Bradwell Electronics

From Game Detectives Wiki
Revision as of 07:31, 30 August 2018 by Sildu (talk | contribs)
Jump to: navigation, search



Bradwell Electronics
Active since 2016-03-05
Bradwell Logo.png
Better. Brighter. For everyone.
Type Investigation
Creator Bossa Studios
Discovered 2016-03-05

Main Page > List of Investigations > Bradwell Electronics


Bradwell Electronics is a promotional website released by Bossa Studios, a British game developer responsible for Surgeon Simulator and I Am Bread. At this time, the purpose of the site is unknown, but it is speculated to be an in-fiction promotional website for Bossa Studios' next game.

Email Newsletter

Most of the content in this section is a rehash of this Reddit post by /u/blackbat24; all credit goes to him.

A field on the Bradwell Electronics site was found which allowed usrs to sign up for an e-mail newsletter. A few minutes after signing up, the following message is sent to your email:

Welcome to Bradwell Electronics - Better. Brighter. For Everyone.
Thank you for registering your interest for the upcoming relaunch of the Bradwell Electronics website.
When John Bradwell founded Bradwell Electronics over 62 years ago in 1964, he never imagined that the family business would become one of the most recognized brands worldwi$"%"$"!£2/.&%...

From this point onwards, the message is "corrupted", and is mostly comprised of Base64 ciphertext. For the full text of the email, check this Reddit post. At one point, the message becomes legible again:

>>INTERRUPT STREAM 
----------This is a mayday alert.
--------------------It is of concern to all of us.
------------------------------We ask you to trust us.
----------------------------------------We cannot do this alone.
<< END OF INTERRUPT

Encoding the Base64 in the text of the email yields an image which includes a QR code:

The image revealed when encoding the Base64 in the text of the "corrupted" email

(Note: Amesbury is the location of Stonehenge.)

Reading the QR code reveals the following string:

/?decrypt50726f6a65637441

(Note: 50726f6a65637441 is hexadecimal for ProjectA, but this is not yet relevant to the investigation.)

Countdown Timer

The countdown displayed when using the /?decrypt50726f6a65637441 URL extension

Appending /?decrypt50726f6a65637441 to the http://bradwellelectronics.com URL reveals a red box (link), containing this text:

\\>DECR_BRUTE_FORCE << |'fetch grid:[0x424cb726:0xbfe9c31a]/OENQJRYYVHZERCBEG.DAT'
-->BRUTEFORCE NODES RUNNING...
-->ESTIMATED BRUTEFORCE DECRYPTION COMPLETED IN: _d __h __m __s

The first line of the text contains the string OENQJRYYVHZERCBEG; this can be deciphered using ROT13 to obtain BRADWELLIUMREPORT. The significance of this is currently unknown.

Additionally, the final line of text in the red box is a countdown timer, which is counting down to 12:00 PM UTC, on March 8, 2017.

/__FILEDATA.ARCHIVE

On March 8, 2017, the text on the login page of "Decryptkit" changed:


##DECRYPTIONKIT#############
## GRID MINI VM V0.11[ADDRESS REMOVED]##
##################################

\\>DECR_BRUTE_FORCE << |'fetch grid:[0x424cb726:0xbfe9c31a]/OENQJRYYVHZERCBEG.DAT'
-->BRUTEFORCE NODES STOPPED.
-->BRUTEFORCE DECRYPTION COMPLETED: 
----> ARCHIVE DETECTED (OENQJRYYVHZERCBEG.ARCHIVE)
----> DECOMPRESSING ARCHIVE... COMPLETED WITH ERRORS:
-------> TOTAL FILES: 10, RECOVERED: 2
----> WRAPPING RECOVERED FILES FOR ACCESS: COMPLETED
----> RECOVERED FILES AVAILABE FOR DOWNLOAD: /__FILEDATA.ARCHIVE/
-------> ENTER SECONDARY KEY TO DECRYPT REMAINING FILES: 

This leads to archive page, which contains a press release about Bradwell's involvement in the restoration of Stonehenge in 2019, while the other file is a passworded zip. In addition, in order to access other parts of the site, a decryption key is needed to be added in the code of the website.

Within the js of the website, large blocks of hex was found in the code which, when translated, included the decrypted data that was supposed to show only after the insertion of the decryption key. Just a few minutes later the decryption key (together) was found in the same translated js blob. With the 2nd key in hand, users unlocked the subsequent data and followed the instructions, but this still left the zip file encrypted and its content sealed.

The book cipher hidden in the footer of the press release.
Later that day, a series of numbers in the footer of the press release was found, which looked like a book cipher. It decoded as w3trusTu, a keyword that unlocked the content of the encrypted zip file. The internal memo contains the planned repairs to the A303 tunnel and the Stonehenge museum, but just like the press release it also stored a hidden message, together, the 2nd key needed for the advancement. It was later spotted inside the middle diamond, at the end of the footer, in a very small size font, black on black background.
The second key, highlighted, hidden in the footer of the 060702019 internal memo.

