Risky Bulletin: "Between Two Nerds: NSA Gets Its Mojo Back!"

Podcast: Risky Bulletin
Host: Tommy Wren ("A")
Guest: The Gruk ("B")
Date: October 27, 2025

Episode Overview

In this episode of "Between Two Nerds", hosts Tommy Wren and The Gruk examine recent Chinese government leaks and propaganda about a major NSA cyber operation against China’s National Timekeeping Service. The discussion combines geostrategic analysis, technical deep dives, and signature banter, revealing new insights into NSA tradecraft, the nature of the targeted network, and the broader context of high-stakes nation-state hacking.

Key Discussion Points & Insights

1. Chinese Response and Propaganda

• MSS and CERT Reports: The Chinese Ministry of State Security (MSS) released a video (using an AI avatar) and the China CERT published a detailed technical report on the US cyber operation against the National Timekeeping Service ([00:11-03:26]).
• Narrative Framing: China’s state media and official channels portrayed the US as the “empire of hackers” and “the true matrix and the greatest source of chaos in cyberspace” ([03:26], B).

2. What is the National Timekeeping Service and Why Target It?

• Speculation on Value: The hosts struggle to identify obvious intelligence value but speculate on possible strategic motivations ([03:43-04:55]):
  • Its tie to satellite navigation, military systems (precision munitions), or potential as a jumping-off point.
  • Parallels drawn to previous hacks (e.g., Australian Bureau of Meteorology) in which innocuous-seeming infrastructure might serve as a hiding place for sensitive communications or access to powerful computation resources ([04:55-05:59]).

3. Technical Analysis: The ‘Triangulation’ Exploit

• Origins and Spread:
  • The CERT report attributed the attack to the NSA and linked it with "Triangulation," an iOS exploit previously reported by Kaspersky in mid-2023 ([06:15-06:51]).
  • Hosts clarify that in China’s case, the technique was used as early as March 2022—about nine months before Kaspersky’s public disclosure ([08:24]).
• Attack Sequence:
  • Around 10 employees at the Chinese time service targeted over nearly a year ([09:00-09:10]).
  • Main focus: credential theft from privileged accounts using iPhone exploits ([09:44]).
• Operational Logic:
  • The NSA likely used iOS zero-day (O-day) exploits not out of necessity, but for stealth: “NSA probably has a lot of O-day they could use…but they want something that has longevity and is reliable and doesn’t leave as many artifacts.” (B, [10:09])
  • Hosts observe this supports Rob Joyce’s (NSA) public claims about credential theft being the preferred method for persistence over pure exploitation ([10:09-11:15]).

4. Attack Timelines and Tradecraft

• Long Dwell and Small Scope:

  • Attack was slow-moving: up to 10 devices over more than a year ([12:11-13:38]).
  • Possible iterative approach: compromise one phone, extract contacts, move to another in the organization until privilege is escalated ([15:11-15:32]).
  • Not “high priority”—the exploit was slotted in where it made operational sense ([16:01]).
  • Analogy: “Let’s drink the milk before the use by date, and then turn the milk into ice cream and keep it in the fridge…” (A & B, [13:14-13:23]).

• Transition to Network Access:

  • Once admin credentials stolen, gradual shift: Initially, network reconnaissance (‘living off the land’), then implant (“BAC 11”) deployed for automation and persistence ([18:35-21:12]).
  • The implant required manual effort to evade antivirus, later upgraded for persistence and stealth ([19:54-20:53]).

5. Operational Security and Patience

• NSA’s ‘Patience and Caution’:
  • The CERT report praises “patience and caution”—NSA operators monitored host status, investigating every anomaly (file changes, reboots, etc.), watching for detection ([23:28]).
  • The implant is robust: wipes itself if a security tool or forensic tool is detected ([24:44]).
• Code Attribution:
  • Technical details (code overlaps) tightly link this campaign to the NSA, specifically referencing legacy “Dander Spritz” malware (leaked by the Shadow Brokers) ([24:44]).
• New Insights into NSA Tradecraft:
  • Slow, methodical, incremental movement (months of recon before persistent implant).
  • Use of both living-off-the-land and custom implants for stealth, adapting tradecraft as the operation progressed ([22:07-21:12]).

Notable Quotes & Memorable Moments

• On Chinese propaganda video:
  “Is this an AI? This is an AI.”
  – B, [01:38]

• On the significance of the target:
  “Not immediately clear what the intelligence value of [the time service] is, but… there’s either links to something that has intelligence value or it’s a jumping-off point.”
  – A, [03:43]

• On NSA operational restraint:
  “…They want something that has longevity and that’s reliable and that doesn’t have as many artifacts that get left behind. It’s straightforward to clean up login information, but if you try and hack something and it fails, you end up with lots of log entries.”
  – B, [10:09]

• On attacker patience:
  “Apparently the NSA thoroughly monitored the compromised hosts throughout the operation… File changes, system shutdowns and restarts prompted a thorough investigation of the cause of any anomalies.”
  – B, [23:28]

• On the goals of custom implants:
  “Let’s do a lot more work to get an implant to do all these things and that will get us the stealth … but we get to do more stuff.”
  – A, [21:40]

• On timeline oddities:
  “The timelines don’t make sense on the surface... They hack in March of ‘22, but they don’t log in until April of ‘23…”
  – B, [17:58]

• Summing up the mood:
  “NSA’s got its mojo back.”
  – A, [26:48]

Key Timestamps

• 00:11–03:26 — Chinese MSS/CERT reporting and propaganda breakdown
• 03:43–05:59 — Speculation on why the time service was targeted
• 06:15–06:51 — Origin and early use of ‘Triangulation’ iOS exploit
• 10:09–11:15 — Reasons for choosing mobile exploits over direct server attacks
• 12:11–13:38 — Scale and deliberation of the campaign
• 18:35–21:12 — From network login to persistent implants and automation
• 23:28–24:44 — NSA’s patient, OPSEC-driven operational approach
• 24:44–26:00 — Technical attribution to NSA via implant analysis
• 26:48 — Episode wrap-up: “NSA’s got its mojo back!”

Summary

This episode unpacks the anatomy and timeline of a stealthy, persistent NSA intrusion into a sensitive Chinese network. Through the lens of both Chinese public disclosures and the hosts' own technical expertise, listeners gain a rare look into world-class nation-state tradecraft. The approach—methodical, patient, adaptive—is presented as a case study in modern cyber espionage. The lively banter keeps complex material accessible, with both hosts appreciating the impressive (if unsettling) capabilities now confirmed to be in the field.

If you’re curious about how the NSA really operates, or want a deep-dive into the mechanics of high-end cyber-espionage, this is an essential listen.