WEBVTT

00:00:00.397 --> 00:00:06.840
JACK: Sometimes you read the news and the story sticks with you forever. One such news story I

00:00:06.840 --> 00:00:11.880
saw was some security news I heard and I’ll always remember it. It was when I first saw

00:00:11.880 --> 00:00:19.320
a presentation about the NSA ANT catalogue. Have you seen this? It’s mind-bending. [MUSIC] Okay,

00:00:19.320 --> 00:00:24.840
here’s what happened. Someone with access to NSA documents took the ANT catalogue and gave it to

00:00:24.840 --> 00:00:30.120
journalists at Der Spiegel and then they published it. At first, we thought it was Snowden who leaked

00:00:30.120 --> 00:00:35.400
these documents but we’re not sure if it was him or a second leaker. I asked Snowden on Twitter if

00:00:35.400 --> 00:00:42.360
it was him, but he didn’t respond. So, what’s NSA’s ANT catalogue? ANT stands for Advanced

00:00:42.360 --> 00:00:48.720
Network Technology and in this catalogue are a list of hacks, exploits, and cyber-surveillance

00:00:48.720 --> 00:00:54.660
devices that the NSA can use for certain missions. If you work at the NSA and you need an exploit,

00:00:54.660 --> 00:01:00.000
you look through this catalogue and then request to get one of these devices or pieces of software.

00:01:00.000 --> 00:01:06.120
When you look through it, it looks like the work of science fiction but these are all real devices.

00:01:06.120 --> 00:01:13.080
Let me point out a few to you; the NSA has created a device codenamed COTTONMOUTH. It looks like a

00:01:13.080 --> 00:01:18.300
typical USB plug; one you’d see on a mouse or a keyboard but it’s actually capturing all the

00:01:18.300 --> 00:01:23.700
data going through it and wirelessly transmitting that data. It listens for mouse clicks, keyboard

00:01:23.700 --> 00:01:28.380
strokes, or any other data going through it. Now, the receiver has to be close by; I don’t know,

00:01:28.380 --> 00:01:32.460
twenty feet maybe, and with a strong antenna and nothing in the way it could probably transmit

00:01:32.460 --> 00:01:38.220
much further. Someone could be listening maybe in the room next door to everything that your

00:01:38.220 --> 00:01:44.880
USB connector is seeing. This is some next-level technology that the NSA developed in 2008 which

00:01:44.880 --> 00:01:51.780
still isn’t even available commercially today. The ANT catalogue even lists a price for this; $20,000

00:01:51.780 --> 00:01:58.560
per USB implant. Jeez, that’s a lot. The NSA ANT catalogue has loads of other hacks and implants.

00:01:58.560 --> 00:02:04.080
There’s DROPOUTJEEP which is a piece of software that if you can get it onto an iPhone, it’ll give

00:02:04.080 --> 00:02:09.900
you all the text messages, contacts, voicemail, it’ll hot mic or open the video-camera, and get a

00:02:09.900 --> 00:02:15.600
geo-location of that phone. There’s FIREWALK which is a pretty amazing network sniffer.

00:02:15.600 --> 00:02:21.180
There’s JETPLOW which is a firmware that gives the NSA backdoor access to a Cisco firewall. Then,

00:02:21.180 --> 00:02:26.160
there’s DEITYBOUNCE which is an implant that goes onto a Dell server which can get them backdoor

00:02:26.160 --> 00:02:31.560
access to that, but one of my favorites is called RAGEMASTER. This is a little device that taps into

00:02:31.560 --> 00:02:37.320
any VGA port. This is the connector that goes from your computer to your monitor. With this,

00:02:37.320 --> 00:02:42.600
it can wirelessly transmit everything that VGA connector sees, essentially cloning that

00:02:42.600 --> 00:02:48.360
monitor to be seen by someone else at a distance. Let’s imagine how these hacks might take place;

00:02:48.360 --> 00:02:53.160
the NSA might intercept a Cisco firewall being delivered somewhere and they’ll open

00:02:53.160 --> 00:02:58.500
the box carefully, put their firmware on it, and then seal the box back up.

00:02:58.500 --> 00:03:03.900
This will give them permanent backdoor access into that firewall whenever they want, or if they

00:03:03.900 --> 00:03:07.680
know their target is going to stay at a hotel, they can get a room next door to their target,

00:03:07.680 --> 00:03:13.020
break into their target’s room, install COTTONMOUTH or RAGEMASTER and then listen

00:03:13.020 --> 00:03:19.080
in the other room for the wireless signal to see everything that person was typing and seeing. Even

00:03:19.080 --> 00:03:24.840
if that person wasn’t connected to the wireless or any network at all, this is possible and

00:03:24.840 --> 00:03:32.760
it’s insanely impressive. Yes, fifty items in this catalogue were leaked to the public in 2013 but we

00:03:32.760 --> 00:03:39.120
only saw descriptions of these devices; no actual devices were seen. Now, upon closer inspection,

00:03:39.120 --> 00:03:46.320
we see that these items were intended to be used by TAO. TAO stands for Tailored Access Operations,

00:03:46.320 --> 00:03:52.620
TAO. It’s a unit within NSA that has a primary objective to gather intelligence on computer

00:03:52.620 --> 00:03:59.040
systems. The people within TAO have access to the most sophisticated hacking tools ever created.

00:03:59.040 --> 00:04:03.720
They have the budget and ability to spend years on research and development to make

00:04:03.720 --> 00:04:09.960
insane tools and then use them whenever they need. TAO is NSA’s elite hacking force and

00:04:09.960 --> 00:04:13.380
they’ve actually changed their name to Computer Network Operations now but for this story,

00:04:13.380 --> 00:04:18.900
I’m gonna just keep calling them TAO. When security companies research hacking campaigns,

00:04:18.900 --> 00:04:24.060
they can’t tell for sure who did it, so they give hackers a unique codename. Fancy Bear is

00:04:24.060 --> 00:04:29.100
what’s given to the Russian hackers. Charming Kitten is given to Iran and so on. But security

00:04:29.100 --> 00:04:34.920
companies have investigated certain malware that’s come from the NSA. A hacking name was

00:04:34.920 --> 00:04:41.760
given to the NSA. The name they were given is the Equation Group and it’s believed

00:04:41.760 --> 00:04:47.220
that whoever is doing work for the Equation Group is specifically TAO within the NSA.

00:04:47.220 --> 00:04:58.440
JACK (INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet.

00:04:58.440 --> 00:05:09.180
I’m Jack Rhysider. [00:05:00] This is Darknet Diaries. [INTRO MUSIC ENDS]

00:05:09.180 --> 00:05:21.180
JACK: Okay, today we’re talking with someone who I really wanted to talk to for a long time;

00:05:21.180 --> 00:05:24.840
someone who knows a lot about security and has been doing this for decades.

00:05:24.840 --> 00:05:29.220
When you’re battling hackers for that long, you surely have some interesting stories.

00:05:29.220 --> 00:05:34.620
JAKE: My name’s Jake Williams. I’m the founder of Rendition InfoSec.

00:05:34.620 --> 00:05:39.840
I think right now I’m an InfoSec dumpster fire putter-outer, basically. All over the board,

00:05:39.840 --> 00:05:42.720
when it comes to InfoSec, incident response, Red Team, SOC, whatever.

00:05:42.720 --> 00:05:45.240
JACK: What does Rendition Security do?

00:05:45.240 --> 00:05:49.080
JAKE: Well, we’re on a managed security operation center, so I manage SOC,

00:05:49.080 --> 00:05:55.080
or vSOC as some people call it. We do that 24/7 here in the US to actually manage out of Augusta,

00:05:55.080 --> 00:06:02.160
Georgia. Separately, worldwide, we do Red Team and incident response. We have folks actually in

00:06:02.160 --> 00:06:09.180
several countries and do a lot of international work as well as domestic work as well.

00:06:09.180 --> 00:06:13.320
Basically, Red Team incident response is a big piece for digital forensics.

00:06:13.320 --> 00:06:17.400
Some security architecture work and then of course, the vSOC.

