
UNITEDRAKE: The Shadow Brokers Leak NSA Malware Manual from August Dump

In Archive, Hacking, NSA, Shadow Brokers on September 7, 2017 at 12:11 PM

PDF (2MB)

The Shadow Brokers – the hacker group behind the ongoing leaks of NSA tools and exploits – released their September 2017 communique yesterday. In it they detail upcoming prices and changes to their monthly dump service, stating the leaks will now be semi-monthly continuing until at least November 15, and that September’s will contain exploits.

More interestingly for non-subscribers, at the bottom of the post is a MEGA link containing “Files, Signed Message, Manual to August Dump.” The manual – titled “UNITEDRAKE Version 4.6.1” – appears to have been altered by an open source graphics program and then re-saved as a PDF. Classification markings have been removed and the company listed on the manual is fake.

UNITEDRAKE is a modular malware described as a “fully extensible remote collection system designed for Windows targets.”

Able to compromise Windows PCs running on XP, Windows Server 2003 and 2008, Vista, Windows 7 SP 1 and below, as well as Windows 8 and Windows Server 2012, the attack tool acts as a service to capture information, with clients planted on target machines that send information to a server over the internet.

The existence of UNITEDRAKE first came to light in 2013 as part of a series of classified NSA documents leaked by Edward Snowden and in a catalog of NSA hacking tools leaked by a second source, which revealed it was used by the NSA alongside other pieces of malware to infect millions of computers around the world.

By using “plugins”, UNITEDRAKE can perform tasks including listening in on and monitoring communications, capturing keystrokes and both webcam and microphone output, impersonating users, stealing diagnostic information and self-destructing once its tasks are completed.

via emptywheel:

The way in which UNITEDRAKE is used with FISA is problematic. Note that it doesn’t include a start date. So the NSA could collect data from before the period when the court permitted the government to spy on them. If an American were targeted only under Title I (permitting collection of data in motion, therefore prospective data), they’d automatically qualify for 705(b) targeting with Attorney General approval if they traveled overseas. Using UNITEDRAKE on — say, the laptop they brought with them — would allow the NSA to exfiltrate historic data, effectively collecting on a person from a time when they weren’t targeted under FISA. I believe this kind of temporal problem explains a lot of the recent problems NSA has had complying with 704/705(b) collection.

In 2015 cybersecurity and anti-virus provider Kaspersky released a report on the “Equation Group”, to whom The Shadow Brokers originally attributed the leak and which has been tied to NSA’s Tailored Access Operations (TAO) elite hacking unit. Kaspersky discovered UNITEDRAKE malware – which they dub EQUATIONDRUG and GRAYFISH in their report – on customer machines in over 30 countries including Iran, Russia, China, the US and the UK, in sectors ranging from government and military to finance, energy and media.

OTHER CODENAMES IN UNITEDRAKE MANUAL:

FOXACID
PUZZLECUBE
BLUISHDEFER
SOLARTIME
JUSTVISITING
FOGGYBOTTOM
SALVAGERABBIT
WISTFULTOLL (ANT Catalog)
INFOSPYDER
KILLSUIT
SQUASHCHUNKY
THERMALDIFFUSION
WHITESPYDER
BEIGETHICKET
DAYTONSUNDAY
GROK
KRISPYKREME
NETPSPYDER
STOWAGEWINK
SULPHURWRITE
FLEWAVENUE
HEAVENSLEW
FELONYCROWBAR
DOGROUND
DICEDEALER

Al-Qaeda Calls for Targeting U.S. Rail Network, Publishes Detailed Operational Guide for Derailing Trains

In Al-Qaeda, Archive, Terrorism on August 14, 2017 at 10:46 AM

LeakSource Note: This information is being published because we believe withholding this material from the public only endangers them more. Terrorists and government officials shouldn’t be the only ones aware of future attacks these groups plan to carry out. The public has a right to know so that they can take necessary precautions, instead of becoming unknowing victims because of secrecy and censorship.

08/14/2017

Al Qaeda in the Arabian Peninsula is encouraging followers in the West to carry out new mass casualty attacks, providing an in-depth tutorial on how to derail trains and listing dozens of ‘vulnerable’ train routes in the U.S. as example targets.

Issue 17 of the terror group’s Inspire Magazine includes several articles detailing railways in the West and the dependency of economies such as the U.S. on the efficiency of the railroad for passenger travel and the transportation of goods.

One introductory article cites a GAO (Government Accountability Office) report highlighting the vulnerabilities faced by U.S. railways, which total over 100,000 miles in length, and citing the transportation of hazardous materials as a particular concern. Also noted in the report are the 5.6 million daily commuters on the NY subway.

