The Russian Metadata in the Shadow Brokers Dump

When I first noted, back in April, that there was metadata in one of the Shadow Brokers dumps, I suggested two possible motives for the doxing of several NSA hackers. First (assuming Russia had a role in the operation), to retaliate against US indictments of Russian hackers, including several believed to be tied to the DNC hack.

A number of the few people who’ve noted this doxing publicly have suggested that it clearly supports the notion that a nation-state — most likely Russia — is behind the Shadow Brokers leak. As such, the release of previously unannounced documents to carry out this doxing would be seen as retaliation for the US’ naming of Russia’s hackers, both in December’s election hacking related sanctions and more recently in the Yahoo indictment, to say nothing of America’s renewed effort to arrest Russian hackers worldwide while they vacation outside of Russia.

But leaving the metadata in the documents might also make the investigation more difficult.

[F]our days before Shadow Brokers started doxing NSA hackers, Shadow Brokers made threats against those who’ve commented on the released Shadow Brokers files specifically within the context of counterintelligence investigations, even while bragging about having gone unexposed thus far even while remaining in the United States.

Whatever else this doxing may do, it will also make the investigation into how internal NSA files have come to be plastered all over the Internet more difficult, because Shadow Brokers is now threatening to expose members of TAO.

With that in mind, I want to look at a Brian Krebs piece that makes several uncharacteristic errors to get around to suggesting a Russian-American might have been the guy who leaked the files in question.

He sets out to read the metadata I noted (but did not analyze in detail, because why make the dox worse?) in April to identify who the engineer was that had NSA files discovered because he was running Kaspersky on his home machine.

In August 2016, a mysterious entity calling itself “The Shadow Brokers” began releasing the first of several troves of classified documents and hacking tools purportedly stolen from “The Equation Group,” a highly advanced threat actor that is suspected of having ties to the U.S. National Security Agency. According to media reports, at least some of the information was stolen from the computer of an unidentified software developer and NSA contractor who was arrested in 2015 after taking the hacking tools home. In this post, we’ll examine clues left behind in the leaked Equation Group documents that may point to the identity of the mysterious software developer.

He links to the WSJ and cites, but doesn’t link, this NYT story on the Kaspersky related breach.

Although Kaspersky was the first to report on the existence of the Equation Group, it also has been implicated in the group’s compromise. Earlier this year, both The New York Times and The Wall Street Journal cited unnamed U.S. intelligence officials saying Russian hackers were able to obtain the advanced Equation Group hacking tools after identifying the files through a contractor’s use of Kaspersky Antivirus on his personal computer. For its part, Kaspersky has denied any involvement in the theft.

Then he turns to NYT’s magnum opus on Shadow Brokers to substantiate the claim the government has investigations into three NSA personnel, two of whom were related to TAO.

The Times reports that the NSA has active investigations into at least three former employees or contractors, including two who had worked for a specialized hacking division of NSA known as Tailored Access Operations, or TAO.

[snip]

The third person under investigation, The Times writes, is “a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer.”

He then turns to the Shadow Brokers’ released metadata to — he claims — identify the two “unnamed” NSA employees and the contractor referenced in The Times’ reporter.”

So who are those two unnamed NSA employees and the contractor referenced in The Times’ reporting?

From there, he points to a guy that few reports that analyzed the people identified in the metadata had discussed, A Russian! Krebs decides that because this guy is Russian he’s likely to run Kaspersky and so he must be the guy who lost these files.

The two NSA employees are something of a known commodity, but the third individual — Mr. Sidelnikov — is more mysterious. Sidelnikov did not respond to repeated requests for comment. Independent Software also did not return calls and emails seeking comment.

Sidelnikov’s LinkedIn page (PDF) says he began working for Independent Software in 2015, and that he speaks both English and Russian. In 1982, Sidelnikov earned his masters in information security from Kishinev University, a school located in Moldova — an Eastern European country that at the time was part of the Soviet Union.

Sildelnikov says he also earned a Bachelor of Science degree in “mathematical cybernetics” from the same university in 1981. Under “interests,” Mr. Sidelnikov lists on his LinkedIn profile Independent Software, Microsoft, and The National Security Agency.