00:06:17.400 --> 00:06:23.100
JACK: For you Twitter folks out there, this is @MalwareJake on Twitter. I say that because he

00:06:23.100 --> 00:06:26.820
has fifty thousand followers on Twitter and he’s pretty well-known. Besides being

00:06:26.820 --> 00:06:31.860
the founder of Rendition Security, he also teaches SANS courses. These are information

00:06:31.860 --> 00:06:36.660
security courses and specifically he teaches courses on threat intelligence, forensics,

00:06:36.660 --> 00:06:40.620
penetration testing, and even threat detection. SANS courses are usually

00:06:40.620 --> 00:06:44.820
fantastic and extremely informative and have some of the best teachers. For this story,

00:06:44.820 --> 00:06:50.460
we’re gonna go back to August 2016. [MUSIC] Jake was working for Rendition Security then and his

00:06:50.460 --> 00:06:55.320
client had a specific security issue that was so big they needed Jake to go on-site to help.

00:06:55.320 --> 00:07:00.960
This was an incident response; the client was hit with something serious so Jake and

00:07:00.960 --> 00:07:06.060
his team went to the client location and took over a conference room to begin doing triage.

00:07:06.060 --> 00:07:10.680
JAKE: We already had a War Room per se right there for the incident response.

00:07:10.680 --> 00:07:15.060
JACK: Jake had been at this client site for a few days now trying to help resolve this

00:07:15.060 --> 00:07:20.520
security incident. Back at the home office of Rendition Security, they have a full-on SOC,

00:07:20.520 --> 00:07:25.440
a Security Operations Center. While a few people were on-site helping the client,

00:07:25.440 --> 00:07:30.840
there were many more people back in the office helping out, too. A SOC is usually quite a sight

00:07:30.840 --> 00:07:36.000
to see. They have lots of technicians or analysts sitting at desks with three or four monitors each,

00:07:36.000 --> 00:07:41.820
analyzing alerts. But on the wall in the front of the SOC will be all kinds of big screen monitors;

00:07:41.820 --> 00:07:47.460
world maps, attack maps, rosters, news feeds. On one of the monitors in this

00:07:47.460 --> 00:07:53.700
SOC was a Twitter feed. Now, in the early morning of August 13th, 2016, one of the

00:07:53.700 --> 00:07:58.740
people in the SOC saw something on that Twitter feed and they knew they needed to tell Jake.

00:07:58.740 --> 00:08:01.740
JAKE: Maybe 6:30 or 7:00 in the morning,

00:08:01.740 --> 00:08:05.820
something like that. I remember we were just rolling out. If I remember correctly,

00:08:05.820 --> 00:08:10.620
I think the Sonic for breakfast; grabbing some of those breakfast burritos they have.

00:08:10.620 --> 00:08:16.920
JACK: The tweet that Jake read was posted by someone with the name Shadow Brokerss with two

00:08:16.920 --> 00:08:23.520
s’s at the end. Tweet said, quote, “We follow Equation Group traffic. We find Equation Group

00:08:23.520 --> 00:08:31.080
source range. We hack Equation Group. We find many Equation Group cyber-weapons. You see picture? We

00:08:31.080 --> 00:08:37.320
give you some Equation Group files free. You see? This is good proof, no? You enjoy. You

00:08:37.320 --> 00:08:43.140
break many things, you find many intrusions, you write many bad words but not all. We are auction

00:08:43.140 --> 00:08:48.600
the best files.” End quote. That is hard to understand. Sounds like whoever wrote that,

00:08:48.600 --> 00:08:53.160
English was not their first language. But it basically said this group, Shadow Brokers,

00:08:53.160 --> 00:08:59.880
have stolen some cyber-weapons from the NSA, specifically TAO within the NSA which is what

00:08:59.880 --> 00:09:05.880
Equation Group is, and that they’re giving away one of these exploits for free to everyone now,

00:09:05.880 --> 00:09:12.043
and auctioning the rest off. The Rendition SOC saw this, thought it was important.

00:09:12.043 --> 00:09:17.100
JAKE: [00:10:00] We got alerted from one of them and said hey, are you seeing this?

00:09:17.100 --> 00:09:20.700
Up to that point, the answer is no, we haven’t seen this. Then,

00:09:20.700 --> 00:09:23.760
we’re popping up on Twitter and going out to GitHub and saying okay,

00:09:23.760 --> 00:09:29.700
hey, first it was the download the stuff from GitHub and then it was a oh snap, this is real.

00:09:29.700 --> 00:09:33.900
This isn’t a hoax. This is real stuff.
JACK: Even though Jake is the President

00:09:33.900 --> 00:09:37.800
of Rendition Security and even though he was on a client’s site at the time,

00:09:37.800 --> 00:09:42.900
he felt this was so important that he took time out of his day to download these files and to

00:09:42.900 --> 00:09:48.840
look at this malware that the Shadow Brokers had released. The malware was a specific exploit for

00:09:48.840 --> 00:09:53.760
Cisco and Fortinet firewalls. This malware would allow the attacker to send an exploit

00:09:53.760 --> 00:09:59.460
to a fully-patched firewall and allow the hacker to take full control of that firewall.

00:09:59.460 --> 00:10:07.200
JAKE: Well, I downloaded some files that, we’ll say for sake of argument, looked legit.

00:10:07.200 --> 00:10:15.900
JACK: Hm, Jake says it looks legit. Let’s consider what that means for a moment;

00:10:15.900 --> 00:10:20.220
someone calling themselves Shadow Brokers has claimed that they got one of TAO’s

00:10:20.220 --> 00:10:25.440
secret exploits and publicly dumped it for the world to see, an exploit that Cisco and

00:10:25.440 --> 00:10:31.260
Fortinet did not know existed. This exploit does in fact work on a fully-updated firewall,

00:10:31.260 --> 00:10:37.920
meaning it was previously unknown to the world and now Jake is saying it looks legit.

00:10:37.920 --> 00:10:42.900
JAKE: Yeah, I mean, I think that’s as far as I can go directly without

00:10:42.900 --> 00:10:46.920
confirming or denying. We’ll say looked like legitimate threats.

00:10:46.920 --> 00:10:52.680
JACK: I feel like Jake might know something more about this than he’s letting on. I mean,

00:10:52.680 --> 00:10:58.380
what president of a security company is going to take time out to download a potential NSA exploit,

00:10:58.380 --> 00:11:02.640
test it, and then come out and say it looks legit? After this,

00:11:02.640 --> 00:11:06.120
he went into the client office to continue doing work for them.

00:11:06.120 --> 00:11:15.720
JAKE: Actually, it was a Cisco customer who had a lot of legacy Cisco equipment. Having some of

00:11:15.720 --> 00:11:23.400
that legacy Cisco equipment with the – basically, we’ll just say it was equipment that was itself

00:11:23.400 --> 00:11:27.900
vulnerable in some of the configuration. Some of the stuff they had, actually, was vulnerable

00:11:27.900 --> 00:11:34.020
to some of the stuff that was released which is obviously not a best-case kind of scenario there.

00:11:34.020 --> 00:11:40.200
Yeah, definitely was doing some digging into what’s in the dump and what kind of

00:11:40.200 --> 00:11:45.300
exposure does that leave not just them that we’re on-site with but obviously other clients as well.

00:11:45.300 --> 00:11:49.860
JACK: Both Cisco and Fortinet confirmed this was a vulnerability they were not aware of

00:11:49.860 --> 00:11:55.980
and issued a patch right away but this barely fixed the issue. The issue now is who are these

00:11:55.980 --> 00:12:01.560
Shadow Brokers? How many exploits do they have? [MUSIC] How did they get these? Not to mention,

00:12:01.560 --> 00:12:05.700
they’re selling even more of these to the highest bidder. They even went on to say if

00:12:05.700 --> 00:12:10.080
they can get one million Bitcoin, they’ll dump everything to the public for everyone to see.

00:12:10.080 --> 00:12:16.110
But the immediate problem is realizing that this top-secret exploit is now in the enemy’s hands.

