This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

by Nicole Perlroth

iSight uploaded the BlackEnergy malware sample to VirusTotal, a kind of Google search engine for malware that researchers use to see where a piece of malware may have popped up before. VirusTotal revealed that four months earlier, in May 2014, attackers had used the same BlackEnergy attack to pop a Polish energy company, this time with a Microsoft Word file that purported to include the latest update on European oil and gas prices.

Sandworm’s attackers were targeting “.cim” and “.bcl” files, two file types used by General Electric’s industrial control Cimplicity software—the same software Peabody’s engineers used to remotely check on their mining equipment.

On April Fool’s Day, 2014, almost simultaneously, security researchers in Finland and at Google discovered a zero-day in a widely used encryption protocol. So critical was the zero-day that they uncovered that they spun up an entire branding campaign for the bug, complete with a memorable name, Heartbleed, a logo, and T-shirts. “On a scale of 1 to 10, this is an 11,” Bruce Schneier, a well-respected cybersecurity expert, wrote at the time.

Within days of Heartbleed’s discovery, Bloomberg published a thinlysourced report claiming that the NSA had known about the bug and had been quietly exploiting it all along. The allegation was picked up by CNN, the Drudge Report, the Wall Street Journal, NPR, and Politico, forcing an official response from the secret agency. The NSA tweeted that it never knew of the bug until it was made public.

By June 2014 the Kremlin had already dispatched two Russian agents, Aleksandra Y. Krylova and Anna V. Bogacheva, to the United States for a three-week recon tour. The two women bought cameras, SIM cards, and burner phones and devised “evacuation scenarios” in case American officials grew wise to the real impetus for their trip. Altogether the women visited nine states—California, Colorado, Illinois, Louisiana, Michigan, Nevada, New Mexico, New York, and Texas—to “gather intelligence” on American politics. Krylova sent their findings about American partisanship and “purple states” back to their bosses in St. Petersburg that summer. Their report formed a field guide for Russia’s 2016 interference.

A day after news broke of the breach, an enigmatic figure calling himself Guccifer 2.0 appeared on Twitter with a link to an online screed titled “DNC Servers Hacked by a Lone Hacker.”

The Russians saved their most damaging revelations for the days ahead of the Democratic National Convention, when party members were due to come together, leaking emails that showed the DNC had secretly favored Hillary Clinton over her primary opponent Bernie Sanders. Party officials had deliberated how best to discredit Sanders. Some questioned Sanders’s Jewish faith and argued that painting the candidate as an atheist “could make several points difference” this late in the primaries.

The first sign that the NSA’s cyberweapon stockpile had gotten out was a dribble of barely coherent tweets from the Twitter account @shadowbrokerss.

Among those who pushed that view was Edward J. Snowden himself. Tweeting from Moscow, Snowden wrote, “Circumstantial evidence and conventional wisdom indicates Russian responsibility”; the Shadow Brokers leaks were “likely a warning that someone can prove U.S. responsibility for any attacks that originated from this malware server.

As lucrative as the Shadow Brokers’ zero-days would have been on the underground market, their public auction never amounted to much. Perhaps that’s because would-be bidders were afraid—for good reason—that a bid would make them targets of the world’s preeminent spies. Twenty-four hours after their auction began, the NSA’s torturers only had one measly $900 bid.

For three months, the Shadow Brokers disappeared. Meanwhile another leak, this time a CIA vault—the leakers called it Vault7—of Langley’s hacking tools dated between 2013 and 2016 were published online. The vault detailed how the CIA could hack into cars, smart TVs, web browsers, and the operating systems of Apple and Android phones and Windows, Mac, and Linux computers. Essentially, the motherlode. But the Shadow Brokers did not take credit for the leaks. And based on the tools, it appeared Vault7 was the work of a second leaker. Two years later, the CIA would pin the Vault7 leaks on a former elite CIA programmer by the name of John Schulte, who claimed innocence. A jury determined Schulte was guilty of making false statements to investigators, but as to whether Schulte was the source of the leaks, the jury was deadlocked, forcing the judge to declare a mistrial.

One lead, from Israelis, led investigators to an NSA employee’s home computer. The employee had installed antivirus software made by Kaspersky, the Russian cybersecurity company.

