Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.


Friday, 01 December 2017 09:00

Who leaked NSA exploits to Shadow Brokers? Ah, it's Russians again!


More "evidence" has emerged this week, once again from a security company, this one based in Washington DC, that appears to point the finger at Russian involvement in the leaking of NSA exploits on the Web last year.

The leaks were by a group that calls itself the Shadow Brokers. The company that provided the "evidence", InGuardians, used the website Krebs on Security, run by former Washington Post employee Brian Krebs, as its conduit.

Krebs used the material provided by InGuardians to write a speculative piece about the identity of the person who leaked the data to the Shadow Brokers. Curiously, he buried the fact that the data came from InGuardians in the 30th paragraph of his story.

Well-known blogger Marcy Wheeler raised some doubts about Krebs' story to which he replied with what she described as "a really snotty tweet". Her analysis of Krebs' article is well worth a read.

InGuardians claimed to have found metadata in documents among the leaked exploits — which are now freely available on the Internet — relating to three people. Two of them had Western names – Nathan S. Heidbreder and Michael A. Pecoraro. The third had a Russian name — Gennadiy Sidelnikov — and Krebs treated that as one reason why this man could be the likely source of the leak.

A little history here: the first person to leak material recently from the NSA was Edward Snowden in 2013. Following that, three others have been known to leak: one, Harold Martin, was arrested last year after having taken a massive trove of NSA data home.

Another, an unnamed software developer, who has been said to be a Vietnamese American, was taken into custody in 2015 after taking hacking tools home and reportedly having them leak from his PC to hackers in Russia. And a third, a woman named Reality Winner, was arrested after leaking a single NSA document to The Intercept this year.

Exploits for sale, exploits for sale, peoples is not wanting Shadow Brokers' exploits that are for sale.

Krebs makes a major error in his article with regard to the three people who are under investigation: he cites an article from The New York Times as stating that one is "a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer".

The NYT, however, plainly states that this individual was also a member of the NSA's Tailored Access Operations group, the elite unit that actually crafts such exploits and carries out operations against foreign enemies of the US.

Its article states: "The agency has active investigations into at least three former NSA employees or contractors. Two had worked for TAO: a still publicly unidentified software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer; and Harold Martin, a contractor arrested last year when FBI agents found his home, garden shed and car stuffed with sensitive agency documents and storage devices he had taken over many years when a work-at-home habit got out of control, his lawyers say."

But then, if Krebs had admitted that the unidentified software developer was a member of TAO, he would not have been able to bring in the name of someone else and posit that that person was the source for the leaks to the Shadow Brokers.

The NSA tools are claimed to have leaked to the Russians through the unnamed developer's use of Kaspersky anti-virus software; like any A-V solution, the software uploads suspicious files to a server for later analysis and when it encountered the NSA files on this man's machine, it did the same. How the Russians obtained these exploits has never been made clear with the obvious implication being that after they reached Kaspersky's Moscow offices, they were handed over to government hackers. Kaspersky has denied handing over any files. Ah, the power of insinuation!

Krebs' conclusion that Sidelnikov was the most likely source from whom the Shadow Brokers obtained the exploits was based on circumstantial evidence. One was that since Sidelnikov had a Russian name, he was the most likely of the three people cited by InGuardians to be using Kaspersky software.

Then Sidelnikov was found to have obtained a degree from a university in Moldova, a former part of the old Soviet Union. His interests, listed on a LinkedIn profile, included Microsoft and the NSA. Based on the skills listed on this profile, Krebs concluded, following hints from InGuardians, that he was a database administrator, and not a senior consultant as the man himself claimed. Therefore, Krebs concluded, again relying on InGuardians' conclusions, the presence of his name on any document connected to the leak was an aberration, as he was not a member of the TAO.

Sidelnikov had listed himself as being affiliated with a company named Independent Software. Krebs claims to have called and emailed this organisation but received no reply. Of course, if Sidelnikov had been arrested — as the headline on Krebs' article claims — it is not surprising that Krebs' queries went unanswered.

The good folk at InGuardians had more "proof" for Krebs. One was that Sidelnikov, who was now assumed to be a database programmer, would not normally have access to exploits of the kind that were leaked. The two others whose names were found in the metadata of the leaked files were claimed to be employees of the TAO.

Whoever the Shadow Brokers are, it is clear that they have detailed access to information about former TAO staff. This was made abundantly clear when they leaked details about Jake Williams, a former TAO member, after he wrote an article about them in April this year.

So, it looks like, once again, based on considerable speculation, much of it unfounded, a Russian has been claimed to be the link to the mysterious leak of NSA exploits. Exactly what Krebs' agenda is remains unknown; Wheeler hinted that he had one: "There’s more I won’t say publicly about Krebs’ project, what he really seems to be up to."

She ended her analysis with this: "...the reason I went through the trouble of pointing out the errors (in Krebs' article) is precisely because Krebs went so far out of his way to find a Russian to blame for … something.

"We’ve been seeing Russian metadata in documents for 17 months. Every time such Russian metadata is found, everyone says, Aha! Russians! That, in spite of the fact that the Iron Felix metadata was obviously placed there intentionally, and further analysis showed that some of the other Russian metadata was put there intentionally, too.

"At some point, we might begin to wonder why we’re finding so much metadata screaming 'Russia'?"

This, one would think, should be a point that strikes a journalist right between the eyes. Strangely, it does not seem to have occurred to Krebs.
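The metadata InGuardians relied on, and the intentionally placed "Russian" metadata Wheeler describes, lives in a plain XML part (docProps/core.xml) inside the Office file. The Python below is added here as an illustration; it is not code from this column, from Krebs, from InGuardians or from any leaked file. It constructs a minimal, made-up .docx in memory, reads the core properties an analyst would look at, and then shows that the creator and last-modified-by fields are free-text values that whoever produces or re-saves a file can set to anything, which is why such fields are a claim to be corroborated rather than evidence of authorship. All names and dates in it are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml in an OOXML (.docx/.xlsx/.pptx) package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# The core-property fields an analyst typically pulls when looking at a document's origin.
CORE_FIELDS = {
    "creator": "dc:creator",
    "lastModifiedBy": "cp:lastModifiedBy",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
}

XML_DECL = b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'


def build_sample_docx(creator: str, last_modified_by: str) -> bytes:
    """Construct a minimal, made-up .docx in memory (constructed sample, not a real file)."""
    core = f"""<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}"
    xmlns:dcterms="{NS['dcterms']}" xmlns:xsi="{NS['xsi']}">
  <dc:creator>{creator}</dc:creator>
  <cp:lastModifiedBy>{last_modified_by}</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">2015-01-01T00:00:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2015-01-02T00:00:00Z</dcterms:modified>
</cp:coreProperties>"""
    content_types = """<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Default Extension="xml" ContentType="application/xml"/>
  <Override PartName="/docProps/core.xml"
    ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>
</Types>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", XML_DECL + content_types.encode("utf-8"))
        z.writestr("docProps/core.xml", XML_DECL + core.encode("utf-8"))
        z.writestr("word/document.xml", XML_DECL + b"<document/>")  # placeholder body
    return buf.getvalue()


def read_core_properties(docx_bytes: bytes) -> dict:
    """Return the author-related core properties of an OOXML package as a dict."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    props = {}
    for key, path in CORE_FIELDS.items():
        el = root.find(path, NS)
        props[key] = el.text if el is not None else None
    return props


def rewrite_creator(docx_bytes: bytes, new_creator: str) -> bytes:
    """Re-save the package with a different dc:creator, leaving every other part untouched.

    This is exactly what any word processor's 'Properties' dialog does, which is why the
    field proves nothing by itself: the output is indistinguishable from an original.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src:
        root = ET.fromstring(src.read("docProps/core.xml"))
        root.find("dc:creator", NS).text = new_creator
        new_core = XML_DECL + ET.tostring(root, encoding="unicode").encode("utf-8")
        out = io.BytesIO()
        with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
            for item in src.infolist():
                data = new_core if item.filename == "docProps/core.xml" else src.read(item.filename)
                dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("Alice Example", "Bob Example")
    print("original :", read_core_properties(sample))
    print("re-saved :", read_core_properties(rewrite_creator(sample, "Someone Else")))
```

The same fields are what tools such as exiftool report for real Office files; the point of the example is that nothing in the package binds them to a person. An analyst should treat a creator name as an assertion by whoever last saved the file and look for independent corroboration (provenance of the file itself, consistent timestamps across many documents, content that only the supposed author could have produced) before drawing any conclusion.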

Update, 4 December: Following the arrest of a Vietnamese American over taking NSA documents home, Krebs has now issued the following statement: "This author published a story earlier in the week that examined information in the metadata of Microsoft Office documents stolen from the NSA by The Shadow Brokers and leaked online.

"That story identified several individuals whose names were in the metadata from those documents. After the guilty plea entered this week and described above, KrebsOnSecurity has unpublished that earlier story."

The statement is published at the end of another post and is given nothing like the prominence that the original post (archived version here) was. There is no admission that the story could have been wrong.

Krebs has disallowed comments on the article where his faux pas is mentioned, presumably so that nobody can point out his error.

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
