00:00:00
JACK: Sometimes you read the news and the story
sticks with you forever. One such news story I
00:00:06
saw was some security news I heard and I’ll
always remember it. It was when I first saw
00:00:11
a presentation about the NSA ANT catalogue. Have
you seen this? It’s mind-bending. [MUSIC] Okay,
00:00:19
here’s what happened. Someone with access to NSA
documents took the ANT catalogue and gave it to
00:00:24
journalists at Der Spiegel and then they published
it. At first, we thought it was Snowden who leaked
00:00:30
these documents but we’re not sure if it was him
or a second leaker. I asked Snowden on Twitter if
00:00:35
it was him, but he didn’t respond. So, what’s
NSA’s ANT catalogue? ANT stands for Advanced
00:00:42
Network Technology and in this catalogue is a
list of hacks, exploits, and cyber-surveillance
00:00:48
devices that the NSA can use for certain missions.
If you work at the NSA and you need an exploit,
00:00:54
you look through this catalogue and then request
to get one of these devices or pieces of software.
00:01:00
When you look through it, it looks like the work
of science fiction but these are all real devices.
00:01:06
Let me point out a few to you; the NSA has created
a device codenamed COTTONMOUTH. It looks like a
00:01:13
typical USB plug; one you’d see on a mouse or
a keyboard but it’s actually capturing all the
00:01:18
data going through it and wirelessly transmitting
that data. It listens for mouse clicks, keyboard
00:01:23
strokes, or any other data going through it. Now,
the receiver has to be close by; I don’t know,
00:01:28
twenty feet maybe, and with a strong antenna
and nothing in the way could probably transmit
00:01:32
much further. Someone could be listening maybe
in the room next door to everything that your
00:01:38
USB connector is seeing. This is some next-level
technology that the NSA developed in 2008 which
00:01:44
still isn’t even available commercially today. The
ANT catalogue even lists a price for this; $20,000
00:01:51
per USB implant. Jeez, that’s a lot. The NSA ANT
catalogue has loads of other hacks and implants.
00:01:58
There’s DROPOUTJEEP which is a piece of software
that if you can get it onto an iPhone, it’ll give
00:02:04
you all the text messages, contacts, voicemail,
it’ll hot mic or open the video-camera, and get a
00:02:09
geo-location of that phone. There’s FIREWALK
which is a pretty amazing network sniffer.
00:02:15
There’s JETPLOW which is a firmware that gives
the NSA backdoor access to a Cisco firewall. Then,
00:02:21
there’s DEITYBOUNCE which is an implant that goes
onto a Dell server which can get them backdoor
00:02:26
access to that, but one of my favorites is called
RAGEMASTER. This is a little device that taps into
00:02:31
any VGA port. This is the connector that goes
from your computer to your monitor. With this,
00:02:37
it can wirelessly transmit everything that
VGA connector sees, essentially cloning that
00:02:42
monitor to be seen by someone else at a distance.
Let’s imagine how these hacks might take place;
00:02:48
the NSA might intercept a Cisco firewall
being delivered somewhere and they’ll open
00:02:53
the box carefully, put their firmware
on it, and then seal the box back up.
00:02:58
This will give them permanent backdoor access
into that firewall whenever they want, or if they
00:03:03
know their target is going to stay at a hotel,
they can get a room next door to their target,
00:03:07
break into their target’s room, install
COTTONMOUTH or RAGEMASTER and then listen
00:03:13
in the other room for the wireless signal to see
everything that person was typing and seeing. Even
00:03:19
if that person wasn’t connected to the wireless
or any network at all, this is possible and
00:03:24
it’s insanely impressive. Yes, fifty items in this
catalogue were leaked to the public in 2013 but we
00:03:32
only saw descriptions of these devices; no actual
devices were seen. Now, upon closer inspection,
00:03:39
we see that these items were intended to be used
by TAO. TAO stands for Tailored Access Operations,
00:03:46
TAO. It’s a unit within NSA that has a primary
objective to gather intelligence on computer
00:03:52
systems. The people within TAO have access to the
most sophisticated hacking tools ever created.
00:03:59
They have the budget and ability to spend
years on research and development to make
00:04:03
insane tools and then use them whenever they
need. TAO is NSA’s elite hacking force and
00:04:09
they’ve actually changed their name to Computer
Network Operations now but for this story,
00:04:13
I’m gonna just keep calling them TAO. When
security companies research hacking campaigns,
00:04:18
they can’t tell for sure who did it, so they
give hackers a unique codename. Fancy Bear is
00:04:24
what’s given to the Russian hackers. Charming
Kitten is given to Iran and so on. But security
00:04:29
companies have investigated certain malware
that’s come from the NSA. A hacking name was
00:04:34
given to the NSA. The name they were given
is the Equation Group and it’s believed
00:04:41
that whoever is doing work for the Equation
Group is specifically TAO within the NSA.
00:04:47
JACK (INTRO): [INTRO MUSIC] These are true
stories from the dark side of the internet.
00:04:58
I’m Jack Rhysider. [00:05:00] This is
Darknet Diaries. [INTRO MUSIC ENDS]
00:05:09
JACK: Okay, today we’re talking with someone
who I really wanted to talk to for a long time;
00:05:21
someone who knows a lot about security
and has been doing this for decades.
00:05:24
When you’re battling hackers for that long,
you surely have some interesting stories.
00:05:29
JAKE: My name’s Jake Williams. I’m
the founder of Rendition InfoSec.
00:05:34
I think right now I’m an InfoSec dumpster fire
putter-outer, basically. All over the board,
00:05:39
when it comes to InfoSec, incident
response, Red Team, SOC, whatever.
00:05:42
JACK: What does Rendition Security do?
00:05:45
JAKE: Well, we’re on a managed security
operation center, so I manage SOC,
00:05:49
or vSOC as some people call it. We do that 24/7
here in the US to actually manage out of Augusta,
00:05:55
Georgia. Separately, worldwide, we do Red Team
and incident response. We have folks actually in
00:06:02
several countries and do a lot of international
work as well as domestic work as well.
00:06:09
Basically, Red Team incident response
is a big piece for digital forensics.
