
2017/10/26 Shadow Brokers, the fog of war in cyberspace (Rafael Ponce, CEIS)

A mysterious actor revealed itself to the public in August 2016 when it started to publicly dump tools and operational notes allegedly belonging to the Tailored Access Operations unit of the U.S. National Security Agency, also known as “The Equation Group”. This new actor referred to itself as The Shadow Brokers and quickly became known for its ambiguity, its intrigue, and the information it claimed to have taken from the NSA. Oscillating between communicating political messages and trying to make a profit, the Shadow Brokers’ self-created image became the perfect subject of speculation and countless theories and hypotheses. The Shadow Brokers may have become a symbol of a new kind of cyber warfare, exposing the limits of defense and the capacity for manipulation, and exploiting the greatest power of cyber: anonymity and the difficulty of attribution.

It seems a consensus has been reached regarding several characteristics of the Shadow Brokers. First, it is commonly accepted that the information the group or individual claims to possess consists of authentic NSA exploits and toolkits. The lack of a denial from the agency and the damage caused by the ransomware epidemic using EternalBlue, an exploit leaked by the Shadow Brokers, support this assumption. Second, it is commonly agreed that the group or individual has a good command of English, U.S. expressions, and cultural references. The messages published by the Shadow Brokers appear to be written in faux-English, disguising the writing style to hinder investigation; the Shadow Brokers themselves said as much in one of their messages.[1] Finally, it is generally accepted that everything else about the Shadow Brokers remains unknown. Most of the available information is revealed by the Shadow Brokers themselves through their messages on social media and publishing platforms.

If taken at face value, these messages would give reason to believe that the Shadow Brokers are former U.S. government agents, perhaps even former NSA staff, who are both seeking a profit and hoping to bring down the establishment (the “deep state”) of the United States government.[2] These domestic dissidents would have voted for, and still support, Donald Trump and his isolationist, anti-liberal, nationalist, anti-foreign-war, anti-Wall Street, pro-transparency, and pro-Russian rhetoric. Their nemesis would be the Tailored Access Group, which they see as the incarnation of the “deep state” threatening the values of the United States, and in the end they would only hope to be paid for their silence.[3] Of course, this could all be part of an image they intend to fabricate.

Only a few pieces of the puzzle can be taken from available metadata. According to researchers using a tweet analyzer, the Shadow Brokers use Twitter in English and within the Pacific Time zone (US & Canada). Their posting pattern was found to fall on weekends at improbable hours, with peaks of activity followed by prolonged periods of silence. In addition, the account was created on the same day as the first leak, August 13, 2016, and the Shadow Brokers systematically use the Twitter web client. Metadata from their PGP key was also recovered and appeared to show that the key was created two weeks before the first publication.[4] This indicates a degree of planning prior to the start of the publications, and supports the hypothesis that the group’s members (or the individual) have a perfect command of English, deliberately insert mistakes to mask their writing and throw off investigators, and may even be located on the West Coast of the United States. It could also be otherwise, since such metadata can be altered.

And this is at the core of the power of the fifth dimension: anything is possible. As long as so many unknowns and variables persist, attackers have freedom of movement and the upper hand in decision making over their target. Potential enemies are propped up, potential motives diffused, and the trust and communication of the defense severely limited. The fog of war has never been so easily exploitable.

The Shadow Brokers continue to offer a subscription plan as a way to sell the stolen NSA information, and so far they publish a message once per month. It would be rash to deny that they want both to make a profit and to oppose the traditional forces within the United States.

Outside the United States, the Shadow Brokers are an indirect threat. What the world fears is the information at the disposal of the Shadow Brokers and of all those who gain access to it. The potential for harm is great, as cybercriminals and state-sponsored groups may take advantage of these secrets to develop new tools, use or sell those tools for profit, or employ them for espionage and even the commercialization of information. One can only hope that the NSA knows which information was compromised, and that the affected third parties have been informed of the vulnerabilities in use.

Cyber has often been presented as the new battlefield of modern warfare, the fifth dimension as American military doctrine calls it, which combines computer network operations, psychological operations, and military deception. To the United States, the Shadow Brokers represent a threat embodying the essence of the fifth dimension. To the world, they illustrate how this fifth dimension can be used.

From the beginning, the Shadow Brokers have controlled the information released to the public, showing what they want to show and seeking all possible attention. While carrying out what could be considered marketing for their products, the group engaged with the reactions of cyber-security circles, the media, and the government to deny theories, raise the level of doubt, and even communicate political messages. It has used its anonymity to throw off investigators and to profit from its computer operations (even if it was not the Shadow Brokers who directly obtained the information), while confusing the authorities as to the responsible party. The signs indicating that the group is within the United States only add to the psychological damage within the U.S. intelligence community and armed forces.[5] Whether it is the work of a foreign power or of domestic dissidents, their underlying objective is being achieved: U.S. research and development is being destroyed, the authorities remain incapable of retaliation, and enemies of the U.S. are being empowered.

What remains to be seen is the extent of the damage that can be done, both to the U.S. and to the world, and how long the attacker’s immunity will last. As long as attribution remains impossible, the U.S. response will be limited to investigation, damage control, and political instrumentalization of the situation.

[1] https://steemit.com/shadowbrokers/@theshadowbrokers/grammer-critics-information-vs-knowledge

[2] https://steemit.com/shadowbrokers/@theshadowbrokers/don-t-forget-your-base and https://steemit.com/shadowbrokers/@theshadowbrokers/lost-in-translation

[3] https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition

[4] @x0rz, « Shadow Brokers : Courtier ou agent d’influence ? », MISC, No. 93, September/October 2013.

[5] According to the Washington Post, morale has previously been low within the ranks of the NSA, https://www.washingtonpost.com/world/national-security/pentagon-and-intelligence-community-chiefs-have-urged-obama-to-remove-the-head-of-the-nsa/2016/11/19/44de6ea6-adff-11e6-977a-1030f822fc35_story.html?utm_term=.33cc4ba4be80