Guise Bule


Tinker Tailor Hacker Spy | A Contrarian Analysis Of The Equifax Breach

Who Is Watching And Why?

Some men like to watch the world burn. I would be lying if I said that I wasn't one of them, and if we are honest, you are at least a little bit like me.

*Disclaimer: This is an opinion piece.

Let us go out of bounds now and hope we don’t get lost in the bush.

Equifax was a slap in the face to not just our national intelligence and cybersecurity apparatus, but our civil society and our democracy.

The current narrative and coverage of the event undermine the seriousness of the Equifax breach and its perpetrators; I think it's better we try to properly understand the real risks we are dealing with that stem from this breach.

Tip Of The Iceberg

Before we can begin to properly understand the repercussions of this breach, we need to understand the motivations of the people behind it.

Equifax Press Release

The publicly stated source of this breach is that criminals exploited a website application vulnerability, which is total horseshit when you think about it.

It requires you to believe that the Equifax security team was asleep at the wheel, was failing to patch against web application vulnerabilities and took months to realize that an infiltration and exfiltration had taken place.

It requires you to believe that the breach was limited to the social security numbers, driver's license numbers, addresses and birth dates of 143 million of you, as well as the credit card details of around 290k of them.

I believe that this is just the tip of the iceberg we can see.

Flaws In The Official Narrative

We can disregard those darknet operators extorting Equifax, we can disregard the purported size of the data breach and the stated source of the breach, if anything they are just a smokescreen, mocking laughs left behind to taunt us.

The Psyops Campaign — The darknet psyops campaign currently taunting security researchers and investigators is a smokescreen and the Equifax data has not yet appeared on the darknet for sale beyond this one website.

The Breach — Let's conduct a thought experiment and follow the public narrative, assuming the breach point was a vulnerability in Apache Struts.

This requires us to believe that either a known Apache Struts vulnerability (CVE-2017-5638, an expression-language vulnerability disclosed in March) or a then-unknown zero-day vulnerability (CVE-2017-9085, an unsafe serialized object vulnerability disclosed in September) was responsible for the breach.

It also requires us to arrive at this conclusion on our own, because neither the official statement nor the subsequent analysis of the breach actually confirms this; instead we are being nudged towards this narrative by various actors.

Subsequent Analysis — Neither an investment analysis of the breach nor the official statement reveals anything; the phrase 'not known' is heavily leaned upon, and there is no confirmation anywhere that these vulnerabilities were responsible.

Most cybersecurity commentators focused on this are in accord with this narrative and official sources are not challenging it, something I find quite incredible considering the sketchiness of this narrative's foundation.

The Narrative Is A Smokescreen

Being a critical engineer of sorts, I am forced to challenge the public narrative and conduct a thought experiment which supports a different perspective.

In my thought experiment the public narrative surrounding the breach is untrue, the publicly stated belief that it is criminal activity is false and the fallout from the breach is much more serious than anyone is letting on.

What is not being revealed is that these data breaches are much more extensive and interconnected than we are being led to believe, and they are being initiated by state-sponsored actors from a country I shall not name.

The Equifax breach is connected with the breach at OPM, and its stolen data helps validate the OPM data; when you pool those two stolen data sets together with the biodata from the Anthem breach, you have a highly valuable source of intelligence on the US/UK intel/gov/def community.

What do these three breaches have in common? They were all conducted by the same actors, and the data has never been seen for sale on the darknet markets despite its very obvious value; it's being saved for something else.

Continuing With The Thought Experiment

If our thought experiment rests on solid ground, then we can extrapolate the following consequences and risks from the breach, bearing in mind that it would be a mistake to focus on the moment and the immediate consequences when the long-term effects have yet to be felt.

A financial crime spree in the short term really is the least of our worries; these breaches dramatically boost the intelligence capabilities and operations of our adversaries in many very important and fundamental ways.

  1. Enriched HUMINT Capabilities — The data sets allow the culprits to develop full out-of-band profiling of known US intelligence personnel and make credible assumptions about suspected operatives from their backstory. The biodata set in particular is highly useful for validating existing classified holdings, in support of counter-intelligence operations.
  2. Enriched Second Tier Intelligence — These data sets are rich sources of second-tier intelligence, highly valuable to those with a target-centric approach to target analysis and threat analysis.
  3. Enriched OSINT Capabilities — These data sets can be pooled with OSINT resources to create incredibly detailed pictures on a huge chunk of the American population in general, highly useful in target analysis.

What Is The Long Term Fallout?

Given these enriched capabilities, state-sponsored operators could be highly effective at cyber espionage for the next decade, and these data sets are rich with information that is highly useful to cyber espionage campaigns.

Corporate Phishing — This data can be leveraged in phishing attacks against corporate targets, making it easy to spoof emails and calls to organizations that run critical-access accounts. It makes it easy to impersonate you and socially engineer a way into your company.

Individual Target Manipulation — This data can help identify potential targets working at important institutions who may be suffering financial distress, making them vulnerable to manipulation and blackmail.

Credible Personas — This data helps any operative conducting live operations establish credible sets of personas for use during those operations. They will use these personas to set up credible fronts on social media and to avoid KYC checks when opening operational bank accounts and renting properties and vehicles.

Black Op Finance — Any time the team holding the data needs to raise funds for an operation, they can selectively turn segments of the data into cold hard cash, treating the data as a cash machine and using it to fund all manner of ills.

Threat To Democracy & Civil Society

Using these data sets operationally is just one way of leveraging them; the breaches by which these data sets were obtained, and the high-level use of this data, can easily undermine our most important democratic, financial, political and civil institutions, destroying the confidence our citizens have in them.

We have only just begun to get to grips with the foundations of our civil society being eroded by divisive political propaganda and we are only just beginning to see the malicious destabilization of our democracy at work.

Federal government employees, high-ranking corporate officials and political figures aside, these data breaches leave the rest of us individually vulnerable to highly targeted campaigns that seek to cause political divisiveness and undermine our trust and confidence in one another.

When you combine the data sets from these breaches, correlate them with the last decade's worth of data and IP theft, and consider the way they are being leveraged, they are nothing short of acts of war against all of us.

The Good Old Days

In the old days, if you got caught you were either showcased and bargained with, or you were secretly executed following an interrogation; these days, operators act from the comfort of their battle stations with impunity.

They sit unchallenged and proactively do their work in a monotonous corporate way, safe in the knowledge they can go home at night to their families and leave their work at their doorsteps when they arrive.

This situation will not be allowed to continue; these affronts against everything we hold dear will be decisively responded to, with the responsible parties being held to account no matter where they are physically located.

These people better start hiding in caves.

But what do you think? Let me know in the comments below, DM me your story on Twitter or contact me on Wire using @BuleBule.

What’s that? You like the cut of my jib? Follow me on Twitter then and give me a CLAP using the clap button, you can clap more than once :)