00:06:13
Some security architecture work
and then of course, the vSOC.
00:06:17
JACK: For you Twitter folks out there, this is
@MalwareJake on Twitter. I say that because he
00:06:23
has fifty thousand followers on Twitter
and he’s pretty well-known. Besides being
00:06:26
the founder of Rendition Security, he also
teaches SANS courses. These are information
00:06:31
security courses and specifically he teaches
courses on threat intelligence, forensics,
00:06:36
penetration testing, and even threat
detection. SANS courses are usually
00:06:40
fantastic and extremely informative and have
some of the best teachers. For this story,
00:06:44
we’re gonna go back to August 2016. [MUSIC] Jake
was working for Rendition Security then and his
00:06:50
client had a specific security issue that was
so big they needed Jake to go on-site to help.
00:06:55
This was an incident response; the client
was hit with something serious so Jake and
00:07:00
his team went to the client location and took
over a conference room to begin doing triage.
00:07:06
JAKE: We already had a War Room per se
right there for the incident response.
00:07:10
JACK: Jake had been at this client site for
a few days now trying to help resolve this
00:07:15
security incident. Back at the home office of
Rendition Security, they have a full-on SOC,
00:07:20
a Security Operations Center. While a few
people were on-site helping the client,
00:07:25
there were many more people back in the office
helping out, too. A SOC is usually quite a sight
00:07:30
to see. They have lots of technicians or analysts
sitting in desks with three or four monitors each,
00:07:36
analyzing alerts. But on the wall in the front of
the SOC will be all kinds of big screen monitors;
00:07:41
world maps, attack maps, rosters, news
feeds. On one of the monitors in this
00:07:47
SOC was a Twitter feed. Now, in the early
morning of August 13th, 2016, one of the
00:07:53
people in the SOC saw something on that Twitter
feed and they knew they needed to tell Jake.
00:07:58
JAKE: Maybe 6:30 or 7:00 in the morning,
00:08:01
something like that. I remember we were
just rolling out. If I remember correctly,
00:08:05
I think the Sonic for breakfast; grabbing
some of those breakfast burritos they have.
00:08:10
JACK: The tweet that Jake read was posted by
someone with the name Shadow Brokerss with two
00:08:16
s’s at the end. The tweet said, quote, “We follow
Equation Group traffic. We find Equation Group
00:08:23
source range. We hack Equation Group. We find many
Equation Group cyber-weapons. You see picture? We
00:08:31
give you some Equation Group files free. You
see? This is good proof. No, you enjoy. You
00:08:37
break many things, you find many intrusions, you
write many bad words but not all. We are auction
00:08:43
the best files.” End quote. That is hard to
understand. Sounds like whoever wrote that,
00:08:48
English was not their first language. But it
basically said this group, Shadow Brokers,
00:08:53
have stolen some cyber-weapons from the NSA,
specifically TAO within the NSA which is what
00:08:59
Equation Group is, and that they’re giving away
one of these exploits for free to everyone now,
00:09:05
and auctioning the rest off. The Rendition
SOC saw this, thought it was important.
00:09:12
JAKE: [00:10:00] We got alerted from one
of them and said hey, are you seeing this?
00:09:17
Up to that point, the answer is
no, we haven’t seen this. Then,
00:09:20
we’re popping up on Twitter and
going out to GitHub and saying okay,
00:09:23
hey, first it was the download the stuff from
GitHub and then it was a oh snap, this is real.
00:09:29
This isn’t a hoax. This is real stuff.
JACK: Even though Jake is the President
00:09:33
of Rendition Security and even though
he was on a client’s site at the time,
00:09:37
he felt this was so important that he took time
out of his day to download these files and to
00:09:42
look at this malware that the Shadow Brokers had
released. The malware was a specific exploit for
00:09:48
Cisco and Fortinet firewalls. This malware
would allow the attacker to send an exploit
00:09:53
to a fully-patched firewall and allow the
hacker to take full control of that firewall.
00:09:59
JAKE: Well, I downloaded some files that,
we’ll say for sake of argument, looked legit.
00:10:07
JACK: Hm, Jake says it looks legit. Let’s
consider what that means for a moment;
00:10:15
someone calling themselves Shadow Brokers
has claimed that they got one of TAO’s
00:10:20
secret exploits and publicly dumped it for
the world to see, an exploit that Cisco and
00:10:25
Fortinet did not know existed. This exploit
does in fact work on a fully-updated firewall,
00:10:31
meaning it was previously unknown to the
world and now Jake is saying it looks legit.
00:10:37
JAKE: Yeah, I mean, I think that’s
as far as I can go directly without
00:10:42
confirming or denying. We’ll say
looked like legitimate threats.
00:10:46
JACK: I feel like Jake might know something
more about this than he’s leading on. I mean,
00:10:52
what president of a security company is going to
take time out to download a potential NSA exploit,
00:10:58
test it, and then come out and
say it looks legit? After this,
00:11:02
he went into the client office
to continue doing work for them.
00:11:06
JAKE: Actually, it was a Cisco customer who had
a lot of legacy Cisco equipment. Having some of
00:11:15
that legacy Cisco equipment with the – basically,
we’ll just say it was equipment that was itself
00:11:23
vulnerable in some of the configuration. Some
of the stuff they had, actually, was vulnerable
00:11:27
to some of the stuff that was released which is
obviously not a best-case kind of scenario there.
00:11:34
Yeah, definitely was doing some digging
into what’s in the dump and what kind of
00:11:40
exposure does that leave not just them that we’re
on-site with but obviously other clients as well.
00:11:45
JACK: Both Cisco and Fortinet confirmed this
was a vulnerability they were not aware of
00:11:49
and issued a patch right away but this barely
fixed the issue. The issue now is who are these
00:11:55
Shadow Brokers? How many exploits do they have?
[MUSIC] How did they get these? Not to mention,
00:12:01
they’re selling even more of these to the
highest bidder. They even went on to say if
00:12:05
they can get one million Bitcoin, they’ll dump
everything to the public for everyone to see.
00:12:10
But the immediate problem is realizing that this
top-secret exploit is now in the enemy’s hands.
