ShadowBrokers’ Kiss of Death

In the ShadowBrokers’ latest post, I got a kiss of death. At the end of a long rambling post, TSB called me out — misspelled “EmptyWheel” with initial caps — as “true journalist and journalism is looking like.”

TSB special shouts outs to Marcy “EmptyWheel” Wheeler, is being what true journalist and journalism is looking like thepeoples!

TheShadowBrokers, brokers of shadows.

Forgive me for being an ingrate, but I’m trying to engage seriously on Section 702 reform. Surveillance boosters are already fighting this fight primarily by waging ad hominem attacks. Having TSB call me out really makes it easy for surveillance boosters to suggest I’m not operating in the good faith I’ve spent 10 years doing.

Way to help The Deep State, TSB.

Worse still, TSB lays out a load of shit. A central focus of the post (and perhaps the reason for my Kiss of Death) is the latest fear-mongering about Russian AV firm, Kaspersky.

Are ThePeoples enjoying seven minutes of hate at Russian hackers and Russian security company? Is after October 1st, new moneys is being in US government budgets for making information warfares payments. Is many stories of NSA + lost data. Is all beings true? Is NSA chasing shadowses? Is theequationgroup still not knowing hows thems getting fucked? Is US government trying out storieses to be seeing responses? TheShadowBrokers be telling ThePeoples year ago how theshadowbrokers is getting data. ThePeoples is no believing. ThePeoples is got jokes. ThePeoples is making shits up. So TheShadowBrokers then saying fucks it, theshadowbrokers can be doings that too.

TheShadowBrokers is thinkings The Peoples is missings most important part of storieses. Corporate media company (WSJ) publishes story with negative financial impacts to foreign company (Kaspersky Labs) FROM ANONYMOUS SOURCE WITH NO PHYSICAL EVIDENCE. WTF? Can they being doing that? Libel law suits? But is ok, Kaspersky is Russian security peoples. Russian security peoples is being really really, almost likes, nearly sames as Russian hackers. Is like werewolves. Russian security peoples is becoming Russian hackeres at nights, but only full moons. AND AMERICA HATES RUSSIAN HACKERS THEY HACKED OUR ELECTION CIA, GOOGLE, AND FACEBOOK SAID. If happening to one foreign company can be happening to any foreign company? If happening to foreign company can be happen to domestic? Microsoft Windows 10 “free” = “free” telemetry in Microsoft cloud.

TSB tries to claim that the Kaspersky stories are a US government attempt to explain how TSB got the files he is dumping. But as I have pointed out — even the NYT story on this did — it doesn’t make sense. That’s true, in part because if the government had identified the files the TAO hacker exposed to Kaspersky in spring 2016 as Shadowbrokers’, they wouldn’t have gone on to suggest the files came from Hal Martin when they arrested him. Mind you, Martin’s case has had a series of continuations, which suggests he may be cooperating, so maybe he confessed to running Kaspersky on his home machine too? But even there, they’d have known that long before now.

Plus, TSB was the first person to suggest he got his files from Kaspersky. TSB invoked Kaspersky in his first post.

We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic.

And TSB more directly called out Kaspersky in the 8th message, on January 8, just as the US government was unrolling its reports on the DNC hack.

Before go, TheShadowBrokers dropped Equation Group Windows Warez onto system with Kaspersky security product. 58 files popped Kaspersky alert for equationdrug.generic and equationdrug.k TheShadowBrokers is giving you popped files and including corresponding LP files.

The latter is a point fsyourmoms made in a post and an Anon made on Twitter; I had made it in an unfinished post I accidentally briefly posted on September 15.

But I don’t think the Kaspersky call-out in January is as simple as people make it out to be.

First, as Dan Goodin and Jake Williams noted collectively at the time, the numbers were off, particularly with regards to whether all of them were detected by Kaspersky products.

The post included 61 Windows-formatted binary files, including executables, dynamic link libraries, and device drivers. While, according to this analysis, 43 of them were detected by antivirus products from Kaspersky Lab, which in 2015 published a detailed technical expose into the NSA-tied Equation Group, only one of them had previously been uploaded to the Virus Total malware scanning service. And even then, Virus Total showed that the sample was detected by only 32 of 58 AV products even though it had been uploaded to the service in 2009. After being loaded into Virus Total on Thursday, a second file included in the farewell post was detected by only 12 of the 58 products.

