Posts

In media res: the FBI’s WannaCry Attribution

I’ve been working through the complaint charging Park Jin Hyok with a slew of hacking attributed to the Lazarus group associated with North Korea. Reading it closely has led me to be even less convinced about the government’s attribution of the May 2017 WannaCry outbreak to North Korea. It’s going to take me a series of posts (and some chats with actual experts on this topic) to explain why. But for now, I want to point to a really suspect move the complaint makes.

The FBI’s proof that Park and Lazarus and North Korea did WannaCry consists, speaking very broadly, of proof that the first generation of the WannaCry malware shared some key elements with other attacks attributed to Lazarus, and then an argument that the subsequent two generations of WannaCry were done by the same people as the first one. While the argument consists of a range of evidence and this post vastly oversimplifies what the FBI presents, three key moves in it are:

  • The earlier generations of WannaCry are not known to be publicly available
  • Subjects using a known Lazarus IP address were researching how to exploit the Microsoft vulnerability in the weeks before the attack
  • Both WannaCry versions 1 and 2 cashed out Bitcoin in a similar way (which the complaint doesn’t describe)

For now, I’m just interested in that middle point, which the complaint describes this way:

221. On March 14, 2017, Microsoft released a patch for a Server Message Block (SMB) vulnerability that was identified as CVE-2017-0144 on its website, https://technet.microsoft.com/en-us/library/security/ms17-010.aspx. Microsoft attempted to remedy the vulnerability by releasing patches to versions of Microsoft Windows operating systems that Microsoft supported at the time. Patches were not initially released for older versions of Windows that were no longer supported, such as Windows XP and Windows 8.

222. The next month, on April 15, 2017, an exploit that targeted the CVE-2017-0144 vulnerability (herein the “CVE-2017-0144 exploit”) was publicly released by a group calling itself the “Shadow Brokers.”

223. On April 18, 2017 and April 21, 2017, a senior security analyst at private cyber security company RiskSense, Inc. (“RiskSense”) posted research on that exploit on his website: https://zerosum0x0.blogspot.com.

224. On May 9, 2017, RiskSense released code on the website github.com with the stated purpose of allowing legal “white hat” penetration testers to test the CVE-2017-0144 exploit on unpatched systems. Essentially, RiskSense posted source code that its employees had reverse-engineered for the CVE-2017-0144 exploit, which cyber security researchers could then use to test vulnerabilities in client computer systems. I know based on my training and experience that penetration testers regularly seek to exploit vulnerabilities with their customers’ consent as a proof-of-concept to demonstrate how hackers could illegally access their customers’ systems.

225. On May 12, 2017, a ransomware attack called “WannaCry” (later identified as “WannaCry Version 2,” as discussed below) began affecting computers around the globe.

[snip]

242. Records that I have obtained show that the subjects of this investigation were monitoring the release of the CVE-2017-0144 exploit and the efforts by cyber researchers to develop the source code that was later packaged into WannaCry Version 2:

a. On numerous days between March 23 and May 12, 2017, a subject using North Korean IP Address #6 visited technet.microsoft.com, the general domain where Microsoft hosted specific webpages that provide information about Microsoft products, including information on Windows vulnerabilities (including CVE-2017-0144), although the exact URL or whether the information on this particular CVE was being accessed is not known.

b. On April 23, April 26, May 10, May 11, and May 12, 2017, a subject using North Korean IP Address #6 visited the blog website zerosum0x0.blogspot.com, where, on April 18, 2017 and 21, 2017, a RiskSense researcher had posted information about research into the CVE-2017-0144 exploit and progress on reverse-engineering the exploit; RiskSense subsequently released the exploit code on GitHub.com.

According to the in media res story told by the FBI, the following is the chronology:

March 14: Microsoft drops a vulnerability seemingly out of the blue without publicly calling attention to it

Starting on March 23: Someone using known Lazarus IP address #6 tracks Microsoft’s vulnerabilities reports (note, the FBI doesn’t mention whether this was typical behavior or unique for this period)

April 15: Shadow Brokers releases the Eternal Blue exploit

April 18 and 23: RiskSense releases a reverse engineered version of Eternal Blue

Starting on April 23 and leading up to May 12: Someone using that same known Lazarus IP #6 makes a series of visits to the RiskSense site that released an exploit reverse engineered off the Shadow Brokers release

May 12: A version of WannaCry spreads across the world using the RiskSense exploit

Of course, that’s not how things really happened. FBI neglects to mention that on January 8, Shadow Brokers offered to auction off files that NSA knew included the SMB exploit that Microsoft issued a patch for on March 14.

Along with that important gap in the narrative, the FBI Agent who wrote the affidavit behind this complaint, Nathan Shields, is awfully coy in describing Shadow Brokers simply as “a group calling itself the ‘Shadow Brokers.'” While the complaint remained sealed for three months, by June 8, 2018, when the affidavit was written, the FBI assuredly knew far more about Shadow Brokers than that it was a group with a spooky name.

As public proof, DOJ signed a plea agreement with Nghia Pho on November 29 of last year. Pho was reportedly the guy from whose home computer some of these same files were stolen. While the publicly released plea has no cooperation agreement, the plea included a sealed supplement, which given the repeated delays in sentencing, likely did include a cooperation agreement.

Pho is due to be sentenced next Tuesday. The sentencing memos in the case remain sealed, but it’s clear from the docket entry for Pho’s that he’s making a bid to be treated in the same way that David Petraeus and John Deutsch were — that is, to get a misdemeanor treatment and probation for bringing code word documents home to store in an unlocked desk drawer — which would be truly remarkable treatment for a guy who allegedly made NSA’s hacking tools available for theft.

And while it’s possible that FBI Agent Shields doesn’t know anything more about what the government knows about Shadow Brokers than that it has a spooky name, some of the folks who quoted in the dog-and-pony reveal of this complaint on September 6, not least Assistant Attorney General John Demers, do know whatever else the government knows about Shadow Brokers.

Including that the announcement of the sale of Eternal Blue on January 8 makes the searches on Microsoft’s site before the exploit was actually released on April 15 one of the most interesting details in this chronology. There are lots of possible explanations for the fact that someone was (as the FBI’s timeline suggests) searching Microsoft’s website for a vulnerability before the import of it became publicly known.

But when you add the January 8 Shadow Brokers post to the timeline, it makes culprits other than North Korea far more likely than the FBI affidavit makes out.

GRU’s Alice Donovan Persona Warned of a WannaCry-Like Event a Year before It Happened

As I disclosed last month, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

In this post, I suggested that The Shadow Brokers persona served as a stick to the carrots Vladimir Putin dangled in front of Donald Trump. When Donald Trump took an action — bombing Syria to punish Bashar al-Assad — that violated what I believe to be one of the key payoffs in the election quid pro quo, Shadow Brokers first bitched mightily, then released a bunch of powerful NSA tools that would soon lead to the WannaCry global malware attack.

It turns out GRU warned of that kind of attack a year before it happened.

One of the tidbits dropped into a very tidbit-filled GRU indictment is that GRU ran the Alice Donovan propaganda persona.

On or about June 8, 2016, and at approximately the same time that the dcleaks.com website was launched, the Conspirators created a DCLeaks Facebook page using a preexisting social media account under the fictitious name “Alice Donovan.”

That tidbit has led to some follow-up on the Donovan figure, including this typically great DFRLab piece arguing that Russia had two parallel streams of troll campaigns, the Internet Research Agency one focused on the election, and the GRU one focused on foreign policy.

Donovan was first exposed in December of last year after WaPo reported on and CounterPunch did a review of “her” work after then WaPo reporter Adam Entous contacted CP after learning the FBI believed “she” had some tie to Russia.

We received a call on Thursday morning, November 30, from Adam Entous, a national security reporter at the Washington Post. Entous said that he had a weird question to ask about one of our contributors. What did we know about Alice Donovan? It was indeed an odd question. The name was only faintly familiar. Entous said that he was asking because he’d been leaked an FBI document alleging that “Alice Donovan” was a fictitious identity with some relationship to Russia. He described the FBI document as stating that “Donovan” began pitching stories to websites in early 2016. The document cites an article titled “Cyberwarfare: Challenge of Tomorrow.”

As both pieces emphasize, the first article that Donovan pitched — and “she” pitched it to multiple outlets — pertained to cyberattacks, specifically to ransomware attacks on hospitals.

The article was first published in Veterans Today on April 26, 2016. That’s the same day that Joseph Mifsud first told George Papadopoulos Russia had emails — emails hacked by Donovan’s operators — they planned to leak to help defeat Hillary Clinton.

CounterPunch published the cybersecurity article on April 29. That’s the day the DNC first figured out that GRU (and FSB’s APT 29) had hacked them.

