Saturday, April 15, 2017

Going After The Spies

It seems that our good friends in Russia are bound and determined to destroy America's counterintelligence capability so that they can continue to pull the strings unopposed, as second-order Snowden fallout has arguably reached its highest level yet.  Nick Weaver at Lawfare Blog:

The Shadow Brokers are back. Back in August, the group released a large number of stolen tools purportedly hacked from “the Equation Group,” which is near-unanimously believed to be the NSA. In addition to the released files, Shadow Brokers announced an “auction” for the sale of an addition batch of NSA tools. At the time, it seemed the auction was more publicity stunt than money-making endeavor and that suspicion was confirmed last week, when they released the password for the auction tools for free.

The “auction” file materials were underwhelming, but today those wiley and sarcastic (and probably Russian) hackers dumped the really amazing stuff: operational notes from the NSA’s active targeting of banks in the Middle East and the NSA’s collection of Microsoft Windows exploitation tools. This may well be the most damaging dump against the NSA to date, and it is without question the most damaging post-Snowden release.

The operational notes on the NSA’s program extracting SWIFT data from Middle Eastern banks appear to date from September 2013, so this represents post-Snowden stolen data. The material is almost certainly legitimate—a spot check of data shows a large amount of consistency. This details exact targets, such as particular systems in eastnets.com to leverage access into the SWIFT systems of client banks, and sql queries designed to extract, in bulk, transactions of interest. Any access NSA maintained is now as good as eliminated, since this provides a detailed roadmap to how the NSA accessed this critical information.

So yes, the NSA's tools to get into Windows machines have now been blown wide open and given to a planet full of hackers to be used against everyone else.  Fun!  Weaver does ask the right question though.

The real mystery here is why the Shadow Brokers released this data. Ordinarily, a hostile intelligence service wouldn’t tip their hand by showing that they had obtained this information but there are some clear strategic benefits to that kind of signalling. Releasing the vulnerabilities themselves goes a step further. It ensures not only that the NSA is unable to use the Windows 0-days against targets, but that you aren’t either. It is a matter of short time before these tools are patched, and thus unavailable to anyone. These are tremendously valuable tools to just burn that way, so it does make one wonder (and worry): what exactly is the intended payoff here? 

The obvious answer is that both Putin and Trump have a massive enemy in the American intel community.  Crippling the NSA's cyber operations like this only helps the Russians, since the NSA are, or were, the top dogs at using cyber exploits like this.  Leveling the playing field through scorched earth only helps everyone who's not the NSA, and it has the added benefit of letting them know what the consequences are of leaking say, plans for North Korea or more info on Trump's Russian connections.

There's no mystery here, this is payback, plain and simple.  My guess is that it's payback for this story.

As Syrian president Bashar al-Assad called videos of last week’s chemical attack a “fabrication,” a piece of propaganda promoted by a Russian cyber operation and bearing the hashtag #SyriaHoax has gained traction in the United States, analysts tell ABC News.

Following the chemical weapons attack that killed dozens of civilians on Tuesday, Al-Masdar News, a pro-Assad website based in Beirut, published claims that "something is not adding up in [the] Idlib chemical weapons attack." Its author cited "holes" in the accounts provided by the "Al-Qaeda affiliated" White Helmets leading to the conclusion that "this is another false chemical attack allegation made against the government."

That hoax story was promoted by a network of Russian social media accounts and ultimately picked up by popular alt-right personalities in the United States, including Mike Cernovich, one of the leading voices in the debunked 'Pizzagate' conspiracy theory. Cernovich popularized its new hashtag -- #SyriaHoax -- and sent it soaring through cyberspace. According to Trends24, within hours of the retaliatory missile strike President Donald Trump launched on Thursday night, #SyriaHoax was the No. 1 trending Twitter topic in the United States.

J.M. Berger of The International Centre for Counter-Terrorism at The Hague, who studies propaganda and social media analytical techniques, said #SyriaHoax is "a clear example of a Russian influence campaign" designed to undermine the credibility of the U.S. government.
"The point of an influence campaign is to get people involved who wouldn't otherwise be involved," Berger said. "A lot of people in the alt-right would not necessarily characterize themselves as being pro-Russian, but they're receiving influence from this campaign."

Hours after the #SyriaHoax story was pinned on Russia, we got the Shadow Broker NSA tools leak.  You do the math.

No comments:

Related Posts with Thumbnails