An article entitled “Train Derail Operations” urges jihadis to seize upon the vulnerabilities of the rail system, especially the lengthy unguarded tracks in the U.S., France and the U.K., and to place obstacles that will cause trains to derail, striking fear in the hearts of the West as well as weakening their economies.

“O Mujahideen, it is time that we instill fear and make them impose strict security measures to trains as they did with their Air transportation. Continue to bleed the American economy to more losses, increase the psychological warfare and make it worry, fear and weaken much more,” the article states.

An elaborate tutorial spanning 19 pages contains detailed instructions on how to assemble a “homemade derail tool,” as well as the best place to position it. Industrial uses for derail tools or “wedges” include preventing the unauthorized movement of trains or of trains with faulty brakes.

The tutorial instructs users on how to create a cardboard and Styrofoam scale model, which can then be used to build the contraption out of a mixture of steel and concrete, laid out in a six-part step-by-step tutorial.

The guide warns the ‘lone wolf’ to study train schedules carefully and place the obstacle close to the time a train passes by, as rail inspection cars are often deployed to inspect railways for wear and tear.

The simplicity of the device’s design (no explosives required), as well as the notion that such an attack is not a martyrdom operation but rather one that can be repeated over and over again, are listed by the writer as advantages over other forms of lone-wolf attacks.

A map of U.S. railroads also appears and some of the main passenger routes are highlighted.

Inspire Magazine has been published by Al Qaeda in the Arabian Peninsula with issues going back to 2010. Much of the magazine’s attack focus has been labelled “open source jihad,” step-by-step guides advising would-be jihadis on how to carry out terror attacks, often with materials or equipment readily available. Past issues have included a summer 2010 edition with details on how to build a pressure cooker bomb and a fall 2010 edition encouraging “car ramming” attacks.

There has been some debate in the past over the authenticity of Inspire Magazine as a genuine Al Qaeda publication. The U.S. government deems the connection to Al Qaeda plausible and in 2013 launched a cyber attack to disrupt the magazine’s publication.

PDF (26MB)


h/t Lisa Daftari/TheForeignDesk


AQIM Releases South African Hostage Stephen McGown After Almost 6 Years; $4.2 Million Ransom Paid

In Al-Qaeda, AQIM, Archive, Mali, South Africa, Terrorism on August 3, 2017 at 10:56 AM

08/03/2017

NYTimes:

A South African tourist who was abducted nearly six years ago from an inn in Timbuktu, Mali, by the North African branch of Al Qaeda has been freed, officials said on Thursday.

The tourist, Stephen Malcolm McGown, 42, was the last of the “Timbuktu Three,” who were abducted on Nov. 25, 2011, to be released: A Dutch citizen was rescued in a French commando raid in 2015, and a Swedish man was released in June.


Militants released a video showing six captives, including Mr. McGown, last month, before a visit to Mali by President Emmanuel Macron of France. Mr. McGown also holds a British passport.

Mr. McGown’s lengthy captivity had become a cause célèbre in South Africa, but his freedom came at a price: A retired European intelligence official said on Thursday that 3.5 million euros (about $4.2 million) had been paid.

The retired official, who requested anonymity to discuss sensitive information, said that the payment was negotiated through an intermediary, Gift of the Givers Foundation, a South African charity that had campaigned for Mr. McGown’s release, and that it was paid by an undercover agent working for French security services in the Adrar des Iforas mountains, a massif in the deserts of northern Mali where Qaeda militants have held hostages.

“It was an operation managed by France and South African intelligence through an intermediary,” the former official said.


South Africa’s foreign minister, Maite Nkoana-Mashabane, who announced Mr. McGown’s release at a news conference in Pretoria on Thursday, responded vaguely when a reporter asked her whether a ransom had been paid.

“The South African government does not subscribe to payment of ransoms,” she said. “That’s why I focused on the work we have been doing in the past six years: campaigning, engaging with governments, and with the captors the way we know how. That’s what we have been doing. And that’s what we can confirm.”

Ms. Nkoana-Mashabane, the foreign minister, declined on Thursday to discuss the condition of Mr. McGown, now back in South Africa. “Is he receiving the necessary support — the requisite for any South African citizen who had gone through this very, very painful experience? The answer is yes,” she said.

A New York Times tally of ransoms collected by Al Qaeda’s affiliates conducted in 2014 found that the group had taken in at least $125 million, with $66 million paid just in 2013.