Those dates may well be coincidences (though they make it clear the Donovan persona paralleled the hack-and-leak campaign). I’m less sure about the third publication of the article, in Mint Press, on August 17, 2016, just four days after Shadow Brokers went live. So just days after Shadow Brokers had called out, “!!! Attention government sponsors of cyber warfare and those who profit from it !!!” an article was republished with the penultimate paragraph accusing the US of planning to shut down Iran’s power grid.

Moreover, the U.S. has been designing crippling cyber attack plans targeting the civilian sector. In case its nuclear negotiations with Iran failed, the U.S. was prepared to shut down the country’s power grid and communications networks.

The basis for that accusation was actually this article, but “Donovan” took out the reference (bolded below) to GRU’s attack on Ukraine’s power grid in the original.

Today such ransomware attacks are largely the work of criminal actors looking for a quick payoff, but the underlying techniques are already part of military planning for state-sponsored cyberwarfare. Russia showcased the civilian targeting of modern hybrid operations in its attack on Ukraine’s power grid, which included software designed to physically destroy computer equipment. Even the US has been designing crippling cyberattack plans targeting the civilian sector. In case its nuclear negotiations with Iran failed, the US was prepared to shut down the country’s power grid and communications networks.

Imagine a future “first strike” cyberattack in which a nation burrowed its way deeply into the industrial and commercial networks of another state and deployed ransomware across its entire private sector, flipping a single switch to hold the entire country for ransom. Such a nightmare scenario is unfortunately far closer than anyone might think. [my emphasis]

And “Donovan” adds in this sentence (from elsewhere in the Forbes article).

Government itself, including its most senior intelligence and national security officials are no better off when a single phishing email can redirect their home phone service and personal email accounts.

When this article was first published, the memory was still fresh of the Crackas with Attitude hack, where self-described teenagers managed to hack John Brennan and James Clapper and forward the latter’s communications (among the men serving prison sentences for this attack are two adult Americans, Andrew Otto Boggs and Justin Liverman).

Most of the rest of the article uses the threat of malware attacks on hospitals to illustrate the vulnerability of civilian infrastructure to cyberattack. It cites a Kaspersky proof of concept (recall that Shadow Brokers included a long play with Kaspersky). It cites an FBI agent attributing much of this hacking to Eastern Europe.

Stangl said the hackers, most of them from Eastern Europe, have increasingly targeted businesses, which are often able to pay more than individuals to unlock data. The hackers “scan the Internet for companies that post their contact information,” then send them email phishing attacks. Unsuspecting employees, Stangl said, are asked to click on what seem to be innocuous links or attachments — perhaps something as simple as a .PDF purporting to be a customer complaint — and before they know it, their computers are infected.

And the “Donovan” article explains at length — stealing from this article — why hospitals are especially vulnerable to malware attacks.

Such attacks may all sound like nightmare scenarios, but the experts say they’re becoming almost routine. And hospitals have not made cybersecurity a priority in their budgets. On average hospitals spent about 2 percent on IT, and security might be 10 percent of that. Compare that percentage to the security spending by financial institutions: for example, Fidelity spends 35 percent of its budget on IT.

Moreover, medical facilities are vulnerable to these attacks in part because they don’t properly train their employees on how to avoid being hacked, according to Sinan Eren, who has worked in cybersecurity for government and health-care organizations for two decades.

“It’s not like the financial-services industry, where they train employees how to spot suspicious emails,” said Eren, general manager at Avast Mobile Enterprise. Also, many hospital computer systems are outdated, bulky and in dire need of upgrades or newer software, he said. But such institutions often don’t have — or don’t want to spend — the money to make sweeping changes.

While it’s still unclear which computer WannaCry first infected in May 2017, Britain’s National Health Service was easily the most famous victim, with about a third of the system being shut down. Not long after WannaCry, NotPetya similarly spanned the globe in wiperware designed to appear as ransomware (though the latter’s use of NSA tools was mostly just show). While the US and UK have publicly attributed WannaCry to North Korea (I’m not convinced), NotPetya was pretty clearly done by entities close to GRU.

And a year before those global pseudo-ransomware worms were launched, repeated just days after Shadow Brokers started releasing NSA’s own tools, GRU stole language to warn of “a nation burrow[ing] its way deeply into the industrial and commercial networks of another state and deploy[ing] ransomware across its entire private sector, flipping a single switch to hold the entire country for ransom. Such a nightmare scenario is unfortunately far closer than anyone might think.”

(h/t TC for the heads up on this file and a number of the insights in this piece)

Update: MB noted that the “added” sentence actually also comes from the original Forbes article (it links to an earlier column that notes the Crackas tie explicitly).

How to Charge Americans in Conspiracies with Russian Spies?

As I laid out a few weeks ago, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

In general, Jack Goldsmith and I have long agreed about the problems with charging nation-state spies in the United States. So I read with great interest his post laying out “Uncomfortable Questions in the Wake of Russia Indictment 2.0 and Trump’s Press Conference With Putin.” Among other larger normative points, Goldsmith asks two questions. First, does indicting 12 GRU officers in the US expose our own nation-state hackers to be criminally prosecuted in other countries?

This is not a claim about the relative moral merits of the two countries’ cyber intrusions; it is simply a claim that each side unequivocally breaks the laws of the other in its cyber-espionage activities.

How will the United States respond when Russia and China and Iran start naming and indicting U.S. officials?  Maybe the United States thinks its concealment techniques are so good that the type of detailed attribution it made against the Russians is infeasible.  (The Shadow Brokers revealed the identities of specific NSA operators, so even if the National Security Agency is great at concealment as a matter of tradecraft that is no protection against an insider threat.)  Maybe Russia and China and Iran won’t bother indicting U.S. officials unless and until the indictments actually materialize into a trial, which they likely never will.  But what is the answer in principle?  And what is the U.S. policy (if any) that is being communicated to military and civilian operators who face this threat?  What is the U.S. government response to former NSA official Jake Williams, who worked in Tailored Access Operations and who presumably spoke for many others at NSA when he said that “charging military/gov hackers is dumb and WILL eventually hurt the US”?

And, how would any focus on WikiLeaks expose journalists in the United States to risks of prosecution themselves.

There is a lot of anger against WikiLeaks and a lot of support for indicting Julian Assange and others related to WikiLeaks for their part in publishing the information stolen by the Russians.  If Mueller goes in this direction, he will need to be very careful not to indict Assange for something U.S. journalists do every day.  U.S. newspapers publish information stolen via digital means all the time.  They also openly solicit such information through SecureDrop portals.  Some will say that Assange and others at WikiLeaks can be prosecuted without threatening “real journalists” by charging a conspiracy to steal and share stolen information. I am not at all sure such an indictment wouldn’t apply to many American journalists who actively aid leakers of classified information.

I hope to come back to the second point. As a journalist who had a working relationship with someone she came to believe had a role in the attack, I have thought about and discussed the topic with most, if not all, the lawyers I consulted on my way to sitting down with the FBI.

For the moment, though, I want to focus on Goldsmith’s first point, one I’ve made in the past repeatedly. If we start indicting uniformed military intelligence officers — or even contractors, like the trolls at Internet Research Agency might be deemed — do we put the freedom of movement of people like Jake Williams at risk? Normally, I’d absolutely agree with Goldsmith and Williams.

But as someone who has already written extensively about the ConFraudUs backbone that Robert Mueller has built into his cases, I want to argue this is an exception.

As I’ve noted previously, while Rod Rosenstein emphasized that the Internet Research Agency indictment included no allegations that Americans knowingly conspired with Russians, it nevertheless did describe three Americans whose activities in response to being contacted by Russian trolls remain inconclusive.

Rod Rosenstein was quite clear: “There is no allegation in the indictment that any American was a knowing participant in the alleged unlawful activity.” That said, there are three (presumed) Americans who, both the indictment and subsequent reporting make clear, are treated differently in the indictment than all the other Americans cited as innocent people duped by Russians: Campaign Official 1, Campaign Official 2, and Campaign Official 3. We know, from CNN’s coverage of Harry Miller’s role in building a cage to be used in a fake “jailed Hillary” stunt, that at least some other people described in the indictment were interviewed — in his case, for six hours! — by the FBI. But no one else is named using the convention to indicate those not indicted but perhaps more involved in the operation. Furthermore, the indictment doesn’t actually describe what action (if any) these three Trump campaign officials took after being contacted by trolls emailing under false names.

On approximately the same day, Defendants and their co-conspirators used the email address of a false U.S. persona, [email protected], to send an email to Campaign Official 1 at that donaldtrump.com email account, which read in part:

Hello [Campaign Official 1], [w]e are organizing a state-wide event in Florida on August, 20 to support Mr. Trump. Let us introduce ourselves first. “Being Patriotic” is a grassroots conservative online movement trying to unite people offline. . . . [W]e gained a huge lot of followers and decided to somehow help Mr. Trump get elected. You know, simple yelling on the Internet is not enough. There should be real action. We organized rallies in New York before. Now we’re focusing on purple states such as Florida.

