Code dumped online came from “Omnipotent” NSA-tied hacking group

Kaspersky Lab analysis means Monday's leak almost certainly came from Equation Group.

Read the whole story

 

[Rene Gollent]

Parts of me want to say "* 2" using shift vs the multiply instruction but it was so long ago I forget the details.

This one isn't so much CPU specific as that it was a generally commonplace optimization before compilers became smart enough to recognize it automatically, since mul and div (particularly the latter) are by far the most expensive math instructions on pretty much every general purpose arch out there, while shift is among the cheapest.

 

[quietnine]

gorgaar[/url]":3bz5hfh5]So the NSA lost its super-hacking toolkit, and maybe all of it at once, this is just great.

That is absolutely not what the article is saying. The NSA didn't lose its toolkit.

The article is saying "some people are auctioning off what appear to be authentic NSA binaries from back in 2013."

This is malware that is likely altered or recrypted at least once a month. The 2013 variants are a shadow of what they're using today.

Lets assume that the NSA has thousands of targets around the world compromised (they do).

Every time an enemy foreign power (Kaspersky + Russian FSB / whoever) develops a good signature or behavioral heuristic for those tools, its a massive operation on NSA's end to either remove or update / recrypt those tools so that the remaining 99% of the compromised targets don't know they've been popped.

In some cases, recovery/update of an implant wouldn't be possible because the target was taken offline or moved somewhere it couldn't connect out from.

Over time (like, say, 3 years later) the world catches up to the signatures and definitions of those tools, and the tools are found. And that's where we are now.

Someone found super old binaries on some long abandoned NSA op. Equation group hacked? No. Evidence that equation group 'was here' and now we have their old stuff? Yes. Equation group operations threatened today because really old tools were found? Probably not. The probably being its possible some of the behaviors between then and now are consistent (maybe they're using the same hooks on certain OS's years later) but its not really a big deal.

 

[Deleted member 192806]

quietnine[/url]":1me5n9q6]

gorgaar[/url]":1me5n9q6]So the NSA lost its super-hacking toolkit, and maybe all of it at once, this is just great.

That is absolutely not what the article is saying. The NSA didn't lose its toolkit.

The article is saying "some people are auctioning off what appear to be authentic NSA binaries from back in 2013."

This is malware that is likely altered or recrypted at least once a month. The 2013 variants are a shadow of what they're using today.

Lets assume that the NSA has thousands of targets around the world compromised (they do).

Every time an enemy foreign power (Kaspersky + Russian FSB / whoever) develops a good signature or behavioral heuristic for those tools, its a massive operation on NSA's end to either remove or update / recrypt those tools so that the remaining 99% of the compromised targets don't know they've been popped.

In some cases, recovery/update of an implant wouldn't be possible because the target was taken offline or moved somewhere it couldn't connect out from.

Over time (like, say, 3 years later) the world catches up to the signatures and definitions of those tools, and the tools are found. And that's where we are now.

Someone found super old binaries on some long abandoned NSA op. Equation group hacked? No. Evidence that equation group 'was here' and now we have their old stuff? Yes. Equation group operations threatened today because really old tools were found? Probably not. The probably being its possible some of the behaviors between then and now are consistent (maybe they're using the same hooks on certain OS's years later) but its not really a big deal.

Kilroy was here.

 

[Sheep Disorder]

Roguish[/url]":11dy6zpn]

Novae DeArx[/url]":11dy6zpn]So to summarize, now that we are reasonably confident that this is data somehow exfiltrated from the NSA, there's only a couple of possible ways this could have been leaked:

1) A TAO insider exfiltrated the data, which doesn't necessarily explain why the data loss stops with the C&C server changes, or
2) Russians or another state-sponsored agency compromised a US TAO C&C server and siphoned off this data over time, ending with the Snowden revelations because the NSA switched C&C servers.

(2) seems more probable right now, but (1) isn't off the table. We'll have to wait and see what other revelations come to light. Anyone want to make popcorn while we wait?

I'm leaning more towards 1, mostly because of the silly language used in the 'sales pitch' for the data. As some people posted in another thread earlier, the broken English explaining the hack demonstrates too good an understanding of the language to be true; it's like how a native English speaker might think a non-native speaker would express themselves.

