too. Like for instance, the Cyber's Most Wanted has 11 hackers who work for the Russian government, and they were involved in interfering with the 2016 elections. There's also four Iranian hackers indicted for conducting espionage against the U.S. If any of these hackers on the Cyber's Most Wanted list were to travel to the U.S. or even a country that has an extradition treaty with the U.S., they will probably be arrested and brought to court. But so far, no hackers have been
Starting point is 00:38:56 indicted for whoever was behind these Shadow Brokers' dumps. Was there any travel that you canceled? Definitely. Yeah, no question. They poked back up in July, I think. It was either late June or early July, and I canceled a trip to Singapore. One of the issues that came down was, and a lot of people forget about this in the dumps, but in the April dump where they dumped EternalBlue, they also dumped operational data involving SWIFT banks and some other stuff. There were our SWIFT transfers with some banks.
Starting point is 00:39:41 And, you know, that said, to me at least, right, you know, without confirming the data is authentic, said to me that it's not just tooling they have. They have operations data. This means the Shadow Brokers are claiming to have seen some of the stuff the NSA has actually done. And at that point, if you are watching the news and you're watching the U.S. Department of Justice indict foreign hackers, you then have to kind of step back. And I definitely did this. I did a mental inventory of where did I target, right? And then even then doing risk modeling of, does it even publicly... It's also like, we don't know what they're sharing on the back end. And, you know, if this is Russian intelligence, or, you know, even if it's not, whatever, but what are they, whoever they are, sharing on the back side that we don't know about? So that also was a huge unknown. And that's something I continue to play, you know, mentally today, right, kind of mentally play through, because it's, you know, we saw Canada arrest the Huawei executive on our behalf, right? You know, at an airport, for goodness sakes, right? She never even cleared customs. And that's, you know, every time I travel internationally, I'm playing those, you know, that whole risk modeling, not just of, you know, was I involved with this country, but this country, but for the countries that I was involved with targeting, did I basically amount an extradition list someplace?
Starting point is 00:41:13 Or do they have an extradition policy with that other country? So yeah, I canceled travel to Singapore. I've had some other opportunities that I've passed on entirely because I safe, you know, traveling to a number of countries as a result. Yeah, it almost feels like you're at their mercy at this point. Well, there's no question. I mean, I guess if you want to play, I'm going to try not to play the victim here because, you know, whatever. I made employment decisions that, you know, they were employment decisions. That's why that's why, you know, and those, those same decisions are why I'm, you know, where I'm at today. But, but yeah, I mean, I, they, they have, there's no question in my mind that they have a lot of operational data about me
Starting point is 00:41:56 and it's stuff that could definitely paint it in the wrong light. And, you know, it would paint it in the wrong light would be very bad and would for me personally. And I, yeah, I am definitely at their mercy for what it is that they choose to release or not release. I've said repeatedly, and I stand by this so far, you know, we haven't seen any U.S. hackers indicted. Nation-state hackers indicted. But I am not a betting man, but I would not bet against me being the first one or on the first list. I just, I can't fathom that I won't be involved somehow. And I hope I'm not. It's not something I'm wishing for or asking for. But
Starting point is 00:42:35 again, just playing the odds, right? When somebody else finally, when another country finally pulls a DOJ, you know, and starts indicting, you know, U.S. nation-state hackers, it will surprise me greatly if I'm not on that list. Jeez, that, I don't even know what to say about that. This is life in the shadow of the Shadow Brokers. It also makes me think about him as a SANS instructor. Like I've taken a SANS course and it would just blow my mind if I knew my teacher was wanted in several countries for hacking on behalf of the NSA. Like, is he a
Starting point is 00:43:11 criminal or not? Some countries probably think he is, but back home, he's just carrying out his orders. And now when I think about it, I think it's actually weird that the FBI indicts the hackers who were working for foreign governments. The hackers were just carrying out their orders. Why not indict the officers or generals or the leader who signed the executive order? And at that point, you might as well treat it like an act of hostility from one nation to another. I don't know. It gets weird and sticky on who to blame for hacking when it comes to nations hacking nations. It's kind of like when Apple is suing Google for 20 things and Google is suing Apple for 20 things. Yeah, sure, Russians hacked the U.S., but the U.S. has probably hacked Russia too.