The email also identified thirteen “confirmed locations” in Florida for the rallies and requested the campaign provide “assistance in each location.”

[snip]

Defendants and their co-conspirators used the false U.S. persona [email protected] account to send an email to Campaign Official 2 at that donaldtrump.com email account.

[snip]

On or about August 20, 2016, Defendants and their co-conspirators used the “Matt Skiber” Facebook account to contact Campaign Official 3.

Again, the DOJ convention of naming makes it clear these people have not been charged with anything. But we know from other Mueller indictments that those specifically named (which include the slew of Trump campaign officials named in the George Papadopoulos plea, KT McFarland and Jared Kushner in the Flynn plea, Kilimnik in the Van der Zwaan plea, and the various companies and foreign leaders that did Manafort’s bidding, including the Podesta Group and Mercury Public Affairs in his indictment) may be the next step in the investigation.

In the GRU indictment, non US person WikiLeaks is given the equivalent treatment.

On or about June 22, 2016, Organization I sent a private message to Guccifer 2.0 to “[s]end any new material [stolen from the DNC] here for us to review and it will have a much higher impact than what you are doing.” On or about July 6, 2016, Organization 1 added, “if you have anything hillary related we want it in the next tweo [sic] days prefable [sic] because the DNC [DemocraticNationalConvention] is approaching and she Will solidify bernie supporters behind her after.” The Conspirators responded,“0k . . . i see.” Organization I explained,“we think trump has only a 25% chance of winning against hillary . . . so conflict between bernie and hillary is interesting.”

But the activities of other American citizens — most notably Roger Stone and Donald Trump — are discussed obliquely, even if they’re not referred to using the standard of someone still under investigation. Here’s the Roger Stone passage.

On or aboutAugust 15,2016, the Conspirators,posing as Guccifer 2.0,wrote to a person who was in regular contact with senior members of the presidential campaign of Donald J. Trump, “thank u for writing back. . . do u find anyt[h]ing interesting in the docs i posted?” On or about August 17, 2016, the Conspirators added, “please tell me if i can help u anyhow . . . it would be a great pleasureto me.” On or about September 9, 2016,the Conspirators, again posing as Guccifer 2.0, referred to a stolen DCCC document posted online and asked the person, “what do u think of the info on the turnout model for the democrats entire presidential campaign.” The person responded,“[p]retty standard.”

The Trump one, of course, pertains to the response GRU hackers appear to have made when he asked for Russia to find Hillary’s emails on July 27.

For example, on or about July 27, 2016, the Conspirators attempted after hours to spearphish for the first time email accounts at a domain hosted by a third‑party provider and used by Clinton’s personal office. At or around the same time, they also targeted seventy‐six email addresses at the domain for the Clinton Campaign.

Finally, there is yesterday’s Mariia Butina complaint, which charges her as an unregistered Russian spy and describes Aleksandr Torshin as her boss, but which also describes the extensive and seemingly willful cooperation with Paul Erickson and another American, as well as with the RNC and NRA. Here’s one of the Americans, for example, telling Butina that her Russian bosses should take the advice he had given her about which Americans she needed to meet.

If you were to sit down with your special friends and make a list of ALL the most important contacts you could find in America for a time when the political situation between the U.S. and Russia will change, you could NOT do better than the list that I just emailed you. NO one — certainly not the “official” Russian Federation public relations representative in New York — could build a better list.

[snip]

All that you friends need to know is that meetings with the names on MY list would not be possible without the unknown names in your “business card” notebook. Keep them focused on who you are NOW able to meet, NOT the people you have ALREADY met.

Particularly as someone whose communications (including, but not limited to, that text) stand a decent chance of being quoted in an indictment in the foreseeable future, let me be very clear: none of these people have been accused of any wrong-doing.

But they do suggest a universe of people who have attracted investigative scrutiny, both by Mueller and by NSD, as willing co-conspirators with Russian spies.

Granted, there are three different kinds of Russian spies included in these three documents:

  • Uniformed military intelligence officers working from Moscow
  • Civilian employees who might be considered intelligence contractors working from St. Petersburg (though with three reconnaissance trips to the US included)
  • Butina and Torshin, both of whom probably committed visa fraud to engage as unregistered spies in the US

We have a specific crime for the latter (and, probably, the reconnaissance trips to the US by IRA employees), and if any of the US persons and entities in Butina’s indictment are deemed to have willingly joined her conspiracy, they might easily be charged as well. Eventually, I’m certain, Mueller will move to start naming Americans (besides Paul Manafort and Rick Gates) in conspiracy indictments, including ones involving Russian spies operating from Russia (like Konstantin Kilimnik). It seems necessary to include the Russians in some charging documents, because otherwise you’ll never be able to lay out the willful participation of everyone, Russian and American, in the charging documents naming the Americans.

So while I generally agree with Goldsmith and Williams, this case, where we’re clearly discussing a conspiracy between Russian spies — operating both from the US and from Russia (and other countries), wearing uniforms and civilian clothing –and Americans, it seems important to include them in charging documents somewhere.

As the Summit Arrives, Keep in Mind that Putin Manages Trump with Carrots and Sticks

As I laid out last week, I provided information to the FBI on issues related to the Mueller investigation, so I’m going to include disclosure statements on Mueller investigation posts from here on out. I will include the disclosure whether or not the stuff I shared with the FBI pertains to the subject of the post. 

In my post revealing that I went to the FBI with information about someone who played a significant role in Russia’s attack on US elections, I revealed that the person sent me a text less than 15 hours after polls closed indicating Trump had ordered Mike Flynn to start working on Syrian issues.

Both Jared Kushner’s public statement and Mike Flynn’s anonymous confidant’s comments corroborate that Trump focused on Syria immediately after the election. I have taken from that that conceding to Russian plans to leave Bashar al-Assad in place is one of the payoffs Trump owed Putin for help winning the election.

For that reason, I want to look at the Shadow Brokers Don’t Forget Your  Base post, posted on April 9, 2017, just three days after Trump retaliated against Syria for a chemical weapons attack on civilians. It was the first post after Shadow Brokers had announced he was going away on January 12 (which, I now realize, was the day after the Seychelles meeting set up a back channel with Russia through Erik Prince). It preceded by days the Lost in Translation post, which released powerful NSA hacking tools that would lead directly to the WannaCry malware attack in May. And while the Don’t Forget Your Base post did release files, it was mostly about messaging.

That messaging included a bunch of things. Among other things (such as that Trump shouldn’t have fired Steve Bannon and should refocus on his racist domestic policies), the post argues that Trump should just own up to Russia helping Trump win the election.

Your Supporters:

  • Don’t care what is written in the NYT, Washington Post, or any newspaper, so just ignore it.
  • Don’t care if you swapped wives with Mr Putin, double down on it, “Putin is not just my firend he is my BFF”.
  • Don’t care if the election was hacked or rigged, celebrate it “so what if I did, what are you going to do about it”.

It talks about what the people who got Trump elected expect.

The peoples whose voted for you, voted against the Republican Party, the party that tried to destroying your character in the primaries. The peoples who voted for you, voted against the Democrat Party, the party that hates, mocks, and laughs at you. Without the support of the peoples who voted for you, what do you think will be happening to your Presidency? Without the support of the people who voted for you, do you think you’ll be still making America great again?

It claims that embracing Russian foreign policy will make America great.

TheShadowBrokers isn’t not fans of Russia or Putin but “The enemy of my enemy is my friend.” We recognize Americans’ having more in common with Russians than Chinese or Globalist or Socialist. Russia and Putin are nationalist and enemies of the Globalist, examples: NATO encroachment and Ukraine conflict. Therefore Russia and Putin are being best allies until the common enemies are defeated and America is great again.

And it argues (in a thoroughly muddled description of what happened) that Trump shouldn’t have bombed Syria.

Respectfully, what the fuck are you doing? TheShadowBrokers voted for you. TheShadowBrokers supports you. TheShadowBrokers is losing faith in you. Mr. Trump helping theshadowbrokers, helping you. Is appearing you are abandoning “your base”, “the movement”, and the peoples who getting you elected.

Good Evidence:

#1 — Goldman Sach (TheGlobalists) and Military Industrial Intelligence Complex (MIIC) cabinet
#2 — Backtracked on Obamacare
#3 — Attacked the Freedom Causcus (TheMovement)
#4 — Removed Bannon from the NSC
#5 — Increased U.S. involvement in a foreign war (Syria Strike)

[snip]

Because from theshadowbrokers seat is looking really bad. If you made deal(s) be telling the peoples about them, peoples is appreciating transparency. But what kind of deal can be resulting in chemical weapons used in Syria, Mr. Bannon’s removal from the NSC, US military strike on Syria, and successful vote for SCOTUS without change rules?

