Kindle Notes & Highlights
Read between September 11 - September 15, 2022
unless Microsoft locked its systems down, a bad actor would inevitably use those same capabilities for a cyberattack of mass destruction or as a tool in brute authoritarianism. The stakes were only getting higher.
Their work triggered equal parts admiration and disdain, particularly from Microsoft, which accused them of disclosing the bug before it had a patch. Project Zero’s team gave vendors ninety days. After that, they would dump their bugs online. Part of the goal was to light a big fat fire under vendors’ asses.
Hackers weren’t hobbyists anymore. They weren’t playing a game. In short order, they had become the world’s new nuclear scientists—only nuclear deterrence theory did not so neatly apply. Cyberweapons didn’t require fissile material. The barrier to entry was so much lower; the potential for escalation so much swifter.
This is what the new era of asymmetrical cyberwarfare looked like. The United States could strike a country’s critical infrastructure with cyberattacks, but when foreigners retaliated, U.S. businesses would be left holding the bag. The United States had no coherent response to the escalating nation-state cyberattacks on its systems.
The U.S. grid is powered by local electricity distributors who are regulated state-to-state and not held to any federal security standards. The computer systems that powered the grid were designed long before cyberattacks became the norm; they were built for access, not security. Many ran older, expired software that software companies like Microsoft no longer patched. And these local grid operators had few of the resources that big power distributors like PG&E had at their disposal.
“Virtually all of our civilian critical infrastructure—including telecommunications, water, sanitation, transportation, and health care—depend on the electric grid. The grid is extremely vulnerable to disruption caused by a cyber or other attack. Our adversaries already have the capability to carry out such an attack.
“Under current conditions, timely reconstitution of the grid following a carefully targeted attack if particular equipment is destroyed would be impossible; and according to government experts, would result in widespread outages for at least months to two years
By the end of 2012, DHS analysts had responded to 198 attacks on U.S. critical infrastructure systems—a 52 percent increase from the previous year.
In a speech in 2012, Russia’s minister of telecommunications pushed for an international treaty banning computer warfare, while Russian officials back-channeled with their American counterparts to come up with a bilateral ban. But Washington dismissed Moscow’s bids, believing them to be a Russian diplomatic ploy to neuter the U.S. lead in cyberwarfare.
Russian hackers infected the software updates that reached the industrial controllers inside hydroelectric dams, nuclear power plants, pipelines, and the grid, and were now inside the very computers that could unleash the locks at the dams, trigger an explosion, or shut down power to the grid.
The Kremlin was signaling to Washington that if it retaliated on behalf of its Ukraine ally, or ever dared turn off the lights in Moscow, Russia had the ability to turn around and do the same. Call it mutually assured destruction for the internet era.
VirusTotal, a kind of Google search engine for malware that researchers use to see where a piece of malware may have popped up before.
All discovered BlackEnergy and KillDisk on their systems, but the attackers had broken into each network using different techniques and methods, almost like they were tinkering. In one case, the attackers downloaded their tools over time—1:20 P.M. every day. In another, they downloaded them rapid-style. “They tried one technique here, one technique there,” Yasinsky told me. “This was the scientific method in action.”
The Ukraine blackouts were the nightmare scenario officials and cybersecurity specialists had forecast for years.
By now, Russian hackers were so deeply embedded in the American grid and critical infrastructure, they were only one step from taking everything down. This was Putin’s way of signaling the United States. If Washington intervened further in Ukraine, if it pulled off a Stuxnet-like attack in Russia, they would take us down.
Our grid was no less vulnerable than Ukraine’s; the only difference is we were far more connected, far more dependent, and in far greater denial.
Trump would eliminate the White House cybersecurity coordinator completely.
Dutch intelligence agencies had hacked into a university just off Moscow’s Red Square, where the SVR’s hackers—known to private security researchers as Cozy Bear—sometimes operated. The Dutch had managed to get inside the university’s security cameras and, using facial-recognition software, identified the SVR’s hackers by name.
if the White House had followed through more closely, they might have caught those very same hackers in the beginning stages of their attack on our elections.
now it’s not so cut-and-dried. We’ve all migrated to the same technology. You can no longer cut a hole in something without poking a hole in security for everyone.”