00:12:16.110 --> 00:12:20.940
JAKE: Well, everybody’s hands, right? At the time, bear in mind, it’s one zip file and it is a – it’s

00:12:20.940 --> 00:12:31.200
one zip file and there’s no evidence at this point that they have anything else

00:12:31.200 --> 00:12:38.100
specifically. I know they claimed to but in their initial post, it’s all gibberish anyway.

00:12:38.100 --> 00:12:46.620
I’m kind of looking at it going, it’s one file. Without giving the specifics, let’s just say that

00:12:46.620 --> 00:12:52.800
it is the kind of thing that I could see somebody having without having everything else.

00:12:52.800 --> 00:12:59.160
There are plausible scenarios in which one could have that specific thing and not have

00:12:59.160 --> 00:13:00.360
everything else that they dump later.

00:13:00.360 --> 00:13:01.734
JACK: Okay.
JAKE: Yeah.

00:13:01.734 --> 00:13:06.960
JACK: Did you think – did you have a guess at who might be Shadow Brokers at that point?

00:13:06.960 --> 00:13:11.640
JAKE: I think at that point it was a little too early for me to really

00:13:11.640 --> 00:13:22.020
develop much of a theory beyond the wow. It was quite a dump so I think at the time,

00:13:22.020 --> 00:13:32.340
we did a lot of internal discussion and analysis. Rendition, we did quite a bit of that.

00:13:32.340 --> 00:13:39.120
I think for us, we were kind of split between either this is legit; they’re dumping this to

00:13:39.120 --> 00:13:45.000
show that they have legit other stuff to sell. ‘Cause remember, that was part of the offer,

00:13:45.000 --> 00:13:51.540
right? Was that they would release the keys to decrypt these other awesome, as of yet unknown,

00:13:51.540 --> 00:13:56.460
even what – quantity and quality, these other zero-days. We’re gonna release all

00:13:56.460 --> 00:14:04.380
this stuff. This is the preview or the teaser, as it were, to get people’s appetites whet.

00:14:04.380 --> 00:14:10.380
I think about half of us, the group, kind of looked and said yeah, that’s probably what it is.

00:14:10.380 --> 00:14:14.460
There was another group that was – another [00:15:00] contingent that was like yeah, no,

00:14:14.460 --> 00:14:18.420
this has nothing to do with money, absolutely nothing to do with money. This is full-on,

00:14:18.420 --> 00:14:23.640
regardless of what else they have, this is full-on an information operation.

00:14:23.640 --> 00:14:26.760
I think I kind of flip-flopped between the two. I gravitate to

00:14:26.760 --> 00:14:32.220
information operation but I could see the other argument being legit as well,

00:14:32.220 --> 00:14:37.320
that some insider perhaps had walked out with stuff and was motivated by money.

00:14:37.320 --> 00:14:42.420
JACK: The news was now spreading all over the internet that the Shadow Brokers had leaked NSA

00:14:42.420 --> 00:14:48.780
hacking tools. The Guardian was posting about it, Ars Technica, Engadget, The Atlantic, Wired, even

00:14:48.780 --> 00:14:55.500
the New York Times. This was a really big deal and had the attention of the world. How much did the

00:14:55.500 --> 00:14:59.340
auction get to? Well, in the first twenty-four hours after the dump, the auction only received

00:14:59.340 --> 00:15:06.900
$937 which I think was quite a disappointment for the Shadow Brokers. People everywhere were trying

00:15:06.900 --> 00:15:13.440
to guess how they got these exploits. Did someone hack the NSA? Maybe the NSA hacked them but then

00:15:13.440 --> 00:15:18.660
left their hacker tools behind. Because if the NSA is going to hack something, they need to put their

00:15:18.660 --> 00:15:24.960
exploit there first and then execute it. Maybe they just left their exploits behind or maybe

00:15:24.960 --> 00:15:30.780
someone from the NSA grabbed this stuff and walked out with it. Nobody knew for sure but these Shadow

00:15:30.780 --> 00:15:37.560
Brokers had captured the attention of the world. Two months later, Joe Biden was on NBC’s Meet the

00:15:37.560 --> 00:15:42.960
Press. The two were talking about Russia possibly hacking the elections and they had this to say.

00:15:42.960 --> 00:15:48.000
CHUCK: I talked with Ambassador – former Russian Ambassador Mike McFaul. We talked about the idea

00:15:48.000 --> 00:15:53.340
that everyone’s – you gotta respond when they’re hacking. You gotta do something.

00:15:53.340 --> 00:15:58.440
He described it as a high hard one, maybe just like in baseball; you throw a high,

00:15:58.440 --> 00:16:02.160
hard one to send a message. But we sent a message, yeah, to Putin.

00:16:02.160 --> 00:16:10.500
JOE: We’re sending a message. We have the capacity to do it. The message…

00:16:10.500 --> 00:16:11.160
CHUCK: They’ll know it?

00:16:11.160 --> 00:16:14.880
JOE: …he’ll know it. It’ll be at the time of our choosing and under

00:16:14.880 --> 00:16:17.820
the circumstances that had the greatest impact.

00:16:17.820 --> 00:16:23.880
CHUCK: A message is going to be sent? Will the public know it?

00:16:23.880 --> 00:16:25.260
JOE: I hope not.

00:16:25.260 --> 00:16:29.820
CHUCK: Mr. Vice President, I’ll leave it there. Thank you, sir.

00:16:29.820 --> 00:16:30.360
JOE: Thank you.

00:16:30.360 --> 00:16:35.820
JACK: Two weeks after that, Shadow Brokers published their second dump. First,

00:16:35.820 --> 00:16:41.460
they say this right away, quote, [MUSIC] “Why is dirty grandpa threatening CIA’s cyber-war with

00:16:41.460 --> 00:16:47.940
Russia?” End quote. Now, I believe they’re calling Biden dirty grandpa here because of what he said

00:16:47.940 --> 00:16:55.620
just a few weeks earlier which is a really, really weird thing to say, but okay. The contents of this

00:16:55.620 --> 00:16:59.580
second dump were just a big list of IP addresses and the Shadow Brokers claimed that this was a

00:16:59.580 --> 00:17:04.260
list of servers in the world that the NSA had infected or was using as a server to launch

00:17:04.260 --> 00:17:09.660
exploits from. This wasn’t quite that big of a dump; the message was more like telling the NSA

00:17:09.660 --> 00:17:13.800
that the Shadow Brokers weren’t going away and this is a reminder that they’re still a threat.

00:17:13.800 --> 00:17:19.080
JAKE: I think the second dump was really interesting because the second dump, given all

00:17:19.080 --> 00:17:25.680
the IP addresses that were there, became a really interesting data set for researchers who had a lot

00:17:25.680 --> 00:17:32.760
of NetFlow data. We did, indeed – and I think just like anybody else, right, went back through

00:17:32.760 --> 00:17:39.840
NetFlow data for our clients and said okay, do we see IP addresses from this list connecting to

00:17:39.840 --> 00:17:44.700
any client anything? Because obviously if they are, that could be an indicator of compromise.

00:17:44.700 --> 00:17:50.580
It’s definitely an indicator of concern but yeah, I mean other than analyzing what they wrote,

00:17:50.580 --> 00:17:54.240
the Shadow Brokers themselves wrote and posted. I think they were on Steemit still at the time;

00:17:54.240 --> 00:18:01.320
yeah, Steemit. Basically, beyond looking at what they wrote, it wasn’t really a – that next drop

00:18:01.320 --> 00:18:05.100
wasn’t earth-shattering. There was nothing really in there besides the IP addresses but it was more

00:18:05.100 --> 00:18:08.640
actionable than the first one, to be honest, for the majority of InfoSec professionals.

00:18:08.640 --> 00:18:14.340
JACK: The reason why this was actionable for some InfoSec professionals is because we got a

00:18:14.340 --> 00:18:20.580
list of IP addresses that the NSA is possibly hacking from. If you can cross-reference that

00:18:20.580 --> 00:18:24.840
with the IP addresses that are coming into your network like hits to your website,

00:18:24.840 --> 00:18:33.420
logins to your VPN, that kind of thing, you might be able to notice if the NSA was hacking you; or,

00:18:33.420 --> 00:18:37.200
at least in theory, that’s what you could possibly check for.