Most weren’t uploaded to Virus Total, but that’s interesting for another reason. The dig against Kaspersky back in 2015 — based off leaked emails that might have come from hacking it — is that in 2009 they were posting legit files onto Virus Total to catch other companies lifting its work.

At that level, then, the reference to Kaspersky could be another reference to insider knowledge, as TSB made elsewhere.

But there are several other details of note regarding that January post.

First, it was a huge headfake. It came four days after TSB had promised to post the guts of the Equation Group warez — Danderspritz and the other powerful tools that would eventually get released in April in the Lost in Translation post, which would in turn lead to WannaCry. Having promised some of NSA’s best and reasonably current tools (which may have led NSA to give Microsoft the heads up to patch), TSB instead posted some older ones that mostly embarrassed Kaspersky.

And that was supposed to be the end of things. TSB promised to go away forever.

So long, farewell peoples. TheShadowBrokers is going dark, making exit. Continuing is being much risk and bullshit, not many bitcoins.

As such, the events of that week were almost like laying an implicit threat as the US intelligence community’s Russian reports came out and the Trump administration began, but backing off that threat.

But I’m not sure why anyone would have an incentive to out Kaspersky like this. Why would TSB want to reveal the real details of how he obtained these files?

Two other things may be going on.

First, the original TSB post was accompanied by the characters shi pei.

I haven’t figured out what that was supposed to mean. It might mean something like “screw up,” or it might be a reference, using the wrong characters, to Madame Butterfly (is this even called a homophone in Mandarin, where intonations mean all?), Shi Pei Pu, the drag Chinese opera singer who spied on France for 20 years. [Update: Google Translate says it is “loser”.] I welcome better explanations for what the characters might mean in this context. But if it means either of those things, they might be a reference to the December arrest, on treason charges, of Kaspersky researcher Ruslan Stoyanov, who along with cooperating with US authorities against some Russian spammers, may have also received payment from foreign companies. That is, either one might have been a warning to Kaspersky as much as an expose of TSB’s sources.

[Update on shi pei, from LG’s comment: “It’s a polite formula meaning: “excuse me (I must be going)” or simply “goodbye”, which would make sense given that the post indicated that they intended to retire.”]

All of which is to say, I have no idea what this January post was really intended to accomplish (I have some theories I won’t make public), but it seems far more complex than an early admission that Russia was stealing NSA files by exploiting Kaspersky AV. And if it was meant to expose TSB’s own source, it was likely misdirection.

For what it’s worth, with respect to my Kiss of Death, my post on the possibility TSB shares “the second source” with Jake Appelbaum got at least as much interesting attention as my briefly posted post on the earlier TSB Kaspersky post.

In any case, I think the far more interesting call out in TSB’s post is not mine but the one he gives Matt Suiche. Ostensibly, TSB apologizes for missing his Black Hat talk.

TheShadowBrokers is sorry TheShadowBrokers is missing you at theblackhats or maybe not? TSB is not seeing hot reporter lady giving @msuiche talk, was that not being clear required condition? TheShadowBrokers is being sures you understanding, law enforcements, not being friendly fans of TSB. Maybe someday. Dude? “…@shadowbrokerss does not do thanksgiving. TSB is the real Infosec Santa Claus…” really? “Trick or Treet”, cosplay and scarring shits out of thepeoples? TheShadowBrokers favorite holiday, not holiday, but should be being, Halloween!

Of course, TSB could have done that in last month’s post. Instead, this reference is a response to this thread on whether he might dump something on Thanksgiving to be particularly disruptive. In which case, it seems to be a tacit threat: that he will dump on Halloween, just a few weeks away.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

19 replies
  1. JonKnowsNothing says:

    “Fame is a fickle friend, Harry. Celebrity is as celebrity does. Remember that.”
    J.K. Rowling, Harry Potter and the Chamber of Secrets

    But honestly — How would TSB even NOTICE anything you’ve written? Even the MSM stuff? Unless you are on their SELECTOR list? To be on anyone’s SELECTOR list – even with a “clipping service” app means you have to have risen to above the NOTABLE line.

    If TSB has their own links to or is being tapped/trapped by global security apparatchiks, this only highlights all the issues you have been writing about.

    I think you might want to have their rant framed …

  2. Pete says:

    “First they ignore you. Then they ridicule you. And then they attack you and want to burn you. And then they build monuments to you.”
    Many variations of this “quote” attributed to several – perhaps none – maybe just made up.  But it seems to fit.

    Where would you like your monument?  I’m thinking outside Lambeau Field ;-)

  3. SpaceLifeForm says:

    One must not assume that Kaspersky actually was needed for the exfiltration of the tools.