Unlike the Islamic State, also known as ISIS or ISIL, Al Qaeda has tended to see hostages as a product that it can monetize. Only a minority of its hostages have died while in custody, unlike those of the Islamic State, which both ransoms and regularly kills captives.

Is This the Document Russian Lawyer Veselnitskaya Shopped to Donald Trump Jr?

In Archive, Donald Trump Jr., Hillary Clinton, Russia, Trump on July 19, 2017 at 2:53 AM

Note: LeakSource does not necessarily believe the opinions and Russia scaremongering contained in some of the articles linked below. Does that mean we are Trump supporters? No. To date we just have not found any reasonable evidence to back up claims of Trump/Russia collusion. The main focus of this post is the document. The selected paragraphs are simply to connect the dots through mainstream media sources to show the likelihood that this is the document Russian lawyer Natalia Veselnitskaya gave to Donald Trump Jr. All signs point to Veselnitskaya using the lure of opposition research (which was nothing revelatory) as a way in to get a meeting, where she could then focus on her real goal of lobbying against the Magnitsky Act. There was no nefarious election collusion masterminded by Putin here, as the media outlets below would want you to believe.
———————————————————————————————————————————
WHAT WE KNOW SO FAR

Bloomberg:

Around the time of last summer’s meeting with Trump Jr., Russian attorney Natalia Veselnitskaya was peddling a new political spin on a well-worn international scandal, according to one person familiar with her work. She was focusing on hedge fund manager William Browder, the subject of her scorn and of a film she was promoting, and on Ziff Brothers Investments LLC, which had invested with Browder, the person said.

Russian prosecutors said they were opening new lines of inquiry against these investors. What Veselnitskaya saw in these steps were alleged tax improprieties that would be a black mark on the Democratic Party, because Browder and at least one member of the wealthy Ziff family had contributed to the Clinton Global Initiative, the person said.
———————————————————————————————————————————
WaPo:

Rinat Akhmetshin said that “as part of her work, with her clients” Veselnitskaya had found that an American hedge fund was violating Russian tax and securities law and that the fund “seemed linked to the Democratic National Committee.” He said that Veselnitskaya “left a document behind” after the session.
———————————————————————————————————————————
WSJ:

Veselnitskaya said her meeting wasn’t coordinated with official Russian government structures. She did, however, share information similar to what the Russian prosecutor general’s office gave to Rep. Dana Rohrabacher (R., Calif.) in a Moscow meeting two months earlier. Namely, she said she wanted to inform the Trump campaign of allegations that an American firm Mr. Browder worked with, Ziff Brothers Investments, had dodged taxes in Russia and later donated to Democrats.

“Both during the meeting, while I was talking to Donald Trump Jr., and in the written materials I prepared, I was trying to tell the story that I myself had personally investigated,” Ms. Veselnitskaya said, referring to Mr. Browder.
———————————————————————————————————————————
CHAIKA/ROHRABACHER/VESELNITSKAYA CONNECTION

NYT:

Rob Goldstone, the former British tabloid journalist and music promoter who arranged the Trump Tower meeting, had written in an email to Donald Trump Jr. that Ms. Veselnitskaya would bring information from Yury Chaika, the Prosecutor General of Russia, that would be damaging to Mrs. Clinton.

What that information was is still not known. But at the time, Mr. Chaika was trying to push back against an American sanctions law, the Magnitsky Act, in part by trying to discredit an American-born businessman, William J. Browder, who had lobbied for its passage. At least some of the information seemed to concern accusations of tax evasion by prominent Democratic donors involved with Mr. Browder.

Mr. Chaika made the same accusations in a statement on his website and in documents handed to Rohrabacher when he was in Moscow. In an interview, Mr. Rohrabacher said using the information in opposition research against the Democrats in the presidential campaign had never crossed his mind. “That’s a big zero,” he said.
———————————————————————————————————————————
DailyBeast:

That same Prosecutor General’s office also was listed as being behind the “very high level and sensitive information” that was offered to Donald Trump Jr. in an email prior to his now infamous meeting with Russian officials at Trump Tower on June 9—just days before the congressional hearing. Veselnitskaya attended that meeting with Trump Jr. She also happens to have worked as a prosecutor in the Moscow region and is a close personal friend of Chaika.

As Rohrabacher pitched for support in the weeks after returning from Russia, Rinat Akhmetshin set to work on lobbying House members. A U.S. congressional staffer told The Daily Beast that former California Rep. Ron Dellums (D-CA) and Akhmetshin showed up at their office without an appointment.

“They said they were lobbying on behalf of a Russian company called Prevezon and asked us to delay the Global Magnitsky Act or at least remove Magnitsky from the name,” the staffer said.