00:18:37.200 --> 00:18:42.960
Stay with us because after the break, the world is about to change. [00:20:00] Now,

00:18:42.960 --> 00:18:48.360
something huge happened in the world just after this second dump. The US had a presidential

00:18:48.360 --> 00:18:53.220
election and Donald Trump took the election. There was a lot of rhetoric at the time that

00:18:53.220 --> 00:18:57.300
the Russians meddled with the election and just as people were starting to talk about that,

00:18:57.300 --> 00:19:04.080
in January of 2017, the Shadow Brokers made another post, this one saying goodbye.

00:19:04.080 --> 00:19:08.160
The post said that they did not get the Bitcoin they were hoping for so they were just going to

00:19:08.160 --> 00:19:13.560
release more hacking tools for free for anyone. [MUSIC] They posted sixty-one Windows executables,

00:19:13.560 --> 00:19:18.180
link libraries, and drivers, claiming each one was developed by the Equation Group,

00:19:18.180 --> 00:19:23.220
TAO within the NSA, and can be used to hack Windows computers. Again,

00:19:23.220 --> 00:19:28.980
these did check out and they were new exploits not previously seen and they looked legit again,

00:19:28.980 --> 00:19:35.880
as in they were probably created by the TAO in NSA. The Shadow Brokers then signed off,

00:19:35.880 --> 00:19:40.320
saying goodbye, claiming they’re going to go dark because they didn’t get enough Bitcoins.

00:19:40.320 --> 00:19:46.740
JAKE: Sixty-seven or something files. The actual files themselves also get sent out.

00:19:46.740 --> 00:19:55.440
That was a pretty big deal for us because in their directory listing it says something like Event

00:19:55.440 --> 00:20:00.420
Log Edit or Edit Event Log, something, and there’s multiple references to it.

00:20:00.420 --> 00:20:04.980
In the InfoSec community, and the forensics, their deeper community, a lot of folks take those

00:20:04.980 --> 00:20:13.620
event logs to be sacred, right? There are whole textbooks written about how you can basically

00:20:13.620 --> 00:20:17.880
clear an event log but you can’t surgically edit one. Now, those of us in incident response have

00:20:17.880 --> 00:20:26.040
known that’s been not true for some period of time but we don’t have – most of us don’t have

00:20:26.040 --> 00:20:30.780
publicly available tools that we can point to and say no, no, look, here’s the capability.

00:20:30.780 --> 00:20:35.880
The capability definitely exists; here’s where it’s at. Again, anybody who’s in this business

00:20:35.880 --> 00:20:40.800
knows that it’s a capability. We even know who had it up to that point but suddenly overnight,

00:20:40.800 --> 00:20:47.280
everybody had it. It changed the game on incident response and having seen that,

00:20:47.280 --> 00:20:52.860
we wanted to go ahead and basically, that was one of the first major posts that I wrote about it,

00:20:52.860 --> 00:20:58.320
was to say hey look, this is a game-changer for incident response. It’s a game-changer

00:20:58.320 --> 00:21:02.700
for a lot of stuff but specifically for IR, this is a full-on game-changer; pay attention.

00:21:02.700 --> 00:21:08.400
JACK: Hm, yeah. The exploit they dumped means a hacker can edit an event log in Windows.

00:21:08.400 --> 00:21:15.180
This was previously not a capability. Well, not a capability except for the TAO unit within the NSA,

00:21:15.180 --> 00:21:21.720
but now the whole world has this capability. This could have a big impact. Jake continued to analyze

00:21:21.720 --> 00:21:27.360
what the Shadow Brokers were dumping. Yeah, he was blogging about it, talking about what he thinks of

00:21:27.360 --> 00:21:32.160
this and what the important takeaways are from these dumps. But this wasn’t the last we heard

00:21:32.160 --> 00:21:37.080
from Shadow Brokers; about three months later, in the first week of April, they showed back up.

00:21:37.080 --> 00:21:42.720
They made another post, dumping more stolen hacking tools. In this post, they even had

00:21:42.720 --> 00:21:48.660
a message for the president. [MUSIC] Quote, “The Shadow Brokers voted for you. The Shadow Brokers

00:21:48.660 --> 00:21:54.240
supports you. The Shadow Brokers is losing faith in you, Mr. Trump. It’s appearing you

00:21:54.240 --> 00:22:01.800
are abandoning your base, the movement, and the peoples who getting you elected.” End quote. Huh,

00:22:01.800 --> 00:22:07.560
does this mean the Shadow Brokers are part of the far-right? Or is this some kind of smoke screen?

00:22:07.560 --> 00:22:14.100
Well, again, Jake saw this dump, analyzed it, made sense of it, and then made a blog post about it.

00:22:14.100 --> 00:22:18.720
JAKE: I said look, if you track the dumps and you track some of the rhetoric,

00:22:18.720 --> 00:22:27.660
the timing of the dumps is very conveniently aligned around times that Russia is being

00:22:27.660 --> 00:22:33.420
called out in the press for hacking. Literally what they’re doing is, I hypothesized and I said

00:22:33.420 --> 00:22:40.500
basically, I can’t say for sure that the timing is coincidental or circumstantial, whatever. We can

00:22:40.500 --> 00:22:47.700
say that the Shadow Brokers’ dumps, the timing of these definitely lines up with times that Russian

00:22:47.700 --> 00:22:53.400
hacking is in the news and in the tech space which is largely where that’s being covered,

00:22:53.400 --> 00:22:59.880
them dumping these – creating these dumps is completely taking the focus away from

00:22:59.880 --> 00:23:07.080
Russian hacking and putting it on oh my gosh, NSA lost tools, allegedly. Check box, right?

00:23:07.080 --> 00:23:12.300
JACK: It’s always weird when hacking stories get political for me ‘cause I don’t think us security

00:23:12.300 --> 00:23:16.980
people even consciously [00:25:00] realize when it does get political. We just see some shadowy

00:23:16.980 --> 00:23:21.600
group of people dumping hacking tools which is a real impact on the networks we’re trying to

00:23:21.600 --> 00:23:28.320
secure. But if you lean into the story, you start seeing things like Biden and Russia and elections,

00:23:28.320 --> 00:23:33.840
and Donald Trump. Phew. These were some of the observations that Jake

00:23:33.840 --> 00:23:38.340
saw and he was starting to post this to his blog. Now keep in mind, Jake here is

00:23:38.340 --> 00:23:43.740
known as @MalwareJake on Twitter where he has 50,000 followers. When he posts a blog post,

00:23:43.740 --> 00:23:49.620
it gets considerable eyes on it. This particular blog post got retweeted and started spreading.

00:23:49.620 --> 00:23:55.560
JAKE: Well yeah, not just retweeted but that actually took the content and basically wrote

00:23:55.560 --> 00:24:01.080
stories around the content saying oh, Jake Williams of Rendition says that

00:24:01.080 --> 00:24:06.060
he believes this is, if not a Russian operation, in the interests of Russia,

00:24:06.060 --> 00:24:10.020
kind of thing. Folks wrote stories about the analysis, kind of deal.

00:24:10.020 --> 00:24:13.380
JACK: It’s kind of exciting to have a blog post of yours gain some traction

00:24:13.380 --> 00:24:16.800
like that. It feels good that you have something helpful to say about

00:24:16.800 --> 00:24:21.780
the conversation and people appreciate your thoughts. But then, the next day…

00:24:21.780 --> 00:24:25.680
JAKE: Gosh, I was in Orlando teaching at a SANS event. I was actually sick at the time too,

00:24:25.680 --> 00:24:30.720
on top – I was running an actual fever on top of everything else. But I was actually teaching

00:24:30.720 --> 00:24:38.400
exploit development at the time, advanced exploit dev in Orlando. I wake up, phone alarm goes off,

00:24:38.400 --> 00:24:43.020
whatever. [MUSIC] I wake up and I check Twitter notifications and at the time,

00:24:43.020 --> 00:24:46.560
I saw all my notifications go into the phone, what have you.