[snip]

Mr Trump, we getting it. You having special empathy for father whose daughter is killed. We know this is root cause for anti-illegal immigrant policy. Illegal immigrant shoot man’s daughter in San Francisco. Now is Syrian man daughter killed by chemical gas. We agree its needless tragedy. But tragedies happening everyday and wars endangers all the children not just Syrian.

There is, admittedly, a lot going on here, even ignoring that it sounds like a batshit insane rant.

But is also that case that Shadow Brokers had gone away in the transition period. And then shortly after Trump bombed Syria, he came back, and very quickly released tools he had threatened to release during the transition period. The release of those tools did significant damage to the NSA (and its relations with Microsoft and other US tech companies) and led directly to one of the most damaging malware attacks in history.

It is my opinion that Russia manages Trump with both carrots — in the form of election year assistance and promises of graft — and sticks — in this case, in the form of grave damage to US security and to innocent people around the world.

And Trump is poised to head into a meeting with Vladimir Putin on Monday — showing no embarrassment about the proof laid out yesterday that without Putin, Trump wouldn’t have won the election — to discuss (among other things) a deal on Syria.

Meanwhile, Trump’s own Director of National Intelligence, Dan Coats, says the lights are blinking red like they were in advance of 9/11.

Director of National Intelligence Dan Coats raised the alarm on growing cyberattack threats against the United States, saying the situation is at a “critical point” and coming out forcefully against Russia.

“The warning signs are there. The system is blinking. It is why I believe we are at a critical point,” Coats said, addressing the Hudson Institute in Washington, DC, on Friday.

“Today, the digital infrastructure that serves this country is literally under attack,” he said.
Coats compared the “warning signs” to those the United States faced ahead of the September 11 terrorist attacks.

Rather than doing the things to prepare for an attack, Trump has virtually stood down, firing his very competent cyber czar and providing no order to take more assertive steps to prepare for an attack.

This is why I came forward two weeks ago to talk about how quickly someone involved in the election attack learned of Trump’s policy shift on Syria. I believe Trump is cornered — has allowed himself to be cornered. And in spite of everything, Trump is prepared to go alone into a meeting on Monday with Vladimir Putin — the guy wielding both carrots and sticks against Trump — and make a deal.

Everyone is worried that Putin might release a pee tape. I think what Putin holds over Trump may be far more serious. And if something happens, know that there’s good reason to believe Trump brought it on the country himself, willingly.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

The Preferred Anti-Obama Russian Hack Story Remains Silent on Shadow Brokers

Michael Isikoff and David Corn are fluffing their upcoming book on the Russian tampering with the 2016 election. This installment covers the same ground, and the same arguments, and has the same weaknesses that this WaPo article did: It describes how urgent but closely held the CIA tips were (without considering whether the close hold on the intelligence led the IC to make incorrect conclusions about the attack). It describes efforts to make a public statement that got drowned out by the Pussy Grabber and Podesta releases. It airs the disappointment of those who thought Obama should have launched a more aggressive response.

Perhaps the biggest addition to the WaPo version is that this one includes more discussion of Obama’s thoughts on cyber proliferation, with the acknowledgement that the US would be more vulnerable than Russia in an escalating cyber confrontation.

Michael Daniel and Celeste Wallander, the National Security Council’s top Russia analyst, were convinced the United States needed to strike back hard against the Russians and make it clear that Moscow had crossed a red line. Words alone wouldn’t do the trick; there had to be consequences. “I wanted to send a signal that we would not tolerate disruptions to our electoral process,” Daniel recalled. His basic argument: “The Russians are going to push as hard as they can until we start pushing back.”

Daniel and Wallander began drafting options for more aggressive responses beyond anything the Obama administration or the US government had ever before contemplated in response to a cyberattack. One proposal was to unleash the NSA to mount a series of far-reaching cyberattacks: to dismantle the Guccifer 2.0 and DCLeaks websites that had been leaking the emails and memos stolen from Democratic targets, to bombard Russian news sites with a wave of automated traffic in a denial-of-service attack that would shut the news sites down, and to launch an attack on the Russian intelligence agencies themselves, seeking to disrupt their command and control modes.

[snip]

One idea Daniel proposed was unusual: The United States and NATO should publicly announce a giant “cyber exercise” against a mythical Eurasian country, demonstrating that Western nations had it within their power to shut down Russia’s entire civil infrastructure and cripple its economy.

[snip]

The principals did discuss cyber responses. The prospect of hitting back with cyber caused trepidation within the deputies and principals meetings. The United States was telling Russia this sort of meddling was unacceptable. If Washington engaged in the same type of covert combat, some of the principals believed, Washington’s demand would mean nothing, and there could be an escalation in cyber warfare. There were concerns that the United States would have more to lose in all-out cyberwar.

“If we got into a tit-for-tat on cyber with the Russians, it would not be to our advantage,” a participant later remarked. “They could do more to damage us in a cyber war or have a greater impact.” In one of the meetings, Clapper said he was worried that Russia might respond with cyberattacks against America’s critical infrastructure—and possibly shut down the electrical grid.

[snip]

Asked at a post-summit news conference about Russia’s hacking of the election, the president spoke in generalities—and insisted the United States did not want a blowup over the issue. “We’ve had problems with cyber intrusions from Russia in the past, from other counties in the past,” he said. “Our goal is not to suddenly in the cyber arena duplicate a cycle escalation that we saw when it comes to other arms races in the past, but rather to start instituting some norms so that everybody’s acting responsibly.”

The most dramatic part of the piece quotes an angry Susan Rice telling her top Russian expert to stand down some time after August 21.

One day in late August, national security adviser Susan Rice called Daniel into her office and demanded he cease and desist from working on the cyber options he was developing. “Don’t get ahead of us,” she warned him. The White House was not prepared to endorse any of these ideas. Daniel and his team in the White House cyber response group were given strict orders: “Stand down.” She told Daniel to “knock it off,” he recalled.

Daniel walked back to his office. “That was one pissed-off national security adviser,” he told one of his aides.

But like the WaPo article before it, and in spite of the greater attentiveness to the specific dates involved, the Isikoff/Corn piece makes not one mention of the Shadow Brokers part of the operation, which first launched just as NSC’s Russian experts were dreaming up huge cyber-assaults on Russia.

On August 13, Shadow Brokers released its first post, releasing files that had compromised US firewall providers and including a message that — while appearing to be an attack on American Elites and tacitly invoking Hillary — emphasizes how vulnerable the US would be if its own cybertools were deployed against it.

We want make sure Wealthy Elite recognizes the danger cyber weapons, this message, our auction, poses to their wealth and control. Let us spell out for Elites. Your wealth and control depends on electronic data. You see what “Equation Group” can do. You see what cryptolockers and stuxnet can do. You see free files we give for free. You see attacks on banks and SWIFT in news. Maybe there is Equation Group version of cryptolocker+stuxnet for banks and financial systems? If Equation Group lose control of cyber weapons, who else lose or find cyber weapons? If electronic data go bye bye where leave Wealthy Elites?

Sure, it’s possible the IC didn’t know right away that this was a Russian op (though Isikoff and Corn claim, dubiously and in contradiction to James Clapper’s November 17, 2016 testimony, that the IC had already IDed all the cut-outs Russia was using on the Guccifer 2.0 and DC Leaks operations). Though certainly the possibility was publicly discussed right away. By December, I was able to map out how it seemed the perpetrators were holding the NSA hostage to any retaliation attempts. Nice little NSA you’ve got here; it’d be a shame if anything happened to it. After the inauguration, Shadow Brokers took a break, until responding to Trump’s Syria strike by complaining that he was abandoning those who had gotten him elected.

Respectfully, what the fuck are you doing? TheShadowBrokers voted for you. TheShadowBrokers supports you. TheShadowBrokers is losing faith in you. Mr. Trump helping theshadowbrokers, helping you. Is appearing you are abandoning “your base”, “the movement”, and the peoples who getting you elected.

That was followed by a release of tools that would soon lead to billion dollar attacks using repurposed NSA tools.

As recently as February, the NSA and CIA were still trying to figure out what Russia (and the stories do appear to confirm the IC believed this was Russia) had obtained.

I mean, it’s all well and good to complain that Obama asked the NSC to stand down from its plans to launch massive cyberattacks as a warning to Putin. But you might, first, consider whether that decision happened at a time when the US was facing far greater uncertainty about our own vulnerabilities on that front.