Prevezon’s lawyer at the time was Natalia Veselnitskaya, who was working to defend the Cyprus-based company against U.S. money laundering allegations related to the massive fraud uncovered by Magnitsky.
———————————————————————————————————————————
TheHill:

Just days after meeting Trump Jr., Veselnitskaya also attended a dinner with Rohrabacher and roughly 20 other guests at a dinner club frequented by Republicans.

In an interview with The Hill on Wednesday, Rohrabacher said, “There was a dinner at the Capitol Hill Club here with about 20 people. I think I was the only congressman there. They were talking about the Magnitsky case. But that wasn’t just the topic. There was a lot of other things going on. So I think she was there, but I don’t remember any type of conversation with her between us. But I understand she was at the table.”
———————————————————————————————————————————
While searching through the leaked emails of U.S. State Department Russian intelligence official Robert Otto, LeakSource discovered documents that Rohrabacher received from Moscow regarding the Magnitsky Act. Included is a file labeled confidential, which contains details matching what news outlets have so far reported regarding the information Veselnitskaya gave to Trump Jr. That, along with the reported connections between Chaika, Rohrabacher and Veselnitskaya, gives credence to this being the document that was given to Trump Jr.

———————————————————————————————————————————
WHAT DOES THIS HAVE TO DO WITH HILLARY CLINTON AND THE DNC?

Ziff Brothers Investments’ political contributions in 2016 (via OpenSecrets):

———————————————————————————————————————————
RT:

Natalia Veselnitskaya insisted her meeting with Trump Jr. was aimed at countering Browder’s lobbying in America and had nothing to do with the US presidential election.

“I am already tired of talking about it, but apparently nobody wants to hear. This was the story that I brought to Donald Trump Jr. I wanted him to know that Browder, a person who gave up his US citizenship, is trying to manipulate people in Congress,” she said.

“If the Senate wishes to hear the real story, I will be happy to speak up and share everything I wanted to tell Mr. Trump,” she added, referring to the alleged economic crimes that Browder is suspected of in Russia. “I will share everything I know about this situation when millions came into my country and billions left it – and nobody paid taxes.”

Veselnitskaya also said she is now concerned for the safety of her family as it’s been revealed that Browder’s team spied on her family’s activities even before her meeting with Trump Jr.

“It’s been revealed that Mr. Browder and his team have been gathering information about my family,” she told RT, adding, that Browder’s team “found photos of my house and sent them to Kyle Parker… a famous man in the House of Representatives, who worked for Mr Browder for many years – and not for any congressmen or congress as a whole.”

People working for Browder also shared all her personal details with representatives of the State Department, Veselnitskaya said.

An email containing an alleged photo of the Veselnitskaya’s house was discovered in the trove of hacked Robert Otto emails that were leaked.

Examining Hacked Emails From US State Dept’s Top Russian Intel Official Robert Otto

In Archive, Hacking, Russia, State Dept, USA on July 18, 2017 at 1:25 AM

Robert Otto (image via emails)

via Johnnie Walker (h/t to @codefiscal for link):

Perhaps you know that the U.S. State Department has a direct bearing on the agenda formation not only at home but throughout the world.

Now you can make sure it’s true. Let me show you the correspondence between the Deputy Chief of Staff for Intelligence, Surveillance and Reconnaissance Agency Robert P. Otto and his colleagues, CIA officers and other intelligence agencies, as well as representatives of mainstream media, NGOs, international funds and think tanks.

With the respect for privacy I’ve deleted his correspondence with his wife and relatives. The rest of emails will give evidence of who is responsible for different information campaigns, the so-called mythmaking and essentially engaged in the promotion of “American values” throughout the world.

DOCUMENT CACHE CAN BE DOWNLOADED HERE

ForeignPolicy:

The State Department did not confirm or deny the authenticity of the emails. “The Department of State is well aware that malicious actors often target email accounts of government and business leaders across the United States. As a matter of policy, we do not discuss specific attempts or incidents,” a State Department spokesman said.

But the official’s expertise in Russian politics and organized crime makes him a significant target.

“He’s probably the top intelligence guy in the entire U.S. government on Russia. He knows more than anybody about what’s going on there,” said one source whose correspondence with the official was revealed in the hack.

The official’s emails were primarily conversations among Russia experts in government, including the intelligence community, exchanging articles, newsletters, and thoughts on current events. The official corresponded frequently with other Russia experts in academia and the think-tank world.

While several of his colleagues contacted by FP said they were unaware of the hack, they were not surprised, given recent events.