Given those changes in that while loop conditions, I'm leaning towards Mice:
Old Equation: 44
ShadowBroker: 43
Mice: 42 (yet to be discovered)

 

[Ezzy Black]

Studbolt[/url]":udh0101s]Trying to make sense of the last few months' activities on the part of various actors, combined with watching what's posted on Russia agitprop websites like RT and zerohedge, is giving me an old familiar feeling I remember while being taught to hide under my desk during a nuclear attack. For those who weren't alive during the Cold War, a great deal of this must not seem real.

I've come to the following conclusions:

1. The US is being attacked right now by Russia in a way that goes well beyond what might normally shrug off as the normal tradecraft between nations. My guess is that after a great deal of success in Europe, Russia felt confident enough that they could open up on the US at maybe the level they were using on Ukraine in about the 2001-2004 period.

2. The advanced measures include a great deal of agitprop, being released through a lot of websites. I hear versions being repeated word for word out of the mouths of street people and political candidates and everyone in between, from every corner of the political spectrum. Lots of useful idiots and fellow travelers out there right now.

3. There are probably four or five different narratives being pumped into the US right now, causing a great deal of confusion, agitation, loss of confidence in society and/or the government, loss of confidence in democracy, alienation between social groups, and dysfunction in the US political process.

4. Syria is a weapon to pump refugees into Europe and the USA and destabilize NATO countries.

I'm just beginning to be aware of the scope of everything that's happening, but there are lots of other people more paranoid than I who have been aware of what's going on long before I got there. Generally they're people who study Russian history. Some time, when I feel like I have the time to do so, I'm going to sit down and write out the various narratives, strategic goals, and attack vectors, just for organizational edification. That's about all I can do.

I think what's happening right now is the most serious threat to the United States (and Europe) since WWII. I'm amazed at how effective it's been, and how easily it's happened right under our noses. Europe is being divided, and the United States has been effectively neutered.

You are giving the Russians entirely too much credit here. The Ukrainian and Syrian interventions by Russia are purely geopolitical. All you need is a map.

Facts: (Russia/Ukraine)

1. Russia has no reliable warm water port for it's navy.
2. Russia had a leased port in Crimea from the Ukraine (Svastopol)
3. Ukraine was getting awfully cozy towards Western Europe/Nato
4. Russia Stole the port from the Ukraine because it was uncertain of the Ukraine's intentions should it closely align with the west.
5. ONE BRIDGE connects the stolen port to Russian soil.
6. Russia fabricates an uprising by "patriots" in SE Ukraine to capture territory to insure access to their stolen naval base.

One map and it all becomes obvious.

Facts: (Russia/Syria)

1. In spite of their stolen naval base in Crimea, any Russian naval assets leaving the Black Sea must essentially pass through downtown Instanbul to get to the Med.
2. Turkey is not a Russian ally.
3. Syria leases yet another naval base to the Russians at Tartus
4. The west seems intent on ousting the current Syrian government, again threatening Russia's ability to project Naval power.

When deciding the intentions of nations your first stop should always be a map. For instance the 10 year Iran-Iraq was wasn't about oil fields at all. Iraq was after the deepwater port at Bandar Imam Khomeini because in spite of having the third (or fourth depending on the estimates) largest oil reserves in the world, it has no port. When it failed, it turned south to Kuwait instead.

 

[Deleted member 192806]

Ezzy Black[/url]":x0nh4rcn]

Studbolt[/url]":x0nh4rcn]Trying to make sense of the last few months' activities on the part of various actors, combined with watching what's posted on Russia agitprop websites like RT and zerohedge, is giving me an old familiar feeling I remember while being taught to hide under my desk during a nuclear attack. For those who weren't alive during the Cold War, a great deal of this must not seem real.

I've come to the following conclusions:

1. The US is being attacked right now by Russia in a way that goes well beyond what might normally shrug off as the normal tradecraft between nations. My guess is that after a great deal of success in Europe, Russia felt confident enough that they could open up on the US at maybe the level they were using on Ukraine in about the 2001-2004 period.