How a Russian Dangle about Shadow Brokers Started Dictating NSA’s Twitter Feed

As you may know, we’ve been fostering dogs. Our current dog, June Bug (pictured above), is a terrorist. She’s really smart. She creates diversions so she can try to steal our food. We can only get her to play with dog toys if we “trick” her, by hiding them in boxes that she first destroys. But today, she got outfoxed (heh) by a squirrel. We were walking south towards a bush and a big oak and she saw the squirrel under the bush. While we were walking past the oak, the squirrel bolted up the oak so high that June Bug (who at least is better at understanding a third dimension than McCaffrey the Millennial Lab was) couldn’t see her. June Bug kept looking under the bush until finally she turned to the oak but by then the squirrel was well beyond her vision up in the oak.

This story, reported in both the Intercept and the NYT, on the CIA and NSA’s efforts to reach out to Russia to get Shadow Brokers tools feels like that exchange. Reading the two in tandem, it’s clear that the Russians learned the CIA and NSA were trying to buy back the tools released by Shadow Brokers, and used the channel the US set up with a Russian “businessman” to provide likely disinformation about Trump’s ties to Russia instead. NYT describes obtaining,

Russian produced unverified and possibly fabricated information involving Mr. Trump and others, including bank records, emails and purported Russian intelligence data.

[snip]

All are purported to be Russian intelligence reports, and each focuses on associates of Mr. Trump. Carter Page, the former campaign adviser who has been the focus of F.B.I. investigators, features in one; Robert and Rebekah Mercer, the billionaire Republican donors, in another.

The Intercept said the government even obtained an FBI report that had been purloined.

Recently, the Russians have been seeking to provide documents said to be related to Trump officials and Russian meddling in the 2016 campaign, including some purloined FBI reports and banking records.

It’s equally clear that, as things soured, the source reached out to James Risen to make sure the story would come out with the spin that the CIA had cut off the exchange because it didn’t want to receive dirt on Trump. Note, the NYT story doesn’t include the agency split.

What’s perhaps most embarrassing about the story is that the NSA tweeted out pre-arranged tweets at least ten times (the Intercept describes which tweets they were) as a signal that the American businessman intermediary was really working on behalf of the US government. The last that Risen lists is one pertaining to Section 702 on December 13.

Effectively, Russia was yanking NSA’s chain, and possibly tracking communication pathways from the American intermediary through NSA to the Twitter feed.

The incident is interesting for several reasons. First, it may corroborate the “second source” theory I posited back in September (which I was pretty sure was in the neighborhood in any case given some curious attention the post got). It seems to confirm that the spooks at least came to believe that Russia was behind the Shadow Brokers and Vault 7 compromises (though Russia doesn’t appear to have shared any legitimate non-public files, so it’s not necessarily proven).

Trump is now using this effort at disinformation the same way he has used the Steele dossier: in a bid to claim his own innocence.

I’m perhaps most interested in the timing of this. The government seemed to treat the Nghia Hoang Pho plea in early December as its explanation for how the Shadow Brokers files got stolen. If that’s true, it should know what Russia or whoever else took (or they could at least ask Kaspersky nicely, which seems to have a pretty good idea of what was there). It wouldn’t need to chase this intermediary for two more months.

And yet they did.

Has Hal Martin Finally Gotten the Government to Admit He Didn’t Feed Shadow Brokers?

Hal Martin may finally get a plea deal.

On Tuesday, Martin’s (excellent) public defender James Wyda asked to cancel a guilty plea to one of the 20 charges against him which had been scheduled for next week, stating that continuing negotiations may settle the whole case.

The defense requests a cancellation of the Rule 11 guilty plea hearing currently scheduled for January 22, 2018. The parties are continuing negotiations with the hope of resolving the entire case.

As John Gerstein had previously reported, last month Martin unilaterally moved to plead guilty to retaining one document described as “a March 2014 NSA leadership briefing outlining the development and future plans for a specific NSA organization,” though the government still threatened to ask for the maximum sentence on that one charge. But something changed since then to reinvigorate plea discussions.

I’m particularly interested in the schedule Judge Marvin Garbis had set in response to Martin’s bid to plead to one charge. The plea would have triggered a CIPA review, the process by which judges decide what classified information is necessary for a criminal trial, often in substitute form.

This is to confirm, as stated at the conference held this date:

1. On January 8, 2018, Defendant shall file a letter including its version of the statement of facts as to Count One of the Indictment.

2. Defendant Martin intends to plead guilty to Count One on January 22, 2018 at 10:00 A.M.

3. Defendant Martin expects to file a CIPA § 4 submission on January 26, 2018.

4. The Government shall make an ex parte presentation regarding its contentions and its pending CIPA § 4 motion in an on-the-record sealed proceeding on February 1, 2018 commencing at 10:00 A.M.

5. Defendant Martin shall make an ex parte presentation regarding its contentions and its forthcoming CIPA § 4 submission in an on-the-record sealed proceeding at a time to be scheduled by further Order.

That’s presumably an indication that Martin wanted to use classified evidence to mitigate his sentence. And all of this has happened in a six week extension Martin’s lawyers asked for on December 8, explaining that they had only just gotten access to information seized (back in August 2016) from Martin’s car and home.

On November 28, 2017, we had the opportunity to conduct an evidence review at the Baltimore FBI Field Office’s Sensitive Compartmented Information Facility for the first time of some of the items allegedly seized from Mr. Martin’s car and residence. In light of the volume of material made available for our review, we expect to return to the FBI multiple more times to review the remainder of the items.

All of which suggests the defense saw something in their classified discovery that made them think they can mitigate Martin’s sentence and, possibly, eliminate the government’s interest in trying him for those other 19 retained documents.

So to recap: on December 8, Martin’s lawyers ask for more time. On December 22, he moves to plead guilty. In the last few weeks, the judge set in motion the process to allow Martin to use classified information in his sentencing (and his lawyers submitted their version of what he would plead guilty to). And now a plea deal may be in the offing.

All that happened in the wake of Nghia Hoang Pho pleading guilty on December 1, after some interesting timing delays as well, timing which I laid out here.

The actual plea deal is dated October 11. It states that “if this offer has not been accepted by October 25, 2017, it will be deemed withdrawn.” The information itself was actually signed on November 29. Friday, the actual plea, was December 1.

So while there’s not a substantial cooperation component in the plea deal, certainly a substantial amount of time took place in that window, enough time to cooperate.

And consider the news coverage that has happened during that period. The initial plea offer was made in the week following a big media blitz of stories blaming Pho (and through him Kaspersky) for the Russian theft of NSA tools. In the interim period between the offer and the acceptance of the plea deal, Kaspersky confirmed both verbally and then in a full incident report that his AV had found the files in question, while noting that a third party hacker had compromised Pho’s machine during the period he had TAO’s tools on it.

In other words, after at least an 18 month investigation, Pho finally signed a plea agreement as the media started blaming him for the compromise of these tools.

In that plea deal, the government noted that they could have charged Pho as they had charged Martin, with one count for each retained file (though in reality Martin got charged for a tiny fraction of what he brought home).

During much of that period, Harold Martin was in custody and under investigation for a similar crime: bringing a bunch of TAO tools home and putting them on his computer. Only, unlike Pho, Martin got slammed with a 20-count indictment, laying a range of files, and not just files from NSA. Indeed, the Pho plea notes,

This Office and the Defendant agree that the Defendant’s conduct could have been charged as multiple counts. This Office and the Defendant further agree that had the Defendant been convicted of additional counts, … those counts would not group with the count of conviction, and the final offense level would have increased by 5 levels.

That is, the government implicity threatened Pho to treat him as Martin had been, with a separate charge tied to the individual files he took.

Now, perhaps that’s all that Martin’s lawyers were going to note, that a similarly situated defendant in the same district had been able to plead guilty to a single charge.

But I wonder if there’s not more, specifically related to that plea, pertaining to the real source of the Shadow Brokers files. That is, if Pho was permitted to plead guilty after having making the Shadow Brokers files accessible to third party hackers coming in after Kaspersky’s AV got shut down, then why couldn’t Martin, whose files were air gapped from such measures, obtain a similar plea?

Fake Russian Metadata that Will Do Nothing to Prevent Nuclear War

Apparently I’m not the only one troubled by Tom Bossert’s attribution of WannaCry to North Korea the other day.

In this post, Jack Goldsmith suggests the attribution will do nothing for deterrence.

He said that he thought the public attribution alone, without more, accomplished something important in holding North Korea accountable. As he put it, somewhat confusingly, later:

It’s about simple culpability. We’ve determined who was behind the attack and we’re saying it. It’s pretty straightforward. All I learned about cybersecurity I learned in kindergarten. We’re going to hold them accountable and we’re going to say it. And we’re going to shame them for it.

There you have it: The U.S. government thinks that naming and shaming by itself is a useful response to a cyberattack that caused billions of dollars of damage (though relatively little in the United States) and targeted precisely the types of critical infrastructure officials have long warned was a red line.

