
Shadow brokers dump more NSA data - yakir-mydro
https://medium.com/@shadowbrokerss/message-5-trick-or-treat-e43f946f93e6#.hj0bgclwv
======
cuonic
Here is the full file tree:
[http://pastebin.com/HWf43kav](http://pastebin.com/HWf43kav)

Any idea what this is?

Edit: this article [1] provides more information stating that the list is the
NSA's list of staging servers, compromised machines that they use to launch
attacks from. Apparently the list is 9 years old.

[1]: [http://www.networkworld.com/article/3137065/security/shadow-brokers-leak-list-of-nsa-targets-and-compromised-servers.html](http://www.networkworld.com/article/3137065/security/shadow-brokers-leak-list-of-nsa-targets-and-compromised-servers.html)

~~~
speeder
Seemingly this is a list of several NSA "zombies" used for cyberwarfare.

After googling parts of the file, I found a news report that claims they
actually put some of the addresses there in SHODAN and actually did get into
machines actually infected with NSA cyberwarfare software.

~~~
benmcnelly
They can't really get in and scrub these, because people are watching them
now. So, upside: some poor sap isn't having to go in and do a ton of cleanup
work; downside: there are a lot of potential honeypots now.

~~~
wcummings
Scrubbing is the least of their issues. This list will make retroactively
attributing attacks to the US a lot easier.

Assuming it's real, and not someone "framing" the US by releasing a list of
their own relays.

------
redwards510
Go back and read SB's other messages [1]. After the first message, it seemed like
a PR stunt by a foreign intelligence agency, with this impossible auction
designed to throw people off, but all of their messages since have been
designed to explain the auction process more thoroughly.

Try imagining yourself as a young sysadmin who stumbled across an entire dump
of Equation Group while investigating an infection. You realize the value of
such a thing, but have no underground contacts to use to fence it. You can't
walk into a Chinese embassy and try to sell it, they might kill or report you.
So now you have to try to get rid of the thing and maximize your return while
not sacrificing complete anonymity. You don't want NSA on your ass for the
rest of your life. How would you proceed?

The messages are getting a bit more desperate. They went from the
$1,000,000BTC in the first message (which SB says was interpreted
incorrectly), to a public release if 10,000BTC was crowdfunded, and now they
want a cool $million.

One of the Q&A questions answers the "why trust us to deliver?" argument. They
say this is about reputation. No delivery = no reputation. Imagine the kind of
deals SB could make in the future with SB PGP key signing stuff if they
delivered on this transaction. You would catapult yourself to the world's most
famous cyber arms dealer in one day.

Reminds me a bit of Trainspotters or the guy in Neuromancer who steals the
mechanical talking head and fences it to The Finn. People who come across
extremely valuable items with no way to easily sell. It rarely ends well.

Of course this could be all misdirection, but I'm leaning towards the much
more interesting notion that this is legit. I just hope we hear about how it
ends. It would be pretty boring if they quietly sold the data to some foreign
service and we never learned anything more about one of the most interesting
chapters in recent cyber warfare history.

[1] [https://medium.com/@shadowbrokerss/](https://medium.com/@shadowbrokerss/)

~~~
XaYdEk
The language is intentionally crap. Attribution is always difficult.

~~~
cloudjacker
There's some software to intentionally mess up your writing style for easier
anonymity.

It is really hard to do that manually.

~~~
XaYdEk
You mean this:
[https://github.com/psal/anonymouth](https://github.com/psal/anonymouth)

Yes, it apparently is, we have a lot of personal tells.

------
jack9
> On November 8th, instead of not voting, maybe be stopping the vote all
> together?

My idiot buzzer went off at the start, but by this time it had melted the
resin casing. There's nothing of value in that blog post, not even analysis or
interesting ideas.

~~~
linkregister
I don't think you should pay attention to the prose except to be amused by it;
the prose is just there to half-assedly fulfill this "anarchist hacker" role
that the Shadowbrokers persona represents.

------
EvanAnderson
I did a quick summary of the data to show OS exposure. It's mostly Solaris on
SPARC, but there's a smattering of Linux and other stuff in there too
(including some DEC OSF, HPUX, Irix, and SCO!).

[http://pastebin.com/CsKKLKit](http://pastebin.com/CsKKLKit)

~~~
jlgaddis
Some of the timestamps I saw (I only looked at a few of the files) were as far
back as 2001. Linux servers are obviously extremely popular on the Internet
nowadays but I can remember "back in the day" when Solaris/SunOS was the
popular platform (and, to a lesser extent, the others mentioned) and one of
the primary targets. There were lots of exploits for {sendmail, BIND, the NFS
server, ...} running on Solaris -- which was a PITA to keep up-to-date.

------
AdmiralAsshat
Hard to tell whether the broken English in the post is real or intentional.

~~~
Bartweiss
General consensus from the last round holds that it's intentional.

They may not actually _be_ native English speakers, but it would be hard to
tell because the affected, consciously bad English overrides unconsciously bad
English. I suppose maybe a linguist could comb through it all for subtler
stuff like sentence structure.

"Amerikanskis" alone is a pretty serious tip-off. "amerìkānskī" comes up as a
Cyrillic adjective for American-style, but I can't find any non-parody
instances of people converting it into a pseudo-English noun.

~~~
atemerev
I am Russian, and I am a native speaker of bad Russian English. :) This is not
it.

A Russian wouldn't use "Amerikanski" as a pejorative, we have "pindosy" for
that. And we'd never use "SCOTUS", for a variety of reasons.

This styling looks intentional to me, and doesn't seem to be Russian.

~~~
zzzcpan
The post uses "Amerikanskis" (with the "s" at the end) and it's a big tell.
Only people who do not understand any Cyrillic language could come up with
something like that.

~~~
Bartweiss
That was my thought exactly. Someone took a Cyrillic _adjective_, treated it as
an English _noun_, and then applied an English pluralization to it.

It's not the first use of the word, but all of the other examples I can find
are very similar English-language jokes/insults.

~~~
dsl
> Someone took a Cyrillic adjective, treated as an English noun, and then
> applied an English pluralization to it.

So a Russian with a deep background in linguistics intentionally bastardized
something so it looks like an English speaker trying to sound Russian. Clever.

An actual English speaker wouldn't even know the root word existed.

~~~
grkvlt
Not necessarily, you're overthinking this. It's just what anyone with basic
vernacular knowledge of English but no actual Russian language skills would do
to generate 'pseudo-Russian'. It's a pretty common idiom to make an English
adjective into a Russian _sounding_ one by adding '-ski' to the end of the
word, and then to pluralise it, add -s to that, as in normal English.

So, for many small Russian cats, we have the following:

    'Kitten' -> 'Kittenski' -> 'Kittenskis'

The definition of the '-ski' [1] suffix has some other examples. This advert
[2] for yoghurt (and yes, it _was_ for Ski unfortunately, and somehow they
spent GBP 8.5 _million_ on it...) from 2003 also used the same formulation.
See also 'Eye Dialect' [3] used to show foreign or regional speakers in
literature, or the use of a backwards 'R' character to create a faux cyrillic,
Russian feel; as seen in the Tetris logo.

    1. https://en.wiktionary.org/wiki/-ski
    2. http://www.campaignlive.co.uk/article/170244/nestle-comes-faux-russian-relaunches-ski
    3. https://en.wikipedia.org/wiki/Eye_dialect

~~~
Bartweiss
I'm delighted that this whole thing led me to a discussion of 'eye dialect'.
I've been fascinated by that sort of writing for years, and I never knew it
had an actual name.

------
ryanlol
./intonation/ns.huawei.com.cn___202.96.135.140/jackladder

Heh, must be fun to be able to own any auto-updating Huawei device.

~~~
cairo_x
Oh shit! Dear Equation group: Any incriminating information found in my gmail
account was planted there by PUTIN. PS: Being a Huawei device, expect Gyna to
have the initiative on said info.

------
cairo_x
If this was accidentally 'found', what are the chances of 'zi Russians'
deliberately stumbling across something by accident? More likely to be lowest
common denominator? Attribution is difficult, but it seems people who should
know better are running with the Russian hypothesis.

e.g.: toddandclair Premise connection is deemed obviously a misdirect, yet
Guccifer 2.0's blatantly Soviet era metadata and Cyrillic type is not? I mean,
if anything, at least with the Premise connection, they made it 'seem' like a
mistake.

And the phishing email in Podesta's inbox, when multiple people already had
his password/access to his inbox. So the conclusion is it was the Russians
that leaked? Wouldn't it make sense to use Podesta's emails to increase the
attack surface size for more targets?? Why would you want to relinquish that
access when there was a good chance Hillary would get into power? And then all
these other people with access, why couldn't they have leaked it? Hillary's
campaign's attrition rate and cynicism was high even within ring of closest
advisers. All you have to do is read the human side of the emails to know
there are many, many, many, much more likely sources for the leak.

~~~
jlgaddis
It doesn't seem far-fetched to stumble across this "by accident".

Imagine you're working in IT or InfoSec for the Russian (or any other
state/national) government. You see attacks coming in from IP addresses in
another country -- maybe they were successful and you're investigating a
compromised host. You find these IP addresses in the logs, do some
investigating and find the host that attacked you is running a vulnerable
version of sendmail (for example). So you compromise the host as well and,
once you get in, you find the previously released exploits and such sitting in
a user's home directory.

I don't think this scenario is that outlandish.

~~~
cairo_x
OK, hyperbole aside, stumbling, as in finding the tools still there, and yes,
what you said is one of the many possible examples certain people are pushing.
Looking at the addresses of all those command and control servers, however, it
literally could have been anyone else from any country in the world,
regardless of who they were attacking. What are the chances the one with the
bad clean-up job is the one found by the Russian govt specifically? Esp. since they
were targeting routers, presumably any response team/curious admin, or one of
the million scanning haxors, could have either followed the crumbs, or simply
stumbled upon the doors left open at the cc end.

Or there's this hypothesis: [http://arstechnica.com/security/2016/08/hints-suggest-an-insider-helped-the-nsa-equation-group-hacking-tools-leak/](http://arstechnica.com/security/2016/08/hints-suggest-an-insider-helped-the-nsa-equation-group-hacking-tools-leak/)

Which makes a hell of a lot more sense than assuming any of the aforementioned
(not least any of the smaller subset of said unlikely scenarios leading to
PUTIN).

~~~
jlgaddis
Oh, I completely agree with you that what I described is not very likely to be
what happened here. There are a number of other theories that are much more
likely (including things like you described), I just don't think that "my
scenario" can be completely ruled out. Stranger things have happened.

------
mzw_mzw
It's weird how it's never Chinese or Russian data that gets dumped all over
the Internet by these self-proclaimed hacker vigilantes, just American data.
Yeah, that's what it is. Weird.

~~~
Bartweiss
Isn't the consensus that this is a thin veneer of "hacker vigilante" that
isn't even meant to be convincing?

Most of the discussion seems to follow the track of "this is a state actor
burning old TAO information to embarrass and send a message to the US". The
ludicrous aspects of it ('Shadow Brokers', fake accent, scam auction) amount
to some plausible deniability and not much else. So there might be the pattern
you're mentioning, but it hardly applies in this case because this isn't even
meant to pass as real vigilantism.

~~~
linkregister
Agreed, if it was too convincing then the message might be lost by the U.S.
government.

~~~
Bartweiss
It's like the kid who trips someone on the playground and goes "it was an
accident, I swear!" Making it look like an _actual_ accident defeats the
point, you just want enough ambiguity that no one could prove in court (or the
principal's office) that you're guilty.

~~~
nikanj
See also the ongoing investigation of the MH17 incident.

------
strictnein
This entire thing reads like Teddy KGB (John Malkovich's character in
Rounders) wrote it.

------
tue31muffin
My God, it's full of nameservers and mail exchangers! Many at our nominal
allies.
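As an added example (not code from this thread, from the leak or from any of its commenters), a small Python parser for the `./<category>/<host>___<ip>/<tool>` directory scheme ryanlol quoted, which classifies hosts the way tue31muffin's remark suggests (nameservers, mail exchangers) and performs the responder's check of whether any of one's own domains or address ranges appear in such a list. The sample tree lines (RFC 5737 addresses, reserved example domains), the role prefixes and the `placeholder_tool` name are constructed, not taken from the dump.

```python
import ipaddress
import re
from collections import Counter

# Directory scheme as shown in the thread: ./<category>/<host>___<ip>/<tool>
PATH_RE = re.compile(r"^\./([^/]+)/([^/]+?)___(\d{1,3}(?:\.\d{1,3}){3})/([^/]+)$")

# Constructed sample lines (RFC 5737 addresses, reserved example domains and a
# placeholder tool name); not taken from the real dump.
SAMPLE_TREE = """\
./intonation/ns1.example.com___192.0.2.10/jackladder
./intonation/mx.example.org___198.51.100.7/jackladder
./intonation/www.example.net___203.0.113.44/placeholder_tool
./intonation/ns1.example.com___192.0.2.10/placeholder_tool
./intonation/smtp.example.edu___198.51.100.99/jackladder
this line does not follow the scheme and is skipped
"""
ROLE_PREFIXES = {"nameserver": ("ns", "dns"), "mail exchanger": ("mx", "mail", "smtp")}

def role_of(host):
    """Classify a host by its first DNS label, e.g. 'ns1' -> nameserver."""
    label = host.split(".")[0].rstrip("0123456789")
    for role, prefixes in ROLE_PREFIXES.items():
        if label in prefixes:
            return role
    return "other"

def parse_tree(text):
    """One dict per well-formed line; lines outside the scheme are dropped."""
    entries = []
    for line in text.splitlines():
        m = PATH_RE.match(line.strip())
        if m:
            entries.append(dict(zip(("category", "host", "ip", "tool"), m.groups())))
    return entries

def hosts_by_role(entries):
    """Count distinct hosts per role (a host with several tools counts once)."""
    hosts = {(e["host"], e["ip"]) for e in entries}
    return Counter(role_of(host) for host, _ in hosts)

def match_assets(entries, own_domains, own_networks):
    """Responder's 'are we on the list?' check by own domain suffix or CIDR."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    hits = []
    for e in entries:
        in_domain = any(e["host"] == d or e["host"].endswith("." + d) for d in own_domains)
        if in_domain or any(ipaddress.ip_address(e["ip"]) in n for n in nets):
            hits.append(e)
    return hits
```

Feed it the real file tree line by line and an asset inventory of your own zones and prefixes; any hit is a host worth a forensic look regardless of how old the list is.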

