Channel: iTWire - Entertainment

Who leaked NSA exploits to Shadow Brokers? Ah, it's Russians again!


More "evidence" has emerged this week, once again from a security company, this one based in Washington DC, that appears to point the finger at Russian involvement in the leaking of NSA exploits on the Web last year.

The leaks were by a group that calls itself the Shadow Brokers. The company that provided the "evidence", InGuardians, used the website Krebs on Security, run by former Washington Post employee Brian Krebs, as its conduit.

Krebs used the material provided by InGuardians to write a speculative piece about the identity of the person who leaked the data to the Shadow Brokers. Curiously, he buried the fact that the data came from InGuardians in the 30th paragraph of his story.

Well-known blogger Marcy Wheeler raised some doubts about Krebs' story to which he replied with what she described as "a really snotty tweet". Her analysis of Krebs' article is well worth a read.

InGuardians claimed to have found metadata in documents among the leaked exploits — which are now freely available on the Internet — relating to three people. Two of them had Western names, Nathan S. Heidbreder and Michael A. Pecoraro. The third had a Russian name, Gennadiy Sidelnikov, and Krebs took that as one reason to regard him as the person likely to have leaked the material.

A little history here: the first person to leak material recently from the NSA was Edward Snowden in 2013. Following that, three others have been known to leak: one, Harold Martin, was arrested last year after having taken a massive trove of NSA data home.

Another, an unnamed software developer, who has been said to be a Vietnamese American, was taken into custody in 2015 after taking hacking tools home and reportedly having them leak from his PC to hackers in Russia. And a third, a woman named Reality Winner, was arrested after leaking a single NSA document to The Intercept this year.

Exploits for sale, exploits for sale, peoples is not wanting Shadow Brokers' exploits that are for sale.

Krebs makes a major error in his article with regard to the three people who are under investigation: he cites an article from The New York Times as stating that one is "a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer".

The NYT, however, plainly states that this individual was also a member of the NSA's Tailored Access Operations group, the elite unit that actually crafts such exploits and carried out operations against foreign enemies of the US.

Its article states: "The agency has active investigations into at least three former NSA employees or contractors. Two had worked for TAO: a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer; and Harold Martin, a contractor arrested last year when FBI agents found his home, garden shed and car stuffed with sensitive agency documents and storage devices he had taken over many years when a work-at-home habit got out of control, his lawyers say."

But then, if Krebs had admitted that the unidentified software developer was a member of TAO, he would not have been able to bring in the name of someone else and posit that that person was the source for the leaks to the Shadow Brokers.

The NSA tools are claimed to have leaked to the Russians through the unnamed developer's use of Kaspersky anti-virus software; like any A-V solution, the software uploads suspicious files to a server for later analysis, and when it encountered the NSA files on this man's machine, it did the same. How the Russians obtained these exploits has never been made clear, the obvious implication being that after they reached Kaspersky's Moscow offices, they were handed over to government hackers. Kaspersky has denied handing over any files. Ah, the power of insinuation!

Krebs' conclusion that Sidelnikov was the most likely source from whom the Shadow Brokers obtained the exploits was based on circumstantial evidence. One was that since Sidelnikov had a Russian name, he was the most likely of the three people cited by InGuardians to be using Kaspersky software.

Then Sidelnikov was found to have obtained a degree from a university in Moldova, a former part of the old Soviet Union. His interests, listed on a LinkedIn profile, included Microsoft and the NSA. Based on the skills listed on this profile, Krebs concluded, following hints from InGuardians, that he was a database administrator and not a senior consultant as the man himself claimed. Therefore, Krebs concluded, again relying on InGuardians' conclusions, the presence of his name on any document connected to the leak was an aberration, as he was not a member of the TAO.

Sidelnikov had listed himself as being affiliated with a company named Independent Software. Krebs claims to have called and emailed this organisation but received no reply. Of course, if Sidelnikov had been arrested — as the headline on Krebs' article claims — it is not surprising that Krebs' queries went unanswered.

The good folk at InGuardians had more "proof" for Krebs. One was that Sidelnikov, who was now assumed to be a database programmer, would not normally have access to exploits of the kind that were leaked. The two others whose names were found in the metadata of the leaked files were claimed to be employees of the TAO.

Whoever the Shadow Brokers are, it is clear that they have detailed access to information about former TAO staff. This was made abundantly clear when they leaked details about Jake Williams, a former TAO member, after he wrote an article about them in April this year.

So it looks like, once again, a Russian has been claimed to be the link to the mysterious leak of NSA exploits, on the basis of considerable speculation, much of it unfounded. Exactly what Krebs' agenda is remains unknown; Wheeler hinted that he had one: "There’s more I won’t say publicly about Krebs’ project, what he really seems to be up to."

She ended her analysis with this: "...the reason I went through the trouble of pointing out the errors (in Krebs' article) is precisely because Krebs went so far out of his way to find a Russian to blame for … something.

"We’ve been seeing Russian metadata in documents for 17 months. Every time such Russian metadata is found, everyone says, Aha! Russians! That, in spite of the fact that the Iron Felix metadata was obviously placed there intentionally, and further analysis showed that some of the other Russian metadata was put there intentionally, too.

"At some point, we might begin to wonder why we’re finding so much metadata screaming 'Russia'?"

This, one would think, should be a point that strikes a journalist right between the eyes. Strangely, it does not seem to have occurred to Krebs.