[snip]

it’s not just that name and shame is ineffective. For at least two reasons, it is counterproductive for the United States to take evident pride in an attribution of a major cyberattack that it at the same time concedes it lacks the tools to retaliate against or deter. First, the consequence of the attribution, and the emphasis on the damage caused by WannaCry, is to raise expectations, at least domestically, about a response. Second, the effect of such a drum-beating attribution and statement of damage, combined with a weak response, is to reveal what has been apparent for a while: “We currently cannot put a lot of stock … in cyber deterrence,” as former DNI Clapper last year. “It is … very hard to create the substance and psychology of deterrence.” When we overtly signal to North Korea that we have no tools to counteract their cyberattacks, we invite more attacks by North Korea and others—though to be fair, for the reasons Inglis stated, North Korea already has plenty of incentive, since cyber is a relatively inexpensive but very consequential tool for it, and since the United States has already imposed such extensive sanctions and seems out of tools.

I must be missing something here. Probably what I am missing is that the public attribution sends an important signal to the North Koreans about the extent to which we have penetrated their cyber operations and are watching their current cyber activities. But that message could have been delivered privately, and it does not explain why the United States delayed public attribution at least six months after its internal attribution, and two months after the U.K. had done so publicly.

In this thread, Emily Maxima notes that not everyone in the Infosec community agrees with this attribution (here’s an old piece I did on some oddities with it) and worries that the attribution might be used to justify war with North Korea.

So in the context of a potential hot-war with DPRK, the attribution chain from Wannacry to DPRK is *really* fucking important.

She then goes on to explain one of her concerns about the attribution to Lazarus group.

A few months back, I was doing some research into malware that used obfuscation mechanisms in their campaigns and code that could be used to misattribute them to other actors/nations.

It turns out, Lazarus group was one of these actors that had examples of misleading operation that made it seem like it was made in Russia, but was likely built to act as a false flag deus ex machina to lead researchers away from the true actors.

[snip]

[W]e’re talking about an increasingly tense situation where the largest attack on networked computer infrastructure in probably the last 5 years may be pinned on a group known for running false flag operations.

She points to this article that shows that some 2016 watering hole attacks that had targeted Polish and Mexican bank supervisor sites, which might be associated with Lazarus, used Russian words as a false flag to hide their origin.

In spite of some ‘Russian’ words being used, it is evident that the malware author is not a native Russian speaker.

Of our previous examples, five of the commands were likely produced by an online translation. Below we provide the examples and the correct analogues for reference:

Word Type of error Correct analogue
“ustanavlivat” omitted sign at the end, verb tense error “ustanovit'” or “ustanoviti”
“poluchit” omitted sign at the end “poluchit'” or “poluchiti”
“pereslat” omitted sign at the end “pereslat'” or “pereslati”
“derzhat” omitted sign at the end “derzhat'” or “derzhati”
“vykhodit” omitted sign at the end, verb tense error “vyiti”

Another example is “kliyent2podklyuchit”. This is most likely a result of an online translation of “client2connect” (which means ‘client-to-connect’). In this case, the two words “client” and “connect”were translated separately, then transliterated from the Russian pronunciation form into the Latin alphabet and finally joined to produce “kliyent2podklyuchit”.

[snip]

Internally, the ActionScript also uses transliterated Russian words, similar to the tactic seen in the bot code:

Transliterated Russian words used in AS Translated from Russian
Podgotovkaskotiny Preparation of farm animals
geigeigei3raza Hey, hey, hey 3 times
chainik Dummy (a stupid person)
chainikaddress Dummy’s address
poishemdatu Let’s search for data
poiskvpro Searching in ‘pro’
vyzov_chainika Calling the dummy (a stupid person)
daiadreschainika Get address of the dummy
runskotina Execute farm animals
babaLEna Old woman Lena

As seen in the table, while the words are technically Russian, their usage is out-of-context.

In one code fragment, the ActionScript contains both “chainik” and “dummy”:

01 private function put_dummy_args(param1:*) : *
02 {
03 return chainik.call.apply(null,param1);
04 }
05 private function vyzov_chainika() : *
06 {
07 return chainik.call(null);
08 }

As such, it is obvious that the word “dummy” has been translated into “chainik”. However, the word “chainik” in Russian slang (with the literal meaning of “a kettle”) is used to describe an unsophisticated person, a newbie; while, the word “dummy” in the exploit code is used to mean a “placeholder” or an “empty” data structure/argument.

The BAE analysis suggests that this incorrect usage is evidence proving the attackers are not native Russian speakers (leaving open the possibility they’re North Korean, though the report doesn’t attribute that aggressively).

I point to all this because of my continuing obsession with attacks featuring Russian metadata — starting from the first stolen Democratic files released by Guccifer 2.0 in June 2016 to faked Macron leak documents and extending to metadata ShadowBrokers left in some SWIFT files released in April — that served to deflect blame.

Perhaps it’s just fashionable to blame Russians these days.

Mind you, that other Russian metadata is for a totally unrelated watering hole attack, not for WannaCry. It’s worth remembering, however, that in addition to using Lazarus code, WannaCry also appears to have used code from Metasploit.

Ah well. I guess none of this will matter when North Korea nukes Seoul.

The Bankrupt Attribution of WannaCry

I’ve been puzzling through this briefing, purportedly attributing the WannaCry hack to North Korea, which followed last night’s Axis of CyberEvil op-ed (here’s the text). The presser was … perhaps even more puzzling than the Axis of CyberEvil op-ed.

Unlike the op-ed, Homeland Security Czar Tom Bossert provided hints about how the government came to attribute this attack.

Bossert makes much of the fact that the Five Eyes plus Japan all agree on this.

We do so with evidence, and we do so with partners.

Other governments and private companies agree.  The United Kingdom, Australia, Canada, New Zealand, and Japan have seen our analysis, and they join us in denouncing North Korea for WannaCry.

He also points to the Microsoft and (unnamed — because it’d be downright awkward to name Kaspersky in the same briefing where you attack them as a cybersecurity target) security consultant attributions from months ago.

Commercial partners have also acted.  Microsoft traced the attack to cyber affiliates of the North Korean government, and others in the security community have contributed their analysis.

Here are the specific things he says about how the US, independent of Microsoft and villains like Kaspersky, made an attribution.

What we did was, rely on — and some of it I can’t share, unfortunately — technical links to previously identified North Korean cyber tools, tradecraft, operational infrastructure.  We had to examine a lot.  And we had to put it together in a way that allowed us to make a confident attribution.

[snip]

[I]t’s a little tradecraft, to get to your second question.  It’s hard to find that smoking gun, but what we’ve done here is combined a series of behaviors.  We’ve got analysts all over the world, but also deep and experienced analysts within our intelligence community that looked at not only the operational infrastructure, but also the tradecraft and the routine and the behaviors that we’ve seen demonstrated in past attacks.  And so you have to apply some gumshoe work here, not just some code analysis.

Nevertheless, Bossert alludes to people launching this attack from “keyboards all over the world,” but says because these “intermediaries … had carried out those types of attacks on behalf of the North Korean government in the past,” they were confident in the attribution.

People operating keyboards all over the world on behalf of a North Korean actor can be launching from places that are not in North Korea.  And so that’s one of the challenges behind cyber attribution.

[snip]

[T]here were actors on their behalf, intermediaries, carrying out this attack, and that they had carried out those types of attacks on behalf of the North Korean government in the past.  And that was one of the tradecraft routines that allowed us to reach that conclusion.

Taking credit for stuff the private sector did

In his prewritten statement, Bossert provides on explanation for the timing of all this. One of the reasons the US is attributing the WannaCry attack now — aside from the need to gin up war with North Korea — is that Facebook and Microsoft, “acting on their own initiative last week,” took action last week against North Korean targets.

We applaud our corporate partners, Microsoft and Facebook especially, for acting on their own initiative last week without any direction by the U.S. government or coordination to disrupt the activities of North Korean hackers.  Microsoft acted before the attack in ways that spared many U.S. targets.

Last week, Microsoft and Facebook and other major tech companies acted to disable a number of North Korean cyber exploits and disrupt their operations as the North Koreans were still infecting computers across the globe.  They shut down accounts the North Korean regime hackers used to launch attacks and patched systems.

Yet even while acknowledging that Microsoft and Facebook are busy keeping the US safe, he demands that the private sector … keep us safe.

We call today — I call today, and the President calls today, on the private sector to increase its accountability in the cyber realm by taking actions that deny North Korea and the bad actors the ability to launch reckless and disruptive cyber acts.

Golly how do you think the US avoided damage from the attack based on US tools so well?