00:24:46.560 --> 00:24:48.240
I just do a little drag-down and it’s like, 99+. 99’s where it stops counting. It’s like,

00:24:48.240 --> 00:24:57.960
99+ notifications. I’m like ugh, either something really good has, you know, like a blog post has

00:24:57.960 --> 00:25:04.740
gone viral or something – I’m like, my first thought is I tweeted something that really

00:25:04.740 --> 00:25:10.620
pissed a bunch of people off and I’ve got some whatever it is, the gang-up kind of thing going,

00:25:10.620 --> 00:25:18.420
or dogpiling or something. Then my blood ran cold when I saw what had actually happened.

00:25:18.420 --> 00:25:25.440
JACK: Shadow Brokers, the secret hackers who had the attention of the entire InfoSec community and

00:25:25.440 --> 00:25:34.140
so many more people, had tweeted directly at Jake. The tweet said, quote, “@MalwareJake, you having a

00:25:34.140 --> 00:25:41.340
big mouth for former Equation Group member. Shadow Brokers is not in habit of outing Equation Group

00:25:41.340 --> 00:25:48.000
members but had to make exception for big mouth.” End quote. The English was rubbish but the message

00:25:48.000 --> 00:25:52.920
was clear. Whoever these Shadow Brokers were had just stated publicly for everyone in the

00:25:52.920 --> 00:25:59.460
world to know that Jake was a former member of NSA’s TAO, a.k.a, the Equation Group.

00:25:59.460 --> 00:26:01.140
JAKE: Yes, yep.

00:26:01.140 --> 00:26:05.760
JACK: The thing is, it’s true. Jake had spent almost two decades working in the information

00:26:05.760 --> 00:26:11.700
community for the government and about five years in TAO. But Jake had kept this a secret,

00:26:11.700 --> 00:26:15.900
almost just to himself even though he was a public figure with tons of Twitter followers,

00:26:15.900 --> 00:26:20.760
a speaker at events, a SANS instructor. Nobody outside his close friends and

00:26:20.760 --> 00:26:24.720
family and ex-co-workers knew he was a former member of TAO.

00:26:24.720 --> 00:26:30.180
JAKE: No, I certainly wasn’t tweeting that – I mean, I had a hole in my – obviously, if

00:26:30.180 --> 00:26:35.700
you go to my LinkedIn, you can see I work for the DoD, right. There’s no question there but I mean,

00:26:35.700 --> 00:26:41.760
in our space, there’s a lot of people in InfoSec that worked at some time for the DoD. I was former

00:26:41.760 --> 00:26:49.980
army and I felt like that was all – yeah, again, it was DoD but yeah, to get in and say NSA – and

00:26:49.980 --> 00:26:59.100
really on top of that, to say NSA hacker, is a whole different level of – yeah, that, I guess.

00:26:59.100 --> 00:27:06.000
It wasn’t something that I really was planning to start talking about out there, but whatever. Yeah.

00:27:06.000 --> 00:27:08.460
JACK: What’s your initial reaction when you saw that?

00:27:08.460 --> 00:27:12.600
JAKE: Well, I’ll be honest and say it was unprecedented

00:27:12.600 --> 00:27:19.140
and I didn’t really have a good feel for how the government was gonna handle this. A lot of people

00:27:19.140 --> 00:27:25.560
have chatted about this with some of their folks. Over the last couple of years, what I didn’t know

00:27:25.560 --> 00:27:30.120
at the time, the thing that most concerned me was the complete lack of predictability

00:27:30.120 --> 00:27:35.340
for what the US government was gonna do. I didn’t know if the FBI was gonna sweep in

00:27:35.340 --> 00:27:42.060
and be holy goodness, this is Russia. I just don’t know. There is, even at that time,

00:27:42.060 --> 00:27:48.600
a thought that it’s Russia. The community, they’re definitely – you mentioned before,

00:27:48.600 --> 00:27:55.500
some of the Trump rhetoric – I didn’t know if – it wasn’t just what was the US government gonna do,

00:27:55.500 --> 00:28:01.740
but how were ordinary people gonna react to this? It was a very challenging time because of that,

00:28:01.740 --> 00:28:07.320
I think, more than anything else, was just the unpredictability. Yeah. It’s unprecedented.

00:28:07.320 --> 00:28:09.540
JACK: That must have ruined your whole day.

00:28:09.540 --> 00:28:14.040
JAKE: Like I said, I was already sick. I’ll be honest and tell you that [00:30:00]

00:28:14.040 --> 00:28:21.300
I can’t picture a better place to have to deal with that than teaching a SANS class and it’s what

00:28:21.300 --> 00:28:27.900
we call boot camp class that runs from nine in the morning ‘til seven p.m. I feel like that night,

00:28:27.900 --> 00:28:33.660
I know we had some other event that I was staffing there, so I literally worked from nine to nine

00:28:33.660 --> 00:28:37.500
despite being sick and I cannot fathom a better way to have dealt with that.

00:28:37.500 --> 00:28:39.300
JACK: Why?

00:28:39.300 --> 00:28:44.040
JAKE: It was forced distraction. I didn’t have time to mull over it as

00:28:44.040 --> 00:28:49.680
much as just go do your thing. I think that was helpful to me.

00:28:49.680 --> 00:28:52.080
JACK: Yeah, so I was just wondering kind of the overall message; do you

00:28:52.080 --> 00:28:54.300
think they were guessing at who you were or…?

00:28:54.300 --> 00:29:03.180
JAKE: No, not a bit. I can say with confidence that – with high confidence

00:29:03.180 --> 00:29:09.480
that they 100% were not guessing at who I was. I say that with high confidence. I can’t get

00:29:09.480 --> 00:29:16.320
into the why but I will say for sure they were not guessing at who I was. They had that dead

00:29:16.320 --> 00:29:22.680
to rights. They knew; it wasn’t a guess. Based on some other stuff that they’ve written, I’m fairly

00:29:22.680 --> 00:29:31.260
certain they had that, yeah. But what the message was is another thing entirely, right? It could be,

00:29:31.260 --> 00:29:35.160
and I’ve put a lot of thought into this, the message could be

00:29:35.160 --> 00:29:40.620
purely that they didn’t like what I was writing and wanted me to shut up and wanted that blog post

00:29:40.620 --> 00:29:47.820
down. My business partner at the time reacted exactly that way and took the blog post down.

00:29:47.820 --> 00:29:53.640
Even with links to it, right, he basically rewrote it as a one-paragraph nothing;

00:29:53.640 --> 00:29:58.800
no real content to it, no real meat to it. There wasn’t a 404 on the website but he took

00:29:58.800 --> 00:30:07.020
that down and if they were trying to accomplish that goal, that they did. They definitely did.

00:30:07.020 --> 00:30:14.100
It could have also been that if somebody else was out there that hadn’t yet been identified,

00:30:14.100 --> 00:30:19.440
that they were trying to say hey, if you do what this guy does, we’re going to out you

00:30:19.440 --> 00:30:25.380
too. I don’t know, I would expect that if anybody else were thinking about commenting on – former

00:30:25.380 --> 00:30:31.320
NSA folks were thinking about commenting on the Shadow Brokers, I would expect that would be a

00:30:31.320 --> 00:30:36.240
deterrent as well. But again, as far as their motivation, it’s really hard to nail down.

00:30:36.240 --> 00:30:43.440
JACK: [MUSIC] What a weird and surreal thing to happen to Jake;

00:30:43.440 --> 00:30:51.420
to be outed publicly by this mysterious hacker crew. It’s like he was doxed by them. The tweet

00:30:51.420 --> 00:30:55.800
didn’t just stop there. It went on to say how the Shadow Brokers know about some top-secret

00:30:55.800 --> 00:31:02.700
weird missions and I’m gonna assume classified things that Jake was involved in while at TAO.

00:31:02.700 --> 00:31:08.280
The Shadow Brokers’ tweets started, or their messages, were saying things like

00:31:08.280 --> 00:31:14.400
connecting you to things like odd jobs, CCI, Windows BITS persistence, and the Q Group.

00:31:14.400 --> 00:31:16.560
JAKE: Mm-hm.