2. The advanced measures include a great deal of agitprop, being released through a lot of websites. I hear versions being repeated word for word out of the mouths of street people and political candidates and everyone in between, from every corner of the political spectrum. Lots of useful idiots and fellow travelers out there right now.

3. There are probably four or five different narratives being pumped into the US right now, causing a great deal of confusion, agitation, loss of confidence in society and/or the government, loss of confidence in democracy, alienation between social groups, and dysfunction in the US political process.

4. Syria is a weapon to pump refugees into Europe and the USA and destabilize NATO countries.

I'm just beginning to be aware of the scope of everything that's happening, but there are lots of other people more paranoid than I who have been aware of what's going on long before I got there. Generally they're people who study Russian history. Some time, when I feel like I have the time to do so, I'm going to sit down and write out the various narratives, strategic goals, and attack vectors, just for organizational edification. That's about all I can do.

I think what's happening right now is the most serious threat to the United States (and Europe) since WWII. I'm amazed at how effective it's been, and how easily it's happened right under our noses. Europe is being divided, and the United States has been effectively neutered.

You are giving the Russians entirely too much credit here. The Ukrainian and Syrian interventions by Russia are purely geopolitical. All you need is a map.

Facts: (Russia/Ukraine)

1. Russia has no reliable warm water port for it's navy.
2. Russia had a leased port in Crimea from the Ukraine (Svastopol)
3. Ukraine was getting awfully cozy towards Western Europe/Nato
4. Russia Stole the port from the Ukraine because it was uncertain of the Ukraine's intentions should it closely align with the west.
5. ONE BRIDGE connects the stolen port to Russian soil.
6. Russia fabricates an uprising by "patriots" in SE Ukraine to capture territory to insure access to their stolen naval base.

One map and it all becomes obvious.

Facts: (Russia/Syria)

1. In spite of their stolen naval base in Crimea, any Russian naval assets leaving the Black Sea must essentially pass through downtown Instanbul to get to the Med.
2. Turkey is not a Russian ally.
3. Syria leases yet another naval base to the Russians at Tartus
4. The west seems intent on ousting the current Syrian government, again threatening Russia's ability to project Naval power.

When deciding the intentions of nations your first stop should always be a map. For instance the 10 year Iran-Iraq was wasn't about oil fields at all. Iraq was after the deepwater port at Bandar Imam Khomeini because in spite of having the third (or fourth depending on the estimates) largest oil reserves in the world, it has no port. When it failed, it turned south to Kuwait instead.

Looks like they're using an Iranian base.

 

[disarmyouwitha]

Dan posts the best articles on Ars, hands down. ;3

 

[Ezzy Black]

Ostracus[/url]":14uf65wk]

Ezzy Black[/url]":14uf65wk]

Studbolt[/url]":14uf65wk]Trying to make sense of the last few months' activities on the part of various actors, combined with watching what's posted on Russia agitprop websites like RT and zerohedge, is giving me an old familiar feeling I remember while being taught to hide under my desk during a nuclear attack. For those who weren't alive during the Cold War, a great deal of this must not seem real.

I've come to the following conclusions:

1. The US is being attacked right now by Russia in a way that goes well beyond what might normally shrug off as the normal tradecraft between nations. My guess is that after a great deal of success in Europe, Russia felt confident enough that they could open up on the US at maybe the level they were using on Ukraine in about the 2001-2004 period.

2. The advanced measures include a great deal of agitprop, being released through a lot of websites. I hear versions being repeated word for word out of the mouths of street people and political candidates and everyone in between, from every corner of the political spectrum. Lots of useful idiots and fellow travelers out there right now.

3. There are probably four or five different narratives being pumped into the US right now, causing a great deal of confusion, agitation, loss of confidence in society and/or the government, loss of confidence in democracy, alienation between social groups, and dysfunction in the US political process.

4. Syria is a weapon to pump refugees into Europe and the USA and destabilize NATO countries.

I'm just beginning to be aware of the scope of everything that's happening, but there are lots of other people more paranoid than I who have been aware of what's going on long before I got there. Generally they're people who study Russian history. Some time, when I feel like I have the time to do so, I'm going to sit down and write out the various narratives, strategic goals, and attack vectors, just for organizational edification. That's about all I can do.