Both The Times and The Journal have reported that the contractor suspected of leaking the classified documents was running Kaspersky Antivirus on his computer. It stands to reason that as a Russian native, Mr. Sildelnikov might be predisposed to using a Russian antivirus product.

Krebs further suggests Sidelnikov must be the culprit for losing his files in the Kaspersky incident because the guy who first pointed him to this metadata, a pentester named Mike Poor, said a database expert like Sidelnikov shouldn’t have access to operational files.

“He’s the only one in there that is not Agency/TAO, and I think that poses important questions,” Poor said. “Such as why did a DB programmer for a software company have access to operational classified documents? If he is or isn’t a source or a tie to Shadow Brokers, it at least begets the question of why he accessed classified operational documents.”

There are numerous problems with Krebs’ analysis — which I pointed out this morning but which he blew off with a really snotty tweet.

First, the NYT story he cites but doesn’t link to notes specifically that the Kaspersky related breach is unrelated to the Shadow Brokers leak, something that I also  pointed out was logically obvious given how long the NSA claimed Hal Martin was behind the Shadow Brokers leak after the government was known to be investigating the Kaspersky related guy.

It does not appear to be related to a devastating leak of N.S.A. hacking tools last year to a group, still unidentified, calling itself the Shadow Brokers, which has placed many of them online.

Krebs also misreads the magnum opus NYT story. The very paragraph he quotes from reads like this:

The agency has active investigations into at least three former N.S.A. employees or contractors. Two had worked for T.A.O.: a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer; and Harold T. Martin III, a contractor arrested last year when F.B.I. agents found his home, garden shed and car stuffed with sensitive agency documents and storage devices he had taken over many years when a work-at-home habit got out of control, his lawyers say. The third is Reality Winner, a young N.S.A. linguist arrested in June, who is charged with leaking to the news site The Intercept a single classified report on a Russian breach of an American election systems vendor.

That is, there aren’t “two unnamed NSA employees and [a] contractor referenced in The Times’ reporting.” The paragraph he refers to names two of the targets: Hal Martin (the other TAO employee) and Reality Winner. Which leaves just the Kaspersky related guy.

Krebs seemed unaware of the WaPo versions of the story, which include this one where Ellen Nakashima (who was the first to identify this guy last year) described the engineer as a Vietnamese born US citizen. Not a Russian-American, a Vietnamese-American.

Mystery solved Scoob! All without even looking at the Shadow Brokers’ metadata. There’s one more part of the Krebs story which is weird — that he takes the same non-response he got from the known NSA guys doxed by Shadow Brokers from Sidelnikov as somehow indicative of anything, even while if he had been “arrested” as Krebs’ headline mistakenly suggests, then you’d think his phone might not be working at all.

There’s more I won’t say publicly about Krebs’ project, what he really seems to be up to.

But the reason I went through the trouble of pointing out the errors is precisely because Krebs went so far out of his way to find a Russian to blame for … something.

We’ve been seeing Russian metadata in documents for 17 months. Every time such Russian metadata is found, everyone says, Aha! Russians! That, in spite of the fact that the Iron Felix metadata was obviously placed there intentionally, and further analysis showed that some of the other Russian metadata was put there intentionally, too.

At some point, we might begin to wonder why we’re finding so much metadata screaming “Russia”?

Update: After the Vietnamese-American’s guilty plea got announced, Krebs unpublished his doxing post.

A note to readers: This author published a story earlier in the week that examined information in the metadata of Microsoft Office documents stolen from the NSA by The Shadow Brokers and leaked online. That story identified several individuals whose names were in the metadata from those documents. After the guilty plea entered this week and described above, KrebsOnSecurity has unpublished that earlier story.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

29 replies
  1. Rapier says:

    “At some point, we might begin to wonder why we’re finding so much metadata screaming “Russia?”

    The “why”, firstly, means who. Well that seems to be the case for me. I suppose that’s implicit but if not I thought I would throw it out there. If the who is known then the motive,” why”, would be somewhat clear. However my perhaps stupid rule of thumb is that motive can rarely be fully known because people reporting on their motives just might be lying. So all in all I think the better question is who.

