There’s strange, and then there’s extremely strange. The odd series of events in the saga of two sets of stolen U.S. intelligence agency cyber tools, circa 2016-2017, definitely counts as extremely strange.
The weird tale has come up again in the last couple of weeks because of recent developments, one of them alleged by some participants to be related to Spygate. You can form your own judgment about that connection (below); I don’t see a decisively compelling basis for it at the moment. That may change when we learn more about a legal proceeding underway in Italy (where possibly related events do suggest we need to take special interest).
The other development is the implication of one of the tools in the hijacking of Baltimore’s city government computer systems. The tool, referred to as EternalBlue, was stolen from NSA and published to the world by a hacker group in April 2017. It was one of a package of stolen tools first seen in unauthorized public release by the same group in August 2016.
A second set of government-developed tools, this one from the CIA, was published in the same timeframe, although it appears to have been stolen a bit later. It was also released, but by WikiLeaks, in April 2017. The CIA tools are the ones in which James Comey reportedly interested himself, when he was still Director of the FBI.
However the NSA toolset was pilfered – and the exact nature of the heist hasn’t been definitively reported – its initial appearance was in mid-August 2016 via a pidgin English announcement and online posting by a group calling itself the Shadow Brokers. It was widely reported at the time, Edward Snowden having confirmed from his hideout in Russia that the tools came from NSA.
The Shadow Brokers initially sought to sell the most powerful tools through a Bitcoin auction. The tool that has been wreaking havoc with city government systems along with numerous other targets – i.e., EternalBlue – wasn’t released until 8 April 2017, however. The Bitcoin auction hadn’t generated the multimillion-dollar return the Shadow Brokers seemed to hope for, and a key to the unreleased tools from the package theft was eventually published.
EternalBlue was implicated in the wave of WannaCry ransomware attacks in the spring of 2017. It has reportedly been used in quite a few other attacks in the months since, with one of the most recent and spectacular being the extended bureaucratic agony of the city of Baltimore. With its municipal systems out of commission, Baltimore was reduced a few weeks ago to manually processing city transactions that workers and citizens hadn’t had to handle in such a primitive way for more than 20 years.
The cost of attacks with EternalBlue, which exploits an often unpatched vulnerability in Microsoft’s Windows operating systems, is mounting into the millions of dollars. (One is tempted to say, “Let your Windows updates run, for crying out loud, people.” Some of the systems still in use are older, however, and their version of Windows is no longer supported with security patches.)
But of equal interest, and potentially more, is the allegation of an Italian engineer and investment-fund manager, Giulio Occhionero, that cybersecurity officials of the Italian government may have used EternalBlue to break into the servers of his investment company, Westland Securities, in May 2017, and plant incriminating evidence on them – evidence related to Spygate in the USA.
I can’t emphasize enough that there is no decisive proof of this in the information currently available to the public. Occhionero and his sister, Francesca, were accused by the Italian government in January 2017 of conducting cyber-attacks against a slew of Italian officials, and their cases are currently sequestered behind a wall of procedural confidentiality in Italy. Giulio Occhionero’s allegation is that when two agents of the CNAIPIC (the “Postal Police,” which is responsible for national infrastructure security) came to the U.S. in May 2017 to document information on the Westland Securities servers in Washington State and West Virginia, they attempted to plant evidence on the servers in the form of the most Spygate-related documentation of all: copies of Hillary’s emails.
I don’t advocate here for the Occhionero scenario. The suggestion that EternalBlue is connected with it comes from a reference to the exploit tool in an Italian court document, provided by Occhionero to a blogger who goes by Neon Revolt. The excerpt we get a glimpse of is merely a reference to the publication of EternalBlue on 14 April 2017 (it was actually published on 8 April, but most of the mainstream media picked it up on the 14th). There is no context afforded, or verbiage cited that indicates the CNAIPIC agents used it.
The agents had an official purpose for interacting with the Westland servers, so that’s not a smoking gun either, nor is working with the FBI to perform these operations, which they would obviously do, the servers being in the United States. We’re also told that the agents failed in the attempt to plant their evidence, so I imagine readers will join me in caution and skepticism until solid proof is offered.
But the larger context of this whole multi-skein thread is very peculiar. Probe it in any direction and you keep coming to echoes from bizarre corners of Spygate, and even, in fact, from Hillary Clinton’s homebrew server.
Here is the short summary.
The first thread-probe takes us to James Comey and the report that he intervened to effectively prevent the Department of Justice from making a limited-immunity deal with Julian Assange in March 2017, in exchange for a limited, less-damaging release of the CIA cyber tools WikiLeaks had received and was planning to publish.
These tools were not the NSA tools. They were a separate set of tools, some of which notoriously enabled the CIA to mimic other cyber actors, and hence throw suspicion on them for attack exploits.
WikiLeaks released the CIA tools on 7 April 2017, the day before the Shadow Brokers, on 8 April, published a password for the remaining files from their stolen NSA toolset.
