Difference between revisions of "Bradwell Electronics"

From Game Detectives Wiki
Jump to: navigation, search
[unchecked revision][unchecked revision]
(Removal of credits)
m (Moved the reddit starter in the proper section)
Line 11: Line 11:
 
}}
 
}}
 
[[Main Page]] > [[List of Investigations]] > '''Bossa Studios'''
 
[[Main Page]] > [[List of Investigations]] > '''Bossa Studios'''
 
''Most of the content on this page so far is a rehash of [https://www.reddit.com/r/gamedetectives/comments/5x113k/bradwell_electronics_bossa_studios/ this Reddit post] by /u/blackbat24; all credit goes to him.''
 
  
  
Line 20: Line 18:
  
 
== Email Newsletter ==
 
== Email Newsletter ==
 +
 +
''Most of the content on this section is a rehash of [https://www.reddit.com/r/gamedetectives/comments/5x113k/bradwell_electronics_bossa_studios/ this Reddit post] by [https://www.reddit.com/r/gamedetectives/comments/5x113k/bradwell_electronics_bossa_studios/ /u/blackbat24]; all credit goes to him.''
  
 
A field on the [https://www.bradwellelectronics.com/ Bradwell Electronics site] was found which allowed usrs to sign up for an e-mail newsletter.  A few minutes after signing up, the following message is sent to your email:
 
A field on the [https://www.bradwellelectronics.com/ Bradwell Electronics site] was found which allowed usrs to sign up for an e-mail newsletter.  A few minutes after signing up, the following message is sent to your email:

Revision as of 22:58, 16 March 2017

Bradwell Electronics
Active since 2016-03-05
Bradwell Logo.png
Better. Brighter. For everyone.
Type [[List_of_Investigations#Investigation|Investigation]]
Creator Bossa Studios
Discovered 2016-03-05

Main Page > List of Investigations > Bossa Studios


Bradwell Electronics is a promotional website released by Bossa Studios, a British game developer responsible for Surgeon Simulator and I Am Bread. At this time, the purpose of the site is unknown, but it is speculated to be an in-fiction promotional website for Bossa Studios' next game.

Email Newsletter

Most of the content on this section is a rehash of this Reddit post by /u/blackbat24; all credit goes to him.

A field on the Bradwell Electronics site was found which allowed usrs to sign up for an e-mail newsletter. A few minutes after signing up, the following message is sent to your email:

Welcome to Bradwell Electronics - Better. Brighter. For Everyone.
Thank you for registering your interest for the upcoming relaunch of the Bradwell Electronics website.
When John Bradwell founded Bradwell Electronics over 62 years ago in 1964, he never imagined that the family business would become one of the most recognized brands worldwi$"%"$"!£2/.&%...

From this point onwards, the message is "corrupted", and is mostly comprised of Base64 ciphertext. For the full text of the email, check this Reddit post. At one point, the message becomes legible again:

>>INTERRUPT STREAM 
----------This is a mayday alert.
--------------------It is of concern to all of us.
------------------------------We ask you to trust us.
----------------------------------------We cannot do this alone.
<< END OF INTERRUPT

Encoding the Base64 in the text of the email yields an image which includes a QR code:

The image revealed when encoding the Base64 in the text of the "corrupted" email

(Note: Amesbury is the location of Stonehenge.)

Reading the QR code reveals the following string:

/?decrypt50726f6a65637441

(Note: 50726f6a65637441 is hexadecimal for ProjectA, but this is not yet relevant to the investigation.)

Countdown Timer

The countdown displayed when using the /?decrypt50726f6a65637441 URL extension

Appending /?decrypt50726f6a65637441 to the http://bradwellelectronics.com URL reveals a red box (link), containing this text:

\\>DECR_BRUTE_FORCE << |'fetch grid:[0x424cb726:0xbfe9c31a]/OENQJRYYVHZERCBEG.DAT'
-->BRUTEFORCE NODES RUNNING...
-->ESTIMATED BRUTEFORCE DECRYPTION COMPLETED IN: _d __h __m __s

The first line of the text contains the string OENQJRYYVHZERCBEG; this can be deciphered using ROT13 to obtain BRADWELLIUMREPORT. The significance of this is currently unknown.

Additionally, the final line of text in the red box is a countdown timer, which is counting down to 12:00 PM UTC, on March 8, 2017.