00:12:16
JAKE: Well, everybody’s hands, right? At the time,
bear in mind, it’s one zip file and it is a – it’s
00:12:20
one zip file and there’s no evidence at
this point that they have anything else
00:12:31
specifically. I know they claimed to but in
their initial post, it’s all gibberish anyway.
00:12:38
I’m kind of looking at it going, it’s one file.
Without giving the specifics, let’s just say that
00:12:46
it is the kind of thing that I could see
somebody having without having everything else.
00:12:52
There are plausible scenarios in which one
could have that specific thing and not have
00:12:59
everything else that they dump later.
00:13:00
JACK: Okay.
00:13:01
JAKE: Yeah.
00:13:01
JACK: Did you think – did you have a guess
at who might be Shadow Brokers at that point?
00:13:06
JAKE: I think at that point it was
a little too early for me to really
00:13:11
develop much of a theory beyond the wow.
It was quite a dump so I think at the time,
00:13:22
we did a lot of internal discussion and
analysis. Rendition, we did quite a bit of that.
00:13:32
I think for us, we were kind of split between
either this is legit; they’re dumping this to
00:13:39
show that they have legit other stuff to sell.
‘Cause remember, that was part of the offer,
00:13:45
right? Was that they would release the keys to
decrypt these other awesome, as of yet unknown,
00:13:51
even what – quantity and quality, these
other zero-days. We’re gonna release all
00:13:56
this stuff. This is the preview or the teaser,
as it were, to get people’s appetites whet.
00:14:04
I think about half of us, the group, kind of
looked and said yeah, that’s probably what it is.
00:14:10
There was another group that was – another
[00:15:00] contingent that was like yeah, no,
00:14:14
this has nothing to do with money, absolutely
nothing to do with money. This is full-on,
00:14:18
regardless of what else they have, this
is full-on an information operation.
00:14:23
I think I kind of flip-flopped
between the two. I gravitate to
00:14:26
information operation but I could see
the other argument being legit as well,
00:14:32
that some insider perhaps had walked out
with stuff and was motivated by money.
00:14:37
JACK: The news was now spreading all over the
internet that the Shadow Brokers had leaked NSA
00:14:42
hacking tools. The Guardian was posting about it,
Ars Technica, Engadget, The Atlantic, Wired, even
00:14:48
the New York Times. This was a really big deal and
had the attention of the world. How much did the
00:14:55
auction get to? Well, in the first twenty-four
hours after the dump, the auction only received
00:14:59
$937 which I think was quite a disappointment for
the Shadow Brokers. People everywhere were trying
00:15:06
to guess how they got these exploits. Did someone
hack the NSA? Maybe the NSA hacked them but then
00:15:13
left their hacker tools behind. Because if the NSA
is going to hack something, they need to put their
00:15:18
exploit there first and then execute it. Maybe
they just left their exploits behind or maybe
00:15:24
someone from the NSA grabbed this stuff and walked
out with it. Nobody knew for sure but these Shadow
00:15:30
Brokers had captured the attention of the world.
Two months later, Joe Biden was on NBC’s Meet the
00:15:37
Press. The two were talking about Russia possibly
hacking the elections and they had this to say.
00:15:42
CHUCK: I talked with Ambassador – former Russian
Ambassador Mike McFaul. We talked about the idea
00:15:48
that everyone’s – you gotta respond when
they’re hacking. You gotta do something.
00:15:53
He described it as a high hard one, maybe
just like in baseball; you throw a high,
00:15:58
hard one to send a message. But
we sent a message, yeah, to Putin.
00:16:02
JOE: We’re sending a message. We have
the capacity to do it. The message…
00:16:10
CHUCK: They’ll know it?
00:16:11
JOE: …he’ll know it. It’ll be at
the time of our choosing and under
00:16:14
the circumstances that had the greatest impact.
00:16:17
CHUCK: A message is going to be
sent? Will the public know it?
00:16:23
JOE: I hope not.
00:16:25
CHUCK: Mr. Vice President, I’ll
leave it there. Thank you, sir.
00:16:29
JOE: Thank you.
00:16:30
JACK: Two weeks after that, Shadow Brokers
published their second dump. First,
00:16:35
they say this right away, quote, [MUSIC] “Why is
dirty grandpa threatening CIA’s cyber-war with
00:16:41
Russia?” End quote. Now, I believe they’re calling
Biden dirty grandpa here because of what he said
00:16:47
just a few weeks earlier which is a really, really
weird thing to say, but okay. The contents of this
00:16:55
second dump was just a big list of IP addresses
and the Shadow Brokers claimed that this was a
00:16:59
list of servers in the world that the NSA had
infected or was using as a server to launch
00:17:04
exploits from. This wasn’t quite that big of a
dump; the message was more like telling the NSA
00:17:09
that the Shadow Brokers weren’t going away and
this is a reminder that they’re still a threat.
00:17:13
JAKE: I think the second dump was really
interesting because the second dump, given all
00:17:19
the IP addresses that were there, became a really
interesting data set for researchers who had a lot
00:17:25
of net flow data. We did, indeed – and I think
just like anybody else, right, went back through
00:17:32
net flow data for our clients and said okay, do
we see IP addresses from this list connecting to
00:17:39
any client anything? Because obviously if they
are, that could be an indicator of compromise.
00:17:44
It’s definitely an indicator of concern but yeah,
I mean other than analyzing what they wrote,
00:17:50
the Shadow Brokers themselves wrote and posted.
I think they were on Steemit still at the time;
00:17:54
yeah, Steemit. Basically, beyond looking at what
they wrote, it wasn’t really a – that next drop
00:18:01
wasn’t earth-shattering. There was nothing really
in there besides the IP addresses but it was more
00:18:05
actionable than the first one, to be honest,
for the majority of InfoSec professionals.
00:18:08
JACK: The reason why this was actionable for
some InfoSec professionals is because we got a
00:18:14
list of IP addresses that the NSA is possibly
hacking from. If you can cross-reference that
00:18:20
with the IP addresses that are coming into
your network like hits to your website,
00:18:24
logins to your VPN, that kind of thing, you might
be able to notice if the NSA was hacking you; or,
00:18:33
at least in theory, that’s what
you could possibly check for.
