The Columbus Dispatch

Security breach shakes intelligence force

- By Scott Shane, Nicole Perlroth and David E. Sanger

WASHINGTON — Jake Williams awoke in April in an Orlando, Florida, hotel where he was leading a training session. Checking Twitter, the cybersecurity expert was dismayed to discover that he had been thrust into the middle of one of the worst security debacles ever to befall U.S. intelligence.

Williams had written on his company blog about the Shadow Brokers, a mysterious group that had somehow obtained many of the hacking tools the United States has used to spy on other countries. Now, the group had replied in an angry screed on Twitter. It identified him — correctly — as a former member of the National Security Agency’s hacking group, Tailored Access Operations, or TAO, a job he had not publicly disclosed. Then, the Shadow Brokers astonished him by dropping technical details that made clear they knew about highly classified hacking operations he had conducted.

America’s largest and most secretive intelligence agency had been deeply infiltrated.

“They had operational insight that even most of my fellow operators at TAO did not have,” said Williams, now with Rendition Infosec, a cybersecurity firm he founded. “I felt like I’d been kicked in the gut. Whoever wrote this either was a well-placed insider or had stolen a lot of operational data.”

The jolt to Williams from the Shadow Brokers’ riposte was part of a much broader earthquake that has shaken the NSA to its core. Current and former agency officials say the Shadow Brokers disclosures, which began in August 2016, have been catastrophic for the NSA, calling into question its ability to protect potent cyberweapons and its very value to national security. The agency regarded as the world’s leader in breaking into adversaries’ computer networks failed to protect its own.

“These leaks have been incredibly damaging to our intelligence and cyber capabilities,” said Leon Panetta, the former defense secretary and director of the Central Intelligence Agency. “The fundamental purpose of intelligence is to be able to effectively penetrate our adversaries in order to gather vital intelligence. By its very nature, that only works if secrecy is maintained and our codes are protected.”

With a leak of intelligence methods like the NSA tools, Panetta said, “Every time it happens, you essentially have to start over.”

Fifteen months into a wide-ranging investigation by the agency’s counterintelligence arm, known as Q Group, and the FBI, officials still do not know whether the NSA is the victim of a brilliantly executed hack, with Russia as the most likely perpetrator, an insider’s leak, or both. Three employees have been arrested since 2015 for taking classified files, but there is fear that one or more leakers may still be in place.

And there is broad agreement that the damage from the Shadow Brokers far exceeds the harm to U.S. intelligence done by Edward Snowden, the former NSA contractor who fled with four laptops of classified material in 2013.

Snowden’s cascade of disclosures to journalists drew far more media coverage than this new breach. But Snowden released code words, while the Shadow Brokers have released the actual code; if he shared what might be described as battle plans, they have loosed the weapons themselves. And hackers from North Korea to Russia are using them on the United States and its allies.

Inside the agency, NSA employees have been subjected to polygraphs and suspended from their jobs in a hunt for turncoats allied with the Shadow Brokers. Much of the agency’s cyberarsenal is still being replaced, curtailing operations. Morale has plunged, and experienced cyberspecialists are leaving the agency for better-paying jobs — including with firms defending computer networks from intrusions that use the NSA’s leaked tools.

“It’s a disaster on multiple levels,” Williams said. “It’s embarrassing that the people responsible for this have not been brought to justice.”

An NSA spokesman, Michael Halbig, said the agency “cannot comment on Shadow Brokers.”

Russia is the prime suspect in a parallel hemorrhage of hacking tools and secret documents from the CIA’s Center for Cyber Intelligence. That breach, too, is unsolved. Together, the flood of digital secrets from agencies that invest huge resources in preventing such breaches is raising profound questions.

Long known mainly as an eavesdropping agency, the NSA has embraced hacking as an especially productive way to spy on foreign targets. Malware implants — computer code designed to find material of interest — can be left sitting on the targeted system for months or even years, sending files back to the NSA.

TAO’s most public success was an operation against Iran called Olympic Games, in which implants in the network of the Natanz nuclear plant caused centrifuges enriching uranium to self-destruct.

It was this cyberarsenal that the Shadow Brokers got hold of, and then began to release.

Some officials doubt the Shadow Brokers got it all by hacking the most secure of U.S. government agencies — hence the search for insiders. But some TAO hackers think that skilled, persistent attackers might have been able to get through the NSA’s defenses — because, as one put it, “I know we’ve done it to other countries.”

The agency has active investigations into at least three former NSA employees or contractors: a software developer secretly arrested after taking hacking tools home in 2015, only to have Russian hackers lift them from his home computer; and Harold T. Martin III, a contractor arrested last year when FBI agents found his home, garden shed and car stuffed with sensitive agency documents and storage devices.

The third is Reality Winner, a young NSA linguist arrested in June, who is charged with leaking a single classified report on a Russian breach of a U.S. election systems vendor.

Because the NSA hacking unit has grown so rapidly over the past decade, the pool of potential leakers has expanded into the hundreds. Trust has eroded as anyone who had access to the leaked code is regarded as the potential culprit.