I think what's happening right now is the most serious threat to the United States (and Europe) since WWII. I'm amazed at how effective it's been, and how easily it's happened right under our noses. Europe is being divided, and the United States has been effectively neutered.

You are giving the Russians entirely too much credit here. The Ukrainian and Syrian interventions by Russia are purely geopolitical. All you need is a map.

Facts: (Russia/Ukraine)

1. Russia has no reliable warm water port for it's navy.
2. Russia had a leased port in Crimea from the Ukraine (Svastopol)
3. Ukraine was getting awfully cozy towards Western Europe/Nato
4. Russia Stole the port from the Ukraine because it was uncertain of the Ukraine's intentions should it closely align with the west.
5. ONE BRIDGE connects the stolen port to Russian soil.
6. Russia fabricates an uprising by "patriots" in SE Ukraine to capture territory to insure access to their stolen naval base.

One map and it all becomes obvious.

Facts: (Russia/Syria)

1. In spite of their stolen naval base in Crimea, any Russian naval assets leaving the Black Sea must essentially pass through downtown Instanbul to get to the Med.
2. Turkey is not a Russian ally.
3. Syria leases yet another naval base to the Russians at Tartus
4. The west seems intent on ousting the current Syrian government, again threatening Russia's ability to project Naval power.

When deciding the intentions of nations your first stop should always be a map. For instance the 10 year Iran-Iraq was wasn't about oil fields at all. Iraq was after the deepwater port at Bandar Imam Khomeini because in spite of having the third (or fourth depending on the estimates) largest oil reserves in the world, it has no port. When it failed, it turned south to Kuwait instead.

Looks like they're using an Iranian base.

It's significant in that it allows them the ability to project air power into the region without the inherent dangers (and expenses) of basing the aircraft in Syria. Any on their own bases would require them to fly around (once again) Turkish Airspace.

It also punctuates my point a bit. Russia certainly has it's own problems with Islamic extremists, but it's willing to crawl in bed with the Iranians to further it's geopolitical goals.

 

[Aelrik]

vakrimd[/url]":1tlvsdhy]

(3) The NSA is preparing a most epic of honeypots to sell to the highest bidder, and intends to own the bidder.

(4) By publishing the data under the guise of a hack, deniability is created for future hacks using these tools.

I don't think either of those add up. In (3) you're giving what is certainly precious (0day) stuff away for a lot of uncertainty about who - if anyone - would buy. And in (4) you would be hoping your targets don't patch the vulns or audit themselves for infection.

Re: (4) -- Not every system gets the same level of security scrutiny/defensive updates. Not every system owner understands their role/importance in the bigger picture or has the resources necessary to keep up with all prudent changes. Sure, the hard targets will use the info to get harder, but many soft targets won't. Limiting attribution whenever poking a soft target provides a valuable effect is a net gain.

 

[Hagen Stein]

Studbolt[/url]":h5l298fw]

lkpentil[/url]":h5l298fw]
In all seriousness, are you really surprised that the only people who speak freely about NSA are sitting in Moscow? Did it ever occur to you that perhaps people sitting "outside Moscow" are more afraid of NSA than Putin? There was one dude that was brave enough to speak about NSA openly and how did it go? Yes, he is sitting in Moscow now.

Are we not speaking freely about the NSA? People all over the US speak freely about the NSA. It's mostly people in the NSA that feel somewhat inhibited.

And because people can speak so freely, the Warrant Canary had to be invented.

 

[dehildum]

BotCyborg[/url]":19l3uwm6]

aPerson#847[/url]":19l3uwm6]So, considering the dates on the files and all that, it seems the Snowden did a bit more then reveal the extent of the US's surveillance network. It seems he took a weapon to, and gave it to the Russians. I wonder if he took the system to process the information the weapon collects.

The man just went from being a patriot to being opportunistic traitor selling us out to the highest bidder.

Do you get paid by NSA for posts like these?

Do you get paid by the Russians for posts like this? Get real, there are a lot of different views about what Snowden did and why he did it. There are many who feel that Snowden is a traitor. Deal with it, just like the people who view Snowden is a traitor deal with people who feel he is a hero.

I prefer the realpolitik view. We are in a new cold war now, fought on many fronts.