00:18:37
Stay with us because after the break, the
world is about to change. [00:20:00] Now,
00:18:42
something huge happened in the world just after
this second dump. The US had a presidential
00:18:48
election and Donald Trump took the election.
There was a lot of rhetoric at the time that
00:18:53
the Russians meddled with the election and just
as people were starting to talk about that,
00:18:57
in January of 2017, the Shadow Brokers
made another post, this one saying goodbye.
00:19:04
The post said that they did not get the Bitcoin
they were hoping for so they were just going to
00:19:08
release more hacking tools for free for anyone.
[MUSIC] They posted sixty-one Windows executables,
00:19:13
link libraries, and drivers, claiming each
one was developed by the Equation Group,
00:19:18
TAO within the NSA, and can be used
to hack Windows computers. Again,
00:19:23
these did check out and they were new exploits
not previously seen and they looked legit again,
00:19:28
as in they were probably created by the TAO
in NSA. The Shadow Brokers then signed off,
00:19:35
saying goodbye, claiming they’re going to go
dark because they didn’t get enough Bitcoins.
00:19:40
JAKE: Sixty-seven or something files. The
actual files themselves also get sent out.
00:19:46
That was a pretty big deal for us because in their
directory listing it says something like Event
00:19:55
Log Edit or Edit Event Log, something,
and there’s multiple references to it.
00:20:00
In the InfoSec community, and the forensics,
their deeper community, a lot of folks take those
00:20:04
event logs to be sacred, right? There are whole
textbooks written about how you can basically
00:20:13
clear an event log but you can’t surgically edit
one. Now, those of us in incident response have
00:20:17
known that’s been not true for some period of
time but we don’t have – most of us don’t have
00:20:26
publicly available tools that we can point
to and say no, no, look, here’s the capability.
00:20:30
The capability definitely exists; here’s where
it’s at. Again, anybody who’s in this business
00:20:35
knows that it’s a capability. We even know who
had it up to that point but suddenly overnight,
00:20:40
everybody had it. It changed the game on
incident response and having seen that,
00:20:47
we wanted to go ahead and basically, that was one
of the first major posts that I wrote about it,
00:20:52
was to say hey look, this is a game-changer
for incident response. It’s a game-changer
00:20:58
for a lot of stuff but specifically for IR,
this is a full-on game-changer; pay attention.
00:21:02
JACK: Hm, yeah. The exploit they dumped means
a hacker can edit an event log in Windows.
00:21:08
This was previously not a capability. Well, not a
capability except for the TAO unit within the NSA,
00:21:15
but now the whole world has this capability. This
could have a big impact. Jake continued to analyze
00:21:21
what the Shadow Brokers were dumping. Yeah, he was
blogging about it, talking about what he thinks of
00:21:27
this and what the important takeaways are from
these dumps. But this wasn’t the last we heard
00:21:32
from Shadow Brokers; about three months later,
in the first week of April, they showed back up.
00:21:37
They made another post, dumping more stolen
hacking tools. In this post, they even had
00:21:42
a message for the president. [MUSIC] Quote, “The
Shadow Brokers voted for you. The Shadow Brokers
00:21:48
supports you. The Shadow Brokers is losing
faith in you, Mr. Trump. It’s appearing you
00:21:54
are abandoning your base, the movement, and the
peoples who getting you elected.” End quote. Huh,
00:22:01
does this mean the Shadow Brokers are part of the
far-right? Or is this some kind of smoke screen?
00:22:07
Well, again, Jake saw this dump, analyzed it, made
sense of it, and then made a blog post about it.
00:22:14
JAKE: I said look, if you track the
dumps and you track some of the rhetoric,
00:22:18
the timing of the dumps is very conveniently
aligned around times that Russia is being
00:22:27
called out in the press for hacking. Literally
what they’re doing is, I hypothesized and I said
00:22:33
basically, I can’t say for sure that the timing is
coincidental or circumstantial, whatever. We can
00:22:40
say that the Shadow Brokers’ dumps, the timing of
these definitely lines up with times that Russian
00:22:47
hacking is in the news and in the tech space
which is largely where that’s being covered,
00:22:53
them dumping these – creating these dumps
is completely taking the focus away from
00:22:59
Russian hacking and putting it on oh my gosh,
NSA lost tools, allegedly. Check box, right?
00:23:07
JACK: It’s always weird when hacking stories get
political for me ‘cause I don’t think us security
00:23:12
people even cautiously [00:25:00] realize when
it does get political. We just see some shadowy
00:23:16
group of people dumping hacking tools which is
a real impact on the networks we’re trying to
00:23:21
secure. But if you lean into the story, you start
seeing things like Biden and Russia and elections,
00:23:28
and Donald Trump. Phew. These were
some of the observations that Jake
00:23:33
saw and he was starting to post this to
his blog. Now keep in mind, Jake here is
00:23:38
known as @MalwareJake on Twitter where he has
50,000 followers. When he posts a blog post,
00:23:43
it gets considerable eyes on it. This particular
blog post got retweeted and started spreading.
00:23:49
JAKE: Well yeah, not just retweeted but that
actually took the content and basically wrote
00:23:55
stories around the content saying oh,
Jake Williams of Rendition says that
00:24:01
he believes this is, if not a Russian
operation, in the interests of Russia,
00:24:06
kind of thing. Folks wrote stories
about the analysis, kind of deal.
00:24:10
JACK: It’s kind of exciting to have a
blog post of yours gain some traction
00:24:13
like that. It feels good that you
have something helpful to say about
00:24:16
the conversation and people appreciate
your thoughts. But then, the next day…
00:24:21
JAKE: Gosh, I was in Orlando teaching at a
SANS event. I was actually sick at the time to,
00:24:25
on top—I was running an actual fever on top of
everything else. But I was actually teaching
00:24:30
exploit development at the time, advanced exploit
dev in Orlando. I wake up, phone alarm goes off,
00:24:38
whatever. [MUSIC] I wake up and I check
Twitter notifications and at the time,
00:24:43
I saw all my notifications go
into the phone, what have you.