    Has anyone brooked the possibility that the hacks were done by and distributed from people within US government agencies. Say the FBI or CIA?

    Separately and off in the weeds perhaps,coincidentally with many of these events, in the Spring of 16, Clinton was pushing for a no fly zone in Syria, supported by 50 ‘diplomats’ in the State Department in an open letter to the NY Times. Which the US did not have the capability to enforce but would mean attempting to shoot down Russian planes. Which if Putin’s government backed away from without retaliation would have damaged him immensely politically.

  2. lefty665 says:

    Thank you EW, nice analysis, and for not jumping on “the Russians” bandwagon.

    The hacks/leaks revealed by Wikileaks, Shadow Brokers, etc seem very unlike state run operations where the imperative is to not let the target know he’s been had.

    All the Russian metadata reminds me of a magician friend who would do “pick a card, any card” routine. He would fan out a deck in his hands and use a finger to extend one card that moved around to anticipate where the participant went to select a card. It was a very funny sight gag. It did not occur to me years ago that the moving card might one day be named “Russia”.

    Who would have the skills and the motive to phony up the doxing? Part of CIAs mission is propaganda, and we’ve seen Brennan’s public exercise of those skills. That almost seems too easy considering their own loss of Vault 7. However, if that is indeed all older tools and Russian metadata is larded in them too, perhaps it is of a piece with Shadow Brokers and the DNC/Podesta with Cloudstrike paid to prevaricate.

    What does it seem like to you? Domestic institutional, as in the IC, including contractors for political ends, criminal for profit, international?

    • bmaz says:

      So, as usual, you are just going to drop your hacker ass little shit and act like anybody has a clue what you are referring to? This is an intelligent and broad based community not some cute hacker forum. Talk to us in terms that are actually cognizable, or get out.

      • greengiant says:

        SLF alludes to something not too discussed.  The TLAs ( three letter acronyms,  CIA, NSA, FBI, DIA, etc ) and the NSA TAO may be running on virtual machines in the path whether in the cloud, ( biggest cloud is AWS,  Amazon web services)  or home spun.  I think SLF refers the to right wing nutjob discussion of whether the “DNC” was hacked or leaked via a USB thumb drive on site,  never mind that everyone still waiting for DNC data?  and Guccifer 2.0/DCLeaks/ShadowBrokers  misnamed NGP-VAN dump time stamps  where used in a scam exercise to falsely indicate that it was a leaker and on site.  Nevermind the phishing links that hacked all the gmail accounts and recent “discovery”  that both bad and good guys use the cloud for CPUs and data storage as pertains to exfiltrating DNC and other data.

        When assessing blame look for who benefits and the body trail.   Putin Oligarchs Trump win hands down.

        So it does not have to just be an external hacked local CPU operational failure or some contractor hoarder who was hacked at home per these stories.  Could it be the source and executables were mined from the cloud?  Rob Royce, the head of the  NSA TAO tailored access operation is working at the White House now. Did TAO do something to piss someone off,  US or foreign?

        • bmaz says:

          Thank you for the explanation. Truly helpful. Maybe next time “SLF” can find the common community courtesy to explain that in real time. Like you have done.

        • lefty665 says:

          There is a very real issue of how data got out of the DNC, and we can be pretty sure that the DNC paid propagandists at Clowdstrike fed us a line of crap with the clumsy and fraudulent larding of metadata to show “it was the Russians, see”.

          Is he right, was it an inside job? Dunno that any of us can know the answer to that today. It certainly is plausible and there are several straightforward scenarios as to how that could have happened. Seymour Hersh certainly thinks it was an inside job. He’s got an amazingly good track record over decades and he is nobody’s “right wing nutjob.”

          Thanks for translating some of the acronym driven tech jargon, that is a service to the site, your unsubstantiated editorial opinions, not so much.

          • orionATL says:

            lefty @ 4:13 responds to greengiant’s 3:22 pm comment-

            and lefty knows whereof he speaks, to whit:

            “… There is a very real issue of how data got out of the DNC, and we can be pretty sure that the DNC paid propagandists at Clowdstrike fed us a line of crap with the clumsy and fraudulent larding of metadata to show “it was the Russians, see”…”

            well, here is one of the latest reports on how it came to pass that dnc data left dnc jurisdiction:

            https://www.apnews.com/dea73efc01594839957c3c9a6c962b8a

            summary – it was the russians, stupid.

            now, about those “paid propagandists at crowdstrike” ….?