The Israelis, I learned from sources, had hacked into Kaspersky’s systems and discovered the firm was using its antivirus software’s access to computers all over the world, to search for and pull back Top Secret documents. The Israelis shared screenshots taken inside Kaspersky’s systems with their American counterparts, proving as much. And now it appeared that Kaspersky’s software may have stolen Top Secret NSA documents from an employee’s home computer. It was a dizzying story of spies hacking spies hacking spies, but by then, nothing surprised me anymore. After our story published in the Times, Kaspersky claimed an internal investigation determined that the firm’s antivirus software had simply been doing its job: searching for a particular string of malware that contained the word “secret” in the code. It was an admission that Kaspersky’s software had taken Top Secret data off an NSA employee’s computer, but Kaspersky said it destroyed the NSA’s data as soon as it realized what, exactly, had been caught in its dragnet.

“They had operational insight that even most of my fellow operators at TAO did not have,” Williams said. “Whoever wrote this either was a well-placed insider or had stolen a lot of operational data.” The jolt from the Shadow Brokers’ riposte changed Williams’s life. He canceled business trips to Singapore, Hong Kong, even the Czech Republic. He always thought that if someone outed him like this, the agency would have his back. But since the Shadow Brokers post, he hadn’t gotten so much as a phone call.

As hackers and security experts began to parse through the latest leaks, one TAO exploit stood above the rest: EternalBlue, the exploit that could invisibly penetrate millions upon millions of Windows machines and leave barely a speck of digital dust behind.

Now, as researchers tried to understand how widely EternalBlue had been used, they discovered just how nebulous a tool it was. The only trace that it had been used was a second, complementary NSA exploit, code-named DoublePulsar, that was often used to implant EternalBlue into machines.

As analysts started dissecting the ransomware code, they dubbed the attacks WannaCry—not because the word perfectly encapsulated the way so many victims felt—but because of a tiny snippet left in the code: “.wncry.” As they teased the code further still, they discovered why the attacks had spread so quickly. The attackers had used a powerful catalyst, the stolen NSA exploit EternalBlue. It was an inconvenient detail that Trump officials were careful to omit from their talking points over the next several days, as the tally of damages climbed. Three days into the biggest attack to hit the web, Tom Bossert, Trump’s homeland security advisor, told the hosts of Good Morning America that the attacks signaled an “urgent call for collective action” by governments throughout the world.

Secondly, and fortunately for the victims, the attackers had also unwittingly baked a kill switch into their code. Within hours of the attack, a twenty-two-year-old British college dropout named Marcus Hutchins discovered that he could neuter the attacks by redirecting victims’ servers away from the attackers’ command-and-control server toward a web address he bought for less than $11. By redirecting WannaCry’s victims to his own benign site, Hutchins stopped the attacks cold.

In the first hours of the campaign, researchers believed that the attack was from ransomware known as Petya—a reference to the James Bond film GoldenEye, in which top-secret Soviet satellites armed with nuclear warheads, one nicknamed Petya, the other Mischa, prepare to trigger a nuclear electromagnetic pulse to take out power worldwide. But it did not take long before researchers could see the attack was vastly more sophisticated than that of Petya. It used not one but two stolen NSA tools—EternalBlue and another called EternalRomance—to spread. And it had baked in yet another formidable exploit, MimiKatz, a password-stealing tool developed by a French researcher five years earlier as a proof-of-concept exploit, to crawl as deep into victims’ networks as it could.

“The Chinese use their best tools against their own people first because that’s who they’re most afraid of,” Jim Lewis, the former government official who tracked cyber threats, told me. “Then they turn those tools on us.”

Even Keith Alexander, the brains behind Stuxnet, was bracing for impact: “We’re probably one of the most automated technology countries in the world and we have a very good offense, but so do they,” General Alexander told me the week Trump walked away from the deal. “And unfortunately, we have more to lose.”

“There’s a pax mafiosa between the Russian regime and its cyber cartels,” is how Tom Kellermann, a Russian cybercrime expert, put it to me as we inched closer to the 2020 election. “Russia’s cybercriminals are treated as a national asset who provide the regime free access to victims of ransomware and financial crime. And in exchange, they get untouchable status. It’s a protection racket and it works both ways.”

In any other political climate, anyone pushing this fringe theory would be diagnosed as certifiably insane. Not in the age of Trump. This was the Kremlin and Trump’s last-ditch effort to malign Ukraine and the Democrats at the same time. And as with his earlier “birtherism,” the president would not relent. He held up nearly $400 million in Congressionally approved military aid to Ukraine. And when Ukraine’s new president, Volodymyr Zelensky, tried to ingratiate himself to Trump and shake the funds free, Trump told Zelensky, “I would like you to do us a favor though,” in their now infamous July 2019 call, followed shortly by, “The server, they say Ukraine has it.” A quid pro quo.

