National Security Agency shaken to its core
Current and former agency officials say hacking by mysterious group known as Shadow Brokers has been catastrophic for NSA
Jake Williams awoke in April in an Orlando, Fla., hotel where he was leading a training session. Checking Twitter, Williams, a cybersecurity expert, was dismayed to discover that he had been thrust into the middle of one of the worst security debacles ever to befall U.S. intelligence.
Williams had written on his company blog about the Shadow Brokers, a mysterious group that had somehow obtained many of the hacking tools the United States used to spy on other countries. Now the group had replied in an angry screed on Twitter.
It identified him — correctly — as a former member of the National Security Agency’s hacking group, Tailored Access Operations, or TAO, a job he had not publicly disclosed. Then the Shadow Brokers astonished him by dropping technical details that made clear they knew about highly classified hacking operations that he had conducted.
America’s largest and most secretive intelligence agency had been deeply infiltrated.
“They had operational insight that even most of my fellow operators at TAO did not have,” said Williams, now with Rendition Infosec, a cybersecurity firm he founded.
The jolt to Williams from the Shadow Brokers’ riposte was part of a much broader earthquake that has shaken the NSA to its core. Current and former agency officials say the Shadow Brokers disclosures, which began in August 2016, have been catastrophic for the NSA, calling into question its ability to protect potent cyberweapons and its very value to national security. The agency regarded as the world’s leader in breaking into adversaries’ computer networks failed to protect its own.
“These leaks have been incredibly damaging to our intelligence and cyber capabilities,” said Leon E. Panetta, the former defense secretary and CIA director.
Fifteen months into a wide-ranging investigation by the agency’s counterintelligence arm, known as Q Group, and the FBI, officials still do not know whether the NSA is the victim of a brilliantly executed hack, with Russia the most likely perpetrator, an insider’s leak, or both. Three employees have been arrested since 2015 for taking classified files, but there is fear that one or more leakers may still be in place. And there is broad agreement that the damage from the Shadow Brokers far exceeds the harm to U.S. intelligence done by Edward J. Snowden, the former NSA contractor who fled with four laptops of classified material in 2013.
Snowden’s cascade of disclosures to journalists and his defiant public stance drew far more media coverage than this new breach. But Snowden released code words, while the Shadow Brokers have released the actual code; if he shared what might be described as battle plans, they have loosed the weapons themselves. Those cyberweapons have now been picked up by hackers from North Korea to Russia and shot back at the United States and its allies.
Inside the agency’s Maryland headquarters and its campuses around the country, NSA employees have been subjected to polygraphs and suspended from their jobs in a hunt for turncoats allied with the Shadow Brokers. Much of the agency’s cyberarsenal is still being replaced, curtailing operations.
Morale has plunged, and experienced cyberspecialists are leaving the agency for better-paying jobs — including with firms defending computer networks from intrusions that use the NSA’s leaked tools.
“It’s a disaster on multiple levels,” Williams said. “It’s embarrassing that the people responsible for this have not been brought to justice.”
Russia is the prime suspect in a parallel hemorrhage of hacking tools and secret documents from the CIA’s Center for Cyber Intelligence, posted week after week since March to the WikiLeaks website under the names Vault7 and Vault8. That breach, too, is unsolved.
Have hackers and leakers made secrecy obsolete? Has Russian intelligence simply outplayed the United States, penetrating the most closely guarded corners of its government? Can a workforce of thousands of young, tech-savvy spies ever be immune to leaks?
Long known mainly as an eavesdropping agency, the NSA has embraced hacking as an especially productive way to spy on foreign targets. The intelligence collection is often automated, with malware implants — computer code designed to find material of interest — left sitting on the targeted system for months or even years, sending files back to the NSA.
TAO’s most public success was an operation against Iran called Olympic Games, in which implants in the network of the Natanz nuclear plant caused centrifuges enriching uranium to self-destruct. The TAO was also critical to attacks on the Islamic State and North Korea.
It was this cyberarsenal that the Shadow Brokers got hold of, and then began to release.