            • lefty665 says:

              You guys can’t get over your Trump hysteria long enough to exercise common sense.  Binney has forgotten more about traffic analysis than any of us will ever know. The only reason we are hearing his opinion is that Hayden ran him out of NSA because Binney could accomplish their mission constitutionally via ‘Thin Thread’ and without the cubic money Hayden lusted after.

              Aside from respecting the veracity of people like Binney and Hersh, my only analysis is that we don’t yet know how the data left the DNC. The answer may be it exited in several ways. orion, if you don’t understand that Cloudstrike is not a credible source you have not been paying attention. There’s a reason the DNC paid them instead of giving the FBI access.

              • orionATL says:

                as usual, lefty, excuses, excuses, excuses, convoluted explanations on top of convoluted explanations.

                readers here need to remember you are the guy who, twice in recent months, has brought up the cockamamie rightwing propaganda item that the clintons were responsible for russia getting control over u. s. uranium – and then vigorously defending that goofy propaganda from criticism.

                you are the guy who was pleading “give trump a chance” back last winter and spring.

                you are the guy who told us you had left the democratic party years ago, but who has for years here spared no effort to demean the democratic party and the clintons in particular, as if they had done you some personal harm.

                as for who stole the emails from the dnc and the clinton campaign, it is the case that no one knows for sure. but it is also the case that there is a large preponderance of evidence, including that mentioned in the ap article i cited above, that suggests that the russians stole the data. the sources include the four major u. s. intelligence agencies, crowdstrike, another cybersecurity firm whose name i forget, and secureworks, the cybersecurity company mentioned in the ap article. that is a preponerderance of conviction that it was the russians.

                it’s also true we are not sure, even today, if there was more than one shooter in dallas on nov. 23, 1963. but the preponderance of evidence suggests that folks who believe more than one shooter are conspiracy theorists, just as the folks that believe the email thefts were an inside job are likely conspiracy theorists.

          • Palli Davis Holubar says:

            Remember who was the IT staff for DWS at Congress & somehow can anyone overlook the potential/possibility/inevitability of “sloppy” separation of duties in DWS’s office life?

            • lefty665 says:

              Debbie’s Ipad might have been the ideal tool for exfiltrating data from the DNC. It would be better than a thumb drive, it had the advantage that Debbie would take it into the DNC and log onto the network there. Look ma no hands, no physical access needed, we do it all by remote control. It might even have been a twofer and provided access to Hillary’s network after she hired Debbie when she was fired by the DNC. Debbie’s Pak IT staff were inclined to turn anything they had access to into cash and had an interesting Pak partner in their US real estate deals.  Curious we have not heard much about them lately.

  3. orionATL says:

    in brian krebs article, the first citation is this:

    https://www.kaspersky.com/about/press-releases/2015_equation-group-the-crown-creator-of-cyber-espionage

    which contains this passage:

    “… The Fanny worm stands out from all the attacks performed by the Equation group. Its main purpose was to map air-gapped networks, in other words – to understand the topology of a network that cannot be reached, and to execute commands to those isolated systems. For this, it used a unique USB-based command and control mechanism which allowed the attackers to pass data back and forth from air-gapped networks…. ”

    one of the genuinely terrifying accomplishments with a tool like fanny would be to acquire control of a nuclear weapon. i’m not sure a group would be able to take and hold a nuclear weapon hostage for any length of time, but i can imagine extreme malevolence, vindictiveness, or desire for power leading a group to simply take over and launch a missle.

    one can hope any such launch effort would simply be too socially, electronically, and mechanically complex to suceed. nonetheless, the possibility of at least accessing (if not suceeding in using) a nuclear missle’s launch control system seems more real than ever.

  4. SpaceLifeForm says:

    DHS not secure.
    They take over two years to report a breach from 2014.