00:24:46
I just do a little drag-down and it’s like,
99+. 99’s where it stops counting. It’s like,
00:24:48
99+ notifications. I’m like ugh, either something
really good has, you know, like a blog post has
00:24:57
gone viral or something – I’m like, my first
thought is I tweeted something that really
00:25:04
pissed a bunch of people off and I’ve got some
whatever it is, the gang-up kind of thing going,
00:25:10
or dogpiling or something. Then my blood ran
cold when I saw what had actually happened.
00:25:18
JACK: Shadow Brokers, the secret hackers who had
the attention of the entire InfoSec community and
00:25:25
so many more people, had tweeted directly at Jake.
The tweet said, quote, “@MalwareJake, you having a
00:25:34
big mouth for former Equation Group member. Shadow
Brokers is not in habit of outing Equation Group
00:25:41
members but had to make exception for big mouth.”
End quote. The English was rubbish but the message
00:25:48
was clear. Whoever these Shadow Brokers were
had just stated publicly for everyone in the
00:25:52
world to know that Jake was a former member
of NSA’s TAO, a.k.a, the Equation Group.
00:25:59
JAKE: Yes, yep.
00:26:01
JACK: The thing is, it’s true. Jake had spent
almost two decades working in the information
00:26:05
community for the government and about five
years in TAO. But Jake had kept this a secret,
00:26:11
almost just to himself even though he was a
public figure with tons of Twitter followers,
00:26:15
a speaker at events, a SANS instructor.
Nobody outside his close friends and
00:26:20
family and ex-co-workers knew
he was a former member of TAO.
00:26:24
JAKE: No, I certainly wasn’t tweeting that
– I mean, I had a hole in my – obviously, if
00:26:30
you go to my LinkedIn, you can see I work for the
DoD, right. There’s no question there but I mean,
00:26:35
in our space, there’s a lot of people in InfoSec
that worked at some time for the DoD. I was former
00:26:41
army and I felt like that was all – yeah, again,
it was DoD but yeah, to get in and say NSA – and
00:26:49
really on top of that, to say NSA hacker, is a
whole different level of – yeah, that, I guess.
00:26:59
It wasn’t something that I really was planning to
start talking about out there, but whatever. Yeah.
00:27:06
JACK: What’s your initial
reaction when you saw that?
00:27:08
JAKE: Well, I’ll be honest
and say it was unprecedented
00:27:12
and I didn’t really have a good feel for how the
government was gonna handle this. A lot of people
00:27:19
have chatted about this with some of their folks.
Over the last couple of years, what I didn’t know
00:27:25
at the time, the thing that most concerned
me was the complete lack of predictability
00:27:30
for what the US government was gonna do. I
didn’t know if the FBI was gonna sweep in
00:27:35
and be holy goodness, this is Russia. I just
don’t know. There is, even at that time,
00:27:42
a thought that it’s Russia. The community,
they’re definitely – you mentioned before,
00:27:48
some of the Trump rhetoric – I didn’t know if – it
wasn’t just what was the US government gonna do,
00:27:55
but how were ordinary people gonna react to this?
It was a very challenging time because of that,
00:28:01
I think, more than anything else, was just the
unpredictability. Yeah. It’s unprecedented.
00:28:07
JACK: That must have ruined your whole day.
00:28:09
JAKE: Like I said, I was already sick.
I’ll be honest and tell you that [00:30:00]
00:28:14
I can’t picture a better place to have to deal
with that than teaching a SANS class and it’s what
00:28:21
we call boot camp class that runs from nine in the
morning ‘til seven p.m. I feel like that night,
00:28:27
I know we had some other event that I was staffing
there, so I literally worked from nine to nine
00:28:33
despite being sick and I cannot fathom
a better way to have dealt with that.
00:28:37
JACK: Why?
00:28:39
JAKE: It was forced distraction. I
didn’t have time to mull over it as
00:28:44
much as just go do your thing.
I think that was helpful to me.
00:28:49
JACK: Yeah, so I was just wondering
kind of the overall message; do you
00:28:52
think they were guessing at who you were or…?
00:28:54
JAKE: No, not a bit. I can say with
confidence that – with high confidence
00:29:03
that they 100% were not guessing at who I was.
I say that with high confidence. I can’t get
00:29:09
into the why but I will say for sure they were
not guessing at who I was. They had that dead
00:29:16
to rights. They knew; it wasn’t a guess. Based on
some other stuff that they’ve written, I’m fairly
00:29:22
certain they had that, yeah. But what the message
was is another thing entirely, right? It could be,
00:29:31
and I’ve put a lot of thought
into this, the message could be
00:29:35
purely that they didn’t like what I was writing
and wanted me to shut up and wanted that blog post
00:29:40
down. My business partner at the time reacted
exactly that way and took the blog post down.
00:29:47
Even with links to it, right, he basically
rewrote it as a one-paragraph nothing;
00:29:53
no real content to it, no real meat to it.
There wasn’t a 404 on the website but he took
00:29:58
that down and if they were trying to accomplish
that goal, that they did. They definitely did.
00:30:07
It could have also been that if somebody else
was out there that hadn’t yet been identified,
00:30:14
that they were trying to say hey, if you do
what this guy does, we’re going to out you
00:30:19
too. I don’t know, I would expect that if anybody
else were thinking about commenting on – former
00:30:25
NSA folks were thinking about commenting on the
Shadow Brokers, I would expect that would be a
00:30:31
deterrent as well. But again, as far as their
motivation, it’s really hard to nail down.
00:30:36
JACK: [MUSIC] What a weird and
surreal thing to happen to Jake;
00:30:43
to be outed publicly by this mysterious hacker
crew. It’s like he was doxed by them. The tweet
00:30:51
didn’t just stop there. It went on to say how
the Shadow Brokers know about some top-secret
00:30:55
weird missions and I’m gonna assume classified
things that Jake was involved in while at TAO.
00:31:02
The Shadow Brokers’ tweets started, or
their messages, were saying things like
00:31:08
connecting you to things like odd jobs, CCI,
Windows BITS persistence, and the Q Group.
