Difference between revisions of "Bradwell Electronics"

From Game Detectives Wiki
[unchecked revision][unchecked revision]
(Added new tweets)
(removed discord credit in accordance with GD policy)
Line 21: Line 21:
 
== Email Newsletter ==
 
== Email Newsletter ==
  
On the [https://www.bradwellelectronics.com/ Bradwell Electronics site], there's a field where you can sign up for the Bradwell email newsletter.  A few minutes after signing up, the following message is sent to your email:
+
A field on the [https://www.bradwellelectronics.com/ Bradwell Electronics site] was found which allowed usrs to sign up for an e-mail newsletter.  A few minutes after signing up, the following message is sent to your email:
  
 
  Welcome to Bradwell Electronics - Better. Brighter. For Everyone.
 
  Welcome to Bradwell Electronics - Better. Brighter. For Everyone.
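Review bot: the reworded opening sentence of the Email Newsletter section introduces a typo, "usrs" for "users". It also moves to the past passive ("was found which allowed") while the next sentence stays in the present tense ("is sent to your email"); keep one tense across both sentences, for example "A field on the Bradwell Electronics site allows users to sign up for an e-mail newsletter."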
Line 84: Line 84:
 
This leads to [https://www.bradwellelectronics.com/__FILEDATA.ARCHIVE/ archive page], which contains a [https://www.bradwellelectronics.com/__FILEDATA.ARCHIVE/Bradwell-Press-Release-07022019.pdf press release] about Bradwell's involvement in the restoration of Stonehenge in 2019, while [https://www.bradwellelectronics.com/__FILEDATA.ARCHIVE/BradwellInternalMemo-060702019.zip the other file] is a passworded zip. In addition, in order to access other parts of the site, a decryption key is needed to be added in the [https://www.bradwellelectronics.com/wp-content/cache/autoptimize/js/autoptimize_5fb1719442f5f2a9ea5584295800051c.js code] of the website.
 
This leads to [https://www.bradwellelectronics.com/__FILEDATA.ARCHIVE/ archive page], which contains a [https://www.bradwellelectronics.com/__FILEDATA.ARCHIVE/Bradwell-Press-Release-07022019.pdf press release] about Bradwell's involvement in the restoration of Stonehenge in 2019, while [https://www.bradwellelectronics.com/__FILEDATA.ARCHIVE/BradwellInternalMemo-060702019.zip the other file] is a passworded zip. In addition, in order to access other parts of the site, a decryption key is needed to be added in the [https://www.bradwellelectronics.com/wp-content/cache/autoptimize/js/autoptimize_5fb1719442f5f2a9ea5584295800051c.js code] of the website.
  
Within the js of the website, Discord user Concerned Hobbit found [http://pastebin.com/Bsr0FWUW large blocks of hex] in the code which, when translated, included the decrypted data that was supposed to show only after the insertion of the decryption key. Just a few minutes later, Discord user A4 found the decryption key (<code>together</code>) in the same translated js blob. With the [[#2nd_Key|2nd key]] in hand, users unlocked the subsequent data and followed the instructions, but this still left the zip file encrypted and its content sealed.
+
Within the js of the website, [http://pastebin.com/Bsr0FWUW large blocks of hex] was found in the code which, when translated, included the decrypted data that was supposed to show only after the insertion of the decryption key. Just a few minutes later, Discord user A4 found the decryption key (<code>together</code>) in the same translated js blob. With the [[#2nd_Key|2nd key]] in hand, users unlocked the subsequent data and followed the instructions, but this still left the zip file encrypted and its content sealed.
  
[[File:bw1_bookcipher.png|thumbnail|right|The book cipher hidden in the footer of the press release.]] Later that day, Discord user Varstahl noticed a series of numbers in the footer of the [https://www.bradwellelectronics.com/__FILEDATA.ARCHIVE/Bradwell-Press-Release-07022019.pdf press release], which looked like a book cipher. Discord users dolomite and Randomiser, decoded it as <code>w3trusTu</code>, a keyword that unlocked the content of the encrypted zip file. The [https://www.bradwellelectronics.com/__FILEDATA.ARCHIVE/BradwellInternalMemo-060702019.zip internal memo] contains the planned repairs to the A303 tunnel and the Stonehenge museum, but just like the press release it also stored a hidden message, <code>together</code>, the [[#2nd_Key|2nd key]] needed for the advancement. Discord user qw5nt spotted it inside the middle diamond, at the end of the footer, in a very small size font, black on black background.
+
[[File:bw1_bookcipher.png|thumbnail|right|The book cipher hidden in the footer of the press release.]] Later that day, a series of numbers in the footer of the [https://www.bradwellelectronics.com/__FILEDATA.ARCHIVE/Bradwell-Press-Release-07022019.pdf press release] was found, which looked like a book cipher. It decoded as <code>w3trusTu</code>, a keyword that unlocked the content of the encrypted zip file. The [https://www.bradwellelectronics.com/__FILEDATA.ARCHIVE/BradwellInternalMemo-060702019.zip internal memo] contains the planned repairs to the A303 tunnel and the Stonehenge museum, but just like the press release it also stored a hidden message, <code>together</code>, the [[#2nd_Key|2nd key]] needed for the advancement. It was later spotted inside the middle diamond, at the end of the footer, in a very small size font, black on black background.
  
 
[[File:bw1_together.png|thumbnail|center|The second key, highlighted, hidden in the footer of the 060702019 internal memo.]]
 
[[File:bw1_together.png|thumbnail|center|The second key, highlighted, hidden in the footer of the 060702019 internal memo.]]
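Review bot: the reworded "Within the js of the website" paragraph still credits "Discord user A4", although the edit summary says Discord credits are being removed and the book cipher paragraph in the same change had all of its credits dropped; remove this one as well for consistency. The same sentence now reads "large blocks of hex was found", which should be "were found" to agree with "blocks".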
Line 116: Line 116:
  
 
[https://twitter.com/intent/tweet?text=Fresh%20air%20is%20good%20for%20you.%20BETTERBE2026 The link] is a tweet template which says <code>Fresh air is good for you. BETTERBE2026</code>.
 
[https://twitter.com/intent/tweet?text=Fresh%20air%20is%20good%20for%20you.%20BETTERBE2026 The link] is a tweet template which says <code>Fresh air is good for you. BETTERBE2026</code>.
 
+
After several hours the message was modified, now reading:
Discord user Trailbl4z3r noticed that after several hours the message was modified, now reading:
 
  
 
<pre>
 
<pre>

Revision as of 22:54, 16 March 2017

Bradwell Electronics
Active since 2016-03-05
Better. Brighter. For everyone.
Type Investigation
Creator Bossa Studios
Discovered 2016-03-05


Most of the content on this page so far is a rehash of this Reddit post by /u/blackbat24; all credit goes to him.


Bradwell Electronics is a promotional website released by Bossa Studios, a British game developer responsible for Surgeon Simulator and I Am Bread. At this time, the purpose of the site is unknown, but it is speculated to be an in-fiction promotional website for Bossa Studios' next game.

Email Newsletter

A field was found on the Bradwell Electronics site which allows users to sign up for an e-mail newsletter. A few minutes after signing up, the following message is sent to your email:

Welcome to Bradwell Electronics - Better. Brighter. For Everyone.
Thank you for registering your interest for the upcoming relaunch of the Bradwell Electronics website.
When John Bradwell founded Bradwell Electronics over 62 years ago in 1964, he never imagined that the family business would become one of the most recognized brands worldwi$"%"$"!£2/.&%...

From this point onwards, the message is "corrupted" and consists mostly of Base64-encoded data. For the full text of the email, check this Reddit post. At one point, the message becomes legible again:

>>INTERRUPT STREAM 
----------This is a mayday alert.
--------------------It is of concern to all of us.
------------------------------We ask you to trust us.
----------------------------------------We cannot do this alone.
<< END OF INTERRUPT

Decoding the Base64 in the text of the email yields an image which includes a QR code:

The image revealed when decoding the Base64 in the text of the "corrupted" email

(Note: Amesbury is the location of Stonehenge.)

Reading the QR code reveals the following string:

/?decrypt50726f6a65637441

(Note: 50726f6a65637441 is hexadecimal for ProjectA, but this is not yet relevant to the investigation.)

Countdown Timer

The countdown displayed when using the /?decrypt50726f6a65637441 URL extension

Appending /?decrypt50726f6a65637441 to the http://bradwellelectronics.com URL reveals a red box containing this text:

\\>DECR_BRUTE_FORCE << |'fetch grid:[0x424cb726:0xbfe9c31a]/OENQJRYYVHZERCBEG.DAT'
-->BRUTEFORCE NODES RUNNING...
-->ESTIMATED BRUTEFORCE DECRYPTION COMPLETED IN: _d __h __m __s

The first line of the text contains the string OENQJRYYVHZERCBEG; this can be deciphered using ROT13 to obtain BRADWELLIUMREPORT. The significance of this is currently unknown.
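The three decoding steps described so far (Base64 runs in the email, the hex token in the QR string, the ROT13 file name) can be reproduced with the sketch below. It is an added example, not code from the wiki or from Bossa Studios; the function names and the sample email body are constructed for illustration, and only the two encoded strings come from the page.

```javascript
// Magic-byte prefixes (hex) used to identify what a decoded blob is.
const MAGIC = { png: "89504e470d0a1a0a", jpeg: "ffd8ff", gif: "47494638", zip: "504b0304" };

// Collect the lines that are pure Base64, skipping legible text in between,
// then decode the concatenation and sniff the file type from its first bytes.
function extractBase64Payload(body, minLen = 16) {
  const runs = body.split(/\r?\n/).map((l) => l.trim())
    .filter((l) => l.length >= minLen && /^[A-Za-z0-9+/]+={0,2}$/.test(l));
  const bytes = Buffer.from(runs.join(""), "base64");
  const head = bytes.toString("hex", 0, 8);
  const type = Object.keys(MAGIC).find((k) => head.startsWith(MAGIC[k])) || "unknown";
  return { type, bytes };
}

// Pull a trailing hex token out of a string such as "/?decrypt<hex>" and decode it.
function decodeTrailingHex(s) {
  const m = /((?:[0-9a-fA-F]{2}){4,})$/.exec(s);
  return m ? Buffer.from(m[1], "hex").toString("latin1") : null;
}

// ROT13: rotate each letter 13 places, leaving everything else untouched.
function rot13(s) {
  return s.replace(/[A-Za-z]/g, (c) => {
    const base = c <= "Z" ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Constructed stand-in for the "corrupted" email: a PNG signature plus filler,
// Base64-encoded and split around the legible interrupt text quoted on the page.
const b64 = Buffer.concat([Buffer.from(MAGIC.png, "hex"), Buffer.alloc(40, 0x41)])
  .toString("base64");
const SAMPLE_EMAIL = [
  "Thank you for registering your interest.",
  b64.slice(0, 32),
  ">>INTERRUPT STREAM ",
  "----------This is a mayday alert.",
  "<< END OF INTERRUPT",
  b64.slice(32),
].join("\n");

console.log(extractBase64Payload(SAMPLE_EMAIL).type,
  decodeTrailingHex("/?decrypt50726f6a65637441"), rot13("OENQJRYYVHZERCBEG"));
```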

Additionally, the final line of text in the red box is a countdown timer, which is counting down to 12:00 PM UTC, on March 8, 2017.

/__FILEDATA.ARCHIVE

On March 8, 2017, the text on the login page of "Decryptkit" changed:


##DECRYPTIONKIT#############
## GRID MINI VM V0.11[ADDRESS REMOVED]##
##################################

\\>DECR_BRUTE_FORCE << |'fetch grid:[0x424cb726:0xbfe9c31a]/OENQJRYYVHZERCBEG.DAT'
-->BRUTEFORCE NODES STOPPED.
-->BRUTEFORCE DECRYPTION COMPLETED: 
----> ARCHIVE DETECTED (OENQJRYYVHZERCBEG.ARCHIVE)
----> DECOMPRESSING ARCHIVE... COMPLETED WITH ERRORS:
-------> TOTAL FILES: 10, RECOVERED: 2
----> WRAPPING RECOVERED FILES FOR ACCESS: COMPLETED
----> RECOVERED FILES AVAILABE FOR DOWNLOAD: /__FILEDATA.ARCHIVE/
-------> ENTER SECONDARY KEY TO DECRYPT REMAINING FILES: 

This leads to an archive page, which contains a press release about Bradwell's involvement in the restoration of Stonehenge in 2019, while the other file is a password-protected zip. In addition, in order to access other parts of the site, a decryption key needs to be entered into the code of the website.

Within the JS of the website, large blocks of hex were found in the code which, when decoded, included the decrypted data that was supposed to show only after the insertion of the decryption key. Just a few minutes later, Discord user A4 found the decryption key (together) in the same decoded JS blob. With the 2nd key in hand, users unlocked the subsequent data and followed the instructions, but this still left the zip file encrypted and its content sealed.
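The paragraph above shows why hex-encoding text in client-side script protects nothing: whatever is shipped to the browser can be decoded by anyone who reads the file. The following added example (not the site's code and not from the wiki) is the kind of check a developer can run over their own bundle before release; the sample script and the function name are constructed, and only the key value together comes from the page.

```javascript
// Constructed sample standing in for a minified site script (not the real file).
const SAMPLE_JS = [
  'var a=["\\x45\\x4e\\x54\\x45\\x52\\x20\\x4b\\x45\\x59"];',
  'var b="2d2d3e4a4f42204143434550544544";',
  'var c="#ff00aa";var d=0xdeadbeef;',
  'function check(k){return k===h("746f676574686572")}',
].join("\n");

// Report string literals that are hex-encoded printable text: either runs of
// \xNN escapes or bare even-length hex runs directly between quotes.
function findHexEncodedText(source, minBytes = 6) {
  const n = `{${minBytes},}`;
  const patterns = [
    { kind: "escape", re: new RegExp(`(?:\\\\x[0-9a-fA-F]{2})${n}`, "g") },
    { kind: "bare", re: new RegExp(`(?<=["'])(?:[0-9a-fA-F]{2})${n}(?=["'])`, "g") },
  ];
  const findings = [];
  for (const { kind, re } of patterns) {
    for (const m of source.matchAll(re)) {
      const bytes = Buffer.from(m[0].replace(/\\x/g, ""), "hex");
      // Keep only blobs that decode to printable ASCII; binary data
      // (most hashes, for example) is dropped here.
      if (bytes.every((b) => (b >= 0x20 && b <= 0x7e) || b === 0x0a || b === 0x0d)) {
        findings.push({ offset: m.index, kind, text: bytes.toString("latin1") });
      }
    }
  }
  // Present findings in the order they appear in the file.
  return findings.sort((x, y) => x.offset - y.offset);
}

for (const f of findHexEncodedText(SAMPLE_JS)) {
  console.log(`${f.offset}\t${f.kind}\t${f.text}`);
}
```

Any finding that reads like a password, key or gated content belongs on the server, behind a check the client cannot inspect.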

The book cipher hidden in the footer of the press release.
Later that day, a series of numbers which looked like a book cipher was found in the footer of the press release. It decoded as w3trusTu, a keyword that unlocked the content of the encrypted zip file. The internal memo contains the planned repairs to the A303 tunnel and the Stonehenge museum, but just like the press release it also stored a hidden message, together, the 2nd key needed for the advancement. It was later spotted inside the middle diamond, at the end of the footer, in a very small font, black on a black background.
The second key, highlighted, hidden in the footer of the 060702019 internal memo.

2nd Key

The 2nd key, together, found initially through reverse engineering, when entered into the field produced this output:

##DECRYPTIONKIT#############
## GRID MINI VM V0.11[ADDRESS REMOVED]##
##################################

\\>DECR_BRUTE_FORCE << |'fetch grid:[0x424cb726:0xbfe9c31a]/OENQJRYYVHZERCBEG.DAT'
-->BRUTEFORCE NODES STOPPED.
-->BRUTEFORCE DECRYPTION COMPLETED: 
----> ARCHIVE DETECTED (OENQJRYYVHZERCBEG.ARCHIVE)
----> DECOMPRESSING ARCHIVE... COMPLETED WITH ERRORS:
-------> TOTAL FILES: 10, RECOVERED: 2
----> WRAPPING RECOVERED FILES FOR ACCESS: COMPLETED
----> RECOVERED FILES AVAILABE FOR DOWNLOAD: /__FILEDATA.ARCHIVE/
-------> ENTER SECONDARY KEY TO DECRYPT REMAINING FILES: ACCEPTED
-->SUBMITTING SECONDARY ENCRYPTION JOB TO GRID SYSTEM: [#####]
---->DECRYPTION TIME CANNOT BE DETERMINED.
---->NOTIFICATION ON JOB COMPLETITION AVAILABLE USING SOCIAL MEDIA NETWORKS TO PROTECT ANONYMITY
------>USE _LINK_ TO POST A TWEET INCLUDING SPECIAL CODE 'BETTERBE2026'
------>DECRYPTION SYSTEM WILL GET IN TOUCH ONCE JOB HAS BEEN COMPLETED

The link is a tweet template which says Fresh air is good for you. BETTERBE2026. After several hours the message was modified, now reading:

-->SUBMITTING SECONDARY ENCRYPTION JOB TO GRID SYSTEM: [#####]
---->DECRYPTION TIME CANNOT BE DETERMINED.
---->USURPING SOCIAL MEDIA BANDWIDTH TO DECREASE DATA DECRYPTION TIME
------>_REGISTER_ NODE WITH SYSTEM TO RECEIVE DECRYPTED PACKAGE
------>DECRYPTED PACKAGE WILL BE DISTRIBUTED TO REGISTERED NODES ON COMPLETION

The REGISTER link is a different tweet template, now reading @BetterBradwell #BETTERBE2026. It is not yet clear whether the alteration is a different step, or if it has simply been reworded (now reading USURPING SOCIAL MEDIA BANDWIDTH TO DECREASE DATA DECRYPTION TIME) to better instruct the players to tweet the message more.

On March 16, around 15:40 UTC (3:40 pm), users started receiving mentions.

@username SEC TRIED TO SLOW US. DECRYPTION PRGRSS.
[######----] 63%. STANDBY

3 minutes later, Bradwell Electronics tweeted:

Please accept our apologies if you recently received a direct tweet. The intruder has been suppressed and our systems have been updated.

This could mean that no more tweets will be sent out, and that the updates will appear directly on the _FILEDATA in roughly a week's time.

This page is a work in progress, and will be updated with new leads as they emerge.