    Not at all. Kaspersky identified attacks, found ip addresses, documented them.

    “How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons.”

    Let me parse:

    “We follow Equation Group traffic.”

    [Kaspersky had already identified ip addresses involved with the various malware]

    “We find Equation Group source range.”

    [They find via traffic analysis where the real C2s are that control the throw-away C2 servers]

    “We hack Equation Group.”

    [How, one would ask, can this happen? Tor. NSA uses Tor. They got hacked back]

    [And they continue to whine about 702 , going dark, responsible encryption, yet not many whine about Rob Joyce who was head of TAO whose tools were exfiltrated.

    This blame Russia, blame Kaspersky certainly can be cover for NSA dropping the ball]

    • orionATL says:

      tx.

      your translation is very helpful. without it there is no way to understand this character’s patois.

      also helpful in general, for folks who care but don’t know acronyms, is writing things out.

      again, tx.

      rob joyce? named? wow.!

      • greengiant says:

        orionATL: I had to google Joyce. Been in the news and twitter verse for months, was at NSA TAO and now working at the Trump Tower South. Could guess SLF was slamming here. The shadow did not name him this time. Joyce came out against Kaspersky so it is a running joke about whose fault the TAO leaks really were versus the attacks on Kaspersky. Note to all, Putin does not love you.

  4. Evangelista says:

    Marcy,

    Here is your Real Problem:  “…I’m trying to engage seriously on Section 702 reform.”

    “Section 702” and all that surrounds it, in fact, the entirety of Surveillance Legislation, along with Surveillance Rule-making, Surveillance Directive-ing, and everything that compasses, includes and propels all aspects of Surveillance-by-Government-Entities in the United States is Illegal in the United States.

    For this, there is nothing legitimate to reform, and effort to reform what is illegitimate is, at best, waste of time, at worst “legitimizing” ( or pseudo-legitimizing) of illegality, which empowers it to pretend to legitimacy, or, at least, popularity amongst who don’t know basis for law, or don’t understand law as a constituent in social construction, or who perceive law a manipulable component of power and so don’t give a damn about, or have no use for, basis-base in law.

    The United States was constituted to have the individual people stand at the top of the government system, to each and in common, where agreement may be reached, supervise the activities of servants who have, through expressions of interest and applications to their fellows, indicated willingness to serve as public servants for their fellow people.

    For this, the people with highest authority in the United States, and therefrom who are rightfully to be privy to any secrets and all products of surveillances undertaken by servants-of-the-people in their employ, are the people.

    The purpose was to form a government where other means than a hierarchy of government, a self-aggrandized, self-empowered self-defined superior elite imposing and enforcing to coerce and control the people to its mandatings was required by the ultimate law, the law that controls all other law in the social system.

    For this basis the ultimate law of the United States prohibits government surveillance of people, making such surveilling key-hole peeping by the servants engaged in against those servants’ masters.

    Wherefore it is not possible to reform any surveillance ‘permissions’ any of the servants in any levels of servant-governments in the United States may have at any time granted themselves.  The grants are illegal grants of illegal ‘authorities’, which authorities are also illegal.

    Attempt to ‘legitimize’ what is fundamentally illegal, to crowd the illegal into ‘law’ for the United States is attempt to alter the basis of the law of the United States, which is attempt to overthrow the United States created by the United States Constitution, which is law for the government of the United States, and therefore the base law for the United States created by the Constitution.  Such attempt is Treason, and actions that forward the Treason are evidences of the Treason.

    There is a lot of this Treason going on today, and informations like this, the foregoing here, are to assure knowledge, will and intention by those engaging in actions that constitute such Treason.

    • bmaz says:

      Marcy, Here is your Real Problem: 

      Welp, that is one hell of an asinine, and yet again idiotic, way to open your comment. I guess I am not surprised, but still.

      And, by the way, your concluding portion where you clacked about “treason” proved that you wouldn’t know the law and theory of treason if it hit you in your ass. And, since you do not have a clue, please do not engage in such efforts as to make people here dumber. And that is exactly what your clacking would otherwise do.

      For anybody else who read Evangelista’s discussion of “treason”, please understand that, under both the Constitution, and statutory law, her claims are ridiculous and have no basis whatsoever.

    • emptywheel says:

      Actually JUST DID (there had been some confusion a bit ago bc USPS merged my box with someone else, so there was a backlog).

      It was a really welcome surprise. Thank you.