Then Bossert invites Assistant Secretary for Cybersecurity and Communications at DHS Jeanette Manfra to explain not how the US attributed this attack (the ostensible point of this presser), but how the US magically avoided getting slammed — by an attack based on US tools — as badly as other countries did.

By midafternoon, I had all of the major Internet service providers either on the phone or on our watch floor sharing information with us about what they were seeing globally and in the United States.  We partnered with the Department of Health and Human Services to reach out to hospitals across the country to offer assistance.  We engaged with federal CIOs across our government to ensure that our systems were not vulnerable.  I asked for assistance from our partners in the IT and cybersecurity industry.  And by 9:00 p.m. that night, I had over 30 companies represented on calls, many of whom offered us analytical assistance throughout the weekend.

By working closely with these companies and the FBI throughout that night, we were able to issue a technical alert, publicly, that would assist defenders with defeating this malware.  We stayed on alert all weekend but were largely able to escape the impacts here in this country that other countries experienced.

Managing to avoid getting slammed by an attack that the US had far more warning of (because it would have recognized and had 96 days to prepare) is proof, Manfra argues, of our preparation to respond to attacks we didn’t write the exploit for.

[T]he WannaCry attack demonstrated our national capability to effectively operate and respond.

Ix-Nay on the AdowBrokers-Shay

Which brings us to the dramatic climax of this entire presser, where Tom Bossert plays dumb about the fact that his this attack exploited an NSA exploit. In his first attempt to deflect this question, Bossert tried to distinguish between vulnerabilities and the exploits NSA wrote for them.

Q    Had they not been able to take advantage of the vulnerabilities that got published in the Shadow Brokers website, do you think that would have made a significant difference in their ability to carry out the attack?

MR. BOSSERT:  Yeah.  So I think what Dave is alluding to here is that vulnerabilities exist in software.  They’re not — almost never designed on purpose.  Software producers are making a product, and they’re selling it for a purpose.

Pretending a vulnerability is the same thing as an exploit, Bossert pointed to the (more visible but still largely the same) Vulnerabilities Exploit Process Trump has instituted.

When we find vulnerabilities, the United States government, we generally identify them and tell the companies so they can patch them.

In this particular case, I’m fairly proud of that process, so I’d like to elaborate.  Under this President’s leadership and under the leadership of Rob Joyce, who’s serving as my deputy now and the cybersecurity coordinator, we have led the most transparent Vulnerabilities Equities Process in the world.

Hey, by the way, why isn’t Rob Joyce at this presser so the person in government best able to protect against cyber attacks can answer questions?

Oh, never mind–let’s continue with this VEP thing.

And what that means is the United States government finds vulnerabilities in software, routinely, and then, at a rate of almost 90 percent, reveals those.  They could be useful tools for us to then exploit for our own national security benefit.  But instead, what we choose to do is share those back with the companies so that they can patch and increase the collective defense of the country.  It’s not fair for us to keep those exploits while people sit vulnerable to those totalitarian regimes that are going to bring harm to them.

So, in this particular case, I’m proud of the VEP program.  And I’d go one step deeper for you:  Those vulnerabilities that we do keep, we keep for very specific purposes so that we can increase our national security.  And we use them for very specific purposes only tailored to our perceived threats.  I think that they’re used very carefully.  They need to be protected in such a way that we don’t leak them out and so that bad people can get them.  That has happened, unfortunately, in the past.

Hell! Let’s go for broke. Let’s turn the risk that someone can steal our toys and set off a global worm into the promise that we’ll warn people they’ve been hacked.

But one level even deeper.  When we do use those vulnerabilities to develop exploits for the purpose of national security for the classified work that we do, we sometimes find evidence of bad behavior.  Sometimes it allows us to attribute bad actions.  Other times it allows us to privately call — and we’re doing this on a regular basis, and we’re doing it better and in a more routine fashion as this administration advances — we’re able to call targets that aren’t subject to big rollouts.  We’re able to call companies, and we’re able to say to them, “We believe that you’ve been hacked.  You need to take immediate action.”  It works well; we need to get better at doing that.  And I think that allows us to save a lot of time and money.

We’re not yet broke yet, though! When Bossert again gets asked whether WannaCry was based off a US tool, he tried to argue the only tool involved was the final WannaCry one, not than the underlying NSA exploit.

Q    So you talked about the 90 percent of times when you guys share information back with companies rather than exploit those vulnerabilities.  Was this one of the 10 percent that you guys had held onto?

MR. BOSSERT:  So I think there’s a case to be made for the tool that was used here being cobbled together from a number of different sources.  But the vulnerability that was exploited — the exploit developed by the culpable party here — is the tool, the bad tool.

This soon descends into full-on Sergeant Schultz.

I don’t know what they got and where they got it, but they certainly had a number of things cobbled together in a pretty complicated, intentional tool meant to cause harm that they didn’t entirely create themselves.

MalwareTech took a risk doing what he always does [er, did, before the US government kidnapped him] with malware?

Then there’s weird bit — one of those Bossert moments (like when he said WannaCry was spread by phishing) that makes me think he doesn’t know what he’s talking about. When asked if this North Korean attribution changed the government’s intent to prosecute MalwareTech (Marcus Hutchins), Bossert dodged that tricksy question (the answer is, yes, the prosecution is still on track to go to trial next year) but then claimed that Hutchins “took a risk” doing something he has repeatedly said he always does when responding to malware.

I can’t comment on the ongoing criminal prosecution or judicial proceedings there.  But I will note that, to some degree, we got lucky.  In a lot of ways, in the United States we were well-prepared.  So it wasn’t luck — it was preparation, it was partnership with private companies, and so forth.  But we also had a programmer that was sophisticated, that noticed a glitch in the malware, a kill-switch, and then acted to kill it.  He took a risk, it worked, and it caused a lot of benefit.  So we’ll give him that.  Next time, we’re not going to get so lucky.

After dodging the issue of why the government is prosecuting the guy whose “luck” Bossert acknowledges saved the world, he has the gall to say — in the very next breath!! — we need to do the kind of information sharing that Hutchins’ prosecution disincents.

So what we’re calling on here today is an increased partnership, an increased rapidity in routine speed of sharing information so that we can prevent patient zero from being patient 150.

Whatever you do, don’t follow the lack of money

All that was bad enough. But then things really went off the rail when a journalist asked about what one of the poorest countries on earth — a country with a severe exchangeable currency shortage — did with the money obtained in this ransomware attack.

Q    Tom, the purpose of ransomware is to raise money.  So do you have a sense now of exactly how much money the North Koreans raised as a result of this?  And do you have any idea what they did with the money?  Did it go to fund the nuclear program?  Did it go just to the regime for its own benefit?  Or where did that money go?

MR. BOSSERT:  Yeah, it’s interesting.  There’s two conundrums here.  First, we don’t really know how much money they raised, but they didn’t seem to architect it in the way that a smart ransomware architect would do.  They didn’t want to get a lot of money out of this.  If they did, they would have opened computers if you paid.  Once word got out that paying didn’t unlock your computer, the payment stopped.

And so I think that, in this case, this was a reckless attack and it was meant to cause havoc and destruction.  The money was an ancillary side benefit.  I don’t think they got a lot of it.

Wow. A couple things here. First, of one of the poorest countries in the world, Bossert said with a straight face: “They didn’t want to get a lot of money out of this.”

He has to do that, because he has just said that, “They’ve got some smart programmers.” So he has to treat the attack, as implemented, as the attack that the perpetrators wanted. That apparently doesn’t mean he feels bound to offer some explanation for why North Korea would forgo the money that their smart programmers could have earned. Because he never offers that, without which you have zero credible attribution.

Still nuttier, at one level it cannot be true that “we don’t know how much money they raised.” Later in his presser he claims, “cryptocurrency might be difficult to track” and suggests the government only learned about how little they were making because, “targets seem to have reported to us, by and large, that they mostly didn’t pay. … So we were able to track the behavior of the targets in that case.”

Um. No. It was very public! We watched WannaCry’s perps collect $144,000 via the @Actual_ransom account, and we watched the account be cashed out in the immediate wake of the aforementioned MalwareTech arrest (as Hutchins noted, making it look like he had absconded with his Bitcoin rather than gotten arrested by the FBI).  That, too, is a detail that Bossert would have needed to address for this to be a marginally credible press conference.

But wait! There’s more! We also know that as soon as WannaCry’s perps publicly cashed out, Shapeshift blacklisted all its known accounts, making it impossible for WannaCry to launder the money, and adding still more transparency to the process. Which means Bossert should know well the answer to the question “how much did North Korea (or whatever perp) make off this?” is, zero. None. Because their money got cut off in the laundering process. (For some reason, Bossert gave Shapeshift zero credit here, which raises further questions I might return to at a later date.) Either attribution includes details about this process or … it’s not credible.