00:31:16.560 --> 00:31:18.780
JACK: Do you have any comment about that?

00:31:18.780 --> 00:31:24.320
JAKE: There’s no safe comment that I can make on any of that.

00:31:24.320 --> 00:31:31.380
JACK: A few days after that, the Shadow Brokers released yet another set of stolen exploits. This

00:31:31.380 --> 00:31:38.760
one would make a huge splash in the world. This dump contained EternalBlue and EternalRomance,

00:31:38.760 --> 00:31:44.520
among others. Now, what’s so important about EternalBlue is that this is an exploit that can be

00:31:44.520 --> 00:31:49.680
used to remotely access Windows computers running SMB which was something that was installed by

00:31:49.680 --> 00:31:54.720
default on all Windows machines, making millions and millions and millions of Windows computers

00:31:54.720 --> 00:32:01.020
vulnerable to this exploit. EternalBlue was huge. This was the biggest of all their exploits and

00:32:01.020 --> 00:32:05.760
it just landed in the hands of the general public for any hacker in the world to use.

00:32:05.760 --> 00:32:09.540
EternalBlue might go down as one of the most successful hacking tools in history.

00:32:09.540 --> 00:32:14.160
It’s really effective for letting hackers into Windows machines but here’s the strange thing;

00:32:14.160 --> 00:32:20.640
just about a month before Shadow Brokers dropped this on the world, Microsoft had patched it. Yeah,

00:32:20.640 --> 00:32:25.260
they fixed it right before it was unleashed. Rumor has it that the NSA gave Microsoft

00:32:25.260 --> 00:32:32.220
a very quiet heads up that this might be in an upcoming dump so they can work on patching it

00:32:32.220 --> 00:32:39.060
before it hits the streets. Now, of course, this too was a really big deal for Jake. He knew that

00:32:39.060 --> 00:32:43.080
EternalBlue could have far-reaching effects on many of his customers but

00:32:43.080 --> 00:32:46.380
he was still coming to grips with the earlier tweet that called him

00:32:46.380 --> 00:32:52.680
out. That single tweet which outed Jake as an Equation Group member really changed his life.

00:32:52.680 --> 00:32:59.640
JAKE: It definitely changed my threat modeling, no question about that.

00:32:59.640 --> 00:33:06.480
At the time, and again, in hindsight, a lot of people I think, will say overreact, whatever,

00:33:06.480 --> 00:33:12.720
but – that I might have been overreacting but at the time we just didn’t know. We didn’t know

00:33:12.720 --> 00:33:18.600
what – [00:35:00] not just what they were gonna do but what anybody was gonna do in response.

00:33:18.600 --> 00:33:22.800
Our own government included private citizens who were pro-Trump, anti-Trump. They had

00:33:22.800 --> 00:33:28.560
taken a Trump stance, whatever that program – English language thing was.

00:33:28.560 --> 00:33:32.760
We just didn’t know. I guess the short of it is, from a media concern, I mean,

00:33:32.760 --> 00:33:39.720
I had to call my ex and say hey, here’s the situation. My ex, by the way, never having served,

00:33:39.720 --> 00:33:43.680
doesn’t really track with all this, and I’m having to give her this crash course;

00:33:43.680 --> 00:33:48.000
we think this is Russia, here’s the crash course on Russian intelligence services.

00:33:48.000 --> 00:33:53.460
We don’t think we have to worry about them but who knows? I’m more worried about people

00:33:53.460 --> 00:33:57.060
believing that it’s Russia and believing that we’re somehow cahooting with them and the short

00:33:57.060 --> 00:34:02.160
of it is do you want me to see my kid kind of thing, or I’ll totally understand if you say no,

00:34:02.160 --> 00:34:08.100
kind of deal. For several weeks, that’s the way we played it, was that me and my kid were on hangouts

00:34:08.100 --> 00:34:13.620
like you and I are now and not seeing each other in person because again, we just didn’t have a

00:34:13.620 --> 00:34:19.320
good handle on how or if or whatever people were going to react to this. Yeah, as far

00:34:19.320 --> 00:34:26.340
as changed my life, I mean, immediately. There are some immediate impacts that sucked. Yeah.

00:34:26.340 --> 00:34:30.600
JACK: Now, you’ve probably heard of the FBI’s Most Wanted list but did you know there’s also

00:34:30.600 --> 00:34:37.140
an FBI’s Cyber’s Most Wanted list, too? Criminal hackers that the FBI is looking for. When the FBI

00:34:37.140 --> 00:34:41.820
has enough evidence that a hacker has committed a crime, they will indict the hacker and if it’s

00:34:41.820 --> 00:34:46.860
severe enough, they’ll stick them on this list. Sometimes the FBI indicts nation state hackers,

00:34:46.860 --> 00:34:52.380
too. Like for instance, the Cyber’s Most Wanted has eleven hackers who work for the Russian

00:34:52.380 --> 00:34:59.400
government and they were involved in interfering with the 2016 elections. There’s also four Iranian

00:34:59.400 --> 00:35:04.920
hackers indicted for conducting espionage against the US. If any of these hackers on the Cyber’s

00:35:04.920 --> 00:35:09.720
Most Wanted list were to travel to the US or even a country that has an extradition treaty with the

00:35:09.720 --> 00:35:15.720
US, they will probably be arrested and brought to court but so far no hackers have been indicted

00:35:15.720 --> 00:35:21.840
for whoever was behind these Shadow Brokers dumps. Was there any travel that you cancelled?

00:35:21.840 --> 00:35:28.440
JAKE: Definitely, no question. They poked back up in July, I think. It was either late June

00:35:28.440 --> 00:35:36.960
or early July and I canceled a trip to Singapore. Yeah. One of the issues that came down was – and a

00:35:36.960 --> 00:35:43.740
lot of people forget about this in the dumps, but in the April dump where they dumped EternalBlue,

00:35:43.740 --> 00:35:48.780
they also dumped operational data involving SWIFT banks and some other stuff, or SWIFT

00:35:48.780 --> 00:35:58.200
transfers with some banks. That said, to me at least, without confirming the data’s authentic,

00:35:58.200 --> 00:36:01.980
said to me that it’s not this tooling they have; they have operations data.

00:36:01.980 --> 00:36:04.740
JACK: This means the Shadow Brokers are claiming to have

00:36:04.740 --> 00:36:08.520
seen some of the stuff the NSA has actually done.

00:36:08.520 --> 00:36:13.140
JAKE: At that point, if you are watching the news and you’re watching the US Department

00:36:13.140 --> 00:36:21.240
of Justice indict foreign hackers, you then have to step back and I definitely did this.

00:36:21.240 --> 00:36:27.240
I did a mental inventory of where did I target? Even then, doing risk modeling,

00:36:27.240 --> 00:36:33.060
doesn’t even matter where I targeted. Does it really matter where I targeted specifically or

00:36:33.060 --> 00:36:39.960
is it just because I was involved with that group that targeted X country?

00:36:39.960 --> 00:36:44.460
Basically, if I land, if I touch down here, am I likely to be arrested? It’s not just the question

00:36:44.460 --> 00:36:49.680
of what did they share, but – sorry, what did they share publicly, it’s also like we don’t

00:36:49.680 --> 00:36:55.200
know what they’re sharing on the back end and if it is Russian intelligence, or even if it’s not,

00:36:55.200 --> 00:36:59.220
whatever, but what are they, whoever they are, sharing on the back side that we don’t know about?

00:36:59.220 --> 00:37:04.440
That also was a huge unknown and that’s something I continue to play mentally today,

00:37:04.440 --> 00:37:11.220
kind of mentally play through. ‘Cause we saw Canada arrested the Huawei executive on our behalf

00:37:11.220 --> 00:37:17.100
in an airport, for goodness sakes. They never even cleared customs.

00:37:17.100 --> 00:37:22.080
Every time I travel internationally, I’m playing that whole risk modeling not just

00:37:22.080 --> 00:37:29.280
of was I involved with this country but for the country that I was involved with targeting,

00:37:29.280 --> 00:37:36.060
did I – basically, I’m on an extradition in some place. Do they have an extradition policy with

00:37:36.060 --> 00:37:42.120
that other country? Yeah, I canceled travel to Singapore. I had some other opportunities that I

00:37:42.120 --> 00:37:47.420
passed on entirely because I just don’t feel safe traveling to a number of countries as a result.