/__FILEDATA.ARCHIVE

On March 8, 2017, the text on the login page of "Decryptkit" changed:


##DECRYPTIONKIT#############
## GRID MINI VM V0.11[ADDRESS REMOVED]##
##################################

\\>DECR_BRUTE_FORCE << |'fetch grid:[0x424cb726:0xbfe9c31a]/OENQJRYYVHZERCBEG.DAT'
-->BRUTEFORCE NODES STOPPED.
-->BRUTEFORCE DECRYPTION COMPLETED: 
----> ARCHIVE DETECTED (OENQJRYYVHZERCBEG.ARCHIVE)
----> DECOMPRESSING ARCHIVE... COMPLETED WITH ERRORS:
-------> TOTAL FILES: 10, RECOVERED: 2
----> WRAPPING RECOVERED FILES FOR ACCESS: COMPLETED
----> RECOVERED FILES AVAILABE FOR DOWNLOAD: /__FILEDATA.ARCHIVE/
-------> ENTER SECONDARY KEY TO DECRYPT REMAINING FILES: 

This leads to archive page, which contains a press release about Bradwell's involvement in the restoration of Stonehenge in 2019, while the other file is a passworded zip. In addition, in order to access other parts of the site, a decryption key is needed to be added in the code of the website.

Within the js of the website, large blocks of hex was found in the code which, when translated, included the decrypted data that was supposed to show only after the insertion of the decryption key. Just a few minutes later the decryption key (together) was found in the same translated js blob. With the 2nd key in hand, users unlocked the subsequent data and followed the instructions, but this still left the zip file encrypted and its content sealed.

The book cipher hidden in the footer of the press release.
Later that day, a series of numbers in the footer of the press release was found, which looked like a book cipher. It decoded as w3trusTu, a keyword that unlocked the content of the encrypted zip file. The internal memo contains the planned repairs to the A303 tunnel and the Stonehenge museum, but just like the press release it also stored a hidden message, together, the 2nd key needed for the advancement. It was later spotted inside the middle diamond, at the end of the footer, in a very small size font, black on black background.
The second key, highlighted, hidden in the footer of the 060702019 internal memo.

2nd Key

The 2nd key, together, found initially through reverse engineering, when entered into the field produced this output:

##DECRYPTIONKIT#############
## GRID MINI VM V0.11[ADDRESS REMOVED]##
##################################

\\>DECR_BRUTE_FORCE << |'fetch grid:[0x424cb726:0xbfe9c31a]/OENQJRYYVHZERCBEG.DAT'
-->BRUTEFORCE NODES STOPPED.
-->BRUTEFORCE DECRYPTION COMPLETED: 
----> ARCHIVE DETECTED (OENQJRYYVHZERCBEG.ARCHIVE)
----> DECOMPRESSING ARCHIVE... COMPLETED WITH ERRORS:
-------> TOTAL FILES: 10, RECOVERED: 2
----> WRAPPING RECOVERED FILES FOR ACCESS: COMPLETED
----> RECOVERED FILES AVAILABE FOR DOWNLOAD: /__FILEDATA.ARCHIVE/
-------> ENTER SECONDARY KEY TO DECRYPT REMAINING FILES: ACCEPTED
-->SUBMITTING SECONDARY ENCRYPTION JOB TO GRID SYSTEM: [#####]
---->DECRYPTION TIME CANNOT BE DETERMINED.
---->NOTIFICATION ON JOB COMPLETITION AVAILABLE USING SOCIAL MEDIA NETWORKS TO PROTECT ANONYMITY
------>USE _LINK_ TO POST A TWEET INCLUDING SPECIAL CODE 'BETTERBE2026'
------>DECRYPTION SYSTEM WILL GET IN TOUCH ONCE JOB HAS BEEN COMPLETED

The link is a tweet template which says Fresh air is good for you. BETTERBE2026. After several hours the message was modified, now reading:

-->SUBMITTING SECONDARY ENCRYPTION JOB TO GRID SYSTEM: [#####]
---->DECRYPTION TIME CANNOT BE DETERMINED.
---->USURPING SOCIAL MEDIA BANDWIDTH TO DECREASE DATA DECRYPTION TIME
------>_REGISTER_ NODE WITH SYSTEM TO RECEIVE DECRYPTED PACKAGE
------>DECRYPTED PACKAGE WILL BE DISTRIBUTED TO REGISTERED NODES ON COMPLETION

The REGISTER link is a different tweet template, now reading @BetterBradwell #BETTERBE2026. It is yet unclear whether the alteration is a different step, or if it has simply being reworded (now reading USURPING SOCIAL MEDIA BANDWIDTH TO DECREASE DATA DECRYPTION TIME) to better instruct the players to tweet the message more.

On March 16, around 15:40 UTC (3:40 pm), users starting receiving mentions.

@username SEC TRIED TO SLOW US. DECRYPTION PRGRSS.
[######----] 63%. STANDBY

3 minutes later, Bradwell Electronics tweeted:

Please accept our apologies if you recently received a direct tweet. The intruder has been suppressed and our systems have been updated.

This could mean that no more tweets will be sent out, and that the updates will appear directly on the _FILEDATA in roughly a week time.

This page is a work in progress, and will be updated with new leads as they emerge.