In the summer of 1972, state-of-the-art campaign spying consisted of amateur burglars, armed with duct tape and microphones, penetrating the headquarters of the Democratic National Committee. Today, amateur burglars have been replaced by cyberspies, who penetrated the DNC armed with computers and sophisticated hacking tools.
Where the Watergate burglars came away empty-handed and in handcuffs, the modern- day cyber thieves walked away with tens of thousands of sensitive political documents and are still unidentified.
Now, in the latest twist, hacking tools themselves, likely stolen from the National Security Agency, are on the digital auction block. Once again, the usual suspects start with Russia – though there seems little evidence backing up the accusation.
BEST OF COMMENTARY
Putin's latest moves show we're back in the U.S.S.R.
Trump doubles down on Trumpiness
Who's afraid of the lady in the burkini?
In addition, if Russia had stolen the hacking tools, it would be senseless to publicize the theft, let alone put them up for sale. It would be like a safecracker stealing the combination to a bank vault and putting it on Facebook. Once revealed, companies and governments would patch their firewalls, just as the bank would change its combination.
A more logical explanation could also be insider theft. If that’s the case, it’s one more reason to question the usefulness of an agency that secretly collects private information on millions of Americans but can’t keep its most valuable data from being stolen, or as it appears in this case, being used against us.
In what appeared more like a Saturday Night Live skit than an act of cybercrime, a group calling itself the Shadow Brokers put up for bid on the Internet what it called a “full state-sponsored toolset” of “cyberweapons.” “!!! Attention government sponsors of cyberwarfare and those who profit from it !!!! How much would you pay for enemies cyberweapons?” said the announcement.
The group said it was releasing some NSA files for “free” and promised “better” ones to the highest bidder. However, those with loosing bids “Lose Lose,” it said, because they would not receive their money back. And should the total sum of the bids, in bitcoins, reach the equivalent of half a billion dollars, the group would make the whole lot public.
While the “auction” seemed tongue in cheek, more like hacktivists than Russian high command, the sample documents were almost certainly real. The draft of a top-secret NSA manual for implanting offensive malware, released by Edward Snowden, contains code for a program codenamed SECONDDATE. That same 16-character string of numbers and characters is in the code released by the Shadow Brokers. The details from the manual were first released by The Intercept last Friday.
The authenticity of the NSA hacking tools were also confirmed by several ex-NSA officials who spoke to the media, including former members of the agency’s Tailored Access Operations (TAO) unit, the home of hacking specialists.
“Without a doubt, they’re the keys to the kingdom,” one former TAO employee told theWashington Post. “The stuff you’re talking about would undermine the security of a lot of major government and corporate networks both here and abroad.” Another added, “From what I saw, there was no doubt in my mind that it was legitimate.”
Like a bank robber’s tool kit for breaking into a vault, cyber exploitation tools, with codenames like EPICBANANA and BUZZDIRECTION, are designed to break into computer systems and networks. Just as the bank robber hopes to find a crack in the vault that has never been discovered, hackers search for digital cracks, or “exploits,” in computer programs like Windows.
The most valuable are “zero day” exploits, meaning there have been zero days since Windows has discovered the “crack” in their programs. Through this crack, the hacker would be able to get into a system and exploit it, by stealing information, until the breach is eventually discovered and patched. According to the former NSA officials who viewed the Shadow Broker files, they contained a number of exploits, including zero-day exploits that the NSA often pays thousands of dollars for to private hacking groups.
The reasons given for laying the blame on Russia appear less convincing, however. “This is probably some Russian mind game, down to the bogus accent,” James A. Lewis, a computer expert at the Center for Strategic and International Studies, a Washington think tank, told the New York Times. Why the Russians would engage in such a mind game, he never explained.
Rather than the NSA hacking tools being snatched as a result of a sophisticated cyber operation by Russia or some other nation, it seems more likely that an employee stole them. Experts who have analyzed the files suspect that they date to October 2013, five months after Edward Snowden left his contractor position with the NSA and fled to Hong Kong carrying flash drives containing hundreds of thousands of pages of NSA documents.
So, if Snowden could not have stolen the hacking tools, there are indications that after he departed in May 2013, someone else did, possibly someone assigned to the agency’s highly sensitive Tailored Access Operations.
In December 2013, another highly secret NSA document quietly became public. It was a top secret TAO catalog of NSA hacking tools. Known as the Advanced Network Technology (ANT) catalog, it consisted of 50 pages of extensive pictures, diagrams and descriptions of tools for every kind of hack, mostly targeted at devices manufactured by U.S. companies, including Apple, Cisco, Dell and many others.
Like the hacking tools, the catalog used similar codenames. Among the tools targeting Apple was one codenamed DROPOUTJEEP, which gives NSA total control of iPhones. "A software implant for the Apple iPhone,” says the ANT catalog, “includes the ability to remotely push/pull files from the device. SMS retrieval, contact-list retrieval, voicemail, geolocation, hot mic, camera capture, cell-tower location, etc.”
Another, codenamed IRATEMONK, is, “Technology that can infiltrate the firmware of hard drives manufactured by Maxtor, Samsung, Seagate and Western Digital.”
In 2014, I spent three days in Moscow with Snowden for a magazine assignment and a PBS documentary. During our on-the-record conversations, he would not talk about the ANT catalog, perhaps not wanting to bring attention to another possible NSA whistleblower.
I was, however, given unrestricted access to his cache of documents. These included both the entire British, or GCHQ, files and the entire NSA files.
But going through this archive using a sophisticated digital search tool, I could not find a single reference to the ANT catalog. This confirmed for me that it had likely been released by a second leaker. And if that person could have downloaded and removed the catalog of hacking tools, it’s also likely he or she could have also downloaded and removed the digital tools now being leaked.
In fact, a number of the same hacking implants and tools released by the Shadow Brokers are also in the ANT catalog, including those with codenames BANANAGLEE and JETPLOW. These can be used to create “a persistent back-door capability” into widely used Cisco firewalls, says the catalog.
Consisting of about 300 megabytes of code, the tools could easily and quickly be transferred to a flash drive. But unlike the catalog, the tools themselves – thousands of ones and zeros – would have been useless if leaked to a publication. This could be one reason why they have not emerged until now.
Enter WikiLeaks. Just two days after the first Shadow Brokers message, Julian Assange, the founder of WikiLeaks, sent out a Twitter message. “We had already obtained the archive of NSA cyberweapons released earlier today,” Assange wrote, “and will release our own pristine copy in due course.”