 

[Monocasa]

Ummm... GCC and MSVC convert from an addition to a subtraction automatically in this case.

http://gcc.godbolt.org/#compilers:!((co ... ed+int+*+S)+%7B%0A++S%5B0%5D+%3D+0xB7E15163%3B%0A++for(int+i+%3D+1%3B+i+%3C+44%3B+%2B%2Bi)+%7B%0A++++S%5Bi%5D+%3D+S%5Bi-1%5D+%2B+0x9E3779B9%3B%0A++%7D%0A%7D%0A++++')),filterAsmcommentOnly:!t,directives:!t,intel:!t,labels:!t),version:3

 

[Studbolt]

Einstein76[/url]":hldzqv46]

Studbolt[/url]":hldzqv46]

lkpentil[/url]":hldzqv46]

divisionbyzero[/url]":hldzqv46]Confirmed? Really? Wow. It doesn't take much. You trust Kaspersky?

Umm...

http://www.npr.org/sections/alltechcons ... ssian-govt

Another propaganda article from the western mass media.

Here in the West, we don't trust our mass media not to be unprofessional or uninformed, but we do trust them not to be working for the State. If they were working the State, the other press would be pointing at them like Body Snatchers.

Do you really believe the media isn't working with the state in the west? Really?

Phrases like "the media" and "the government" and, for that matter, "the state" don't survive examination in contexts like the one you're referencing.

"The media" is composed of many different people, working for many different organizations or by themselves, on many different topics.

"The government" is also composed of many different people, working for thousands of different local, state and national organizations.

"The state" is, for that reason, also meaningless, at least in the United States, because the USA does not have a monolithic government as it would in, say, the Soviet Union or China, where "The State" is really "The Party", or every increasingly today's Russia.

So no, I don't believe "the media" is working with "the state", because that's silly. Yes, members of the press do feel sympathy for various actors, and certainly Fox News has based an entire business plan out of working on behalf of a particular constituency, as have Rupert Murdoch's other holdings.

But overall, no. Your particular narrative is Russian agitprop, along with "Hillary is rigging the elections".

 

[pjlahaie]

orome[/url]":92zkn2i5]it'd be strange to see hackers concerned about energy use of their victim computers , monitoring energy use would be a novel way of detecting malware.

Hacking tools aren't malware and they often run on the hacker's computer not the victims. Malware is what you would inject after the hacking tools do their jobs.

I've seen crude versions of that detection method being used. We had a machine with a variable rate CPU fan that started to run at full speed 100% of the time. Looking at the system, we saw almost no load on the CPU. We powered down, unplugged the disks, booted off optical media and the CPU fan was running normally. Reboot to the disks in single user mode, CPU fan hits full speed within a few seconds of the kernel finishing booting. Shutdown server, remove drives, install new drives, re-install, restore data from backup. Going through the old disks on another system (reading the FS with command line utilities) revealed the presence of a pretty persistent rootkit. Luckily they left the file timestamps intact which made tracking down the point of intrusion rather easy.

 

[pjlahaie]

Rene Gollent[/url]":3nj2973k]

Parts of me want to say "* 2" using shift vs the multiply instruction but it was so long ago I forget the details.

This one isn't so much CPU specific as that it was a generally commonplace optimization before compilers became smart enough to recognize it automatically, since mul and div (particularly the latter) are by far the most expensive math instructions on pretty much every general purpose arch out there, while shift is among the cheapest.

Yeah, it was the multiply vs shift. But not 486 -> Pentium -> PPro but Pentium 3 -> Pentium 4 -> Core. Which makes sense since the Core processor is essentially a tweaked Pentium 3 core. The Pentium 4 dropped the high speed barrel shifter (present in i386+) with a shift/rotate execution unit running at the CPU clock rate whereas the multiply instruction was running at 2x clock rate (double pumped).

 

[photochemsyn]

divisionbyzero[/url]":gcipe11s]Confirmed? Really? Wow. It doesn't take much. You trust Kaspersky?

Umm...

http://www.npr.org/sections/alltechcons ... ssian-govt

Well, certainly more than I trust NPR on any foreign policy story; they always align with U.S. State Department talking points; just as Russian state media always aligns with Kremlin talking points.