2nd Key

The 2nd key, together, found initially through reverse engineering, when entered into the field produced this output:

##DECRYPTIONKIT#############
## GRID MINI VM V0.11[ADDRESS REMOVED]##
##################################

\\>DECR_BRUTE_FORCE << |'fetch grid:[0x424cb726:0xbfe9c31a]/OENQJRYYVHZERCBEG.DAT'
-->BRUTEFORCE NODES STOPPED.
-->BRUTEFORCE DECRYPTION COMPLETED: 
----> ARCHIVE DETECTED (OENQJRYYVHZERCBEG.ARCHIVE)
----> DECOMPRESSING ARCHIVE... COMPLETED WITH ERRORS:
-------> TOTAL FILES: 10, RECOVERED: 2
----> WRAPPING RECOVERED FILES FOR ACCESS: COMPLETED
----> RECOVERED FILES AVAILABE FOR DOWNLOAD: /__FILEDATA.ARCHIVE/
-------> ENTER SECONDARY KEY TO DECRYPT REMAINING FILES: ACCEPTED
-->SUBMITTING SECONDARY ENCRYPTION JOB TO GRID SYSTEM: [#####]
---->DECRYPTION TIME CANNOT BE DETERMINED.
---->NOTIFICATION ON JOB COMPLETITION AVAILABLE USING SOCIAL MEDIA NETWORKS TO PROTECT ANONYMITY
------>USE _LINK_ TO POST A TWEET INCLUDING SPECIAL CODE 'BETTERBE2026'
------>DECRYPTION SYSTEM WILL GET IN TOUCH ONCE JOB HAS BEEN COMPLETED

The link is a tweet template which says Fresh air is good for you. BETTERBE2026. After several hours the message was modified, now reading:

-->SUBMITTING SECONDARY ENCRYPTION JOB TO GRID SYSTEM: [#####]
---->DECRYPTION TIME CANNOT BE DETERMINED.
---->USURPING SOCIAL MEDIA BANDWIDTH TO DECREASE DATA DECRYPTION TIME
------>_REGISTER_ NODE WITH SYSTEM TO RECEIVE DECRYPTED PACKAGE
------>DECRYPTED PACKAGE WILL BE DISTRIBUTED TO REGISTERED NODES ON COMPLETION

The REGISTER link is a different tweet template, now reading @BetterBradwell #BETTERBE2026. It is yet unclear whether the alteration is a different step, or if it has simply being reworded (now reading USURPING SOCIAL MEDIA BANDWIDTH TO DECREASE DATA DECRYPTION TIME) to better instruct the players to tweet the message more.

On March 16, around 15:40 UTC (3:40 pm), users starting receiving mentions.

@username SEC TRIED TO SLOW US. DECRYPTION PRGRSS.
[######----] 63%. STANDBY

3 minutes later, Bradwell Electronics tweeted:

Please accept our apologies if you recently received a direct tweet. The intruder has been suppressed and our systems have been updated.

This could mean that no more tweets will be sent out, and that the updates will appear directly on the _FILEDATA in roughly a week time.

Bradwell Returns

At 15:00 UTC on 2018-08-29, the Bossa Studios Twitter account posted a tweet which said:

PLEASE HELP!! I’m a technician at Bradwell Electronics and have made some important discoveries which need to be brought to light! I’ve managed to hack into the company’s social accounts, but think I’m being watched… Gotta go, but I’ll be back shortly!

This tweet was followed by three more tweets at two hour intervals, which can be seen below:

You’ve been led to believe that Bradwell Electronics is a kind and altruistic organisation. It’s not! There are thousands of incriminating files but I can’t access the drives internally, as my cover could be compromised. Hold on, I’m gonna try something...
Phew, that was a close one. A security guard just walked past, so I had to abandon the attempt. One false move and it’s game over. People are counting on me for this information all around the world, and they don’t even know it! About to try again...
Ok, so that didn’t work. I tried accessing the docs by bouncing my connection off an external node but no use. I’m going to have to access a senior staff member’s computer, but how? Wish me luck - we’re all going to need it.
Good news - I’m on my way to one of the technician’s offices! I “accidentally” spilt coffee on them at lunch and managed to swipe their key card in the confusion. They’ve popped to the toilets to change but won’t be long. Now might be my only chance!
Success! He’d left his computer unlocked, and I managed to download a file off the internal drives and get out before they returned. It won’t be long before he realises his key card’s missing though, and suspects I’m the reason. Time’s running out!

After this tweet, two hour interval has been changed.

It’s all here, and worse than I ever suspected. 
The only way this will get past the internal firewall is if I disguise the information within Bradwell Electronic’s ridiculous recruitment video! Ok… I’m going to need to get creative here. 
Stay vigilant, I’ll post again soon!
Ok, progress is slow but I’m nearly there. I’ve managed to sneak some footage into the video but that's all I’ve got time for. Security seems to be on high alert, and it’s only a matter of time until they find me.

(This list will be updated as new Tweets are posted.)

This signaled to players that the ARG may be starting up again. This led players back to the Bradwell Electronics website. Players who signed up for the newsletter again received a new email, which can be seen here, and appeared to be an uncorrupted version of the email received previously in the ARG. In addition, the metadata of the new email contained the full text of the old, corrupted email.