Bossert’s backflips to pretend Trump isn’t treating North Korea differently than Russia

Now, all this is before you get into the gymnastics Bossert performed to pretend that Trump isn’t treating North Korea — against whom this attribution will serve as justification for war — differently than Russia. After being asked about it, Bossert claimed,

President Trump not only continued the national emergency for cybersecurity, but he did so himself and sanctioned the Russians involved in the hacks of last year.

His effort to conflate last year’s hack-related sanctions with the sanctions imposed by Congress but not fully implemented looked really pathetic.

Q    Have all the sanctions been implemented?

MR. BOSSERT:  This was — yeah, this was the Continuation of the National Emergency with Respect to Significant Malicious Cyber-Enabled Activities.  President Trump continued that national emergency, pursuant to the International Emergency Economic Powers Act, to deal with the “unusual and extraordinary threat to the national security, foreign policy, and economy of the United States.”

Pivoting to one of the most important private companies

Immediately after which, perhaps in an act of desperation, Bossert pivoted to Kaspersky, one of the most important security firms in unpacking WannaCry and therefore utterly central to any claim the answer to cyberattacks is to share between the private and public sector. Bossert said this to defend the claim that the Trump administration is taking Russian threats seriously.

Now, look, in addition, if that’s not making people comfortable, this year we acted to remove Kaspersky from all of our federal networks.  We did so because having a company that can report back information to the Russian government constituted a risk unacceptable to our federal networks.

And then — in the same press conference where Bossert hailed cooperation, including with private security firms like Kaspersky, he boasted about how “in the spirit of cooperation” the US has gotten “providers, sellers, retail stores” to ban one of the firms that was critical in analyzing and minimizing the WannaCry impact.

In the spirit of cooperation, which is the second pillar of our strategy — accountability being one, cooperation being the second — we’ve had providers, sellers, retail stores follow suit.  And we’ve had other private companies and other foreign governments also follow suit with that action.

In case you’re counting, he has boasted about cooperation in the same breath as speaking of both MalwareTech and Kaspersky.

Whatever. From this we’re supposed to conclude we should go to war against North Korea and their non-NK keyboarders the world over and  that the way to defend ourselves against them is to simultaneously demand “cooperation” even while treating two of the most important entities who minimized the threat of WannaCry as outlaws.

The Spooks Struggle with Reciprocity

I’ve written a lot about the norms (or lack thereof) that the US might set by indicting nation-state hackers for their spying. Notably, I was the first to formally note that Shadow Brokers had doxed some NSA hackers in his April release.

On Friday, along with details about previously unknown, very powerful Microsoft vulnerabilities and details on the 2013 hacking of the SWIFT financial transfer messaging system, ShadowBrokers doxed a number of NSA hackers (I won’t describe how or who it did so — that’s easy enough to find yourself). Significantly, it exposed the name of several of the guys who personally hacked EastNets SWIFT service bureau, targeting (among other things) Kuwait’s Fund for Arab Economic Development and the Palestinian al Quds bank. They also conducted reconnaissance on at least one Belgian-based EastNets employee. These are guys who — assuming they moved on from NSA into the private sector — would travel internationally as part of their job, even aside from any vacations they take overseas.

In other words, ShadowBrokers did something the Snowden releases and even WikiLeaks’ Vault 7 releases have avoided: revealing the people behind America’s state-sponsored hacking.

Significantly, in the context of the SWIFT hack, it did so in an attack where the victims (particularly our ally Kuwait and an apparent European) might have the means and the motive to demand justice. It did so for targets that the US has other, legal access to, via the Terrorist Finance Tracking Program negotiated with the EU and administered by Europol. And it did so for a target that has subsequently been hacked by people who might be ordinary criminals or might be North Korea, using access points (though not the sophisticated techniques) that NSA demonstrated the efficacy of targeting years earlier and which had already been exposed in 2013. Much of the reporting on the SWIFT hack has claimed — based on no apparent evidence and without mentioning the existing, legal TFTP framework — that these hacks were about tracking terrorism finance. But thus far, there’s no reason to believe that’s all that the NSA was doing, particularly with targets like the Kuwait development fund.

Yesterday, the spook site Cipher Brief considered the issue (though mostly by calling on CIA officers rather than NSA hackers).

But I was surprised by a number of things these men (seemingly, Cipher Brief couldn’t find women to weigh in) missed.

First (perhaps predictably given the CIA focus), there’s a bias here on anonymity tied to location, the concern that a hacker might have to be withdrawn, as in this comment from Former Acting Assistant Secretary of Defense for Homeland Defense and Americas’ Security Affairs Todd Rosenblum.

It can lead to the recall of exposed and vulnerable officers that are hard to train and embed in the first place.

And this, from John Sipher.

They can arrest or intimidate the officer, they can kick the officer out of the country or can look to publicly shame or embarrass the officer and his/her country.

But the former NSA spooks who’ve been most vocal about being outed — notably Jake Williams, whom Shadow Brokers exposed even before he released documents with more NSA hackers identified in the metadata, but also Dave Aitel — are concerned about traveling. They largely hacked from the comfort of the US, so being doxed primarily will implicate their freedom of movement going forward (which is directly analogous to Russian hackers, who keep getting arrested while on vacation in US friendly countries). In addition to making vacation planning more complicated, doxing former NSA hackers may limit their consulting options going forward.

These spooks struggle with reciprocity. Consider these two passages in the post:

Russian, Chinese and Iranian governments might seek to retaliate in-kind – which among authoritarian governments often rhymes, rather than duplicates, Western actions.

[snip]

Perhaps most importantly, the intention is part of a larger attempt to create a false moral equivalence between U.S. offensive cyber operations and those perpetrated by adversarial nation-states such as Russia, whose cyber operations leading up Western elections have grabbed the media spotlight.

And this comment from former Chief of Station in Russia Steven Hall:

The Russians live and die by reciprocity. For them, that is one of the linchpins of how they deal with issues like these, and basic diplomatic and policy issues. Typically it has been that if we expel five of their guys, they are going to turn around and expel five of ours. They are always going to look for a reciprocal way to push back. But there are times were they do things that aren’t always clear to us why they consider it reciprocal. And this might be one of those things.

It’s clear they’d like to distinguish what Russia does from what US hackers do. But aside from noting that US doxing of foreign nation-state hackers comes in indictments rather than leaked documents, nothing in this post presents any explanation, at all, about what would distinguish our hackers. That’s remarkable especially since there is one distinction: except where the FBI flips criminal hackers (as in the case of Sabu), our former spook hackers generally don’t use their skills for their own profit while also working for the state. Though perhaps that’s because defense contractors make such a killing in this country: why steal when Congress will just hand over the money?

Other than that, though, I can think of no distinction. And until our spooks and policy makers understand that, we’re going to be the ones impeding any norm-setting about this, not other countries.

But I’m most struck by the rather thin conclusions about the purpose of Shadow Brokers’ doxing, which the post sees as about fear.

If the Shadow Brokers are in fact linked to the Kremlin, then the doxing of NSA hackers is designed to similarly impede current and former U.S. cyber operators from traveling and engaging in clandestine operations abroad – particularly should targeted countries, including allies, take legal action against the individuals for their past involvement in NSA operations. It is also designed to instill fear, as the information could potentially inspire violence against the individuals and their families.

I’m sure the doxing is about fear — and also making it even more difficult for the Intelligence Community to recruit skilled hackers.

But there are at least two other purposes the Shadow Brokers doxing appears to have served.

First, as I noted, the release itself revealed that the US continued to hack SWIFT even after Edward Snowden’s leaks. It hacked SWIFT in spite of the fact that the US has front-door access to SWIFT data under the TFTP agreement with the US. Hypothetically, the US is only supposed to access the data for counterterrorism purposes, but I’ve been assured that the US is in violation of the agreement with the EU on that front. That is, NSA was hacking SWIFT even after the international community had capitulated to the US on access.

By IDing the hackers behind one of the SWIFT hacks, the NSA may have made it easier for other entities to target SWIFT themselves, which has increasingly happened.

More important, still, by doxing NSA hackers, Shadow Brokers likely influenced the direction of the investigation, leading the NSA and FBI to focus on individuals doxed, distracting from other possible modes of compromise (such as the Kaspersky aided third person hacks that appears to have happened with Nghia Hoang Pho and possible even Hal Martin).

More than seven months have passed since Shadow Brokers doxed some NSA hackers, even as he bragged that he had gone nine months by that point without being caught. We still have no public explanation (aside from the Pho plea, if that is one) for how Shadow Brokers stole the NSA’s crown jewels, much less who he is. I’d suggest it might be worth considering whether Shadow Brokers’ doxing — on top of whatever else it did to support Russia’s bid for reciprocity — may have served as incredibly effective misdirection that fed on America’s obsession about insider threats.