    The spin is weird too.
    Talking about the PII (Personally Identifying Info) of the nearly quarter million employees, but the bigger story to me is the 159,000 case files from the inspector general’s investigative case management system that at this point there is no way to know who has a copy.

    https://www.usatoday.com/story/news/politics/2017/11/28/sensitive-personal-information-246-000-dhs-employees-found-home-computer/901654001/

    • orionATL says:

      quote from commenter at ars technica:

      “…mikiev wrote:

      Interesting, if true.

      Because that makes me wonder how they knew to hack him, in particular, or if it was just luck on their part to strike the mother lode when they hacked him at random…”

      imagine a system involving american “national security” employees rather like the system cambridge analytica was alleged to have built on some american voters involving dozens of data inputs for each individual.

      break into opm, defense contractors, dod, white house, etc. for names, addresseses, family, employment. track individuals’ personal behavior, shopping interests, on-line social activity, political affiliations, etc. choose individuals who appear ripe for exploiting based on where they work and personal weaknesses. develop a detailed “life-portrait” of those individual pointing specifically to how they might be exploited.

      • Willis Warren says:

        I searched this site for Harold and couldn’t find much, so started reading…. then came back with the sense that no one would call themselves Harold and searched for last name

        Marcy’s got a ton of stuff on this, so I’m still processing it all.  I continue to be amazed at how good this site is.  Wish I had more to give monthly

  5. SpaceLifeForm says:

    So, what is the difference between a NDA and a “very strict” NDA?’

    Just asking for a friend.

    http://amp.dailycaller.com/2017/11/29/house-intel-committee-interviewed-key-trump-tower-witness/

    When reached by The Daily Caller back in July, when the Trump Tower meeting was first reported, Samochornov said he was unable to discuss his work for Veselnitskaya or the Trump Tower meeting because he signed “very strict” non-disclosure agreements.

    On Thursday, the House panel will interview Attorney General Jeff Sessions and Erik Prince, an outside Trump adviser and founder of Blackwater. Prince met earlier this year in the Seychelles with the head of Russia’s foreign direct investment fund.

  6. earlofhuntingdon says:

    The description is unhelpful and self-serving. The speaker is toying with the interviewer and casting himself in the best light possible, with the least power.

    Most NDAs are written by those in power to bind those with much less, if any. Typically, a corporation binds an individual in exchange for money or other compensation, depending on the reason for the NDA. Some are transactional, covering short-term dealings; some are intended to cover years of exposure to what the corporation wants to remain undisclosed.

    NDAs are normally very restrictive in what the individual can disclose. Some even require the individual to say only good things about the other party. All have penalties, often severe, that is, requiring payments far exceeding the amount paid for the NDA, for breaching their terms. Virtually all require disputes to be settled exclusively by binding arbitration, which normally works to the advantage of the corporation.

    • SpaceLifeForm says:

      It was rhetorical.

      Probably a ‘very strict’ NDA includes a loyalty oath.

      Strongly suspect Prince has flipped.

  7. Willis Warren says:

    Marcy, do you think the claim that Snowden took 50 billion files is misinformation to get the Russians to shake him down? I mean, if his handlers think he has more he’s hiding information, would they be less likely to hole him up?

    • lefty665 says:

      50 billion files is certainly “misinformation”. Reasons why anyone would make that silly claim (or repeat it) may vary. There were some early wildly inflated estimates (but not within an order of magnitude of 50 billion) based on the assumption that Snowden took everything he ever had access to. Later more realistic estimates are much lower. As far as NSA was concerned one was too many.

      • SpaceLifeForm says:

        No way 50,000,000,000 files.

        They would all be tiny.

        What he grabbed was training docs.

        50,000 training docs would be a stretch.

  8. me says:

    Someone assaulted a neighbor. When the assaulted person went to report the attack ti the police, the attacker destroyed his own door, and triy to cook up a defense that hevwas the one whobwas attcked first.

    It is unheard of criminals seeting up evidence that points to themselves and then claim they being franed by some other person.

    So if Russia puts Russian meta-data on the fikes it makes the attribution debate very toxic indeed!

  9. greengiant says:

    NSA contractor Pho named in guilty plea.  https://www.nytimes.com/2017/12/01/us/politics/nsa-nghia-pho-classified-information-stolen-guilty.html

     

Comments are closed.