Starting point is 00:43:50 So now what? Since 2017, we haven't heard anything more from the Shadow Brokers. Their last tweet mentioned Jake once again, but it wasn't really saying anything new. And since then, it's been quiet. While we normally saw them come back every few months, they've now been quiet for over two years. But I don't think that's the end of Shadow Brokers. I still think there's a huge investigation,
Starting point is 00:44:13 a hunt into who's behind it. It quite possibly could have been an insider, a double agent, someone who works in the NSA and had access to this stuff, but was feeding it to another country like Russia. And yeah, at this point, most signs do point to Russia being behind the Shadow Brokers, but we don't know for certain. But if you think about the intent and capabilities of this group, their intent is to do
Starting point is 00:44:36 battle with the most sophisticated hacking group in the world, the NSA, and then burn some of their expensive exploits. And their capabilities are that they can somehow get these exploits out of the NSA, probably one of the most secure places in the world, and then publish them and then get away with it. When you think about all the intelligence capabilities the NSA has and they don't have anything on this crew, this puts Shadow Brokers in a top-tier category for what their capabilities are. And then you look at how much they say about Trump
Starting point is 00:45:05 and the ability to shift the news cycles when it comes to Russia. Yeah, it just looks like it's probably Russian. But like I was saying, there haven't been any FBI indictments about this or public statements from the US government about this either, and especially nothing from the president. He typically doesn't call out Russia for stuff like this. But even if he did blame Russia for this, what would that sound like? I mean, it would admit that the NSA somehow lost control of their secret hacking tools. And that might make the U.S. look bad. So it's a complicated issue. Oh, and I should also mention Harold Martin III somewhere in here too.
Starting point is 00:45:44 There's this theory that Harold is somehow behind this. Harold was a government contractor working for Booz Allen Hamilton, and while he was there he was doing some work for the NSA, and got access to some top secret information within the NSA. Harold decided to steal 50 terabytes of information from NSA's servers, and successfully got it out. We don't know who Harold gave this 50 terabytes to or if he gave it to anyone. We don't even know what's in the data.
Starting point is 00:46:10 But he was caught and is currently serving nine years in prison for this. The data in the Shadow Brokers dumps could have been something that Harold stole. The timestamps do seem to line up with this, but there's no real good evidence that does connect Harold to this whole thing. All right, let's take a step back and try to understand what this whole Shadow Brokers thing means. While the NSA has neither confirmed nor denied that they've made these tools, all signs point to these being actual exploits that the NSA has made and kept to themselves as weapons to attack the enemy with. But let's think about that. This means the NSA has a group of researchers who are actively looking for vulnerabilities in software, like Microsoft Windows. And then when they find these vulnerabilities,
Starting point is 00:46:57 they don't tell Microsoft about it. They keep it to themselves. Now, the NSA has publicly said they don't hoard zero-days or exploits that nobody knows about. But here's evidence that they do. Now, what does that mean? Well, it seems the NSA has decided it's more important to be on the offensive versus being on the defensive. If the NSA was defensive-minded, they would be working with software vendors to find vulnerabilities and get them fixed. But instead, we see this, where they secretly find vulnerabilities and don't tell the software vendor about it, so that they can later use it in an attack against someone else. And perhaps this was the message that the Shadow Brokers were trying to relay,
Starting point is 00:47:41 to place the NSA under extra heat for hoarding zero-days like this. And that's certainly what happened. A lot of people use this as evidence that the NSA does not have it in their interest to keep us secure. But instead, they want to keep these exploits to themselves so they can be better at doing espionage and surveillance and hacking into other networks, which I suppose could be considered defensive-minded if they're using that to find what an upcoming attack on our country is going to be. But that's just hard to believe when we see nation-states hacking into companies in the US
Starting point is 00:48:17 and creating huge, huge problems for those companies. And see, here's the perfect example of when that can backfire, when the exploits the NSA makes get into the wrong hands, or when someone exposes the capabilities of the NSA. Snowden, the ANT catalog leak, and now the Shadow Brokers give us a very clear view into what the NSA is doing. And I think it's important that we all take full note of what we see here. Now as someone who used to defend networks from threats, I want to take a moment and talk about what we as defenders should be doing about the Shadow Brokers. When the Shadow Brokers dumped all these NSA-grade hacking tools, we should be analyzing them and trying to understand them as best we can.
