Who Stole the NSA's Top Secret Hacking Tools? 🎙 Darknet Diaries Ep. 53: Shadow Brokers

00:50:04
https://www.youtube.com/watch?v=Zje2Pqmh-I0

Summary

TLDR: The podcast episode centers around the controversial leak of the NSA's ANT catalogue by a mysterious group known as the Shadow Brokers. This catalogue contained sophisticated hacking tools designed for cyber-surveillance, such as COTTONMOUTH, and the leak exposed several exploits like EternalBlue that significantly impacted global cybersecurity. Allegedly, the Shadow Brokers obtained these tools, potentially from an NSA insider, and released them to the public in a series of dumps. Former NSA member Jake Williams was targeted publicly by the Shadow Brokers due to his analysis and commentary on the leaks. Despite the leaks, there has been no resolution or indictments regarding the Shadow Brokers, leaving an ongoing concern about the security and use of such advanced cyber weapons.

Takeaways

  • 🕵️‍♂️ The NSA's ANT catalogue contains advanced hacking tools and exploits.
  • 🔓 The Shadow Brokers leaked NSA tools, causing a major cybersecurity impact.
  • 💻 COTTONMOUTH is a covert USB tool for data capture, developed by the NSA.
  • 📉 Jake Williams was targeted for his statements on Shadow Brokers' leaks.
  • 🚨 EternalBlue, a critical exploit, was part of the leaked NSA tools.
  • 🌐 The leak's attribution is uncertain, possibly linked to Russia.
  • 🎯 The NSA's offensive approach may have backfired through these leaks.
  • 🤔 The leaks provoke questions about ethical hacking and government surveillance.
  • 🇺🇸 No US indictments have occurred regarding this significant leak.
  • ⚠️ The leak underscores the value of understanding and defending against advanced threats.

Timeline

  • 00:00:00 - 00:05:00

    In this video, Jack discusses the NSA's ANT Catalogue, a document revealed to the public through leaks that details advanced hacking tools used by the NSA, including devices and software for cyber-surveillance. The catalogue lists items like the COTTONMOUTH USB implant for capturing data and transmitting it wirelessly, as well as DROPOUTJEEP for exploiting iPhones. Jack highlights the sophistication of such tools, stressing that although they read like science fiction, they are real devices with real-world consequences. This revelation challenges the perception of digital security and showcases the vast capabilities of government surveillance.

  • 00:05:00 - 00:10:00

    In this section, Jack introduces Jake Williams, a seasoned security expert and founder of Rendition InfoSec. Jake provides security management, incident response, and red team services, in addition to teaching SANS courses. The discussion centers on an incident occurring in August 2016 when the Shadow Brokers, a mysterious group, leaked NSA hacking tools. The release included exploits for Cisco and Fortinet firewalls, catching the attention of Jake and his team who realized the gravity of the situation. The SOC at Rendition InfoSec spotted this activity early, prompting Jake to investigate the legitimacy of the leaks, which they found to be genuine.

  • 00:10:00 - 00:15:00

    Jake affirms the authenticity of the Shadow Brokers’ leaked NSA tools, specifically pointing out the impact of these tools on fully updated systems. While teaching at Rendition Security, Jake analyzes the dump, highlighting the serious implications of such sophisticated tools being available publicly. The leak suggests a potentially massive security risk. Jake mentions the internal discussions and analysis at Rendition to interpret the motives of the Shadow Brokers, considering whether financial gain or a broader information operation was their goal. For now, the security community is left to deal with the fallout of these incredibly potent hacking tools becoming public knowledge.

  • 00:15:00 - 00:20:00

    As Jack notes, the Shadow Brokers' leaks received widespread media attention for exposing top-secret NSA exploits. Jake speculates that the exploit they released seemed credible, indicating a serious breach of security. At the time, it was unclear if the Shadow Brokers had more information to release. Jake recounts how the event triggered Rendition InfoSec to conduct thorough checks for potential exposures faced by their clients. Meanwhile, major companies like Cisco and Fortinet scrambled to issue patches. The incident raised concerns about who the bad actors behind Shadow Brokers could be—whether they were insiders, hackers, or a nation-state entity.

  • 00:20:00 - 00:25:00

    In a twist, Jake is personally targeted by the Shadow Brokers in a tweet, revealing his past involvement with the NSA’s hacking division. This revelation comes amid ongoing dumps of NSA tools by the Shadow Brokers, suggesting knowledge of past NSA operations and further complicating Jake’s situation. He expresses concerns about the unpredictability of government and public reactions, uncertain about the consequences of being linked to such a high-profile security breach. Jake’s experience highlights the broader implications for individuals previously associated with intelligence operations during such leaks.

  • 00:25:00 - 00:30:00

    The discussion shifts to the political implications of the Shadow Brokers' dumps, which correspond with times when Russian activities are in the spotlight, suggesting a possible motive to divert attention. Jack discusses how Jake’s analysis of these events, shared on his widely-followed blog, gains significant attention. The Shadow Brokers publicly accuse Jake of being an ex-NSA hacker, sparking concern about the potential backlash, both from the government and in his personal life. This threat changes Jake's personal threat model and influences decisions regarding travel and public statements.

  • 00:30:00 - 00:35:00

    Jake's fear of international travel grows amidst potential leaks of NSA operational data by the Shadow Brokers. The uncertainty surrounding the motivations behind their actions adds to his anxiety. The Shadow Brokers mentioned various operations linked to Jake, though he refrains from commenting due to security concerns. Jake emphasizes the risk associated with other nations possibly learning about past NSA missions and the threat of becoming a target for retribution. This personal risk also extends to his professional life and his role in educating future cybersecurity professionals.

  • 00:35:00 - 00:40:00

    Jack delves into the potential origins of the Shadow Brokers and the high-stakes arena of international cyber espionage. Considering the Shadow Brokers' capabilities and their apparent impact on global security, there's widespread speculation of Russian involvement, given their targeting of the NSA and the timing of leaks during political tensions. The FBI has not made any public indictments, leaving the attackers' identities a mystery. Harold Martin III's arrest for stealing NSA data complicates the narrative, illustrating the difficulty of determining whether that data aligns with what the Shadow Brokers leaked.

  • 00:40:00 - 00:50:04

    Jack concludes by contemplating the implications of the Shadow Brokers' actions, questioning the ethics and strategies of the NSA concerning their offensive cyber operations. The releases highlight that the NSA could be storing vulnerabilities for global cyber espionage, provoking criticisms about their approach to national security. For cybersecurity experts and professional responders, the leaks serve as an urgent call to analyze and understand these tools to better protect systems from similar vulnerabilities. The Shadow Brokers’ legacy continues to prompt discussions on the balance between national security and ethical responsibility in cyber operations.

Video Q&A

  • What is the NSA ANT catalogue?

    It is a catalog of advanced hacking tools, exploits, and cyber-surveillance devices developed by the NSA for secure operations.

  • Who leaked the NSA ANT catalogue?

    The catalogue was leaked by an individual with access to NSA documents, possibly associated with the whistleblower Snowden or another unknown leaker.

  • Who are the Shadow Brokers?

    The Shadow Brokers are a group that publicly dumped NSA hacking tools, claiming to have stolen them from the NSA.

  • What is COTTONMOUTH?

    COTTONMOUTH is an NSA device that looks like a USB plug but can capture and transmit data, such as keystrokes, wirelessly.

  • What impact did the Shadow Brokers have on cybersecurity?

    They released several highly sophisticated NSA hacking tools, including EternalBlue, which significantly affected cybersecurity worldwide.

  • Did the NSA admit to losing control of their hacking tools?

    The NSA has neither confirmed nor denied the creation or loss of these tools.

  • How did the Shadow Brokers release more NSA tools to the public?

    After initially attempting to auction them, the Shadow Brokers released several more hacking tools for free online when their auction did not succeed.

  • Why did the Shadow Brokers attack Jake Williams online?

    They tweeted accusing him of being a former Equation Group member, likely due to his public comments and blog posts about the Shadow Brokers.

  • What is EternalBlue?

    EternalBlue is a potent exploit targeting Windows machines, released by Shadow Brokers and widely used in subsequent cyberattacks.

  • Has there been any resolution or justice regarding the Shadow Brokers?

    There have been no FBI indictments or conclusive public statements pinpointing the identity of the Shadow Brokers.

Subtitles

  • 00:00:00
    JACK: Sometimes you read the news and the story  sticks with you forever. One such news story I
  • 00:00:06
    saw was some security news I heard and I’ll  always remember it. It was when I first saw
  • 00:00:11
    a presentation about the NSA ANT catalogue. Have  you seen this? It’s mind-bending. [MUSIC] Okay,
  • 00:00:19
    here’s what happened. Someone with access to NSA  documents took the ANT catalogue and gave it to
  • 00:00:24
    journalists at Der Spiegel and then they published  it. At first, we thought it was Snowden who leaked
  • 00:00:30
    these documents but we’re not sure if it was him  or a second leaker. I asked Snowden on Twitter if
  • 00:00:35
    it was him, but he didn’t respond. So, what’s  NSA’s ANT catalogue? ANT stands for Advanced
  • 00:00:42
    Network Technology and in this catalogue are a  list of hacks, exploits, and cyber-surveillance
  • 00:00:48
    devices that the NSA can use for certain missions.  If you work at the NSA and you need an exploit,
  • 00:00:54
    you look through this catalogue and then request  to get one of these devices or pieces of software.
  • 00:01:00
    When you look through it, it looks like the work  of science fiction but these are all real devices.
  • 00:01:06
    Let me point out a few to you; the NSA has created  a device codenamed COTTONMOUTH. It looks like a
  • 00:01:13
    typical USB plug; one you’d see on a mouse or  a keyboard but it’s actually capturing all the
  • 00:01:18
    data going through it and wirelessly transmitting  that data. It listens for mouse clicks, keyboard
  • 00:01:23
    strokes, or any other data going through it. Now,  the receiver has to be close by; I don’t know,
  • 00:01:28
    twenty feet maybe, and with a strong antenna  and nothing in the way could probably transmit
  • 00:01:32
    much further. Someone could be listening maybe  in the room next door to everything that your
  • 00:01:38
    USB connector is seeing. This is some next-level  technology that the NSA developed in 2008 which
  • 00:01:44
    still isn’t even available commercially today. The  ANT catalogue even lists a price for this; $20,000
  • 00:01:51
    per USB implant. Jeez, that’s a lot. The NSA ANT  catalogue has loads of other hacks and implants.
  • 00:01:58
    There’s DROPOUTJEEP which is a piece of software  that if you can get it onto an iPhone, it’ll give
  • 00:02:04
    you all the text messages, contacts, voicemail,  it’ll hot mic or open the video-camera, and get a
  • 00:02:09
    geo-location of that phone. There’s Firewalk  which is a pretty amazing network sniffer.
  • 00:02:15
    There’s JETPLOW which is a firmware that gives  the NSA backdoor access to a Cisco firewall. Then,
  • 00:02:21
    there’s DEITYBOUNCE which is an implant that goes  onto a Dell server which can get them backdoor
  • 00:02:26
    access to that, but one of my favorites is called  RAGEMASTER. This is a little device that taps into
  • 00:02:31
    any VGA port. This is the connector that goes  from your computer to your monitor. With this,
  • 00:02:37
    it can wirelessly transmit everything that  VGA connector sees, essentially cloning that
  • 00:02:42
    monitor to be seen by someone else at a distance.  Let’s imagine how these hacks might take place;
  • 00:02:48
    the NSA might intercept a Cisco firewall  being delivered somewhere and they’ll open
  • 00:02:53
    the box carefully, put their firmware  on it, and then seal the box back up.
  • 00:02:58
    This will give them permanent backdoor access  into that firewall whenever they want, or if they
  • 00:03:03
    know their target is going to stay at a hotel,  they can get a room next door to their target,
  • 00:03:07
    break into their target’s room, install  COTTONMOUTH or RAGEMASTER and then listen
  • 00:03:13
    in the other room for the wireless signal to see  everything that person was typing and seeing. Even
  • 00:03:19
    if that person wasn’t connected to the wireless  or any network at all, this is possible and
  • 00:03:24
    it’s insanely impressive. Yes, fifty items in this  catalogue were leaked to the public in 2013 but we
  • 00:03:32
    only saw descriptions of these devices; no actual  devices were seen. Now, upon closer inspection,
  • 00:03:39
    we see that these items were intended to be used  by TAO. TAO stands for Tailored Access Operations,
  • 00:03:46
    TAO. It’s a unit within NSA that has a primary  objective to gather intelligence on computer
  • 00:03:52
    systems. The people within TAO have access to the  most sophisticated hacking tools ever created.
  • 00:03:59
    They have the budget and ability to spend  years on research and development to make
  • 00:04:03
    insane tools and then use them whenever they  need. TAO is NSA’s elite hacking force and
  • 00:04:09
    they’ve actually changed their name to Computer  Network Operations now but for this story,
  • 00:04:13
    I’m gonna just keep calling them TAO. When  security companies research hacking campaigns,
  • 00:04:18
    they can’t tell for sure who did it, so they  give hackers a unique codename. Fancy Bear is
  • 00:04:24
    what’s given to the Russian hackers. Charming  Kitten is given to Iran and so on. But security
  • 00:04:29
    companies have investigated certain malware  that’s come from the NSA. A hacking name was
  • 00:04:34
    given to the NSA. The name they were given  is the Equation Group and it’s believed
  • 00:04:41
    that whoever is doing work for the Equation  Group is specifically TAO within the NSA.
  • 00:04:47
    JACK (INTRO): [INTRO MUSIC] These are true  stories from the dark side of the internet.
  • 00:04:58
    I’m Jack Rhysider. [00:05:00] This is  Darknet Diaries. [INTRO MUSIC ENDS]
  • 00:05:09
    JACK: Okay, today we’re talking with someone  who I really wanted to talk to for a long time;
  • 00:05:21
    someone who knows a lot about security  and has been doing this for decades.
  • 00:05:24
    When you’re battling hackers for that long,  you surely have some interesting stories.
  • 00:05:29
    JAKE: My name’s Jake Williams. I’m  the founder of Rendition InfoSec.
  • 00:05:34
    I think right now I’m an InfoSec dumpster fire  putter-outer, basically. All over the board,
  • 00:05:39
    when it comes to InfoSec, incident  response, Red Team, SOC, whatever.
  • 00:05:42
    JACK: What does Rendition Security do?
  • 00:05:45
    JAKE: Well, we’re on a managed security  operation center, so I manage SOC,
  • 00:05:49
    or vSOC as some people call it. We do that 24/7  here in the US to actually manage out of Augusta,
  • 00:05:55
    Georgia. Separately, worldwide, we do Red Team  and incident response. We have folks actually in
  • 00:06:02
    several countries and do a lot of international  work as well as domestic work as well.
  • 00:06:09
    Basically, Red Team incident response  is a big piece for digital forensics.
  • 00:06:13
    Some security architecture work  and then of course, the vSOC.
  • 00:06:17
    JACK: For you Twitter folks out there, this is  @MalwareJake on Twitter. I say that because he
  • 00:06:23
    has fifty thousand followers on Twitter  and he’s pretty well-known. Besides being
  • 00:06:26
    the founder of Rendition Security, he also  teaches SANS courses. These are information
  • 00:06:31
    security courses and specifically he teaches  courses on threat intelligence, forensics,
  • 00:06:36
    penetration testing, and even threat  detection. SANS courses are usually
  • 00:06:40
    fantastic and extremely informative and have  some of the best teachers. For this story,
  • 00:06:44
    we’re gonna go back to August 2016. [MUSIC] Jake  was working for Rendition Security then and his
  • 00:06:50
    client had a specific security issue that was  so big they needed Jake to go on-site to help.
  • 00:06:55
    This was an incident response; the client  was hit with something serious so Jake and
  • 00:07:00
    his team went to the client location and took  over a conference room to begin doing triage.
  • 00:07:06
    JAKE: We already had a War Room per se  right there for the incident response.
  • 00:07:10
    JACK: Jake had been at this client site for  a few days now trying to help resolve this
  • 00:07:15
    security incident. Back at the home office of  Rendition Security, they have a full-on SOC,
  • 00:07:20
    a Security Operations Center. While a few  people were on-site helping the client,
  • 00:07:25
    there were many more people back in the office  helping out, too. A SOC is usually quite a sight
  • 00:07:30
    to see. They have lots of technicians or analysts  sitting in desks with three or four monitors each,
  • 00:07:36
    analyzing alerts. But on the wall in the front of  the SOC will be all kinds of big screen monitors;
  • 00:07:41
    world maps, attack maps, rosters, news  feeds. On one of the monitors in this
  • 00:07:47
    SOC was a Twitter feed. Now, in the early  morning of August 13th, 2016, one of the
  • 00:07:53
    people in the SOC saw something on that Twitter  feed and they knew they needed to tell Jake.
  • 00:07:58
    JAKE: Maybe 6:30 or 7:00 in the morning,
  • 00:08:01
    something like that. I remember we were  just rolling out. If I remember correctly,
  • 00:08:05
    I think the Sonic for breakfast; grabbing  some of those breakfast burritos they have.
  • 00:08:10
    JACK: The tweet that Jake read was posted by  someone with the name Shadow Brokerss with two
  • 00:08:16
    s’s at the end. Tweet said, quote, “We follow  Equation Group traffic. We find Equation Group
  • 00:08:23
    source range. We hack Equation Group. We find many  Equation Group cyber-weapons. You see picture? We
  • 00:08:31
    give you some Equation Group files free. You  see? This is good proof. No, you enjoy. You
  • 00:08:37
    break many things, you find many intrusions, you  write many bad words but not all. We are auction
  • 00:08:43
    the best files.” End quote. That is hard to  understand. Sounds like whoever wrote that,
  • 00:08:48
    English was not their first language. But it  basically said this group, Shadow Brokers,
  • 00:08:53
    have stolen some cyber-weapons from the NSA,  specifically TAO within the NSA which is what
  • 00:08:59
    Equation Group is, and that they’re giving away  one of these exploits for free to everyone now,
  • 00:09:05
    and auctioning the rest off. The Rendition  SOC saw this, thought it was important.
  • 00:09:12
    JAKE: [00:10:00] We got alerted from one  of them and said hey, are you seeing this?
  • 00:09:17
    Up to that point, the answer is  no, we haven’t seen this. Then,
  • 00:09:20
    we’re popping up on Twitter and  going out to GitHub and saying okay,
  • 00:09:23
    hey, first it was the download the stuff from  GitHub and then it was a oh snap, this is real.
  • 00:09:29
    This isn’t a hoax. This is real stuff.
    JACK: Even though Jake is the President
  • 00:09:33
    of Rendition Security and even though  he was on a client’s site at the time,
  • 00:09:37
    he felt this was so important that he took time  out of his day to download these files and to
  • 00:09:42
    look at this malware that the Shadow Brokers had  released. The malware was a specific exploit for
  • 00:09:48
    Cisco and Fortinet firewalls. This malware  would allow the attacker to send an exploit
  • 00:09:53
    to a fully-patched firewall and allow the  hacker to take full control of that firewall.
  • 00:09:59
    JAKE: Well, I downloaded some files that,  we’ll say for sake of argument, looked legit.
  • 00:10:07
    JACK: Hm, Jake says it looks legit. Let’s  consider what that means for a moment;
  • 00:10:15
    someone calling themselves Shadow Brokers  has claimed that they got one of TAO’s
  • 00:10:20
    secret exploits and publicly dumped it for  the world to see, an exploit that Cisco and
  • 00:10:25
    Fortinet did not know existed. This exploit  does in fact work on a fully-updated firewall,
  • 00:10:31
    meaning it was previously unknown to the  world and now Jake is saying it looks legit.
  • 00:10:37
    JAKE: Yeah, I mean, I think that’s  as far as I can go directly without
  • 00:10:42
    confirming or denying. We’ll say  looked like legitimate threats.
  • 00:10:46
    JACK: I feel like Jake might know something  more about this than he’s leading on. I mean,
  • 00:10:52
    what president of a security company is going to  take time out to download a potential NSA exploit,
  • 00:10:58
    test it, and then come out and  say it looks legit? After this,
  • 00:11:02
    he went into the client office  to continue doing work for them.
  • 00:11:06
    JAKE: Actually, it was a Cisco customer who had  a lot of Legacy Cisco equipment. Having some of
  • 00:11:15
    that Legacy Cisco equipment with the – basically,  we’ll just say it was equipment that was itself
  • 00:11:23
    vulnerable in some of the configuration. Some  of the stuff they had, actually, was vulnerable
  • 00:11:27
    to some of the stuff that was released which is  obviously not a best-case kind of scenario there.
  • 00:11:34
    Yeah, definitely was doing some digging  into what’s in the dump and what kind of
  • 00:11:40
    exposure does that leave not just them that we’re  on-site with but obviously other clients as well.
  • 00:11:45
    JACK: Both Cisco and Fortinet confirmed this  was a vulnerability they were not aware of
  • 00:11:49
    and issued a patch right away but this barely  fixed the issue. The issue now is who are these
  • 00:11:55
    Shadow Brokers? How many exploits do they have?  [MUSIC] How did they get these? Not to mention,
  • 00:12:01
    they’re selling even more of these to the  highest bidder. They even went on to say if
  • 00:12:05
    they can get one million Bitcoin, they’ll dump  everything to the public for everyone to see.
  • 00:12:10
    But the immediate problem is realizing that this  top-secret exploit is now in the enemy’s hands.
  • 00:12:16
    JAKE: Well, everybody’s hands, right? At the time,  bear in mind, it’s one zip file and it is a – it’s
  • 00:12:20
    one zip file and there’s no evidence at  this point that they have anything else
  • 00:12:31
    specifically. I know they claimed to but in  their initial post, it’s all gibberish anyway.
  • 00:12:38
    I’m kind of looking at it going, it’s one file.  Without giving the specifics, let’s just say that
  • 00:12:46
    it is the kind of thing that I could see  somebody having without having everything else.
  • 00:12:52
    There are plausible scenarios in which one  could have that specific thing and not have
  • 00:12:59
    everything else that they dump later.
  • 00:13:00
    JACK: Okay.
  • 00:13:01
    JAKE: Yeah.
  • 00:13:01
    JACK: Did you think – did you have a guess  at who might be Shadow Brokers at that point?
  • 00:13:06
    JAKE: I think at that point it was  a little too early for me to really
  • 00:13:11
    develop much of a theory beyond the wow.  It was quite a dump so I think at the time,
  • 00:13:22
    we did a lot of internal discussion and  analysis. Rendition, we did quite a bit of that.
  • 00:13:32
    I think for us, we were kind of split between  either this is legit; they’re dumping this to
  • 00:13:39
    show that they have legit other stuff to sell.  ‘Cause remember, that was part of the offer,
  • 00:13:45
    right? Was that they would release the keys to  decrypt these other awesome, as of yet unknown,
  • 00:13:51
    even what – quantity and quality, these  other zero-days. We’re gonna release all
  • 00:13:56
    this stuff. This is the preview or the teaser,  as it were, to get people’s appetites whet.
  • 00:14:04
    I think about half of us, the group, kind of  looked and said yeah, that’s probably what it is.
  • 00:14:10
    There was another group that was – another  [00:15:00] contingent that was like yeah, no,
  • 00:14:14
    this has nothing to do with money, absolutely  nothing to do with money. This is full-on,
  • 00:14:18
    regardless of what else they have, this  is full-on an information operation.
  • 00:14:23
    I think I kind of flip-flopped  between the two. I gravitate to
  • 00:14:26
    information operation but I could see  the other argument being legit as well,
  • 00:14:32
    that some insider perhaps had walked out  with stuff and was motivated by money.
  • 00:14:37
    JACK: The news was now spreading all over the  internet that the Shadow Brokers had leaked NSA
  • 00:14:42
    hacking tools. The Guardian was posting about it,  Ars Technica, Engadget, The Atlantic, Wired, even
  • 00:14:48
    the New York Times. This was a really big deal and  had the attention of the world. How much did the
  • 00:14:55
    auction get to? Well, in the first twenty-four  hours after the dump, the auction only received
  • 00:14:59
    $937 which I think was quite a disappointment for  the Shadow Brokers. People everywhere were trying
  • 00:15:06
    to guess how they got these exploits. Did someone  hack the NSA? Maybe the NSA hacked them but then
  • 00:15:13
    left their hacker tools behind. Because if the NSA  is going to hack something, they need to put their
  • 00:15:18
    exploit there first and then execute it. Maybe  they just left their exploits behind or maybe
  • 00:15:24
    someone from the NSA grabbed this stuff and walked  out with it. Nobody knew for sure but these Shadow
  • 00:15:30
    Brokers had captured the attention of the world.  Two months later, Joe Biden was on NBC’s Meet the
  • 00:15:37
    Press. The two were talking about Russia possibly  hacking the elections and they had this to say.
  • 00:15:42
    CHUCK: I talked with Ambassador – former Russian  Ambassador Mike McFaul. We talked about the idea
  • 00:15:48
    that everyone’s – you gotta respond when  they’re hacking. You gotta do something.
  • 00:15:53
    He described it as a high hard one, maybe  just like in baseball; you throw a high,
  • 00:15:58
    hard one to send a message. But  we sent a message, yeah, to Putin.
  • 00:16:02
    JOE: We’re sending a message. We have  the capacity to do it. The message…
  • 00:16:10
    CHUCK: They’ll know it?
  • 00:16:11
    JOE: …he’ll know it. It’ll be at  the time of our choosing and under
  • 00:16:14
    the circumstances that had the greatest impact.
  • 00:16:17
    CHUCK: A message is going to be  sent? Will the public know it?
  • 00:16:23
    JOE: I hope not.
  • 00:16:25
    CHUCK: Mr. Vice President, I’ll  leave it there. Thank you, sir.
  • 00:16:29
    JOE: Thank you.
  • 00:16:30
    JACK: Two weeks after that, Shadow Brokers  published their second dump. First,
  • 00:16:35
    they say this right away, quote, [MUSIC] “Why is  dirty grandpa threatening CIA’s cyber-war with
  • 00:16:41
    Russia?” End quote. Now, I believe they’re calling  Biden dirty grandpa here because of what he said
  • 00:16:47
    just a few weeks earlier which is a really, really  weird thing to say, but okay. The contents of this
  • 00:16:55
    second dump was just a big list of IP addresses  and the Shadow Brokers claimed that this was a
  • 00:16:59
    list of servers in the world that the NSA had  infected or was using as a server to launch
  • 00:17:04
    exploits from. This wasn’t quite that big of a  dump; the message was more like telling the NSA
  • 00:17:09
    that the Shadow Brokers weren’t going away and  this is a reminder that they’re still a threat.
  • 00:17:13
    JAKE: I think the second dump was really  interesting because the second dump, given all
  • 00:17:19
    the IP addresses that were there, became a really  interesting data set for researchers who had a lot
  • 00:17:25
    of NetFlow data. We did, indeed – and I think  just like anybody else, right, went back through
  • 00:17:32
    NetFlow data for our clients and said okay, do  we see IP addresses from this list connecting to
  • 00:17:39
    any client anything? Because obviously if they  are, that could be an indicator of compromise.
  • 00:17:44
    It’s definitely an indicator of concern but yeah,  I mean other than analyzing what they wrote,
  • 00:17:50
    the Shadow Brokers themselves wrote and posted.  I think they were on Steemit still at the time;
  • 00:17:54
    yeah, Steemit. Basically, beyond looking at what  they wrote, it wasn’t really a – that next drop
  • 00:18:01
    wasn’t earth-shattering. There was nothing really  in there besides the IP addresses but it was more
  • 00:18:05
    actionable than the first one, to be honest,  for the majority of InfoSec professionals.
  • 00:18:08
    JACK: The reason why this was actionable for  some InfoSec professionals is because we got a
  • 00:18:14
    list of IP addresses that the NSA is possibly  hacking from. If you can cross-reference that
  • 00:18:20
    with the IP addresses that are coming into  your network like hits to your website,
  • 00:18:24
    logins to your VPN, that kind of thing, you might  be able to notice if the NSA was hacking you; or,
  • 00:18:33
    at least in theory, that’s what  you could possibly check for.
  • 00:18:37
    Stay with us because after the break, the  world is about to change. [00:20:00] Now,
  • 00:18:42
    something huge happened in the world just after  this second dump. The US had a presidential
  • 00:18:48
    election and Donald Trump took the election.  There was a lot of rhetoric at the time that
  • 00:18:53
    the Russians meddled with the election and just  as people were starting to talk about that,
  • 00:18:57
    in January of 2017, the Shadow Brokers  made another post, this one saying goodbye.
  • 00:19:04
    The post said that they did not get the Bitcoin  they were hoping for so they were just going to
  • 00:19:08
    release more hacking tools for free for anyone.  [MUSIC] They posted sixty-one Windows executables,
  • 00:19:13
    link libraries, and drivers, claiming each  one was developed by the Equation Group,
  • 00:19:18
    TAO within the NSA, and can be used  to hack Windows computers. Again,
  • 00:19:23
    these did check out and they were new exploits  not previously seen and they looked legit again,
  • 00:19:28
    as in they were probably created by the TAO  in NSA. The Shadow Brokers then signed off,
  • 00:19:35
    saying goodbye, claiming they’re going to go  dark because they didn’t get enough Bitcoins.
  • 00:19:40
    JAKE: Sixty-seven or something files. The  actual files themselves also get sent out.
  • 00:19:46
    That was a pretty big deal for us because in their  directory listing it says something like Event
  • 00:19:55
    Log Edit or Edit Event Log, something,  and there’s multiple references to it.
  • 00:20:00
    In the InfoSec community, and the forensics,  their deeper community, a lot of folks take those
  • 00:20:04
    event logs to be sacred, right? There are whole  textbooks written about how you can basically
  • 00:20:13
    clear an event log but you can’t surgically edit  one. Now, those of us in incident response have
  • 00:20:17
    known that’s been not true for some period of  time but we don’t have – most of us don’t have
  • 00:20:26
    publicly available tools that we can point  to and say no, no, look, here’s the capability.
  • 00:20:30
    The capability definitely exists; here’s where  it’s at. Again, anybody who’s in this business
  • 00:20:35
    knows that it’s a capability. We even know who  had it up to that point but suddenly overnight,
  • 00:20:40
    everybody had it. It changed the game on  incident response and having seen that,
  • 00:20:47
    we wanted to go ahead and basically, that was one  of the first major posts that I wrote about it,
  • 00:20:52
    was to say hey look, this is a game-changer  for incident response. It’s a game-changer
  • 00:20:58
    for a lot of stuff but specifically for IR,  this is a full-on game-changer; pay attention.
  • 00:21:02
    JACK: Hm, yeah. The exploit they dumped means  a hacker can edit an event log in Windows.
  • 00:21:08
    This was previously not a capability. Well, not a  capability except for the TAO unit within the NSA,
  • 00:21:15
    but now the whole world has this capability. This  could have a big impact. Jake continued to analyze
  • 00:21:21
    what the Shadow Brokers were dumping. Yeah, he was  blogging about it, talking about what he thinks of
  • 00:21:27
    this and what the important takeaways are from  these dumps. But this wasn’t the last we heard
  • 00:21:32
    from Shadow Brokers; about three months later,  in the first week of April, they showed back up.
  • 00:21:37
    They made another post, dumping more stolen  hacking tools. In this post, they even had
  • 00:21:42
    a message for the president. [MUSIC] Quote, “The  Shadow Brokers voted for you. The Shadow Brokers
  • 00:21:48
    supports you. The Shadow Brokers is losing  faith in you, Mr. Trump. It’s appearing you
  • 00:21:54
    are abandoning your base, the movement, and the  peoples who getting you elected.” End quote. Huh,
  • 00:22:01
    does this mean the Shadow Brokers are part of the  far-right? Or is this some kind of smoke screen?
  • 00:22:07
    Well, again, Jake saw this dump, analyzed it, made  sense of it, and then made a blog post about it.
  • 00:22:14
    JAKE: I said look, if you track the  dumps and you track some of the rhetoric,
  • 00:22:18
    the timing of the dumps is very conveniently  aligned around times that Russia is being
  • 00:22:27
    called out in the press for hacking. Literally  what they’re doing is, I hypothesized and I said
  • 00:22:33
    basically, I can’t say for sure that the timing is  coincidental or circumstantial, whatever. We can
  • 00:22:40
    say that the Shadow Brokers’ dumps, the timing of  these definitely lines up with times that Russian
  • 00:22:47
    hacking is in the news and in the tech space  which is largely where that’s being covered,
  • 00:22:53
    them dumping these – creating these dumps  is completely taking the focus away from
  • 00:22:59
    Russian hacking and putting it on oh my gosh,  NSA lost tools, allegedly. Check box, right?
  • 00:23:07
    JACK: It’s always weird when hacking stories get  political for me ‘cause I don’t think us security
  • 00:23:12
    people even cautiously [00:25:00] realize when  it does get political. We just see some shadowy
  • 00:23:16
    group of people dumping hacking tools which is  a real impact on the networks we’re trying to
  • 00:23:21
    secure. But if you lean into the story, you start  seeing things like Biden and Russia and elections,
  • 00:23:28
    and Donald Trump. Phew. These were  some of the observations that Jake
  • 00:23:33
    saw and he was starting to post this to  his blog. Now keep in mind, Jake here is
  • 00:23:38
    known as @MalwareJake on Twitter where he has  50,000 followers. When he posts a blog post,
  • 00:23:43
    it gets considerable eyes on it. This particular  blog post got retweeted and started spreading.
  • 00:23:49
    JAKE: Well yeah, not just retweeted but that  actually took the content and basically wrote
  • 00:23:55
    stories around the content saying oh,  Jake Williams of Rendition says that
  • 00:24:01
    he believes this is, if not a Russian  operation, in the interests of Russia,
  • 00:24:06
    kind of thing. Folks wrote stories  about the analysis, kind of deal.
  • 00:24:10
    JACK: It’s kind of exciting to have a  blog post of yours gain some traction
  • 00:24:13
    like that. It feels good that you  have something helpful to say about
  • 00:24:16
    the conversation and people appreciate  your thoughts. But then, the next day…
  • 00:24:21
    JAKE: Gosh, I was in Orlando teaching at a  SANS event. I was actually sick at the time too,
  • 00:24:25
    on top—I was running an actual fever on top of  everything else. But I was actually teaching
  • 00:24:30
    exploit development at the time, advanced exploit  dev in Orlando. I wake up, phone alarm goes off,
  • 00:24:38
    whatever. [MUSIC] I wake up and I check  Twitter notifications and at the time,
  • 00:24:43
    I saw all my notifications go  into the phone, what have you.
  • 00:24:46
    I just do a little drag-down and it’s like,  99+. 99’s where it stops counting. It’s like,
  • 00:24:48
    99+ notifications. I’m like ugh, either something  really good has, you know, like a blog post has
  • 00:24:57
    gone viral or something – I’m like, my first  thought is I tweeted something that really
  • 00:25:04
    pissed a bunch of people off and I’ve got some  whatever it is, the gang-up kind of thing going,
  • 00:25:10
    or dogpiling or something. Then my blood ran  cold when I saw what had actually happened.
  • 00:25:18
    JACK: Shadow Brokers, the secret hackers who had  the attention of the entire InfoSec community and
  • 00:25:25
    so many more people, had tweeted directly at Jake.  The tweet said, quote, “@MalwareJake, you having a
  • 00:25:34
    big mouth for former Equation Group member. Shadow  Brokers is not in habit of outing Equation Group
  • 00:25:41
    members but had to make exception for big mouth.”  End quote. The English was rubbish but the message
  • 00:25:48
    was clear. Whoever these Shadow Brokers were  had just stated publicly for everyone in the
  • 00:25:52
    world to know that Jake was a former member  of NSA’s TAO, a.k.a, the Equation Group.
  • 00:25:59
    JAKE: Yes, yep.
  • 00:26:01
    JACK: The thing is, it’s true. Jake had spent  almost two decades working in the information
  • 00:26:05
    community for the government and about five  years in TAO. But Jake had kept this a secret,
  • 00:26:11
    almost just to himself even though he was a  public figure with tons of Twitter followers,
  • 00:26:15
    a speaker at events, a SANS instructor.  Nobody outside his close friends and
  • 00:26:20
    family and ex-co-workers knew  he was a former member of TAO.
  • 00:26:24
    JAKE: No, I certainly wasn’t tweeting that  – I mean, I had a hole in my – obviously, if
  • 00:26:30
    you go to my LinkedIn, you can see I work for the  DoD, right. There’s no question there but I mean,
  • 00:26:35
    in our space, there’s a lot of people in InfoSec  that worked at some time for the DoD. I was former
  • 00:26:41
    army and I felt like that was all – yeah, again,  it was DoD but yeah, to get in and say NSA – and
  • 00:26:49
    really on top of that, to say NSA hacker, is a  whole different level of – yeah, that, I guess.
  • 00:26:59
    It wasn’t something that I really was planning to  start talking about out there, but whatever. Yeah.
  • 00:27:06
    JACK: What’s your initial  reaction when you saw that?
  • 00:27:08
    JAKE: Well, I’ll be honest  and say it was unprecedented
  • 00:27:12
    and I didn’t really have a good feel for how the  government was gonna handle this. A lot of people
  • 00:27:19
    have chatted about this with some of their folks.  Over the last couple of years, what I didn’t know
  • 00:27:25
    at the time, the thing that most concerned  me was the complete lack of predictability
  • 00:27:30
    for what the US government was gonna do. I  didn’t know if the FBI was gonna sweep in
  • 00:27:35
    and be holy goodness, this is Russia. I just  don’t know. There is, even at that time,
  • 00:27:42
    a thought that it’s Russia. The community,  they’re definitely – you mentioned before,
  • 00:27:48
    some of the Trump rhetoric – I didn’t know if – it  wasn’t just what was the US government gonna do,
  • 00:27:55
    but how were ordinary people gonna react to this?  It was a very challenging time because of that,
  • 00:28:01
    I think, more than anything else, was just the  unpredictability. Yeah. It’s unprecedented.
  • 00:28:07
    JACK: That must have ruined your whole day.
  • 00:28:09
    JAKE: Like I said, I was already sick.  I’ll be honest and tell you that [00:30:00]
  • 00:28:14
    I can’t picture a better place to have to deal  with that than teaching a SANS class and it’s what
  • 00:28:21
    we call boot camp class that runs from nine in the  morning ‘til seven p.m. I feel like that night,
  • 00:28:27
    I know we had some other event that I was staffing  there, so I literally worked from nine to nine
  • 00:28:33
    despite being sick and I cannot fathom  a better way to have dealt with that.
  • 00:28:37
    JACK: Why?
  • 00:28:39
    JAKE: It was forced distraction. I  didn’t have time to mull over it as
  • 00:28:44
    much as just go do your thing.  I think that was helpful to me.
  • 00:28:49
    JACK: Yeah, so I was just wondering  kind of the overall message; do you
  • 00:28:52
    think they were guessing at who you were or…?
  • 00:28:54
    JAKE: No, not a bit. I can say with  confidence that – with high confidence
  • 00:29:03
    that they 100% were not guessing at who I was.  I say that with high confidence. I can’t get
  • 00:29:09
    into the why but I will say for sure they were  not guessing at who I was. They had that dead
  • 00:29:16
    to rights. They knew; it wasn’t a guess. Based on  some other stuff that they’ve written, I’m fairly
  • 00:29:22
    certain they had that, yeah. But what the message  was is another thing entirely, right? It could be,
  • 00:29:31
    and I’ve put a lot of thought  into this, the message could be
  • 00:29:35
    purely that they didn’t like what I was writing  and wanted me to shut up and wanted that blog post
  • 00:29:40
    down. My business partner at the time reacted  exactly that way and took the blog post down.
  • 00:29:47
    Even with links to it, right, he basically  rewrote it as a one-paragraph nothing;
  • 00:29:53
    no real content to it, no real meat to it.  There wasn’t a 404 on the website but he took
  • 00:29:58
    that down and if they were trying to accomplish  that goal, that they did. They definitely did.
  • 00:30:07
    It could have also been that if somebody else  was out there that hadn’t yet been identified,
  • 00:30:14
    that they were trying to say hey, if you do  what this guy does, we’re going to out you
  • 00:30:19
    too. I don’t know, I would expect that if anybody  else were thinking about commenting on – former
  • 00:30:25
    NSA folks were thinking about commenting on the  Shadow Brokers, I would expect that would be a
  • 00:30:31
    deterrent as well. But again, as far as their  motivation, it’s really hard to nail down.
  • 00:30:36
    JACK: [MUSIC] What a weird and  surreal thing to happen to Jake;
  • 00:30:43
    to be outed publicly by this mysterious hacker  crew. It’s like he was doxed by them. The tweet
  • 00:30:51
    didn’t just stop there. It went on to say how  the Shadow Brokers know about some top-secret
  • 00:30:55
    weird missions and I’m gonna assume classified  things that Jake was involved in while at TAO.
  • 00:31:02
    The Shadow Brokers’ tweets started, or  their messages, were saying things like
  • 00:31:08
    connecting you to things like odd jobs, CCI,  Windows BITS persistence, and the Q Group.
  • 00:31:14
    JAKE: Mm-hm.
  • 00:31:16
    JACK: Do you have any comment about that?
  • 00:31:18
    JAKE: There’s no safe comment  that I can make on any of that.
  • 00:31:24
    JACK: A few days after that, the Shadow Brokers  released yet another set of stolen exploits. This
  • 00:31:31
    one would make a huge splash in the world. This  dump contained EternalBlue and EternalRomance,
  • 00:31:38
    among others. Now, what’s so important about  EternalBlue is that this is an exploit that can be
  • 00:31:44
    used to remotely access Windows computers running  SMB which was something that was installed by
  • 00:31:49
    default on all Windows machines, making millions  and millions and millions of Windows computers
  • 00:31:54
    vulnerable to this exploit. EternalBlue was huge.  This was the biggest of all their exploits and
  • 00:32:01
    it just landed in the hands of the general  public for any hacker in the world to use.
  • 00:32:05
    EternalBlue might go down as one of the  most successful hacking tools in history.
  • 00:32:09
    It’s really effective for letting hackers into  Windows machines but here’s the strange thing;
  • 00:32:14
    just about a month before Shadow Brokers dropped  this on the world, Microsoft had patched it. Yeah,
  • 00:32:20
    they fixed it right before it was unleashed.  Rumor has it that that NSA gave Microsoft
  • 00:32:25
    a very quiet heads up that this might be in an  upcoming dump so they can work on patching it
  • 00:32:32
    before it hits the streets. Now, of course, this  too was a really big deal for Jake. He knew that
  • 00:32:39
    EternalBlue could have far-reaching  effects on many of his customers but
  • 00:32:43
    he was still coming to grips with  the earlier tweet that called him
  • 00:32:46
    out. That single tweet which outed Jake as an  Equation Group member really changed his life.
  • 00:32:52
    JAKE: It definitely changed my threat  modeling, no question about that.
  • 00:32:59
    At the time, and again, in hindsight, a lot of  people I think, will say overreact, whatever,
  • 00:33:06
    but – that I might have been overreacting but  at the time we just didn’t know. We didn’t know
  • 00:33:12
    what – [00:35:00] not just what they were gonna  do but what anybody was gonna do in response.
  • 00:33:18
    Our own government included private citizens  who were pro-Trump, anti-Trump. They had
  • 00:33:22
    taken a Trump stance, whatever that  program – English language thing was.
  • 00:33:28
    We just didn’t know. I guess the short  of it is, from a media concern, I mean,
  • 00:33:32
    I had to call my ex and say hey, here’s the  situation. My ex, by the way, never having served,
  • 00:33:39
    doesn’t really track with all this, and  I’m having to give her this crash course;
  • 00:33:43
    we think this is Russia, here’s the crash  course on Russian intelligence services.
  • 00:33:48
    We don’t think we have to worry about them  but who knows? I’m more worried about people
  • 00:33:53
    believing that it’s Russia and believing that  we’re somehow cahooting with them and the short
  • 00:33:57
    of it is do you want me to see my kid kind of  thing, or I’ll totally understand if you say no,
  • 00:34:02
    kind of deal. For several weeks, that’s the way we  played it, was that me and my kid were on hangouts
  • 00:34:08
    like you and I are now and not seeing each other  in person because again, we just didn’t have a
  • 00:34:13
    good handle on how or if or whatever people  were going to react to this. Yeah, as far
  • 00:34:19
    as changed my life, I mean, immediately. There  are some immediate impacts that sucked. Yeah.
  • 00:34:26
    JACK: Now, you’ve probably heard of the FBI’s  Most Wanted list but did you know there’s also
  • 00:34:30
    an FBI Cyber’s Most Wanted list, too? Criminal  hackers that the FBI is looking for. When the FBI
  • 00:34:37
    has enough evidence that a hacker has committed  a crime, they will indict the hacker and if it’s
  • 00:34:41
    severe enough, they’ll stick them on this list.  Sometimes the FBI indicts nation state hackers,
  • 00:34:46
    too. Like for instance, the Cyber’s Most Wanted  has eleven hackers who work for the Russian
  • 00:34:52
    government and they were involved in interfering  with the 2016 elections. There’s also four Iranian
  • 00:34:59
    hackers indicted for conducting espionage against  the US. If any of these hackers on the Cyber’s
  • 00:35:04
    Most Wanted list were to travel to the US or even  a country that has an extradition treaty with the
  • 00:35:09
    US, they will probably be arrested and brought  to court but so far no hackers have been indicted
  • 00:35:15
    for whoever was behind these Shadow Brokers  dumps. Was there any travel that you cancelled?
  • 00:35:21
    JAKE: Definitely, no question. They poked back  up in July, I think. It was either late June
  • 00:35:28
    or early July and I canceled a trip to Singapore.  Yeah. One of the issues that came down was – and a
  • 00:35:36
    lot of people forget about this in the dumps, but  in the April dump where they dumped EternalBlue,
  • 00:35:43
    they also dumped operational data involving  SWIFT banks and some other stuff, or SWIFT
  • 00:35:48
    transfers with some banks. That said, to me at  least, without confirming the data’s authentic,
  • 00:35:58
    said to me that it’s not this tooling  they have; they have operations data.
  • 00:36:01
    JACK: This means the Shadow  Brokers are claiming to have
  • 00:36:04
    seen some of the stuff the NSA has actually done.
  • 00:36:08
    JAKE: At that point, if you are watching the  news and you’re watching the US Department
  • 00:36:13
    of Justice indict foreign hackers, you then  have to step back and I definitely did this.
  • 00:36:21
    I did a mental inventory of where did I  target? Even then, doing risk modeling,
  • 00:36:27
    doesn’t even matter where I targeted. Does it  really matter where I targeted specifically or
  • 00:36:33
    is it just because I was involved with  that group that targeted X country?
  • 00:36:39
    Basically, if I land, if I touch down here, am I  likely to be arrested? It’s not just the question
  • 00:36:44
    of what did they share, but – sorry, what did  they share publicly, it’s also like we don’t
  • 00:36:49
    know what they’re sharing on the back end and if  it is Russian intelligence, or even if it’s not,
  • 00:36:55
    whatever, but what are they, whoever they are,  sharing on the back side that we don’t know about?
  • 00:36:59
    That also was a huge unknown and that’s  something I continue to play mentally today,
  • 00:37:04
    kind of mentally play through. ‘Cause we saw  Canada arrested the Huawei executive on our behalf
  • 00:37:11
    in an airport, for goodness sakes.  They never even cleared customs.
  • 00:37:17
    Every time I travel internationally, I’m  playing that whole risk modeling not just
  • 00:37:22
    of was I involved with this country but for  the country that I was involved with targeting,
  • 00:37:29
    did I – basically, I’m on an extradition in some  place. Do they have an extradition policy with
  • 00:37:36
    that other country? Yeah, I canceled travel to  Singapore. I had some other opportunities that I
  • 00:37:42
    passed on entirely because I just don’t feel safe  traveling to a number of countries as a result.
  • 00:37:47
    JACK: Yeah, it almost feels like  you’re at their mercy at this point.
  • 00:37:50
    JAKE: Well, there’s no question. I guess, if  you want to play – I’m gonna try not to play the
  • 00:37:56
    victim here ‘cause, whatever, I made employment  decisions. They were employment decisions. Those
  • 00:38:03
    same decisions are why I’m where I’m at today.  But yeah, there’s no question in my mind that they
  • 00:38:12
    have a lot of [00:40:00] operational data about me  and it’s stuff that could definitely paint it in
  • 00:38:18
    the wrong light. Paint it in the wrong light  would be very bad and would, for me personally,
  • 00:38:26
    and I am definitely at their mercy for what it  is that they choose to release or not release.
  • 00:38:32
    I’ve said repeatedly that, and I stand by this;  so far, we haven’t seen any US hackers indicted,
  • 00:38:40
    nation state hackers indicted, but I am not a  betting man. I would not bet against me being
  • 00:38:46
    the first one, or on the first list. I can’t  fathom that I won’t be involved somehow and
  • 00:38:51
    I hope I’m not. It’s not something I’m  wishing for or asking for. But again,
  • 00:38:55
    just playing the odds. When somebody else finally  – when another country finally pulls a DOJ
  • 00:39:00
    and starts indicting US nation state hackers, it  will surprise me greatly if I’m not on that list.
  • 00:39:09
    JACK: Jeez, I don’t even know what to say  about that. This is life in the shadow of
  • 00:39:16
    the Shadow Brokers. It also makes me think  about him as a SANS instructor. I’ve taken
  • 00:39:21
    a SANS course and it would just blow my mind  if I knew my teacher was wanted in several
  • 00:39:26
    countries for hacking on behalf of the NSA. Is  he a criminal or not? Some countries probably
  • 00:39:32
    think he is but back home, he’s just carrying  out his orders. Now, when I think about it,
  • 00:39:36
    I think it’s actually weird that the FBI  indicts the hackers who were working for
  • 00:39:40
    foreign governments. The hackers were just  carrying out their orders. Why not indict the
  • 00:39:45
    officers or generals or the leader who signed  the executive order? At that point, you might
  • 00:39:50
    as well treat it like an act of hostility  from one nation to another. I don’t know;
  • 00:39:54
    it gets weird and sticky on who to blame for  hacking when it comes to nations hacking nations.
  • 00:39:59
    It’s kind of like when Apple is suing Google  for twenty things and Google is suing Apple for
  • 00:40:03
    twenty things. Yeah, sure, Russians hacked the  US but the US has probably hacked Russia too,
  • 00:40:09
    so now what? Since 2017, we haven’t heard  anything more from the Shadow Brokers. Their
  • 00:40:16
    last tweet mentioned Jake once again but it  wasn’t really saying anything new. Since then,
  • 00:40:21
    it’s been quiet. While we normally  saw them come back every few months,
  • 00:40:24
    they’ve now been quiet for over two years. But  I don’t think that’s the end of Shadow Brokers.
  • 00:40:29
    I still think there’s a huge investigation, a  hunt into who’s behind it. It quite possibly
  • 00:40:35
    could have been an insider, a double agent,  someone who works in the NSA and had access
  • 00:40:40
    to this stuff but was feeding it to another  country like Russia. Yeah, at this point,
  • 00:40:45
    most signs do point to Russia being behind the  Shadow Brokers, but we don’t know for certain.
  • 00:40:50
    But if you think about the intent and capabilities  of this group, their intent is to do battle with
  • 00:40:55
    the most sophisticated hacking group in the world,  the NSA, and then burn some of their expensive
  • 00:41:01
    exploits. Their capabilities are that they  can somehow get these exploits out of the NSA,
  • 00:41:06
    probably one of the most secure places in  the world, and then publish them and then
  • 00:41:10
    get away with it. When you think about all  the intelligence capabilities the NSA has,
  • 00:41:15
    and they don’t have anything on this crew, this  puts Shadow Brokers in a top-tier category for
  • 00:41:20
    what their capabilities are. Then you look at  how much they say about Trump and the ability
  • 00:41:25
    to shift the news cycles when it comes to Russia;  yeah, it just looks like it’s probably Russian.
  • 00:41:30
    But like I was saying, there haven’t been any  FBI indictments about this or public statements
  • 00:41:35
    from the US government about this either,  and especially nothing from the president.
  • 00:41:38
    He typically doesn’t call out Russia for stuff  like this but even if he did blame Russia for
  • 00:41:44
    this, what would that sound like? It would admit  that the NSA somehow lost control of their secret
  • 00:41:50
    hacking tools and that might make the US look bad,  so it’s a complicated issue. [MUSIC] Oh, and I
  • 00:42:00
    should also mention Harold Martin III somewhere  in here, too. There’s this theory that Harold
  • 00:42:05
    is somehow behind this. Harold was a government  contractor working for Booz Allen Hamilton and
  • 00:42:11
    while he was there, he was doing some work for the  NSA and got access to some top-secret information
  • 00:42:15
    within the NSA. Harold decided to steal fifty  terabytes of information from NSA’s servers and
  • 00:42:21
    successfully got it out. We don’t know who Harold  gave these fifty terabytes to or if he gave it to
  • 00:42:26
    anyone. We don’t even know what’s in the data but  he was caught and is currently serving nine years
  • 00:42:32
    in prison for this. The data on the Shadow Broker  dumps could have been something that Harold stole.
  • 00:42:37
    The timestamps do seem to line up with this but  there’s no real good evidence that does connect
  • 00:42:43
    Harold to this whole thing. Alright, let’s  take a step back and try to understand what
  • 00:42:49
    this whole Shadow Brokers thing means. Well, the  NSA has neither confirmed nor denied that they’ve
  • 00:42:54
    made these tools. All signs point to these being  actual exploits that the NSA has made and kept to
  • 00:43:00
    themselves as weapons to attack the enemy with.  Let’s think about that; this means the NSA has
  • 00:43:07
    a group of researchers who are actively looking  for vulnerabilities in software like Microsoft
  • 00:43:13
    Windows [00:45:00] and then when they find these  vulnerabilities, they don’t tell Microsoft about
  • 00:43:18
    it. They keep it to themselves. Now, the NSA has  publicly said they don’t hoard zero-days or
  • 00:43:24
    exploits that nobody knows about but here’s  evidence that they do. What does that mean?
  • 00:43:29
    Well, it seems the NSA has decided it’s  more important to be on the offensive
  • 00:43:35
    versus being on the defensive. If the NSA  was defensive-minded, they would be working
  • 00:43:41
    with software vendors to find vulnerabilities  and get them fixed. But instead we see this,
  • 00:43:47
    where they secretly find vulnerabilities and not  tell the software vendor about it so that they
  • 00:43:53
    can later use it on an attack against someone  else. Perhaps this was the message that the
  • 00:43:58
    Shadow Brokers was trying to relay, to place the  NSA under extra heat for hoarding zero-days like
  • 00:44:04
    this. That’s certainly what happened. A lot of  people used this as evidence that the NSA does
  • 00:44:09
    not have it in their interest to keep us secure,  but instead they want to keep these exploits to
  • 00:44:15
    themselves so they can be better at doing  espionage and surveillance and hacking into
  • 00:44:21
    other networks which I suppose could be considered  defensive-minded if they’re using that to find
  • 00:44:28
    what an upcoming attack on our country is going  to be. But that’s just hard to believe when we see
  • 00:44:33
    nation states hacking into companies in the US and  creating huge, huge problems for those companies.
  • 00:44:41
    See, here’s the perfect example of when that can  backfire; when the exploits the NSA makes gets
  • 00:44:46
    into the wrong hands or when someone exposes  the capabilities of the NSA. Snowden, the ANT
  • 00:44:52
    catalogue leak, and now the Shadow Brokers give  us a very clear view into what the NSA is doing.
  • 00:45:00
    I think it’s important that we all take full note  of what we see here. [MUSIC] Now, as someone who
  • 00:45:06
    used to defend networks from threats, I want to  take a moment and talk about what we as defenders
  • 00:45:11
    should be doing about the Shadow Brokers. When the  Shadow Brokers dumped all these NSA-grade hacking
  • 00:45:16
    tools, we should be analyzing them and trying  to understand them as best we can. Here’s why;
  • 00:45:22
    let’s take the Windows event log hack that was  dumped as an example. This is a hack that can turn
  • 00:45:27
    Windows logging off and then back on whenever you  want, or it can delete individual event logs from
  • 00:45:33
    Windows. Here’s the thing; historically, it’s been  possible as an admin to turn logging off and on.
  • 00:45:39
    Okay, fine, but when that happens, an event is  created that says logging has been turned off.
  • 00:45:45
    It’s also possible to clear all event logs but  again, there’s a log created that says that all
  • 00:45:50
    the logs have been wiped. That wipes all logs, not just one or two. But with this hack that
  • 00:45:55
    was dumped, you can disable logging without an event indicating logging has been turned off.
  • 00:46:02
    You can turn it off, do your dirty work, then turn it back on and there’s no evidence that the
  • 00:46:07
    logs have been tampered with, which is really scary but important to know. There’s also a
  • 00:46:13
    capability of removing individual events. This is important for us defenders to know
  • 00:46:18
    because Windows event logs are so important to us. They tell us the truth of what happened.
  • 00:46:24
    How do we handle this? Now you need to be looking for what’s not there. For instance,
  • 00:46:29
    event logs are numbered. What if you saw Event Log 97, 98, no 99, and then 100?
  • 00:46:37
    What happened to Event Log 99, or what happens when you see a log-out event but not a log-in?
  • 00:46:42
    If you see stuff like this, you can assume you have a hacker who’s using these Shadow Brokers
  • 00:46:48
    hacks but also isn’t savvy enough to know how Windows logging works, because this hacker was
  • 00:46:53
    smart enough to delete their log-in event but not good enough to delete their log-out event. This is
  • 00:46:59
    the kind of stuff that defenders and incident responders have to learn about from Shadow
  • 00:47:03
    Brokers. But not only that; every sophisticated hacking team in the world paid serious attention
  • 00:47:08
    to these dumps. I just told you about the logging one but there’s seventy other exploits they
  • 00:47:14
    dropped. Government hacking teams have probably done a deep analysis on every single exploit in
  • 00:47:20
    the dumps to learn everything they could about it; what it does, how to use it most effectively,
  • 00:47:24
    and then throw it in their bag of tools to use it whenever they want. This is why it’s important for
  • 00:47:30
    the InfoSec community to know this as well. I mean, if the NSA did create these hacker tools,
  • 00:47:35
    they probably spent millions of dollars on research and development to make them.
  • 00:47:39
    That was paid by my tax dollars, so seeing what their capabilities are and knowing it’s in the
  • 00:47:44
    hands of every hacker in the world, it’s an extremely valuable lesson for anyone working
  • 00:47:49
    in InfoSec. It’s simply not every day that we get to look at tools this sophisticated and
  • 00:47:56
    now any script kiddie in the world has them and is using them. Ever since these dumps,
  • 00:48:02
    digital forensics and incident responder teams have been seeing a high number of attacks that
  • 00:48:07
    were using stuff from these dumps. It still continues to this day. It’s very important
  • 00:48:12
    for us defenders [00:50:00] to understand this, especially for the exploit called
  • 00:48:17
    EternalBlue. EternalBlue would go on to be a key component for some of the world’s biggest hacks,
  • 00:48:24
    hacks that were so big, they practically caused doomsday scenarios for many people.
  • 00:48:30
    Join me in the next episode as we dig into one of the hacks that used EternalBlue.
  • 00:48:35
    JACK (OUTRO): [OUTRO MUSIC]
  • 00:48:43
    A big thank you to our guest Jake Williams for taking time to share this incredible story with
  • 00:48:48
    us. You can follow him on Twitter. His name there is @MalwareJake. Good luck out there,
  • 00:48:53
    Jake. I also want to give a big thanks to Andy Greenberg from Wired. He just finished writing a
  • 00:48:58
    new book called Sandworm which goes into detail about this whole Shadow Brokers thing and then
  • 00:49:03
    goes into detail about what EternalBlue went on to be used for. We’re gonna interview Andy in
  • 00:49:08
    the next episode so if you want to check out his book, it’s Sandworm. It’s really good.
  • 00:49:13
    Don’t forget to help support this show through Patreon where you can get some bonus episodes
  • 00:49:17
    exclusive only to Patreon donators, and you can also get some stickers and an ad-free feed.
  • 00:49:22
    Patreon supporters really do make a huge impact on keeping this show going and they’re absolutely
  • 00:49:28
    my favorite listeners. This show is made by me, grizzly masquerade, Jack Rhysider. Sound
  • 00:49:35
    design this episode is by the headphone-wearing Andrew Meriwether. Editing help this episode by
  • 00:49:40
    the cyber-maiden Damienne. Our theme music is by the jingling Breakmaster Cylinder.
  • 00:49:46
    Even though webmasters around the world add my IP
  • 00:49:49
    to their blacklist every time I say it, this is Darknet Diaries.
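The "look for what's not there" advice in the transcript (a hole in the event record numbering, a log-off with no matching log-on) can be turned into a simple triage check. The following is an added example written for this page, not code from the episode, from Jake Williams or from any tool in the dumps. It runs over a small set of constructed Security-log records (the account names, logon IDs and record numbers are made up); the only real identifiers are the Windows Security event IDs 4624 (logon), 4634 (logoff) and 1102 (audit log cleared), and the fact that EventRecordID is assigned sequentially by the log service.

```python
"""Spot-the-gap checks for a Windows Security event log export.

Added example for this page; the records below are constructed, not from
any real incident. Each record carries the fields a responder would pull
from an EVTX export: EventRecordID, EventID and the LogonId the event is
about.
"""

# Real Windows Security log event IDs.
EVENT_LOGON = 4624          # An account was successfully logged on
EVENT_LOGOFF = 4634         # An account was logged off
EVENT_LOG_CLEARED = 1102    # The audit log was cleared (the noisy "wipe everything" case)

# Constructed sample records, in log order. Record 99 is missing, and the
# logoff at record 100 refers to a logon ID that never logged on in this extract.
SAMPLE_RECORDS = [
    {"EventRecordID": 96,  "EventID": 4624, "LogonId": "0x3e7",   "Account": "SYSTEM"},
    {"EventRecordID": 97,  "EventID": 4624, "LogonId": "0x1f4c2", "Account": "alice"},
    {"EventRecordID": 98,  "EventID": 4634, "LogonId": "0x1f4c2", "Account": "alice"},
    # EventRecordID 99 is absent: someone removed a single event
    {"EventRecordID": 100, "EventID": 4634, "LogonId": "0x5a5a5", "Account": "svc_backup"},
    {"EventRecordID": 101, "EventID": 4624, "LogonId": "0x7b1d0", "Account": "bob"},
]


def find_missing_record_ids(records):
    """Return the EventRecordIDs that should sit between the lowest and highest
    record in the extract but do not. The log service numbers records
    consecutively, so a hole inside the range means records were removed."""
    ids = sorted(r["EventRecordID"] for r in records)
    missing = []
    for prev, cur in zip(ids, ids[1:]):
        missing.extend(range(prev + 1, cur))   # empty when cur == prev + 1
    return missing


def find_orphan_logoffs(records):
    """Return logoff events whose LogonId never appeared in an earlier logon
    event in the same extract: a session that apparently ended without starting."""
    seen_logons = set()
    orphans = []
    for rec in sorted(records, key=lambda r: r["EventRecordID"]):
        if rec["EventID"] == EVENT_LOGON:
            seen_logons.add(rec["LogonId"])
        elif rec["EventID"] == EVENT_LOGOFF and rec["LogonId"] not in seen_logons:
            orphans.append(rec)
    return orphans


def find_log_clears(records):
    """Return 'audit log cleared' events; the crude wipe the transcript contrasts
    with selective deletion."""
    return [r for r in records if r["EventID"] == EVENT_LOG_CLEARED]


def audit(records):
    """Run all three checks and summarise by record number."""
    return {
        "missing_record_ids": find_missing_record_ids(records),
        "orphan_logoffs": [r["EventRecordID"] for r in find_orphan_logoffs(records)],
        "log_cleared": [r["EventRecordID"] for r in find_log_clears(records)],
    }


if __name__ == "__main__":
    print(audit(SAMPLE_RECORDS))
```

Two caveats a practitioner would apply before treating a hit as evidence: a logoff whose logon happened before the start of the export window is benign, so compare against the window start rather than assuming tampering, and a gap at the very beginning of the range can be log rollover rather than deletion. The checks give leads to pivot on, not proof on their own.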
Tags
  • NSA
  • ANT catalogue
  • Shadow Brokers
  • cybersecurity
  • hacking tools
  • COTTONMOUTH
  • EternalBlue
  • cyber-surveillance
  • Equation Group
  • Jake Williams