When it came to disinformation, Russia’s goal was still the same: divide and conquer. But this time, the Kremlin’s trolls didn’t have to spin up “fake news.” Americans—perhaps nobody more so than our president—were generating plenty of false, misleading, and divisive content every single day.

Trump and his advisers continued to dilute the threat from Russia by playing up the threat from Iran and China. At a September campaign rally, the president claimed, again, that Russian interference was a hoax. “What about China? What about other countries? It’s always Russia, Russia, Russia. They’re at it again.” Trump’s deputies were happy to toe that line. Asked in television interviews which country posed the gravest threat to the upcoming election, Trump’s national security adviser, Robert O’Brien, and his pugnacious attorney general, Bill Barr, each repeated that it was China—not Russia—that posed the most serious threat.

The same month Barr and O’Brien were on television calling out China, Wray testified to lawmakers that Russia was interfering in the election through “malign foreign influence in an effort to hurt Biden’s campaign.” He spoke the words matter-of-factly but, given the truth famine we found ourselves in, they landed like the words of a renegade soldier, and Trump and his minions punished him for it. “Chris, you don’t see any activity from China, even though it is a FAR greater threat than Russia, Russia, Russia. They will both, plus others be able to interfere in our 2020 Election with our totally vulnerable Unsolicited (Counterfeit?) Ballot Scam,” Trump tweeted.

When our story went to print that June 2019, Trump went ballistic. He took to his favorite medium, Twitter, to demand that we immediately release our sources, and to accuse us of “a virtual act of treason.” It was the first time the president had ever dropped the word treason. For years, we had become inured to his attacks—“fake news,” “the enemy of the people,” “the failing New York Times”—but now he was accusing us of a crime punishable by death. It was a serious escalation in his war on the press, an attack that until now had been reserved for autocrats and dictators. To his eternal credit, our publisher, A. G. Sulzberger, came to our swift defense, writing in an op-ed in the Wall Street Journal that the president had crossed a “dangerous line.”

And in a separate incident two years earlier that did not emerge until Trump singled us out for “treason,” the Times received a call from a concerned American citizen. The caller made clear he was acting on his own volition. Egyptian authorities were preparing an imminent arrest of another colleague, Declan Walsh, who had recently published an investigation into Egypt’s role in the torture and murder of an Italian student, whose body had been dumped along a highway in Cairo. Alarming as the call was, it was also fairly standard. The Times had received many such warnings from American diplomats over the years. But this one was different. The official was distressed. They told the Times that their bosses at the American embassy had already signaled to the Egyptians that they would not intervene. The Trump administration was going to let the arrest be carried out. When Walsh called the embassy for help, officials there feigned concern but suggested that, as an Irish citizen, he call the Irish embassy instead. In the end, it was Ireland—not the United States—who got him out safely. The episode made clear, Walsh would later write, “that journalists can’t rely on the United States government to have our back as it once did.” In other words, our invisible armor was gone. It vanished the day Trump was inaugurated.

“Listen, Nicole,” Gosler said. “You’d have to be a cloistered monk on a mountain in Africa to not be concerned about cyber vulnerabilities.”

Part of the problem is the economy still rewards the first to market. Whoever gets their widget to market with the most features before the competition wins. But speed has always been the natural enemy of good security design. Our current model penalizes products with the most secure, fully vetted software.

The annual cost from cyber losses now eclipses those from terrorism. In 2018, terrorist attacks cost the global economy $33 billion, a decrease of thirty-eight percent from the previous year. That same year, a study by RAND Corporation from more than 550 sources—the most comprehensive data analysis of its kind—concluded global losses from cyberattacks were likely on the order of hundreds of billions of dollars. And that was the conservative estimate. Individual data sets predicted annual cyber losses of more than two trillion dollars.

But if there is any good to have come out of the past few years of headline-grabbing attacks, it may be the new phrase I saw graffitied on the wall on a recent visit to Facebook. Someone had crossed out “Move fast and break things” and replaced it with “Move slowly and fix your shit.”

Despite the fact OpenSSL was used by hospital chains, Amazon, Android, the FBI, and the Pentagon, Heartbleed revealed its code had been left to a guy named Steve in England who barely had enough money to eat.

After Heartbleed, the non-profit Linux Foundation and tech companies that relied on OpenSSL stepped up to find and fund critical open-source projects. The Linux Foundation, together with Harvard’s Laboratory for Innovation Science, is now midway through a census effort to identify the most critical and widely deployed open-source software in use, with the goal of giving developers the funds, training, and tools to protect it. Separately, Microsoft and Facebook sponsor an internet-wide bug bounty program to pay hackers cash for bugs they turn over in widely used technology.