Operation Rubydragon

Discussion in 'Archived Missions' started by JantsoP, Feb 19, 2016.

  1. JantsoP

    JantsoP Division 88 Manager

    Agents, a phone call from Agent Grisha about a new job assignment. He provided us with an archive number DT55RV.

    Go at it agents
     
    3 people like this.
  2. MidDipper

    MidDipper Division-79

  3. Steelgramps

    Steelgramps Gold Member

    Grisha is showing his usual sunny disposition!
     
    2 people like this.
  4. Khalm

    Khalm Gold Member

    Had he been drinking? I could hardly understand him!!
     
    3 people like this.
  5. dantevsninjas

    dantevsninjas Active Agent

    Voicemail Audio here
     
    3 people like this.
  6. Castilion

    Castilion Senior Agent

    That moment when you learn that Grisha sounds exactly like how you read his text in your head...
     
    7 people like this.
  7. NoShitSherlock

    NoShitSherlock Senior Agent

    3 people like this.
  8. MidDipper

    MidDipper Division-79

    Sent an email to dispatch asking if NITE4 had any idea as to the encryption scheme and got this in reply:

    Agent MidDipper,

    NITE Team 4 has been performing cryptanalysis on the intercepts and they believe that the encryption scheme is one that is vulnerable to a known plaintext attack. We will report if they have additional details about the key.

    ---

    Dispatch
     
  9. MidDipper

    MidDipper Division-79

    New email.

    Agent MidDipper,

    We can confirm that the encryption method and key are correct, IRIS likely used this same key and method for the entire message exchange with Oran Plaskett. NITE Team 4 cryptanalysis has shown that it is a repeating key as well.

    Your next focus after retrieving the contents of the exchange should be to locate additional IRIS networks online. NITE Team 4 advises you search social networks for error messages or other signs of a command/control network.

    For reference, we're decoding the first message via XOR bruteforcing in the IRC right now. It'll be posted here when fully decoded.
     
  10. cowbie

    cowbie Senior Agent

    "Lake Mercer Park. One hour. Come alone. If you do not show, we release your dirty secrets." Quaestio figured out the cipher. Chat room decoded the rest.

    Update - jen decoded the rest. No clues to the bot but transcript is in the doc.
     
    Last edited by a moderator: Feb 20, 2016
    3 people like this.
  11. MidDipper

    MidDipper Division-79

    The Facebook messages were decrypted by jen-jen.

    IRIS: We know your secret, unless you want it to get out you will tell us everything about your relationship with the Black Watchmen.
    Plaskett: Please, don't do this to me. I'll tell you everything, just please don't leak this info on me. The Black Watchmen threatened me, I had no choice but to do what they asked. You have to understand that I never wanted to help them, but I feared for my life. I'm sorry that our company failed you
    IRIS: It is too late for apologies Mr. Plaskett, you assured us that things were under control. You have deceived us for the last time. You will cooperate with all of our future demands. Contact our network bot and provide all the information you have on the Black Watchmen.

    Houston...
     
    2 people like this.
  12. MidDipper

    MidDipper Division-79

    Sent that over to Dispatch and got the following:

    Agent MidDipper,

    Excellent job to Agent jen-jen, this intelligence is extremely concerning. We need to deal with this threat immediately and locate the other IRIS network. NITE Team 4 has not found any traces of a network on Facebook, they believe that they abandoned the one they had set up with Oran Plaskett after he was killed. They have advised researching what social networks have been used for Command and Control, then searching for recent error messages on those networks (such as parse/syntax errors) or other signs of C2 communication.

    We need to find that network NOW. No sleep til brooklyn!
     
  13. MidDipper

    MidDipper Division-79

  14. MidDipper

    MidDipper Division-79

    <Div66_Dispatch> Greetings agents, we are requesting an update on Operation RUBYDRAGON.
    <MidDipper> Hi Dispatch.
    <MidDipper> We're having trouble locating the network.
    <MidDipper> Do you know what sort of bots they use?
    <Div66_Dispatch> We don't have intelligence on what kind of bot is being used by IRIS, NITE Team 4 advises that it may be possible to locate them through error messages they throw.
    <Div66_Dispatch> The bot may throw an error when it receives a command that it could not parse or interpret correctly.
    <Div66_Dispatch> What error search terms have been used so far?
    <MidDipper> “error with instruction syntax error” (nothing found)
    <MidDipper> “instruction parsing error” (nothing found)
    <MidDipper> “syntax error” (too many results)
    <MidDipper> “command error” (too many results)
    <VirtusVotis> commandnotfound
    <VirtusVotis> numerous results
    <Div66_Dispatch> We will forward your search terms to NITE Team 4 in case they are able to better filter the large results returned from "command error" and "syntax error", they recommend trying to locate the bot through those search terms.
    <jen-jen> https://twitter.com/MacArthurPincer
    <jen-jen> similar to this?
    <Div66_Dispatch> We are forwarding this account to NITE Team 4 for analysis, stand by.
    <Div66_Dispatch> NITE Team 4 says that the account tweets fit the same encryption scheme as those used with Oran Plaskett. It is with high confidence that we say the bot is linked to IRIS.
    <Div66_Dispatch> NITE Team 4 believes that the bot may be using an API to fetch their key. We advise searching for key sources the bot may be using. Once the key is determined, we recommend infiltrating the network and obtaining intel on what is being sent by IRIS.
    <Div66_Dispatch> It looks like commands are encrypted before being sent to the bot, the bot will then likely respond with additional information.
    <Div66_Dispatch> NITE Team 4 has advised that after the encryption key is discovered agents attempt to communicate with the bot to retrieve intel on IRIS.
    <Div66_Dispatch> Commands they have suggested trying include "RETRIEVE CURRENT OPERATION, GET CURRENT OPERATION, EVALUATE CURRENT OPERATION" as well as info commands such as "INFO OPERATION"
    <Div66_Dispatch> Send report to [email protected] upon reception of intelligence from the IRIS network.
     
    Last edited by a moderator: Feb 20, 2016
  15. MidDipper

    MidDipper Division-79

    Since this is a common question, I'm going to post a little 'how to' on how to decrypt the XOR messages we've been seeing.
    The tool we've been using is here: http://www.darkfader.net/toolbox/convert/
    Scroll all the way to the bottom, where it says 'XOR/ADD stream encryption'. You want to put the hex string that is our encrypted ciphertext into the 'input' box, and then convert the key to hex as well using the utility of your choice, and enter that where it says 'XOR input (repeat)'. The output will be in the 'Result(string)' box. If you're not sure what I mean by all this, here's a screenshot of the text message decryption.

     
    5 people like this.
  16. MidDipper

    MidDipper Division-79

    <Div66_Dispatch> Greetings agents, requesting an update on Operation RUBYDRAGON
    <AgentMeier> Trying to reverse-engineer the key used on the Twitter account. We've deduced, with decent accuracy, that it's got to be numbers or a date.
    <Div66_Dispatch> What key sources have been investigated?
    <Div66_Dispatch> NITE Team 4 believes that the bot fetches a new key daily, the last key was obtained yesterday at 16:00 GMT.
    <Div66_Dispatch> It is likely a data source that changes daily and uses an API to get this information.
    <Div66_Dispatch> Based on the image used by the bot, it is likely pointing to an API data source related to politics or law.
    <AgentMeier> http://www.programmableweb.com/api/sunlight-labs-congress
    <Div66_Dispatch> We will send this data source to NITE Team 4 for evaluation
    <Div66_Dispatch> NITE 4 suggests investigating the different APIs available on that site: Capitol Words API, Congress API, Open States API, Political Party Time API and Real-Time Federal Campaign Finance API.
    <Div66_Dispatch> Jane Smith tweeted most recently to the bot, we recommend attempting key guesses on those tweets. Successful decryption will point to the current correct key.
    <Div66_Dispatch> After obtaining the key, attempt to retrieve information on the current IRIS operation.
    <Div66_Dispatch> In the meantime, NITE 4 is investigating the API source as well and we will return for updates as necessary. o7
     
    2 people like this.
  17. dylanamite

    dylanamite Moderator

    Okay so... From the Twitter:
    The key is UTB00004685

    Jane Smith:
    1211161073656266737661751B12756271647D7976
    "GET CURRENT OPERATION"

    Bot:
    1A0407627164797B78187407170A717E777578
    OPERATION ARCHANGEL

    Jane Smith:
    1C1A047F107F60716479611C1B0C107162737C7776721018
    INFO OPERATION ARCHANGEL

    Bot:
    100C127562797D71786C0F751C03627E756367166A7C130062757E7562736F1873071B0F10777C7F76777415161C0B7E71647F6378187214000763
    EXPERIMENT: HARNESS RIFT ENERGY FROM GLOBAL CHINATOWN GATES
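    The decryption walkthrough in the 'how to' post above and the hex/key values in this post, worked in code. This is an added example, not a tool from the thread or from the Black Watchmen; the hex strings and the key UTB00004685 are exactly the values posted here. It also shows why Dispatch called the scheme vulnerable to a known plaintext attack: with a repeating XOR key, one decrypted tweet hands over the key for every other tweet.

```python
"""Repeating-key XOR as used by the IRIS bot, plus known-plaintext key recovery."""

# Values posted in this thread (hex ciphertext from the tweets, key from the API source).
KEY = "UTB00004685"
JANE_SMITH_HEX = "1211161073656266737661751B12756271647D7976"        # "GET CURRENT OPERATION"
BOT_REPLY_HEX = "1A0407627164797B78187407170A717E777578"              # "OPERATION ARCHANGEL"
INFO_HEX = "1C1A047F107F60716479611C1B0C107162737C7776721018"         # "INFO OPERATION ARCHANGEL"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key, cycling the key. Encryption and decryption are
    the same operation, which is what the darkfader 'XOR input (repeat)' box does."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_hex(cipher_hex: str, key: str) -> str:
    """Mirror the manual steps: ciphertext is hex, key is typed as ASCII."""
    return xor_with_key(bytes.fromhex(cipher_hex), key.encode()).decode()


def recover_key(cipher_hex: str, known_plaintext: str) -> str:
    """Known-plaintext attack against a repeating key.

    ciphertext XOR plaintext gives the raw keystream; for a repeating key the
    keystream is periodic, so the shortest period that holds across the whole
    known span is the key. Needs at least one key length plus one byte of
    known plaintext to see the repeat; with less, only the leading key bytes
    seen so far are returned."""
    cipher = bytes.fromhex(cipher_hex)[: len(known_plaintext)]
    stream = xor_with_key(cipher, known_plaintext.encode())
    for period in range(1, len(stream)):
        if all(stream[i] == stream[i - period] for i in range(period, len(stream))):
            return stream[:period].decode()
    return stream.decode()  # no repetition visible yet: partial key only


if __name__ == "__main__":
    # Recover the key from a single decoded tweet, then read the rest of the exchange.
    key = recover_key(JANE_SMITH_HEX, "GET CURRENT OPERATION")
    print("recovered key:", key)
    for label, blob in [("Jane Smith", JANE_SMITH_HEX), ("Bot", BOT_REPLY_HEX), ("Jane Smith", INFO_HEX)]:
        print(f"{label}: {decrypt_hex(blob, key)}")
```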
     
  18. MidDipper

    MidDipper Division-79

    <dylanamite> Dispatch
    <dylanamite> We decoded some tweets
    <Div66_Dispatch> Excellent work, we will prepare a briefing on how to proceed with the mission. We must obtain additional intelligence on the areas where IRIS is planning to conduct this operation.
    <Div66_Dispatch> What is the current key for the IRIS bot commands?
    <dylanamite> The current key is UTB00004685
    <dylanamite> And the previous key was AKB00002005
    <dylanamite> which gives
    <dylanamite> "GAVE ACONITE SECRETS TO TBW. ELIMINATE ON SITE"
    <Div66_Dispatch> NITE 4 suggests using the key on the most recent tweeted commands to obtain the command set.
    <Div66_Dispatch> We believe that there are likely two sets of commands, one for obtaining information on operations and one for targets.
    <Div66_Dispatch> We recommend checking the network for targets in the event that they update the target list.
    <Div66_Dispatch> The next phase of the operation will deal with getting data on the sites where IRIS is planning Operation ARCHANGEL. Good luck agents o7
     
  19. JantsoP

    JantsoP Division 88 Manager

    AGENT,
    1. Action required:
    Obtain recon photos of Chinatown gates across the world to gather intel on possible occult activity as part of IRIS Network Operation ARCHANGEL.
    2. Background:
    Falcon Recon Team 3 was observing the residence of Aconite Capital CFO Oran Plaskett when he left his home in the middle of the night and traveled to a nearby park. It was at this location where he was killed by an unknown sniper whose whereabouts are currently unknown. The CFO was having regular encrypted message exchanges with a third party and we must investigate them to verify if they are a credible threat.
    3. Updates:
    The agents at Office of Analysis were able to decrypt several encrypted communications between Oran Plaskett and IRIS. This led them to a covert Twitter network with a bot designed to relay IRIS operation info to their members. We infiltrated the network and obtained information about an operation to gather rift energies from Chinatown archways (codenamed Operation ARCHANGEL). We need to get recon photos of these areas to gather intel on the IRIS group.

    4. Recommendation:
    (a) Take recon photos of Chinatown archways in your area of operations.

    (b) Submit photos to Dispatch ([email protected]) with your agent name and the GPS coordinates of the Chinatown you performed recon in.

    (c) Join the global agent network in the investigation on IRC at irc.blackwatchmen.com - #division66.

    (d) Monitor the Division 66 Twitter channel for updates on the operation (@division66).
     
  20. MidDipper

    MidDipper Division-79

    I'm mobilizing my network (read: my little sister) to get a pic of the Chinatown gate in Boston tonight.
     
    3 people like this.