00:31:14
JAKE: Mm-hm.
00:31:16
JACK: Do you have any comment about that?
00:31:18
JAKE: There’s no safe comment
that I can make on any of that.
00:31:24
JACK: A few days after that, the Shadow Brokers
released yet another set of stolen exploits. This
00:31:31
one would make a huge splash in the world. This
dump contained EternalBlue and EternalRomance,
00:31:38
among others. Now, what’s so important about
EternalBlue is that this is an exploit that can be
00:31:44
used to remotely access Windows computers running
SMB which was something that was installed by
00:31:49
default on all Windows machines, making millions
and millions and millions of Windows computers
00:31:54
vulnerable to this exploit. EternalBlue was huge.
This was the biggest of all their exploits and
00:32:01
it just landed in the hands of the general
public for any hacker in the world to use.
00:32:05
EternalBlue might go down as one of the
most successful hacking tools in history.
00:32:09
It’s really effective for letting hackers into
Windows machines but here’s the strange thing;
00:32:14
just about a month before Shadow Brokers dropped
this on the world, Microsoft had patched it. Yeah,
00:32:20
they fixed it right before it was unleashed.
Rumor has it that the NSA gave Microsoft
00:32:25
a very quiet heads up that this might be in an
upcoming dump so they can work on patching it
00:32:32
before it hits the streets. Now, of course, this
too was a really big deal for Jake. He knew that
00:32:39
EternalBlue could have far-reaching
effects on many of his customers but
00:32:43
he was still coming to grips with
the earlier tweet that called him
00:32:46
out. That single tweet which outed Jake as an
Equation Group member really changed his life.
00:32:52
JAKE: It definitely changed my threat
modeling, no question about that.
00:32:59
At the time, and again, in hindsight, a lot of
people I think, will say overreact, whatever,
00:33:06
but – that I might have been overreacting but
at the time we just didn’t know. We didn’t know
00:33:12
what – not just what they were gonna
do but what anybody was gonna do in response.
00:33:18
Our own government included private citizens
who were pro-Trump, anti-Trump. They had
00:33:22
taken a Trump stance, whatever that
program – English language thing was.
00:33:28
We just didn’t know. I guess the short
of it is, from a media concern, I mean,
00:33:32
I had to call my ex and say hey, here’s the
situation. My ex, by the way, never having served,
00:33:39
doesn’t really track with all this, and
I’m having to give her this crash course;
00:33:43
we think this is Russia, here’s the crash
course on Russian intelligence services.
00:33:48
We don’t think we have to worry about them
but who knows? I’m more worried about people
00:33:53
believing that it’s Russia and believing that
we’re somehow cahooting with them and the short
00:33:57
of it is do you want me to see my kid kind of
thing, or I’ll totally understand if you say no,
00:34:02
kind of deal. For several weeks, that’s the way we
played it, was that me and my kid were on hangouts
00:34:08
like you and I are now and not seeing each other
in person because again, we just didn’t have a
00:34:13
good handle on how or if or whatever people
were going to react to this. Yeah, as far
00:34:19
as changed my life, I mean, immediately. There
are some immediate impacts that sucked. Yeah.
00:34:26
JACK: Now, you’ve probably heard of the FBI’s
Most Wanted list but did you know there’s also
00:34:30
an FBI’s Cyber’s Most Wanted list, too? Criminal
hackers that the FBI is looking for. When the FBI
00:34:37
has enough evidence that a hacker has committed
a crime, they will indict the hacker and if it’s
00:34:41
severe enough, they’ll stick them on this list.
Sometimes the FBI indicts nation state hackers,
00:34:46
too. Like for instance, the Cyber’s Most Wanted
has eleven hackers who work for the Russian
00:34:52
government and they were involved in interfering
with the 2016 elections. There are also four Iranian
00:34:59
hackers indicted for conducting espionage against
the US. If any of these hackers on the Cyber’s
00:35:04
Most Wanted list were to travel to the US or even
a country that has an extradition treaty with the
00:35:09
US, they will probably be arrested and brought
to court but so far no hackers have been indicted
00:35:15
for whoever was behind these Shadow Brokers
dumps. Was there any travel that you cancelled?
00:35:21
JAKE: Definitely, no question. They poked back
up in July, I think. It was either late June
00:35:28
or early July and I canceled a trip to Singapore.
Yeah. One of the issues that came down was – and a
00:35:36
lot of people forget about this in the dumps, but
in the April dump where they dumped EternalBlue,
00:35:43
they also dumped operational data involving
SWIFT banks and some other stuff, or SWIFT
00:35:48
transfers with some banks. That said, to me at
least, without confirming the data’s authentic,
00:35:58
said to me that it’s not this tooling
they have; they have operations data.
00:36:01
JACK: This means the Shadow
Brokers are claiming to have
00:36:04
seen some of the stuff the NSA has actually done.
00:36:08
JAKE: At that point, if you are watching the
news and you’re watching the US Department
00:36:13
of Justice indict foreign hackers, you then
have to step back and I definitely did this.
00:36:21
I did a mental inventory of where did I
target? Even then, doing risk modeling,
00:36:27
doesn’t even matter where I targeted. Does it
really matter where I targeted specifically or
00:36:33
is it just because I was involved with
that group that targeted X country?
00:36:39
Basically, if I land, if I touch down here, am I
likely to be arrested? It’s not just the question
00:36:44
of what did they share, but – sorry, what did
they share publicly, it’s also like we don’t
00:36:49
know what they’re sharing on the back end and if
it is Russian intelligence, or even if it’s not,
00:36:55
whatever, but what are they, whoever they are,
sharing on the back side that we don’t know about?
00:36:59
That also was a huge unknown and that’s
something I continue to play mentally today,
00:37:04
kind of mentally play through. ‘Cause we saw
Canada arrested the Huawei executive on our behalf
00:37:11
in an airport, for goodness sakes.
They never even cleared customs.
00:37:17
Every time I travel internationally, I’m
playing that whole risk modeling not just
00:37:22
of was I involved with this country but for
the country that I was involved with targeting,
00:37:29
did I – basically, I’m on an extradition in some
place. Do they have an extradition policy with
00:37:36
that other country? Yeah, I canceled travel to
Singapore. I had some other opportunities that I
00:37:42
passed on entirely because I just don’t feel safe
traveling to a number of countries as a result.
