Ooops, a Gentlemen’s Agreement Breaks

The mysterious hacking group that supplied a critical component of the WannaCry “ransomware” software attack that spread across the globe in mid-May 2017 has been releasing alleged National Security Agency secrets for the past eight months.  Former intelligence officials now fear that the hackers, who go by the name Shadow Brokers, are taking a new tack: exposing the identities of the NSA’s computer-hacking team. That potentially could subject these government experts to charges when traveling abroad.

The Shadow Brokers on April 14, 2017 posted on a Russian computer file-sharing site what they said were NSA files containing previously unknown attack tools and details of an alleged NSA hack affecting Middle Eastern and Panamanian financial institutions.

But something went largely unnoticed outside the intelligence community. Buried in the files’ “metadata”—a hidden area that typically lists a file’s creators and editors—were four names. It isn’t clear whether the names were published intentionally or whether the files were doctored. At least one person named in the metadata worked for the NSA, a person familiar with the matter said.  Additionally, the hacking group in April, 2017 sent several public tweets that seemingly threatened to expose the activities of a fifth person, former NSA employee Jake Williams, who had written a blog post speculating the group has ties to Russia… Security experts who have examined the documents believe they contain legitimate information, including code that can be used in hacks, as well as the names of the files’ creators and editors.

Because nation-state hackers might run afoul of other countries’ laws while discharging their duties, they could, if identified, face charges when outside their country. So, to keep their own people safe, governments for decades have abided by a “gentleman’s agreement” that allows government-backed hackers to operate in anonymity, former intelligence officials say….

Some former intelligence officials suggested the U.S. prompted the outing of state-sponsored hackers when it indicted five Chinese military hackers by name in 2014, and more recently brought charges against two officers with Russia’s Federal Security Service over a 2014 Yahoo Inc. breach.  By exposing cyberagents, the Shadow Brokers appear to be taking a page from the U.S. playbook, said Mr. Williams, who worked for the NSA’s Tailored Access Operations hacking group until 2013. An NSA spokesman said the agency doesn’t comment about “most individuals’ possible current, past or future employment with the agency.”  “We’ve fired first,” Mr. Williams said, referring to the U.S. charging the alleged Chinese hackers by name. “This is us taking flak.”…

The documents revealed jealously guarded tactics and techniques the NSA uses to access computer systems…For example, the files include source code for software designed to give its creators remote access to hacked machines, and to evade detection from antivirus software. If the code was created by the NSA, it now gives security professionals a digital fingerprint they can use to track the NSA’s activities prior to the leak.

That could prove disruptive to NSA activities, forcing the agency to consider pulling its software from others’ networks and taking other steps to erase its tracks. And while the information could help companies determine whether they have been hacked by the NSA, it could also be used to create more malicious software. The Shadow Brokers tools, for example, are now being used to install malicious software such as WannaCry on corporate networks.

Mr. Williams initially thought the Shadow Brokers had access only to a limited set of NSA tools. His assessment changed after three tweets directed at him April 9, 2017 included terms suggesting the group had “a lot of operational data or at least operational insight” into his work at the NSA, he said. The tweets, which are public, are cryptic. They express displeasure over an article Mr. Williams wrote attempting to link the Shadow Brokers to Russia. They also mention apparent software code names, including “OddJob” and “Windows BITS persistence.”… OddJob is a reference to software released by the Shadow Brokers five days after the tweets. “Windows BITS persistence” is a term whose meaning isn’t publicly known.

Excerpts from In Modern Cyber War, the Spies Can Become Targets, Too, Wall Street Journal, May 25, 2017


War and Play: the playbook of targeted killings

The Obama administration is nearing completion of a detailed counterterrorism manual that is designed to establish clear rules for targeted-killing operations but leaves open a major exemption for the CIA’s campaign of drone strikes in Pakistan, U.S. officials said.  The carve-out would allow the CIA to continue pounding al-Qaeda and Taliban targets for a year or more before the agency is forced to comply with more stringent rules spelled out in a classified document that officials have described as a counterterrorism “playbook.”

The document, which is expected to be submitted to President Obama for final approval within weeks, marks the culmination of a year-long effort by the White House to codify its counterterrorism policies and create a guide for lethal operations through Obama’s second term.

A senior U.S. official involved in drafting the document said that a few issues remain unresolved but described them as minor. The senior U.S. official said the playbook “will be done shortly.” The adoption of a formal guide to targeted killing marks a significant — and to some uncomfortable — milestone: the institutionalization of a practice that would have seemed anathema to many before the Sept. 11, 2001, terrorist attacks. Among the subjects covered in the playbook are the process for adding names to kill lists, the legal principles that govern when U.S. citizens can be targeted overseas and the sequence of approvals required when the CIA or U.S. military conducts drone strikes outside war zones.

U.S. officials said the effort to draft the playbook was nearly derailed late last year by disagreements among the State Department, the CIA and the Pentagon on the criteria for lethal strikes and other issues. Granting the CIA a temporary exemption for its Pakistan operations was described as a compromise that allowed officials to move forward with other parts of the playbook. The decision to allow the CIA strikes to continue was driven in part by concern that the window for weakening al-Qaeda and the Taliban in Pakistan is beginning to close, with plans to pull most U.S. troops out of neighboring Afghanistan over the next two years. CIA drones are flown out of bases in Afghanistan.

Excerpt, Greg Miller, Ellen Nakashima and Karen DeYoung, CIA drone strikes will get pass in counterterrorism ‘playbook,’ officials say, Washington Post, Jan 19, 2012