00:37:47.420 --> 00:37:50.880
JACK: Yeah, it almost feels like you’re at their mercy at this point.

00:37:50.880 --> 00:37:56.400
JAKE: Well, there’s no question. I guess, if you want to play – I’m gonna try not to play the

00:37:56.400 --> 00:38:03.840
victim here ‘cause, whatever, I made employment decisions. They were employment decisions. Those

00:38:03.840 --> 00:38:12.420
same decisions are why I’m where I’m at today. But yeah, there’s no question in my mind that they

00:38:12.420 --> 00:38:18.360
have a lot of [00:40:00] operational data about me and it’s stuff that could definitely paint it in

00:38:18.360 --> 00:38:26.280
the wrong light. Paint it in the wrong light would be very bad and would, for me personally,

00:38:26.280 --> 00:38:32.640
and I am definitely at their mercy for what it is that they choose to release or not release.

00:38:32.640 --> 00:38:40.620
I’ve said repeatedly that, and I stand by this; so far, we haven’t seen any US hackers indicted,

00:38:40.620 --> 00:38:46.440
nation state hackers indicted, but I am not a betting man. I would not bet against me being

00:38:46.440 --> 00:38:51.600
the first one, or on the first list. I can’t fathom that I won’t be involved somehow and

00:38:51.600 --> 00:38:55.440
I hope I’m not. It’s not something I’m wishing for or asking for. But again,

00:38:55.440 --> 00:39:00.780
just playing the odds. When somebody else finally – when another country finally pulls a DOJ

00:39:00.780 --> 00:39:09.440
and starts indicting US nation state hackers, it will surprise me greatly if I’m not on that list.

00:39:09.440 --> 00:39:16.560
JACK: Jeez, I don’t even know what to say about that. This is life in the shadow of

00:39:16.560 --> 00:39:21.780
the Shadow Brokers. It also makes me think about him as a SANS instructor. I’ve taken

00:39:21.780 --> 00:39:26.580
a SANS course and it would just blow my mind if I knew my teacher was wanted in several

00:39:26.580 --> 00:39:32.520
countries for hacking on behalf of the NSA. Is he a criminal or not? Some countries probably

00:39:32.520 --> 00:39:36.840
think he is but back home, he’s just carrying out his orders. Now, when I think about it,

00:39:36.840 --> 00:39:40.920
I think it’s actually weird that the FBI indicts the hackers who were working for

00:39:40.920 --> 00:39:45.300
foreign governments. The hackers were just carrying out their orders. Why not indict the

00:39:45.300 --> 00:39:50.340
officers or generals or the leader who signed the executive order? At that point, you might

00:39:50.340 --> 00:39:54.480
as well treat it like an act of hostility from one nation to another. I don’t know;

00:39:54.480 --> 00:39:59.040
it gets weird and sticky on who to blame for hacking when it comes to nations hacking nations.

00:39:59.040 --> 00:40:03.840
It’s kind of like when Apple is suing Google for twenty things and Google is suing Apple for

00:40:03.840 --> 00:40:09.240
twenty things. Yeah, sure, Russians hacked the US but the US has probably hacked Russia too,

00:40:09.240 --> 00:40:16.980
so now what? Since 2017, we haven’t heard anything more from the Shadow Brokers. Their

00:40:16.980 --> 00:40:21.480
last tweet mentioned Jake once again but it wasn’t really saying anything new. Since then,

00:40:21.480 --> 00:40:24.840
it’s been quiet. While we normally saw them come back every few months,

00:40:24.840 --> 00:40:29.880
they’ve now been quiet for over two years. But I don’t think that’s the end of Shadow Brokers.

00:40:29.880 --> 00:40:35.160
I still think there’s a huge investigation, a hunt into who’s behind it. It quite possibly

00:40:35.160 --> 00:40:40.500
could have been an insider, a double agent, someone who works in the NSA and had access

00:40:40.500 --> 00:40:45.540
to this stuff but was feeding it to another country like Russia. Yeah, at this point,

00:40:45.540 --> 00:40:50.220
most signs do point to Russia being behind the Shadow Brokers, but we don’t know for certain.

00:40:50.220 --> 00:40:55.800
But if you think about the intent and capabilities of this group, their intent is to do battle with

00:40:55.800 --> 00:41:01.260
the most sophisticated hacking group in the world, the NSA, and then burn some of their expensive

00:41:01.260 --> 00:41:06.480
exploits. Their capabilities are that they can somehow get these exploits out of the NSA,

00:41:06.480 --> 00:41:10.680
probably one of the most secure places in the world, and then publish them and then

00:41:10.680 --> 00:41:15.060
get away with it. When you think about all the intelligence capabilities the NSA has,

00:41:15.060 --> 00:41:20.520
and they don’t have anything on this crew, this puts Shadow Brokers in a top-tier category for

00:41:20.520 --> 00:41:25.260
what their capabilities are. Then you look at how much they say about Trump and the ability

00:41:25.260 --> 00:41:30.720
to shift the news cycles when it comes to Russia; yeah, it just looks like it’s probably Russian.

00:41:30.720 --> 00:41:35.220
But like I was saying, there haven’t been any FBI indictments about this or public statements

00:41:35.220 --> 00:41:38.760
from the US government about this either, and especially nothing from the president.

00:41:38.760 --> 00:41:44.280
He typically doesn’t call out Russia for stuff like this but even if he did blame Russia for

00:41:44.280 --> 00:41:50.880
this, what would that sound like? It would admit that the NSA somehow lost control of their secret

00:41:50.880 --> 00:42:00.480
hacking tools and that might make the US look bad, so it’s a complicated issue. [MUSIC] Oh, and I

00:42:00.480 --> 00:42:05.700
should also mention Harold Martin III somewhere in here, too. There’s this theory that Harold

00:42:05.700 --> 00:42:11.280
is somehow behind this. Harold was a government contractor working for Booz Allen Hamilton and

00:42:11.280 --> 00:42:15.780
while he was there, he was doing some work for the NSA and got access to some top-secret information

00:42:15.780 --> 00:42:21.780
within the NSA. Harold decided to steal fifty terabytes of information from NSA’s servers and

00:42:21.780 --> 00:42:26.940
successfully got it out. We don’t know who Harold gave these fifty terabytes to or if he gave it to

00:42:26.940 --> 00:42:32.400
anyone. We don’t even know what’s in the data but he was caught and is currently serving nine years

00:42:32.400 --> 00:42:37.680
in prison for this. The data on the Shadow Broker dumps could have been something that Harold stole.

00:42:37.680 --> 00:42:43.140
The timestamps do seem to line up with this but there’s no real good evidence that does connect

00:42:43.140 --> 00:42:49.560
Harold to this whole thing. Alright, let’s take a step back and try to understand what

00:42:49.560 --> 00:42:54.480
this whole Shadow Brokers thing means. Well, the NSA has neither confirmed nor denied that they’ve

00:42:54.480 --> 00:43:00.600
made these tools. All signs point to these being actual exploits that the NSA has made and kept to

00:43:00.600 --> 00:43:07.560
themselves as weapons to attack the enemy with. Let’s think about that; this means the NSA has

00:43:07.560 --> 00:43:13.080
a group of researchers who are actively looking for vulnerabilities in software like Microsoft

00:43:13.080 --> 00:43:18.240
Windows [00:45:00] and then when they find these vulnerabilities, they don’t tell Microsoft about

00:43:18.240 --> 00:43:24.360
it. They keep it to themselves. Now, the NSA has publicly said they don’t hoard zero-days or

00:43:24.360 --> 00:43:29.880
exploits that nobody knows about but here’s evidence that they do. What does that mean?