00:37:47
JACK: Yeah, it almost feels like
you’re at their mercy at this point.
00:37:50
JAKE: Well, there’s no question. I guess, if
you want to play – I’m gonna try not to play the
00:37:56
victim here ‘cause, whatever, I made employment
decisions. They were employment decisions. Those
00:38:03
same decisions are why I’m where I’m at today.
But yeah, there’s no question in my mind that they
00:38:12
have a lot of operational data about me
and it’s stuff that could definitely paint it in
00:38:18
the wrong light. Paint it in the wrong light
would be very bad and would, for me personally,
00:38:26
and I am definitely at their mercy for what it
is that they choose to release or not release.
00:38:32
I’ve said repeatedly that, and I stand by this;
so far, we haven’t seen any US hackers indicted,
00:38:40
nation state hackers indicted, but I am not a
betting man. I would not bet against me being
00:38:46
the first one, or on the first list. I can’t
fathom that I won’t be involved somehow and
00:38:51
I hope I’m not. It’s not something I’m
wishing for or asking for. But again,
00:38:55
just playing the odds. When somebody else finally
– when another country finally pulls a DOJ
00:39:00
and starts indicting US nation state hackers, it
will surprise me greatly if I’m not on that list.
00:39:09
JACK: Jeez, I don’t even know what to say
about that. This is life in the shadow of
00:39:16
the Shadow Brokers. It also makes me think
about him as a SANS instructor. I’ve taken
00:39:21
a SANS course and it would just blow my mind
if I knew my teacher was wanted in several
00:39:26
countries for hacking on behalf of the NSA. Is
he a criminal or not? Some countries probably
00:39:32
think he is but back home, he’s just carrying
out his orders. Now, when I think about it,
00:39:36
I think it’s actually weird that the FBI
indicts the hackers who were working for
00:39:40
foreign governments. The hackers were just
carrying out their orders. Why not indict the
00:39:45
officers or generals or the leader who signed
the executive order? At that point, you might
00:39:50
as well treat it like an act of hostility
from one nation to another. I don’t know;
00:39:54
it gets weird and sticky on who to blame for
hacking when it comes to nations hacking nations.
00:39:59
It’s kind of like when Apple is suing Google
for twenty things and Google is suing Apple for
00:40:03
twenty things. Yeah, sure, Russians hacked the
US but the US has probably hacked Russia too,
00:40:09
so now what? Since 2017, we haven’t heard
anything more from the Shadow Brokers. Their
00:40:16
last tweet mentioned Jake once again but it
wasn’t really saying anything new. Since then,
00:40:21
it’s been quiet. While we normally
saw them come back every few months,
00:40:24
they’ve now been quiet for over two years. But
I don’t think that’s the end of Shadow Brokers.
00:40:29
I still think there’s a huge investigation, a
hunt into who’s behind it. It quite possibly
00:40:35
could have been an insider, a double agent,
someone who works in the NSA and had access
00:40:40
to this stuff but was feeding it to another
country like Russia. Yeah, at this point,
00:40:45
most signs do point to Russia being behind the
Shadow Brokers, but we don’t know for certain.
00:40:50
But if you think about the intent and capabilities
of this group, their intent is to do battle with
00:40:55
the most sophisticated hacking group in the world,
the NSA, and then burn some of their expensive
00:41:01
exploits. Their capabilities are that they
can somehow get these exploits out of the NSA,
00:41:06
probably one of the most secure places in
the world, and then publish them and then
00:41:10
get away with it. When you think about all
the intelligence capabilities the NSA has,
00:41:15
and they don’t have anything on this crew, this
puts Shadow Brokers in a top-tier category for
00:41:20
what their capabilities are. Then you look at
how much they say about Trump and the ability
00:41:25
to shift the news cycles when it comes to Russia;
yeah, it just looks like it’s probably Russian.
00:41:30
But like I was saying, there haven’t been any
FBI indictments about this or public statements
00:41:35
from the US government about this either,
and especially nothing from the president.
00:41:38
He typically doesn’t call out Russia for stuff
like this but even if he did blame Russia for
00:41:44
this, what would that sound like? It would admit
that the NSA somehow lost control of their secret
00:41:50
hacking tools and that might make the US look bad,
so it’s a complicated issue. [MUSIC] Oh, and I
00:42:00
should also mention Harold Martin III somewhere
in here, too. There’s this theory that Harold
00:42:05
is somehow behind this. Harold was a government
contractor working for Booz Allen Hamilton and
00:42:11
while he was there, he was doing some work for the
NSA and got access to some top-secret information
00:42:15
within the NSA. Harold decided to steal fifty
terabytes of information from NSA’s servers and
00:42:21
successfully got it out. We don’t know who Harold
gave these fifty terabytes to or if he gave it to
00:42:26
anyone. We don’t even know what’s in the data but
he was caught and is currently serving nine years
00:42:32
in prison for this. The data on the Shadow Broker
dumps could have been something that Harold stole.
00:42:37
The timestamps do seem to line up with this but
there’s no real good evidence that does connect
00:42:43
Harold to this whole thing. Alright, let’s
take a step back and try to understand what
00:42:49
this whole Shadow Brokers thing means. Well, the
NSA has neither confirmed nor denied that they’ve
00:42:54
made these tools. All signs point to these being
actual exploits that the NSA has made and kept to
00:43:00
themselves as weapons to attack the enemy with.
Let’s think about that; this means the NSA has
00:43:07
a group of researchers who are actively looking
for vulnerabilities in software like Microsoft
00:43:13
Windows and then when they find these
vulnerabilities, they don’t tell Microsoft about
00:43:18
it. They keep it to themselves. Now, the NSA has
publicly said they don’t hoard zero-days or
00:43:24
exploits that nobody knows about but here’s
evidence that they do. What does that mean?
