This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

by Nicole Perlroth

Starting in 2016, the U.S. National Security Agency’s own cyber arsenal—the sole reason the United States maintained its offensive advantage in cyberspace—was dribbled out online by a mysterious group whose identity remains unknown to this day. Over a period of nine months a cryptic hacker—or hackers; we still don’t know who the NSA’s torturers are—calling itself the Shadow Brokers started trickling out NSA hacking tools and code for any nation-state, cybercriminal, or terrorist to pick up and use in their own cyber crusades. The Shadow Brokers’ leaks made headlines, but like most news between 2016 and 2017, the news did not stick in the American consciousness for long. The public’s understanding of what was transpiring was—to put it mildly—a mismatch to the gravity of the situation, and to the impact those leaks would soon have on the NSA, on our allies, and on some of America’s biggest corporations and smallest towns and cities. The Shadow Brokers leaks were the world’s first glimpse of the most powerful and invisible cyber arsenal on earth. What these cryptic hackers had exposed was the largest government program you have never heard of, a cyberweapons and espionage operation so highly classified that for decades it was kept off the books completely, hidden from the public via shell companies, mercenaries, black budgets, nondisclosure agreements, and, in the early days, giant duffel bags of cash.

Investigators at CrowdStrike, the security firm, started getting called into U.S. oil and energy firms to investigate. As CrowdStrike teased the code apart in late 2013, they began to pick up Russian-language artifacts and time stamps indicating that the attackers were working on Moscow hours. Either this was a Russian campaign, or someone taking great pains to look like a Russian campaign. CrowdStrike gave the grid hackers a deceptively affable name, Energetic Bear—Bear being the firm’s code word for Russia’s state-backed groups. As they unspooled the attacks, they discovered that the code dated back to 2010—the same year Stuxnet was uncovered in Iran.

At 3:30 P.M., December 23, in the Ivano-Frankivsk region of western Ukraine, residents were just starting to pack up their desks and head home for the holidays when an engineer inside Prykarpattyaoblenergo’s control center noticed his cursor gliding across his computer screen, as if pushed by an invisible hand. The cursor moved to the dashboard that controlled Prykarpattyaoblenergo’s circuit breakers at substations around the region. One by one, the cursor double-clicked on the box to open the breakers and take the substations offline. The engineer watched in horror as a pop-up window suddenly appeared, confirming one last time that he wanted to cut heat and power to thousands of his countrymen. He desperately tried to regain command of his mouse, but it was no use. Whoever was inside his machine had left him powerless, and now was logging him out. He tried to log back in, but the hidden hand had already changed his password, kicking him out permanently. Now he could only watch as a digital ghost moved from one breaker to another, meticulously shutting down thirty substations altogether. Meanwhile, two other Ukraine power suppliers were struck in the same way, leaving a total of 230,000 Ukrainians in the dark. Once the power was cut, the hidden hand shut down Ukraine’s emergency phone lines too, just to add to the chaos. And finally, the coup de grace: The attackers shut off the backup power to the power distribution centers, forcing Ukrainians to try to put the pieces bac...

Below the quote was an emergency plan for cyberattacks. “Hour 0,” the notice read. “Notify White House Security Response. Hour 1: FBI and Secret Service reach out to victim. NSA searches intelligence for information. DHS coordinates national security response. End of Day: Send status message. If appropriate, this message will state that: ‘No further messages will be sent unless or until significant new information is obtained, which may take days or weeks.’ ” I’d always imagined the White House would have some advanced, real-time map of cyberattacks, denoted in red blips, sailing toward the White House from decoy servers around the globe, and a team of responders waiting to zap them in real time. Nope. When it came to defense, the nation with the most advanced hacking capabilities in the world was reduced to a printout, like the rest of us.

But as NSA operators, security researchers, and hackers all over the world started teasing the file apart, it became clear this was the real deal. The trove contained zero-day exploits that could invisibly break through the firewalls sold by Cisco, Fortinet, and some of the most widely used firewalls in China. I immediately called up every former TAO employee who would pick up their phone. What is this? “These are the keys to the kingdom,” one put it bluntly. He had already combed through the sample cache and recognized the tools as TAO’s. They were all a cyberterrorist would need to break into government agencies, labs, and corporate networks all over the world. If Snowden had dribbled out descriptions of NSA programs and capabilities, the Shadow Brokers had just unleashed the capabilities themselves. The code and algorithms to exact mass destruction were now freely available to anyone with an ax to grind, or data to steal—the NSA’s worst nightmare essentially, the very scenario the VEP was designed to impede.