In its ‘Operation Kiwi Freedom’ final message, AnonOps NZ has released five encrypted files that it claims contain illegitimately obtained, classified data. The entity, purportedly the New Zealand presence of ‘hactivist’ group Anonymous, highlighted and linked to the files in its latest YouTube video, released at midnight last night (0000h today).
Via speech synthesis, as in previous videos, AnonOps NZ says: “The time is fast approaching to shed light on something much darker and far more sinister. The attacks on the GCSB, that completely crippled their website, was a warning that we were coming. The distributed denial of service attack was merely a distraction, as they do not see DDoS attacks as a threat, they did not see us a threat.
We did not restrict ourselves to one high-profile compromise.
“We had enough fissile material for 5 warheads, each contain classified data.
“[The files] have been quietly distributed to numerous mirrors over the last few days and they are available for download from this website now. We encourage all of those who believe in freedom to download and save these files to your computer, external hard drives and USB devices. Distribute them far and wide.”
The files are downloadable from anonymous file distribution site anonfiles.com over plain HTTPS (i.e. no FTP or peer-to-peer client software is required to download).
AnonOps NZ has not provided the key or keys used to encrypt the files. This leads to the ‘warhead’ analogy used in the message and filenames.
The files are distributed freely, with the intent of having them so widely mirrored online, and backed up offline, to be beyond the government’s ability to suppress. Should AnonOps NZ wish to damage the government, or other entities reliant on the files remaining secret, it may ‘detonate’ the ‘warheads’ by releasing the encryption keys to the public in a similar fashion. This would allow everyone with access to the encrypted files to access the ‘payload’, whatever supposedly classified data is inside.
The video explains: “We have not taken the New Zealand governments actions lightly, nor without consideration of the possible consequences. Should we be forced to reveal the trigger-key to these warheads, we understand that there will be collateral damage. We appreciate that many of whom work within the justice system believe in those principles that it has lost, corrupted, or abandoned, and that they do not bear the full responsibility for the damages caused by their occupation.”
This suggests that the files, if genuine, contain personal details of government employees, or show actions of those employees that the public may find objectionable. In the most extreme case, it may contain details of intelligence professionals or ongoing operations that could be damaging, or even potentially dangerous, to those professionals or operations.
There must be reform of the GCSB bill and other poorly-envisioned legislation.
An approach like this, which has been used by Anonymous and other such groups in the past, is interesting in that it’s impossible to distinguish from a bluff if the encryption keys are never released.
As per our analysis below, it is unlikely that the encryption on the publicised files could be broken by brute-force. We can make assumptions about the file type and contents from its extension, name and size, but the file files could just as well be nothing but blanks. Encrypted as they are, it’s impossible to tell.
AnonOps NZ’s ultimatum states that “... in order for this crisis to be resolved .... There must be reform of the GCSB bill and other poorly-envisioned legislation. Laws must be upheld unselectively, and not used as a weapon of government to make examples of those it deems threatening to its power. The people of New Zealand shall remain with their freedom, their privacy and human rights.”
It goes on to say: “It is our hope that these warheads need never be detonated. Although time will tell.”
No deadline is given for reform, and it is unclear exactly what conditions may lead AnonOps NZ to release the encryption keys.
Each of the five downloads is an unprotected ZIP file, which vary in size from 8MB to 29MB. Unzipped, the files each contain a single encrypted file of the same size as its container. It is unclear why ZIP files were used at all, as encrypted files are, by their nature, uncompressable in much the same manner as a JPEG or MP3 file.
The payloads are titled as follows:
The .doc file extensions likely mean each file is a Microsoft Word document (version 2003 or earlier, as often used in government and industry). The following .enc.enc.enc suggest that each file has been encrypted three times, perhaps by software that automatically appends ‘.enc’ to the existing file extension.
In such cases of multiple encryption, it is common to encrypt using two or three different algorithms – for example, it may be encrypted AES, then 3DES, then AES again. However, the files may be encrypted three times using the same algorithm. Without knowing the algorithm used at each step, brute-force decryption is highly unfeasible. Even knowing the algorithms used, decryption would be unfeasible unless trivially short or predictable keys were used, or the same key was used across the five files. Such mistakes are not a hallmark of IT-focused Anonymous, but possible: we’ll leave any decryption attempts to the security experts.
Assuming these are indeed Microsoft Word documents, the file sizes are exceptionally large for plain text documents, even of considerable length (hundreds of pages). It is therefore most likely the documents each contain a number of embedded images.
Blowing up the acronyms:
• Warhead - 1 - New Zealand - Government Communications Security Bureau - Security Intelligence Service - 2013
• Warhead - 2 - New Zealand - Government Communications Security Bureau - Ministry of Justice - 2013
• Warhead - 3 - New Zealand - United States - Australia - Great Britain - Canada - Government Communications Security Bureau - SEC* 2013
• Warhead - 4 - New Zealand - Ministry of Justice - Security Intelligence Service - 2013
• Warhead - 5 - New Zealand - Ministry of Justice - KDC** - ILS*** - 2013
* SEC may refer to the US Securities and Exchange Commission, which does have a stake in cybersecurity. It may also be a generic reference to SECurity, or another acronym we are unfamiliar with.
** KDC may refer to a Key Distribution Centre, a concept in cryptography. Given these are New Zealand documents, it could also refer to the Kaipara District Council, a district in Northland (north of Auckland). This seems unlikely, however. It could also refer to KDC Projects, a UK company that provides defense industry services including ILS, below. We are unsure of whether KDC Projects contracts or has contracted to the New Zealand defense force.
*** ILS may refer to Integrated Logistics Support, a military concept.
History and the 30 August riddle
AnonOps NZ appeared on YouTube on 22 August, the day after the controversial GCSB bill was passed into law by the New Zealand government by a vote of 61 for, 59 against. The account later announced a campaign in protest of the law, which it referred to as ‘Operation Kiwi Freedom’.
On 30 August, the @AnonOpsNZ Twitter account posted a series of tweets hinting at an upcoming event in the form of a riddle. PC World’s tentative interpretation pointed to 19 September, and the latest video did go live at midnight on the night of the 19th/morning of the 20th.
Given that the latest video’s title contains ‘Operation Kiwi Freedom, Final Message’, that campaign seems to refer to this claimed acquisition and leak of information.
With the the claim that AnonOps NZ will soon ‘shed light on something … far more sinister’, further activity from the account should be expected. We would expect future activities to appear under another campaign title. For example: a one-day takedown of the GCSB website in late August, which preceded Operation Kiwi Freedom, was entitled ‘Operation F*ck GCSB’ (censorship ours).