00:43:29
Well, it seems the NSA has decided it’s
more important to be on the offensive
00:43:35
versus being on the defensive. If the NSA
was defensive-minded, they would be working
00:43:41
with software vendors to find vulnerabilities
and get them fixed. But instead we see this,
00:43:47
where they secretly find vulnerabilities and not
tell the software vendor about it so that they
00:43:53
can later use it on an attack against someone
else. Perhaps this was the message that the
00:43:58
Shadow Brokers was trying to relay, to place the
NSA under extra heat for hoarding zero-days like
00:44:04
this. That’s certainly what happened. A lot of
people used this as evidence that the NSA does
00:44:09
not have it in their interest to keep us secure,
but instead they want to keep these exploits to
00:44:15
themselves so they can be better at doing
espionage and surveillance and hacking into
00:44:21
other networks which I suppose could be considered
defensive-minded if they’re using that to find
00:44:28
what an upcoming attack on our country is going
to be. But that’s just hard to believe when we see
00:44:33
nation states hacking into companies in the US and
creating huge, huge problems for those companies.
00:44:41
See, here’s the perfect example of when that can
backfire; when the exploits the NSA makes gets
00:44:46
into the wrong hands or when someone exposes
the capabilities of the NSA. Snowden, the ANT
00:44:52
catalogue leak, and now the Shadow Brokers give
us a very clear view into what the NSA is doing.
00:45:00
I think it’s important that we all take full note
of what we see here. [MUSIC] Now, as someone who
00:45:06
used to defend networks from threats, I want to
take a moment and talk about what we as defenders
00:45:11
should be doing about the Shadow Brokers. When the
Shadow Brokers dumped all these NSA-grade hacking
00:45:16
tools, we should be analyzing them and trying
to understand them as best we can. Here’s why;
00:45:22
let’s take the Windows event log hack that was
dumped as an example. This is a hack that can turn
00:45:27
Windows logging off and then back on whenever you
want, or it can delete individual event logs from
00:45:33
Windows. Here’s the thing; historically, it’s been
possible as an admin to turn logging off and on.
00:45:39
Okay, fine, but when that happens, an event is
created that says logging has been turned off.
00:45:45
It’s also possible to clear all event logs but
again, there’s a log created that says that all
00:45:50
the logs have been wiped. That wipes all logs,
not just one or two. But with this hack that
00:45:55
was dumped, you can disable logging without an
event indicating logging has been turned off.
00:46:02
You can turn it off, do your dirty work, then
turn it back on and there’s no evidence that the
00:46:07
logs have been tampered with which is really
scary but important to know. There’s also a
00:46:13
capability of removing individual events.
This is important for us defenders to know
00:46:18
because Windows event logs are so important to
us. They tell us the truth of what happened.
00:46:24
How do we handle this? Now you need to be
looking for what’s not there. For instance,
00:46:29
event logs are numbered. What if you saw
Event Log 97, 98, no 99, and then 100?
00:46:37
What happened to Event Log 99, or what happens
when you see a log-out event but not a log-in?
00:46:42
If you see stuff like this, you can assume you
have a hacker who’s using these Shadow Brokers
00:46:48
hacks but also isn’t that savvy enough to know
how Windows logging works because this hacker was
00:46:53
smart enough to delete their log-in event but not
good enough to delete their log-out event. This is
00:46:59
the kind of stuff that defenders and incident
responders have to learn about from Shadow
00:47:03
Brokers. But not only that; every sophisticated
hacking team in the world paid serious attention
00:47:08
to these dumps. I just told you about the logging
one but there’s seventy other exploits they
00:47:14
dropped. Government hacking teams have probably
done a deep analysis on every single exploit in
00:47:20
the dumps to learn everything they could about
it; what it does, how to use it most effectively,
00:47:24
and then throw it in their bag of tools to use it
whenever they want. This is why it’s important for
00:47:30
the InfoSec community to know this as well. I
mean, if the NSA did create these hacker tools,
00:47:35
they probably spent millions of dollars
on research and development to make it.
00:47:39
That was paid by my tax dollars so seeing what
their capabilities are and knowing it’s in the
00:47:44
hands of every hacker in the world, it’s an
extremely valuable lesson for anyone working
00:47:49
in InfoSec. It’s simply not every day that we
get to look at tools this sophisticated and
00:47:56
now any script kiddie in the world has them
and is using them. Ever since these dumps,
00:48:02
digital forensics and incident responder teams
have been seeing a high amount of attacks that
00:48:07
were using stuff from these dumps. It still
continues to this day. It’s very important
00:48:12
for us defenders to understand
this, especially for the exploit called
00:48:17
EternalBlue. EternalBlue would go on to be a key
component for some of the world’s biggest hacks,
00:48:24
hacks that were so big, they practically
caused doomsday scenarios for many people.
00:48:30
Join me in the next episode as we dig into
one of the hacks that used EternalBlue.
00:48:35
JACK (OUTRO): [OUTRO MUSIC]
00:48:43
A big thank you to our guest Jake Williams for
taking time to share this incredible story with
00:48:48
us. You can follow him on Twitter. His name
there is @MalwareJake. Good luck out there,
00:48:53
Jake. I also want to give a big thanks to Andy
Greenberg from Wired. He just finished writing a
00:48:58
new book called Sandworm which goes into detail
about this whole Shadow Brokers thing and then
00:49:03
goes into detail about what EternalBlue went on
to be used for. We’re gonna interview Andy in
00:49:08
the next episode so if you want to check out
his book, it’s Sandworm. It’s really good.
00:49:13
Don’t forget to help support this show through
Patreon where you can get some bonus episodes
00:49:17
exclusive only to Patreon donators, and you
can also get some stickers and an ad-free feed.
00:49:22
Patreon supporters really do make a huge impact
on keeping this show going and they’re absolutely
00:49:28
my favorite listeners. This show is made by
me, grizzly masquerade, Jack Rhysider. Sound
00:49:35
design this episode is by the headphone-wearing
Andrew Meriwether. Editing help this episode by
00:49:40
the cyber-maiden Damienne. Our theme music
is by the jingling Breakmaster Cylinder.
00:49:46
Even though webmasters around the world add my IP
00:49:49
to their blacklist every time I
say it, this is Darknet Diaries.