Kaspersky after all is selling internet security products; if they were ever caught doing political PR, they'd lose all customer trust. This is also why American tech companies don't want to be associated with U.S. government surveillance programs (i.e. the Apple - FBI flap, etc.). Too much of a risk to their bottom lines.

 

[robert.walter]

Snowden did us a double favor, opened our eyes to creeping surveillance state and got NSA to change their leaky server.

 

[Kebba]

Studbolt[/url]":2hrgw3sf]Trying to make sense of the last few months' activities on the part of various actors, combined with watching what's posted on Russia agitprop websites like RT and zerohedge, is giving me an old familiar feeling I remember while being taught to hide under my desk during a nuclear attack. For those who weren't alive during the Cold War, a great deal of this must not seem real.

I've come to the following conclusions:

1. The US is being attacked right now by Russia in a way that goes well beyond what might normally shrug off as the normal tradecraft between nations. My guess is that after a great deal of success in Europe, Russia felt confident enough that they could open up on the US at maybe the level they were using on Ukraine in about the 2001-2004 period.

2. The advanced measures include a great deal of agitprop, being released through a lot of websites. I hear versions being repeated word for word out of the mouths of street people and political candidates and everyone in between, from every corner of the political spectrum. Lots of useful idiots and fellow travelers out there right now.

3. There are probably four or five different narratives being pumped into the US right now, causing a great deal of confusion, agitation, loss of confidence in society and/or the government, loss of confidence in democracy, alienation between social groups, and dysfunction in the US political process.

4. Syria is a weapon to pump refugees into Europe and the USA and destabilize NATO countries.

I'm just beginning to be aware of the scope of everything that's happening, but there are lots of other people more paranoid than I who have been aware of what's going on long before I got there. Generally they're people who study Russian history. Some time, when I feel like I have the time to do so, I'm going to sit down and write out the various narratives, strategic goals, and attack vectors, just for organizational edification. That's about all I can do.

I think what's happening right now is the most serious threat to the United States (and Europe) since WWII. I'm amazed at how effective it's been, and how easily it's happened right under our noses. Europe is being divided, and the United States has been effectively neutered.

I was not alive for the cold war, but I also think this is getting creepy. The following has happened in my home country the last 6 months.

1. The security police officially warned against desinformation campaigns over social media from Russian troll factories.
2. "Someone" ddosed down all big news outlets websites at the same time for several hours. (Random twitter account explained it to be revenge for untrue coverage over Ukraine.
3. "Someone" very proffessionally sabotaged an antenna used for emergency broadcasts and police/firedepartment/emergency responce communications.

Put together, this worries me greatly! Desinformation networks and disruption of official communications is a VERY potent mixture. It really seems like a new cold war is playing out today

 

[pacocornholio]

It's all fun and games until the traffic lights suddenly stop working and our taps stop issuing clean water.

 

[chesterm8]

There is a typo in the post:

Among other things, the leaked ShadowBroker files use the negative constant -0x61C88647 instead of the more standard 0x61C88647 to speed up subtraction operations.

should instead be

Among other things, the leaked ShadowBroker files use the positive constant 0x61C88647 instead of the more standard -0x61C88647 which is commonly used as addition can be faster than subtraction.

The implication is that the Equation Group did not apply a common optimisation, not that they applied a novel one.

 

[mphillips]

Studbolt[/url]":wo8rsl6q]Trying to make sense of the last few months' activities on the part of various actors, combined with watching what's posted on Russia agitprop websites like RT and zerohedge, is giving me an old familiar feeling I remember while being taught to hide under my desk during a nuclear attack. For those who weren't alive during the Cold War, a great deal of this must not seem real.

I've come to the following conclusions:

1. The US is being attacked right now by Russia in a way that goes well beyond what might normally shrug off as the normal tradecraft between nations. My guess is that after a great deal of success in Europe, Russia felt confident enough that they could open up on the US at maybe the level they were using on Ukraine in about the 2001-2004 period.

....

I think what's happening right now is the most serious threat to the United States (and Europe) since WWII. I'm amazed at how effective it's been, and how easily it's happened right under our noses. Europe is being divided, and the United States has been effectively neutered.

Putin has made no secret of what he thinks of obuma.