If it seems suspiciously like those two events were connected, there is also the data point that in August 2016, when the Shadow Brokers made their first announcement about the NSA tools, WikiLeaks claimed in a tweet to have its own copy of the NSA tools, and that it would be publishing them “in due course.”
We had already obtained the archive of NSA cyber weapons released earlier today and will release our own pristine copy in due course.
— WikiLeaks (@wikileaks) August 16, 2016
There has been no publication by WikiLeaks of the NSA tools.
But John Solomon learned, in June 2018, that James Comey had intervened in February 2017 to spike the immunity deal with Assange that would have limited the release of the CIA tools.
Solomon got this from a rare on-the-record source: attorney Adam Waldman, whom readers will remember as a one-time representative for Oleg Deripaska, a link to Christopher Steele, and a texting buddy of Democratic Senator Mark Warner of Virginia.
Waldman was acting as a go-between for Assange and the Justice Department, in particular Russiagate principals Bruce Ohr and David Laufman. Waldman told John Solomon in 2018 that during the negotiations, in mid-February 2017, Comey had contacted Warner to get the talks with Assange shut down.
The DOJ, in the person of David Laufman, was determined to continue the effort. Comey couldn’t actually overrule the DOJ, of course, but apparently his active intervention through Warner spooked Assange and prevented any deal from being made.
It’s obviously noteworthy that the CIA and NSA cyber tool releases occurred back to back on 7 and 8 April 2017. The publication of the CIA tools took place first, and that was the event Comey apparently didn’t want to limit the damage from. Perhaps his motive was to ensure Assange would have no limited-immunity agreement to hide behind in the future. It doesn’t sound like the deal would have protected Assange from much, but it’s possible that that was Comey’s priority. (In that regard, it’s interesting to note news from Monday that Assange will not be charged in connection with the WikiLeaks release of the CIA cyber tools.)
It’s also possible (as noted in my 2018 article) that Comey didn’t relish the thought of Assange explaining why it wasn’t the Russians who hacked the John Podesta email account in 2016.
It is not unreasonable, meanwhile, to read the sequence of events (the back-to-back releases) as the CIA tools release being a possible – not confirmed, but possible – trigger for someone to fully release the NSA cyber tools.
The FBI, of course, knew about the NSA tool heist, and had been investigating it for months at that point.
The attempted NSA tools “buy-back”
That brings us to the second thread-probe. This incident was one of surpassing weirdness, if what we are told about it is true. It was reported by the New York Times in February 2018. The report came out of the blue, and doesn’t seem to have related to anything else before or since.
But given the sudden notoriety of EternalBlue, one of the NSA hacking tools, and the incident’s echo of Spygate, it merits a mention.
The story is quite vague as to the when and who. The initial events seem to have occurred before the full release of the NSA tools on 8 April 2017. The tale is about an attempt to “buy back” the stolen cyber tools from a nameless broker who was offering this sale in Germany. For some reason, even after the release of the final NSA tools in April 2017, a money-involved effort to do business with the broker continued, reportedly through the first weeks of 2018.
The principal shadow-actor offering the stolen NSA toolset for a price was reportedly a Russian. The U.S. agency that allegedly responded to the offer by meeting with the broker in Berlin could have been the FBI, but that feature of the tale was not surrounded with enough hints to be certain.
Here, however, are the details that echoed decisively bogus for me when the story came out. One, the purported broker was offering to sell a thumb drive on which the cyber tools were copied. That, of course, is ridiculous; you don’t “buy back” easily copied computer files on a thumb drive. Once they’ve been stolen, they can be all over the place instantaneously.
Two, the broker was also said to be offering kompromat on Donald Trump. The New York Times averred that it had in its possession four documents containing this kompromat. It doesn’t appear that the information from it has ever been published by the Times, presumably because, according to the NYT, the material appeared to be mostly copied from press reporting.
The question about this story is why it was “leaked” and published, but without verifiable details and without follow-up. Perhaps it was a story that would explain “what else” James Comey might have been doing about the NSA tools in February 2017, when he was busy spiking the Assange immunity deal for the CIA tools. If so, it was an extremely silly, non-credible effort, and doesn’t make any sense unless the purpose was to meet a Russian and try to pull a thread on him. (Even that is a weak motive, considering that the broker’s contact with a U.S. agency, even if indirect, probably put his communications profile in probing range.)
Other factors seem to have more explanatory value. One would be establishing a Russian connection to the Shadow Brokers. A Russian link has been somewhat noisily alleged from the beginning, although cyber experts are skeptical, pointing out that it could be anyone, including independent hackers not acting on behalf of a state.
From a separate standpoint the Russian implication is questionable. The supposed non-English speaker’s mistakes in the fractured verbiage of the Shadow Brokers’ online posts look false and manufactured to me, and they especially don’t look Russian. They look like someone faking a foreigner’s broken English.
