Who leaked NSA exploits to Shadow Brokers? Ah, it's Russians again!

Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


More "evidence" has emerged this week, once again from a security company, this one based in Washington DC, that appears to point the finger at Russian involvement in the leaking of NSA exploits on the Web last year.

The leaks were by a group that calls itself the Shadow Brokers. The company that provided the "evidence", InGuardians, used the website Krebs on Security, run by former Washington Post employee Brian Krebs, as its conduit.

Krebs used the material provided by InGuardians to write a speculative piece about the identity of the person who leaked the data to the Shadow Brokers. Curiously, he buried the fact that the data came from InGuardians in the 30th paragraph of his story.

Well-known blogger Marcy Wheeler raised some doubts about Krebs' story to which he replied with what she described as "a really snotty tweet". Her analysis of Krebs' article is well worth a read.

InGuardians claimed to have found metadata in documents among the leaked exploits — which are now freely available on the Internet — relating to three people. Two of them had Western names — Nathan S. Heidbreder and Michael A. Pecoraro. The third had a Russian name — Gennadiy Sidelnikov — and Krebs therefore concluded that this was one reason why he could be the person likely to have leaked the material.

A little history here: the first person to leak material recently from the NSA was Edward Snowden in 2013. Following that, three others have been known to leak: one, Harold Martin, was arrested last year after having taken a massive trove of NSA data home.

Another, an unnamed software developer, who has been said to be a Vietnamese American, was taken into custody in 2015 after taking hacking tools home and reportedly having them leak from his PC to hackers in Russia. And a third, a woman named Reality Winner, was arrested after leaking a single NSA document to The Intercept this year.

[Image: Shadow Brokers] Exploits for sale, exploits for sale, peoples is not wanting Shadow Brokers' exploits that are for sale.

Krebs makes a major error in his article with regard to the three people who are under investigation: he cites an article from The New York Times as stating that one is "a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer".

The NYT, however, plainly states that this individual was also a member of the NSA's Tailored Access Operations group, the elite unit that actually crafts such exploits and carried out operations against foreign enemies of the US.

Its article states: "The agency has active investigations into at least three former NSA employees or contractors. Two had worked for TAO: a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer; and Harold Martin, a contractor arrested last year when FBI agents found his home, garden shed and car stuffed with sensitive agency documents and storage devices he had taken over many years when a work-at-home habit got out of control, his lawyers say."

But then, if Krebs had admitted that the unidentified software developer was a member of TAO, he would not have been able to bring in the name of someone else and posit that that person was the source for the leaks to the Shadow Brokers.

The NSA tools are claimed to have leaked to the Russians through the unnamed developer's use of Kaspersky anti-virus software; like any A-V solution, the software uploads suspicious files to a server for later analysis, and when it encountered the NSA files on this man's machine, it did the same. How the Russians obtained these exploits has never been made clear, with the obvious implication being that after they reached Kaspersky's Moscow offices, they were handed over to government hackers. Kaspersky has denied handing over any files. Ah, the power of insinuation!

Krebs' conclusion that Sidelnikov was the most likely source from whom the Shadow Brokers obtained the exploits was based on circumstantial evidence. One was that since Sidelnikov had a Russian name, he was the most likely of the three people cited by InGuardians to be using Kaspersky software.

Then Sidelnikov was found to have obtained a degree from a university in Moldova, a former part of the old Soviet Union. His interests, listed on a LinkedIn profile, included Microsoft and the NSA. Based on the skills listed on this profile, Krebs concluded, following hints from InGuardians, that he was a database administrator and not a senior consultant as the man himself claimed. Therefore, Krebs concluded, again following conclusions from InGuardians, the presence of his name on any document connected to the leak was an aberration, as he was not a member of the TAO.

Sidelnikov had listed himself as being affiliated with a company named Independent Software. Krebs claims to have called and emailed this organisation but received no reply. Of course, if Sidelnikov had been arrested — as the headline on Krebs' article claims — it is not surprising that Krebs' queries went unanswered.

The good folk at InGuardians had more "proof" for Krebs. One was that Sidelnikov, who was now assumed to be a database programmer, would not normally have access to exploits of the kind that were leaked. The two others whose names were found in the metadata of the leaked files were claimed to be employees of the TAO.

Whoever the Shadow Brokers are, it is clear that they have detailed access to information about former TAO staff. This was made abundantly clear when they leaked details about Jake Williams, a former TAO member, after he wrote an article about them in April this year.

So, it looks like, once again, based on considerable speculation, much of it unfounded, a Russian has been claimed to be the link to the mysterious leak of NSA exploits. Exactly what Krebs' agenda is remains unknown; Wheeler hinted that he had one: "There’s more I won’t say publicly about Krebs’ project, what he really seems to be up to."

She ended her analysis with this: "…the reason I went through the trouble of pointing out the errors (in Krebs' article) is precisely because Krebs went so far out of his way to find a Russian to blame for … something.

"We’ve been seeing Russian metadata in documents for 17 months. Every time such Russian metadata is found, everyone says, Aha! Russians! That, in spite of the fact that the Iron Felix metadata was obviously placed there intentionally, and further analysis showed that some of the other Russian metadata was put there intentionally, too.

"At some point, we might begin to wonder why we’re finding so much metadata screaming 'Russia'?"

This, one would think, should be a point that strikes a journalist right between the eyes. Strangely, it does not seem to have occurred to Krebs.
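The "metadata" at the centre of both the InGuardians claim and Wheeler's objection is nothing more exotic than a small XML file (docProps/core.xml) inside the zip container that every .docx is. The following Python is an added example, not code from this column, from Krebs, from InGuardians or from anyone else it discusses: it builds a constructed .docx, reads the creator and lastModifiedBy fields that such investigations rely on, and then strips them the way a document is sanitised before publication, leaving every other part of the file untouched. The document and the names in it are constructed for the demonstration; the point it makes is that these fields are plain text anyone with a zip tool can read or change, which is why a name found there is weak evidence on its own.

```python
"""Read and sanitise the author metadata of a .docx package.

Added example (not from the iTWire column or anyone it discusses). Office
Open XML files are zip archives; the author fields live in
docProps/core.xml as ordinary XML. All names below are constructed.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in the Office Open XML format.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Template for a core-properties part; {cp}, {dc}, {dcterms} come from NS.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">
  <dc:title>Example document</dc:title>
  <dc:creator>{creator}</dc:creator>
  <cp:lastModifiedBy>{modified_by}</cp:lastModifiedBy>
  <dcterms:created>2016-01-01T00:00:00Z</dcterms:created>
</cp:coreProperties>
"""


def build_docx(creator, modified_by):
    """Build a minimal, constructed .docx (as bytes) carrying the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>")
        z.writestr("word/document.xml",
                   "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
        z.writestr("docProps/core.xml",
                   CORE_XML.format(creator=creator, modified_by=modified_by, **NS))
    return buf.getvalue()


def read_core_properties(docx_bytes):
    """Return {'creator', 'last_modified_by'} from docProps/core.xml.

    Returns None when the package has no core-properties part at all; a
    field that is present but empty is reported as None.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "docProps/core.xml" not in z.namelist():
            return None
        root = ET.fromstring(z.read("docProps/core.xml"))

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {"creator": text("dc:creator"), "last_modified_by": text("cp:lastModifiedBy")}


def strip_core_properties(docx_bytes):
    """Return a copy with creator and lastModifiedBy removed from core.xml.

    Every other part is copied byte-for-byte. This is the usual sanitisation
    step before publishing a document; the same few lines of XML editing are
    all it takes to put any name there, which is why the fields prove little.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src:
        infos = src.infolist()
        parts = {i.filename: src.read(i.filename) for i in infos}

    root = ET.fromstring(parts["docProps/core.xml"])
    for tag in ("dc:creator", "cp:lastModifiedBy"):
        for el in root.findall(tag, NS):
            root.remove(el)
    for prefix, uri in NS.items():          # keep the conventional prefixes on output
        ET.register_namespace(prefix, uri)
    parts["docProps/core.xml"] = ET.tostring(root, encoding="utf-8", xml_declaration=True)

    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in infos:
            dst.writestr(info, parts[info.filename])
    return out.getvalue()


def document_body(docx_bytes):
    """Return word/document.xml so callers can confirm the body was untouched."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read("word/document.xml")


if __name__ == "__main__":
    original = build_docx("Constructed Author", "Constructed Editor")
    print("before:", read_core_properties(original))
    cleaned = strip_core_properties(original)
    print("after: ", read_core_properties(cleaned))
    print("body unchanged:", document_body(original) == document_body(cleaned))
```

Running the script prints the constructed names before sanitisation and None for both fields afterwards, with the document body reported unchanged. Nothing in the package signs or seals core.xml, so an analyst who finds a name there knows only that someone wrote that name into that XML at some point, not who.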

Update, 4 December: Following the arrest of a Vietnamese American over taking NSA documents home, Krebs has now issued the following statement: "This author published a story earlier in the week that examined information in the metadata of Microsoft Office documents stolen from the NSA by The Shadow Brokers and leaked online.

"That story identified several individuals whose names were in the metadata from those documents. After the guilty plea entered this week and described above, KrebsOnSecurity has unpublished that earlier story."

The statement is published at the end of another post and is given nothing like the prominence that the original post (archived version here) was. There is no admission that the story could have been wrong.

Krebs has disallowed comments on the article where his faux pas is mentioned, presumably so that nobody can point out his error.


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
