Former intelligence officials say leaks are crippling U.S. espionage capabilities.
By Jenna McLaughlin. Jenna McLaughlin is an intelligence reporter for Foreign Policy, focusing on the culture, dynamics, and events happening in the National Security Agency, the Central Intelligence Agency, and the other 15 members of the intelligence community—plus the way the sensitive information they gather and analyze informs and directs the White House and policy makers on the Hill. Previously, McLaughlin was a national security reporter for the Intercept, where she covered everything from the FBI’s secretive subpoena powers to cybersecurity companies in the Middle East. Before that, she covered similar topics, including the rise of the Islamic State, at Mother Jones Magazine. You can reach her with tips and responses securely through Signal or WhatsApp at 203-537-3949, or through her email, firstname.lastname@example.org.
Last week’s dump of National Security Agency malware sparked brief hysteria until Microsoft reassured customers that most of the Windows exploits had already been patched, but several former intelligence officials say the leak points to a larger erosion of espionage capabilities.
“These were multimillion-dollar exploits,” one former cyberintelligence employee told Foreign Policy. “This is a big deal.”
On Friday, the mysterious group known as the Shadow Brokers released a large number of sophisticated, refined capabilities most likely developed by some of the NSA’s top hackers — the Tailored Access Operations group, known as TAO. Those capabilities, now rendered useless, joined similar CIA tools exposed in WikiLeaks’ recent Vault 7 release.
Although digital exploits are used for spying rather than destruction, they allow operators to break down invisible doors and pilfer information. Seeing these latest tools published online was “devastating,” the former cyberintelligence employee said.
Three recently retired intelligence employees who worked on hacking tools for the government requested anonymity in order to speak freely about sensitive matters and to protect ongoing work and employability.
“By my estimation, there’s not much left to burn,” another former intelligence official who worked for several three-letter agencies told Foreign Policy. “The tools that were released were pretty critical.”
Discovering vulnerabilities in code and developing a plan to get in and out undetected is difficult work, and there are only a limited number of holes in the digital fence. “There really isn’t a never-ending supply of tools and techniques,” the former intelligence official said. “I don’t know if our SIGINT [signals intelligence] ability will recover from this for decades. I mean that with deadly seriousness.”
“These were God mode tools that, used sparingly, were an incredible asset to U.S. intelligence,” Nicholas Weaver, senior researcher at Berkeley’s International Computer Science Institute, wrote to Foreign Policy.
Many of the more advanced exploits could be deployed remotely, requiring nothing more than an IP address to activate. Some of the CIA tools were similarly powerful, allowing spies to remotely take over the “kernel,” the nucleus of a phone’s operating system.
Judging from the documents, the NSA had backdoor access to EastNets, a Middle Eastern banking system; SWIFT, a secure system for financial information sent around the globe; and several versions of Windows, including older versions like Windows XP that are no longer supported — meaning they will never be fixed. These targets largely appear to be directed toward monitoring terrorism and its financial infrastructure.
Weaver believes that when the Shadow Brokers published a broad list of the tools in their possession in January, hoping to auction them off, the NSA moved quickly.
The NSA “did clearly, quietly tell Microsoft,” Weaver said, allowing the company to repair the holes before script kiddies and criminal hackers started figuring out the specifics of the exploits.
Microsoft published a massive patch exactly a month before the Shadow Brokers unleashed its trove.
Neither Microsoft nor the NSA immediately responded to a request for comment.
Before Microsoft revealed it had patched most of the holes, the Shadow Brokers’ release reignited the debate about when government agencies should be required to disclose vulnerabilities they find in such major products as devices and browsers.
The White House’s Vulnerabilities Equities Process, which determines whether those flaws should be shared with the company in order to be repaired, or taken advantage of by intelligence agencies, was reinvigorated in 2014. The process involves several major agencies, which consider the likelihood that other nation states or criminal actors would come across the same flaws.
It’s unclear, however, which agencies are involved in the process and how those decisions are made. The agencies are not required to disclose vulnerabilities purchased or researched through government sponsorship. If the NSA told Microsoft about the tools, it was because the agency knew or suspected the vulnerabilities had been compromised.
Intelligence officials see the latest Shadow Brokers release as part of a larger erosion of capabilities that has been going on since 2013, when former NSA contractor Edward Snowden gave journalists internal NSA documents. Snowden’s leak kicked off a chain of damaging exposures that, while sparking an important worldwide debate about privacy, severely damaged U.S. intelligence capabilities, the former intelligence official argued.
One former TAO employee who spoke with Foreign Policy believes the release is “a bit dated,” because hacking tools to access more current Windows projects and other browsers weren’t included.
“It is a significant leak. … It gets harder to develop tools as defenses improve,” the former TAO employee said. “But it’s still entirely possible. There are many bugs to be found.”
But the intelligence community’s ability to keep those bugs secret for any amount of time continues to be questioned. In this latest leak, detailed NSA notes and work product were included in addition to technical details about the hacking tools — likely indicating deep-level access to TAO troves. “This should be on an NSA computer only,” Weaver told Foreign Policy.
The details the Shadow Brokers revealed are “scary,” the former cyberintelligence employee said, details that must be from internal emails, chat logs, or insider knowledge.
Only a handful of countries could have pilfered such sensitive material from the NSA remotely, the former TAO employee wrote, Russia and Israel the most likely among them.
“If it was an inside job like an operator [typically military] walking out with a thumb drive, then who knows,” the former TAO source wrote.
In recent years, the intelligence community has largely failed to detect insider threats and stem leaks from contractors. Thousands of private companies and their employees make up a massive percentage of the intelligence community’s workforce. As of a decade ago, about 70 percent of the intelligence community’s budget was spent on contracts, according to the Congressional Research Service.
Snowden was working for Booz Allen Hamilton when he copied the documents later released to journalists. Contractors, including Xetron Corp., a subsidiary of Northrop Grumman in Ohio, are being investigated in connection with the March CIA dump published by WikiLeaks.
Regardless of who is to blame, those familiar with the United States’ signals intelligence capabilities fear the massive leaks are having profound consequences. “The U.S. intelligence community needs to get their act together,” the former cyberintelligence official wrote. “We’re getting trounced in an information war we didn’t ask for.”