Wednesday, May 17, 2017

Very Dark Shadows

So, not only are the hacker collective known as the Shadow Brokers taking responsibility for last week's WannaCry ransomware chaos (gosh, I was correct about who was behind that), they are now promising a monthly attack unless they are paid handsomely. Lawfare's Nick Weaver:

Yesterday I was interviewed by NPR about the Shadow Brokers and their relationship to WannaCry. Overall I think it went well, especially since NPR is very comfortable with answers that start with “we don’t know” and then set out the evidence we do know. But I may have been wrong on one significant thing: I thought the Windows tools were the most damaging the Shadow Brokers have to offer. Today, with the announcement of the Shadow Broker’s Data Dump of the Month club, I may need to eat some crow.
Recall that the Shadow Brokers are an unidentified actor or group of actors who appears to have penetrated the NSA and then released the stolen information. They have conducted four releases so far: of a 3-year-old collection of router exploits that nonetheless included a Cisco zero-day, a similar collection of mailserver exploits, a collection of Windows exploits, and the apparent internal working directory of an NSA operation aimed at gathering intelligence about SWIFT bank transactions in the Middle East. All indications point to this data being legitimate.
I’m pretty sure that these releases do not derive from a single source. Both the mailserver and router exploits seem to be active working directories because they include notes and other information that should identify the actual source. The SWIFT release, on the other hand, is most likely the internal, Internet-connected workstation of a Texas NSA analyst because it consists entirely of operational notes and an in-progress slide deck detailing the operation. The only release which didn’t include massive pointers enabling the NSA to find the particular source is the Windows exploits. 
And now the Shadow Brokers are back with yet another missive. Although this could be a hoax, assuming it is legitimate, it should raise serious alarm bells. Although I still believe the auction & payment demands are very much theater designed to attract attention, the Shadow Brokers have earned a reputation for honesty about what they’ve obtained. 
Part of their statement is effectively a disclaimer of responsibility for WannaCry. They note that their published directory listing in January resulted in the NSA notifying Microsoft, which in turn released a patch. So by the time the Shadow Brokers released the Windows tools they were no longer zero-days. This disclaimer is fair: All systems exploited were either unpatched or running an obsolete, unsupported version of Windows. 
But the Shadow Brokers’ threat to launch a “dump of the month” service if they aren’t paid is ominous. Again, I think the Bitcoin payment demand is little more than a bit of theater intentionally paired with the amusingly awful English, but what are they threatening to release? It could be, according to them: 
  • web browser, router, handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and Central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs
Given the Shadow Brokers’ demonstrated willingness to reveal incredibly sensitive NSA material—including tools that even Wikileaks would hesitate to publish because of the damage-to-benefit ratio—we have to take this threat seriously.

And given the evidence that our good friends the Russians are bankrolling the Shadow Broker operation, I wouldn't hold your breath on seeing that "compromised Russian network data". The whole problem with the notion that Russia was hardest hit by WannaCry is that the people reporting that are 1) the Russian government and 2) Kaspersky Labs, the anti-virus lab headed by Eugene Kaspersky, former GRU agent and Putin protege.

Ahh, but the most successful of Putin's operations was of course our friend Eddie Snowden, who is very busy attacking the NSA these days, and that led to WikiLeaks and now the Shadow Brokers running loose and causing damage.

I'll tell you what, Putin has done more to harm the US than any nuclear weapon could so far. Expect more of this as the months go by.