00:43:29.880 --> 00:43:35.340
Well, it seems the NSA has decided it’s more important to be on the offensive

00:43:35.340 --> 00:43:41.700
versus being on the defensive. If the NSA was defensive-minded, they would be working

00:43:41.700 --> 00:43:47.340
with software vendors to find vulnerabilities and get them fixed. But instead we see this,

00:43:47.340 --> 00:43:53.280
where they secretly find vulnerabilities and not tell the software vendor about it so that they

00:43:53.280 --> 00:43:58.440
can later use it on an attack against someone else. Perhaps this was the message that the

00:43:58.440 --> 00:44:04.560
Shadow Brokers was trying to relay, to place the NSA under extra heat for hoarding zero-days like

00:44:04.560 --> 00:44:09.900
this. That’s certainly what happened. A lot of people used this as evidence that the NSA does

00:44:09.900 --> 00:44:15.480
not have it in their interest to keep us secure, but instead they want to keep these exploits to

00:44:15.480 --> 00:44:21.120
themselves so they can be better at doing espionage and surveillance and hacking into

00:44:21.120 --> 00:44:28.080
other networks which I suppose could be considered defensive-minded if they’re using that to find

00:44:28.080 --> 00:44:33.480
what an upcoming attack on our country is going to be. But that’s just hard to believe when we see

00:44:33.480 --> 00:44:41.280
nation states hacking into companies in the US and creating huge, huge problems for those companies.

00:44:41.280 --> 00:44:46.260
See, here’s the perfect example of when that can backfire; when the exploits the NSA makes gets

00:44:46.260 --> 00:44:52.560
into the wrong hands or when someone exposes the capabilities of the NSA. Snowden, the ANT

00:44:52.560 --> 00:45:00.120
catalogue leak, and now the Shadow Brokers give us a very clear view into what the NSA is doing.

00:45:00.120 --> 00:45:06.900
I think it’s important that we all take full note of what we see here. [MUSIC] Now, as someone who

00:45:06.900 --> 00:45:11.460
used to defend networks from threats, I want to take a moment and talk about what we as defenders

00:45:11.460 --> 00:45:16.740
should be doing about the Shadow Brokers. When the Shadow Brokers dumped all these NSA-grade hacking

00:45:16.740 --> 00:45:22.140
tools, we should be analyzing them and trying to understand them as best we can. Here’s why;

00:45:22.140 --> 00:45:27.660
let’s take the Windows event log hack that was dumped as an example. This is a hack that can turn

00:45:27.660 --> 00:45:33.720
Windows logging off and then back on whenever you want, or it can delete individual event logs from

00:45:33.720 --> 00:45:39.300
Windows. Here’s the thing; historically, it’s been possible as an admin to turn logging off and on.

00:45:39.300 --> 00:45:45.060
Okay, fine, but when that happens, an event is created that says logging has been turned off.

00:45:45.060 --> 00:45:50.460
It’s also possible to clear all event logs but again, there’s a log created that says that all

00:45:50.460 --> 00:45:55.920
the logs have been wiped. That wipes all logs, not just one or two. But with this hack that

00:45:55.920 --> 00:46:02.040
was dumped, you can disable logging without an event indicating logging has been turned off.

00:46:02.040 --> 00:46:07.380
You can turn it off, do your dirty work, then turn it back on and there’s no evidence that the

00:46:07.380 --> 00:46:13.500
logs have been tampered with which is really scary but important to know. There’s also a

00:46:13.500 --> 00:46:18.180
capability of removing individual events. This is important for us defenders to know

00:46:18.180 --> 00:46:24.180
because Windows event logs are so important to us. They tell us the truth of what happened.

00:46:24.180 --> 00:46:29.580
How do we handle this? Now you need to be looking for what’s not there. For instance,

00:46:29.580 --> 00:46:37.500
event logs are numbered. What if you saw Event Log 97, 98, no 99, and then 100?

00:46:37.500 --> 00:46:42.840
What happened to Event Log 99, or what happens when you see a log-out event but not a log-in?

00:46:42.840 --> 00:46:48.000
If you see stuff like this, you can assume you have a hacker who’s using these Shadow Brokers

00:46:48.000 --> 00:46:53.640
hacks but also isn’t that savvy enough to know how Windows logging works because this hacker was

00:46:53.640 --> 00:46:59.340
smart enough to delete their log-in event but not good enough to delete their log-out event. This is

00:46:59.340 --> 00:47:03.600
the kind of stuff that defenders and incident responders have to learn about from Shadow

00:47:03.600 --> 00:47:08.940
Brokers. But not only that; every sophisticated hacking team in the world paid serious attention

00:47:08.940 --> 00:47:14.460
to these dumps. I just told you about the logging one but there’s seventy other exploits they

00:47:14.460 --> 00:47:20.400
dropped. Government hacking teams have probably done a deep analysis on every single exploit in

00:47:20.400 --> 00:47:24.840
the dumps to learn everything they could about it; what it does, how to use it most effectively,

00:47:24.840 --> 00:47:30.180
and then throw it in their bag of tools to use it whenever they want. This is why it’s important for

00:47:30.180 --> 00:47:35.760
the InfoSec community to know this as well. I mean, if the NSA did create these hacker tools,

00:47:35.760 --> 00:47:39.480
they probably spent millions of dollars on research and development to make it.

00:47:39.480 --> 00:47:44.940
That was paid by my tax dollars so seeing what their capabilities are and knowing it’s in the

00:47:44.940 --> 00:47:49.740
hands of every hacker in the world, it’s an extremely valuable lesson for anyone working

00:47:49.740 --> 00:47:56.400
in InfoSec. It’s simply not every day that we get to look at tools this sophisticated and

00:47:56.400 --> 00:48:02.280
now any script kiddie in the world has them and is using them. Ever since these dumps,

00:48:02.280 --> 00:48:07.140
digital forensics and incident responder teams have been seeing a high amount of attacks that

00:48:07.140 --> 00:48:12.420
was using stuff from these dumps. It still continues to this day. It’s very important

00:48:12.420 --> 00:48:17.340
for us defenders [00:50:00] to understand this, especially for the exploit called

00:48:17.340 --> 00:48:24.000
EternalBlue. EternalBlue would go on to be a key component for some of the world’s biggest hacks,

00:48:24.000 --> 00:48:30.660
hacks that were so big, they practically caused doomsday scenarios for many people.

00:48:30.660 --> 00:48:35.130
Join me in the next episode as we dig into one of the hacks that used EternalBlue.

00:48:35.130 --> 00:48:43.680
JACK (OUTRO): [OUTRO MUSIC]

00:48:43.680 --> 00:48:48.480
A big thank you to our guest Jake Williams for taking time to share this incredible story with

00:48:48.480 --> 00:48:53.220
us. You can follow him on Twitter. His name there is @MalwareJake. Good luck out there,

00:48:53.220 --> 00:48:58.560
Jake. I also want to give a big thanks to Andy Greenberg from Wired. He just finished writing a

00:48:58.560 --> 00:49:03.240
new book called Sandworm which goes into detail about this whole Shadow Brokers thing and then

00:49:03.240 --> 00:49:08.940
goes into detail about what EternalBlue went on to be used for. We’re gonna interview Andy in

00:49:08.940 --> 00:49:13.200
the next episode so if you want to check out his book, it’s Sandworm. It’s really good.

00:49:13.200 --> 00:49:17.160
Don’t forget to help support this show through Patreon where you can get some bonus episodes

00:49:17.160 --> 00:49:22.920
exclusive only to Patreon donators, and you can also get some stickers and an ad-free feed.

00:49:22.920 --> 00:49:28.740
Patreon supporters really do make a huge impact on keeping this show going and they’re absolutely

00:49:28.740 --> 00:49:35.100
my favorite listeners. This show is made by me, grizzly masquerade, Jack Rhysider. Sound

00:49:35.100 --> 00:49:40.200
design this episode is by the headphone-wearing Andrew Meriwether. Editing help this episode by

00:49:40.200 --> 00:49:46.200
the cyber-maiden Damienne. Our theme music is by the jingling Breakmaster Cylinder.

00:49:46.200 --> 00:49:49.320
Even though webmasters around the world add my IP

00:49:49.320 --> 00:49:53.820
to their blacklist every time I say it, this is Darknet Diaries.
