Snowden-deal

The NSA has taken the biggest hit since Edward Snowden exposed their domestic spying activities in 2013. A mysterious group of hackers called the Shadow Brokers released a data dump of 300+ megabytes obtained from the NSA-linked “Equation Group” on Monday, which they claim is only an appetizer before the main course. They plan to either release the bulk of their data to the public for 1 million bitcoins, or auction it off to the highest bidder.

The name of the group, “Shadow Brokers”, is a reference to Mass Effect. In the game, the Shadow Broker is an individual, or possibly a group, who trades in secrets and always sells to the highest bidder. The information released by the real-world counterparts seems intended to lead to the conclusion that the hack originated in Russia, but it is impossible to prove for certain. Of course, lack of evidence has never stopped me from speculating before. While the Russians may be in the mix, I suspect direct involvement by Edward Snowden.

Almost two weeks ago, Snowden went dark. He posted an odd message on Twitter asking for former associates to reach out, saying “It’s time”, and included a 64-digit code. He then deleted the tweets and disappeared from social media for 10 days. The message and corresponding absence of Snowden led some on the Internet to wonder if the post had been a “dead man’s switch”, an action carried out automatically if an individual does not prevent it every 24 hours or so. Glenn Greenwald, the journalist with whom Snowden corresponded during his original leak, confirmed that Snowden was still alive.

Since then, I’ve been waiting for something like what happened this weekend. Snowden reappeared on Twitter two days ago, around the time the hack of Equation Group is alleged to have taken place. Immediately after the release of the data by the Shadow Brokers, he offered commentary on the data, the hackers, and the motivations involved:

(A number of tweets have been assembled into paragraphs for the ease of the reader here.)

“The hack of an NSA malware staging server is not unprecedented, but the publication of the take is. Here’s what you need to know: NSA traces and targets malware C2 servers in a practice called Counter Computer Network Exploitation, or CCNE. So do our rivals. NSA is often lurking undetected for years on the C2 and ORBs (proxy hops) of state hackers. This is how we follow their operations. This is how we steal their rivals’ hacking tools and reverse-engineer them to create “fingerprints” to help us detect them in the future.

Here’s where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us — and occasionally succeed. Knowing this, NSA’s hackers (TAO) are told not to leave their hack tools (“binaries”) on the server after an op. But people get lazy. What’s new? NSA malware staging servers getting hacked by a rival is not new. A rival publicly demonstrating they have done so is. Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack.

Circumstantial evidence and conventional wisdom indicates Russian responsibility. Here’s why that is significant: This leak is likely a warning that someone can prove US responsibility for any attacks that originated from this malware server. That could have significant foreign policy consequences. Particularly if any of those operations targeted US allies. Particularly if any of those operations targeted elections. Accordingly, this may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.

TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast. Bonus: When I came forward, NSA would have migrated offensive operations to new servers as a precaution – it’s cheap and easy. So? So… The undetected hacker squatting on this NSA server lost access in June 2013. Rare public data point on the positive results of the leak. You’re welcome, @NSAGov. Lots of love.”

I’m not an expert on cyber-security, or even very tech savvy, but here’s what I think all of that means. The Russians were not happy about being accused by the Democrats of manipulating the US elections. They likely had knowledge that the NSA had manipulated elections before, both our own and in other countries. The best way to prove US involvement is to show the code that was used.

Snowden’s assumption that these were state actors, and not just your average hackers, jibes with a statement by Guccifer 2.0, who also pointed out that this isn’t normal behavior for hackers. While selling hacked information is common, the grandiose display is not. Snowden says that they were trying to send a message, and I tend to agree with him. As I’ve said, I think that he would know.

It is interesting to note, as Snowden himself points out, that the data released are dated to late 2013, just after Snowden hightailed it out of the country. Whoever released the data was sitting on it for several years. I suspect that one of Snowden’s former associates at the NSA was holding onto some encrypted data, ready to release it if anything happened to him. The tweets put out just before Snowden dropped off Twitter may have been instructing that individual to decrypt and release the data. This doesn’t mean that the Russians weren’t involved, but it would indicate people within the United States, possibly even within the NSA.

This whole thing comes at a convenient time for Donald Trump. Not long ago, Barack Obama was laughing at him for saying that US elections could be rigged. Now, Obama has egg on his face. If the code stolen by the Shadow Brokers did have to do with election manipulation, Obama probably knew about it. It may have even been used to secure his place in the White House.

Of course, don’t expect any of this to be reported by the mainstream media. Snowden very clearly indicated that NSA malware could be involved in manipulating elections, but this detail has been completely ignored. This attack is being reported in much the same way the hacks of the DNC were covered. The media are attempting to turn Russia into a super-villain, and keep us on the march toward war with them. If the Russians are responsible, and if the data have anything to do with election manipulation, we should be thanking them for pulling back the curtain to reveal who is pulling the levers of power. Personally, I have never voted on a machine, and never will.