      • harpie says:

        Oh, good! I was beginning to wonder if I had transposed numbers like I sometimes do.

        Thanks for all the amazing commentary!

  5. Lawrence Garfield says:

    “First, the original TSB post was accompanied by the characters shi pei. … I haven’t figured out what that was supposed to mean.”

    It’s a polite formula meaning: “excuse me (I must be going)” or simply “goodbye”, which would make sense given that the post indicated that they intended to retire. None of my sources suggest that there is any other novel use of the phrase.

  6. Evangelista says:

    bmaz,
    ” ” Marcy, Here is your Real Problem: ”

    Welp, that is one hell of an asinine, and yet again idiotic, way to open your comment.”

    But… But, it’s the way you opened yours, too…?!

    As for your second two paragraphs, if you sheep for the shepherds who would flock us all into their non-Constitutional ‘Statutory Law’ cote (or fold), the expressions expressed would be baa’d.

    In the Constitutionally constituted United States they are bad. But they are not treason; they are free expression. It is only if one attempts to actually impose the “new order” (actually the old order the framers of the Constitution attempted to devise a governmental system that might be capable of transcending [which devising’s discussions drove Hamilton, who championed the old order, with, however, a new order of elite, in which he numbered himself, to give up and walk away in irritation, that, at the very end he returned to, to review the result, and then advocated for adoption of, because he saw its idealisms corruptible, and immediately set about advocating corruptions for, which advocacies have been, and are, dear to the hearts of those who would corrupt the Constitutional system since then; you will notice this if you notice the corruptors citations of Hamilton, who skipped the whole summer of negotiating, as the ‘final authority’ on (unConstitutional) Constitutional interpretation]) knowing that it is nonConstitutional (or, as they say at law, “knowing or having reason to know”).

    I hasten to clarify that I am not a protester or complainer and write not to be weepyous or outrageous when I write about the nonConstitutional Commercial-Law United States and its illegal and under-handed imposition through the arts and artifices of renegade public-servants who have usurped powers of state through abusings of powers we the people innocently and trustingly entrusted to them so they might serve us, abusing those powers to write themselves unConstitutional authorities and to impose an unlawful government, changing our law system and government system through Constitutionally prohibited and illegal acts of statutory fiat, writing themselves authorities for illegal assumptions of powers and assuming lordship over us the people who trusted them, the surreptitiously overthrowing abusers, to honestly and responsibly serve and to heed and hold to the oaths to abide by and respect the law of the Constitution and the restrictions that law of the people imposes.

    I am, instead, a blood-thirsty Constitutionalist whose intention in writing is to assure as many as possible have, and ultimately have had, exposure to the information that I write, that the Commercial Law based United States Government that they have supported and maybe even advocated is illegal and unConstitutional, and that although their advocating for that illegal and illegally imposed government and its systems may have been only error when they did so in ignorance, with having exposure to my information, or opportunity to be exposed to it, if they do so further and in future they will do so knowingly, or with provable reason to know, and so will do so knowingly, intentionally and voluntarily, and so will be liable for their actions that aid the overthrowing government in its efforts to suppress and destroy the Constitutional United States.

    This will make all who so do hangable for Treason under the Constitutional rules of the Constitutional United States when the overthrowing oppressing order collapses and the law of the Constitution is re-imposed.

    Do you think I am a fool talking nonsense, imagining pie-in-the-sky? Look at your Commercial-Law government, standing on one leg, of its three, the “legal” one, and that one shaky, only still standing for police authorities propping it, the other two, the “legislative” paralyzed with corruption-rot and riddled with privilege-patronage worm-holing, while the third, the “executive” waves wildly in spastic gyrations, entirely out of control. This, of course, with this government, is the best of all currently possible worlds. Donald Trump being, in this government, the best of all possible Presidents…

    Really, he is…

    Think about what that means…

    • bmaz says:

      Yes, you are absolutely a fool talking nonsense. And an annoying and self indulgently loquacious one at that. You can just bugger off.

  7. harpie says:

    As usual, I really appreciate that Marcy live-tweeted the Sessions hearing today…very informative, and yet entertaining [see the following]:
    1] WOWOWOW.
    2] WOWOWOWOW.
    3] !!!!!!!
    4] Sessions: specific requests blahblahblah
    5] Sessions: MURDERMURDERMURDER
    6] This is nutballs.
    7] Sessions: Clinton Clinton Clinton.
    8] LOLOLOLOLOL..
    9] Ridiculous answer.

    Don’t know how you do it, but thanks!