Starting point is 00:49:02 And here's why. Let's take the Windows event log hack that was dumped as an example. This is a hack that can turn Windows logging off and then back on whenever you want. Or it can delete individual event logs from Windows. And here's the thing. Historically, it's been possible as an admin to turn logging off and on. Okay, fine. But when that happens, an event is created that says logging has been turned off. It's also possible to clear all event logs. But again, there's a log created that says that all the logs have been wiped. And that wipes all logs, not just one or two. But with this hack that was
Starting point is 00:49:36 dumped, you can disable logging without an event indicating logging has been turned off. So you can turn it off, do your dirty work, then turn it back on, and there's no evidence that the logs have been tampered with, which is really scary, but important to know. There's also a capability of removing individual events. So this is important for us defenders to know because Windows event logs are so important to us. They tell us the truth of what happened. So how do we handle this? Well, now you need to be looking for what's not there. For instance, event logs are numbered.
Starting point is 00:50:11 So what if you saw event log 97, 98, no 99, and then 100? Well, what happened to event log 99? Or what happens when you see a logout event but not a login? If you see stuff like this, you can assume you have a hacker who's using these Shadow Brokers hacks, but also isn't savvy enough to know how Windows logging works. Because this hacker was smart enough to delete their login event, but not good enough to delete their logout event.
Starting point is 00:50:39 And this is the kind of stuff that defenders and incident responders have to learn about from Shadow Brokers. But not only that, every sophisticated hacking team in the world paid serious attention to these dumps. I just told you about the logging one, but there's like 70 other exploits they dropped. And like government hacking teams have probably done a deep analysis on every single exploit in the dumps to learn everything they could about it, what it does, how to use it most effectively, and then throw it in their bag of tools to use it whenever they want. And this is why it's important for the InfoSec community to know this as well. I mean, if the NSA did create these hacker tools, they probably spent millions of dollars on research and
Starting point is 00:51:19 development to make it. That was paid by my tax dollars. So seeing what their capabilities are and knowing it's in the hands of every hacker in the world, it's an extremely valuable lesson for anyone working in InfoSec. It's simply not every day that we get to look at tools this sophisticated. And now any script kiddie in the world has them and is using them. And ever since these dumps, digital forensics and incident response teams have been seeing a high amount of attacks that were using stuff from these dumps. And it still continues to this day. So it's very important for us defenders to understand this, especially for the exploit called EternalBlue.
Starting point is 00:51:59 EternalBlue would go on to be a key component for some of the world's biggest hacks. Hacks that were so big, they practically caused doomsday scenarios for many people. So join me in the next episode as we dig into one of the hacks that used EternalBlue. A big thank you to our guest, Jake Williams, for taking time to share this incredible story with us.
Starting point is 00:52:29 You can follow him on Twitter. His name there is @MalwareJake. Good luck out there, Jake. I also want to give a big thanks to Andy Greenberg from Wired. He just finished writing a new book called Sandworm, which goes into detail about this whole Shadow Brokers thing and then goes into detail about what EternalBlue went on to be used for. And we're going to interview Andy in the next episode, so if you want to check out his book, it's Sandworm. It's really good. Don't forget to
Starting point is 00:52:55 help support this show through Patreon, where you can get some bonus episodes exclusive only to Patreon donators, and you can also get some stickers and an ad-free feed. Patreon supporters really do make a huge impact on keeping this show going and they're absolutely my favorite listeners. This show is made by me, Grizzly Masquerade, Jack Rhysider. Sound design this episode is by the headphone-wearing Andrew Merriweather. Editing help this episode by the cyber maiden Damien. Our theme music is by the jingling Breakmaster Cylinder. And even though webmasters around the world add my IP to their blacklist every time I say it, this is Darknet Diaries.