According to a second source whose correspondence showed up in the hacked emails, at least one other Russia expert was recently hacked — an Australian academic with a history of government service, although the emails appear not to have been released.

There’s no evidence proving Russian hackers targeted the official, but the first media outlet to pick up on the hack was an obscure website in Crimea (NewsFront), which published specific emails and provided a link to the cache. A former employee of the news agency had claimed in an article that the website is financed by the Russian secret service, and its topics assigned by top political leadership in Moscow.

A Donetsk, Ukraine-based editor for the website, who declined to provide his name, said allegations of Russian government funding were untrue and “funny.”

———————————————————————————————————————————

LeakSource has so far analyzed mostly the emails containing attachments, looking for any confidential documents or information not intended for distribution. If you are searching through the documents as well, please comment here or tweet to me any additional details you find newsworthy.


  • Email from Toby Gati, former United States Assistant Secretary of State for Intelligence and Research, questioning why there was no American interpreter at G-20 Obama/Putin meeting


  • Email between Dan Goldberg (unable to confirm position but I believe it is in Defense Dept.) and Robert Otto, analyzing fashion sense of a young Vladimir Putin:


  • Email between Wayne Allensworth and Robert Otto re: a report of a fake document claiming American government is paying a Russian activist to leak information saying top Russian officials are gay. Allensworth seems to insinuate that rumors about Putin are common in Moscow’s gay community:


  • What I believe is a previously unpublished photo of Sen. John McCain and Vladimir Milov, former Deputy Energy Minister of the Russian Federation and president of the Institute of Energy Policy think-tank:

h/t to @steemwh1sks: “Someone converted the leaked U.S. State Department e-mails to pdf, sorted by keyword. Posted on reddit”:

PDFs Matching “Clinton”

https://www.scribd.com/document/353850851/Clinton-1

https://www.scribd.com/document/353850860/Clinton-2

https://www.scribd.com/document/353850867/Clinton-3

https://www.scribd.com/document/353850856/Clinton-4

https://www.scribd.com/document/353850868/Clinton-5

https://www.scribd.com/document/353850871/Clinton-6

https://www.scribd.com/document/353850875/Clinton-7

https://www.scribd.com/document/353850866/Clinton-8

PDFs Matching “Trump”

In this next section, I searched for 534 emails which mentioned “TRUMP” and extracted the PDFs without the articles in such a distracting way.

https://www.scribd.com/document/353854712/Trump1

https://www.scribd.com/document/353854711/Trump2

https://www.scribd.com/document/353854705/Trump3

https://www.scribd.com/document/353854703/Trump4

https://www.scribd.com/document/353854707/Trump5

https://www.scribd.com/document/353854708/Trump6

https://www.scribd.com/document/353855238/Trump7

https://www.scribd.com/document/353855230/Trump8

https://www.scribd.com/document/353855245/Trump9

https://www.scribd.com/document/353855241/Trump-10

https://www.scribd.com/document/353855234/Trump-11

https://www.scribd.com/document/353855225/Trump12-pdf

PDFs Matching “Veselnitskaya”

In this section, I found a handful of emails matching the Trump Lawyer that should have a second look.

https://www.scribd.com/document/353856170/Veselnitskaya1

PDFs Matching “Magnitskiy”

In this section, I found 93 emails matching Magnitskiy, which is connected to the Trump lawyer.

https://www.scribd.com/document/353856542/Magnitskiy1

https://www.scribd.com/document/353856577/Magnitskiy2

PDFs Matching “Podesta”

https://www.scribd.com/document/353857003/Podesta-Clinton

PDFs Matching “Lynch”

https://www.scribd.com/document/353858422/Lynch

PDFs Matching “Eric Holder”

https://www.scribd.com/document/353858572/Holder1-pdf

PDFs Matching “DNC”

https://www.scribd.com/document/353864582/Dnc

PDFs Matching “McCain”

https://www.scribd.com/document/353866545/McCain

PDFs Matching “Manafort”

https://www.scribd.com/document/353868118/Manafort

PDFs Matching “Soros”

https://www.scribd.com/document/353868611/Soros

PDFs Matching “Uranium”

https://www.scribd.com/document/353869252/Uranium1

PDFs Matching “Samochornov” (Veselnitskaya’s unnamed translator)

https://www.scribd.com/document/353869492/Samochornov

Contacts – cross-reference with WikiLeaks Intelligence:

https://icwatch.wikileaks.org/

https://pastebin.com/1kgxCigKh

https://pastebin.com/s6PP2bR2