A text analyst at the Illinois Institute of Chicago had the same reaction, with an assessment derived from a more scientific approach:
Shlomo Engelson Argamon, a professor of Computer Science at the Illinois Institute of Chicago and chief scientist at Taia Global who specializes in text analysis and attribution, has evaluated the text posted by the person or persons calling themselves the Shadow Brokers. He suggests that the broken English used to advertise the stolen code was intentionally broken—written by a native US English speaker. The lack of misspellings mixed with some strange combinations of grammatical errors “leads to the conclusion that the author is most likely a native speaker of US English who is attempting to sound like a non-native speaker by inserting a variety of random grammatical errors,” Engelson wrote in a post on Taia Global’s site.
The attribution of the Shadow Brokers’ work to a Russian patron thus needed bolstering.
The other factor in dropping the story in NYT is the placement of a “Trump kompromat” theme-let, the relentless calling-card of Spygate. It has never had follow-up, however.
Hillary’s homebrew server
The third thread-probe goes all the way to Hillary’s private email server, through the connections of the NSA cyber tools. The commentary to peruse on this comes from a tweet thread posted by @The_War_Economy in January 2019; the short version is that another tool from the stolen NSA package (referred to frequently as the product of the NSA cell “the Equation Group”) was called “Tadaqueous,” and was designed to go after a single target: a “Fortinet firewall device that also included VPN services.”
— The_War_Economy (@The_War_Economy) January 9, 2019
The Fortinet company’s firewall device was used on Clinton’s homebrew server.
As early as 2016, analysts like Jonathan Langdale (last link above) were suggesting that the NSA cyber toolset had actually been stolen in 2013, in part because it had nothing in it dated later than July of that year. A Reuters article from September 2016 on the FBI investigation of the Shadow Brokers heist suggested the same thing. The story was supposedly that some NSA workers exercising really bad security discipline had left the very sensitive tool files on an exposed server, which was then accessed by hackers.
The Shadow Brokers – or someone later in contact with them – then had the cyber toolset for three years before finally deciding to put it online.
In light of what we now know about Spygate, it’s of more than passing interest that the Shadow Brokers appeared to be preparing for their first, August 2016 announcement when they created a Reddit account on 1 August 2016. No need to post a reminder that Crossfire Hurricane was launched by the FBI on 31 July 2016.
The first tweet from an account associated with the Shadow Brokers was on 13 August 2016.
All of this can be gleaned from @The_War_Economy thread (along with a linked thread of his from December 2018). Based on dates, @The_War_Economy demonstrates a potential connection of the Tadaqueous tool with abstracting data from the private server Hillary used while she was secretary of state, which was shut down in June 2013. He notes as well what earlier analysts had observed: that the dates associated with the toolset released by the Shadow Brokers ran from 2010 to June 2013.
But wait! – there’s more. Alert readers will remember a report from last year that the emails flowing through Hillary’s private server were all being routed to a third party during at least part of the period when her server was in operation. The third party was thought to be China. (That report is in addition to a report three years earlier that the ISP to which Hillary’s email server was connected in New York was hacked by China. And both reports are separate from the information below.)
Fortinet, the unfortunate connection
One reason to give the China link reported in 2018 a serious look is the connection of Fortinet to a counterfeit sales rap, in which the company sold the U.S. military products it certified to be “made in USA,” but which were actually made in China.
The years when this was happening were 2009 to 2016. The Trump administration has been prosecuting Fortinet – Hillary’s firewall and VPN supplier – for the falsely-labeled products, and obtained a settlement in April 2019.
There’s one more piece of the puzzle that points to China in the same timeframe. A “persistent threat” group called Buckeye, thought to be linked to China, was detected using elements of the NSA toolset: not during the peak years of Hillary’s private-server operations, but starting in March 2016 – before the toolset was first offered online by the Shadow Brokers (i.e., in August 2016).
Symantec reported that assessment a few weeks ago, on 6 May 2019, specifically referencing tools including EternalBlue and DoublePulsar, which weren’t released by the Shadow Brokers until April 2017. The news media picked it up quickly.
Buckeye may only have started using the NSA tools in March 2016. But the attack group started operating in 2009, targeting the United States. According to Symantec, Buckeye ceased operations in mid-2017.
The nearly exact overlap of the Fortinet counterfeit sales and the operation of the Buckeye group – with each other and with the dates of the Obama administration – is another of those things that make you go, Hmm. Apparently, Buckeye didn’t need to obtain the NSA tools through the Shadow Brokers’ 2016 and 2017 releases. Perhaps Buckeye got the NSA tools through the Shadow Brokers, or even through a theft by Buckeye itself, prior to March 2016.
Perhaps the tools were obtained by Buckeye from yet another group: possibly a group that had the tools in the period 2010 to 2013, and was siphoning off Hillary’s emails then.
It’s a good question when U.S. agencies knew the NSA tools had been compromised – assuming that that part of the story accurately describes what happened. And it remains to be explained why James Comey really didn’t want an immunity deal for Julian Assange that would have limited the damage from WikiLeaks’ release of the CIA hacking tools.
We don’t have the information right now to judge how much relation this all has, if any, to the Occhionero case in Italy. But in my experience, the odds are very low that these cyber events linked to James Comey, Hillary’s server, WikiLeaks, and a reported exchange in Europe involving kompromat on Trump had nothing to do with Spygate.