By June 2014 the Kremlin had already dispatched two Russian agents, Aleksandra Y. Krylova and Anna V. Bogacheva, to the United States for a three-week recon tour. The two women bought cameras, SIM cards, and burner phones and devised “evacuation scenarios” in case American officials grew wise to the real impetus for their trip. Altogether the women visited nine states—California, Colorado, Illinois, Louisiana, Michigan, Nevada, New Mexico, New York, and Texas—to “gather intelligence” on American politics.
the Internet Research Agency (IRA) set to work recruiting twentysomething news writers, graphics designers, and “search engine-optimization specialists” with $1,400 weekly salaries, more than four times what they could make anywhere else. On one floor, Russian trolls operating in rotating twelve-hour shifts created and deployed hundreds of fake accounts on Facebook and Twitter to pummel anyone who criticized their master, Vladimir Putin. On another floor, the IRA trolls waited for their daily assignment: a list of America’s political crises du jour,
Demonstrators from the Heart of Texas group confronted pro-Muslim protesters across the street in a terrifying real-world standoff that Russia’s digital puppeteers were coordinating from five thousand miles away. Even the Russian trolls back in St. Petersburg couldn’t believe the Americans were so gullible.
(FBI agents would later discover that “purple states” had become something of a Russian mantra in the 2016 interference).
By the time the IRA campaign was fully revealed, years later, Putin’s trolls had reached 126 million Facebook users and received 288 million Twitter impressions—a staggering number, given that there are only 200 million registered voters in the United States, and only 139 million voted in 2016.
Fancy Bear’s Russian hackers had sent John Podesta, Hillary Clinton’s campaign chairman, a fake Google alert, declaring that he had to change his Gmail password. Podesta had forwarded the email to the DNC’s IT staff for vetting, and in what would become the most tragic typo in American election history, a campaign aide wrote back, “This is a legitimate email.” He had intended to type “illegitimate,” but the damage was done.
When Podesta entered his new password into the Russians’ fake Gmail log-in page, it gave Russian hackers access to sixty thousand emails, stretching back a decade, and a foothold to dig even deeper into the DNC and Hillary Clinton’s emails.
“This is Watergate,” we both agreed. We called our editors at the Times, but it was difficult to get much momentum that June, in the midst of the most mind-boggling presidential campaign of our era.
Guccifer 2.0’s hacking alias and Illuminati reference were all part of an elaborate Russian cover story.
In the back and forth, Americans had lost sight of where these leaks were coming from.
Months after Sanders ended his campaign and endorsed Clinton, several activists who ran Facebook pages for Bernie Sanders began to note a suspicious flood of hostile comments aimed at Clinton. “Those who voted for Bernie will not vote for corrupt Hillary!” they read. “The Revolution must continue! #NeverHillary.” “The magnitude and viciousness of it,” one Facebook administrator told my colleague Scott Shane, suggested that this was the work of a cold-blooded adversary with an agenda, but the sheer idea that any of this was a Russian campaign still struck many Americans as crazy Cold War–speak.
Russian hackers would not necessarily even need to compromise the voting machines themselves; it would be far easier, and less visible, to simply digitally disenfranchise thousands of voters in traditionally blue urban counties in purple states. Even if they tweaked the data just a little, the Russians could cause fears of a rigged election and throw the election, and the country, into chaos. And chaos, Russian foreign policy experts said, was always the point.
Mitch McConnell, the Senate majority leader, made it clear that he would not sign onto any bipartisan statement blaming the Russians; he dismissed the intelligence, admonished officials for playing into what he wrote off as Democrats’ spin, and refused to warn Americans about efforts to undermine the 2016 election.
If Snowden had dribbled out descriptions of NSA programs and capabilities, the Shadow Brokers had just unleashed the capabilities themselves. The code and algorithms to exact mass destruction were now freely available to anyone with an ax to grind, or data to steal—the NSA’s worst nightmare essentially, the very scenario the VEP was designed to impede. But the cache was just a teaser, an advertisement for a much larger trove of NSA tools they planned to release to the highest bidder.
none of the investigators at the FBI or the NSA’s counterintelligence arm, known as the Q Group, believed that the Shadow Brokers had done this for profit.
Investigators came to believe this was a terror plot, unfolding in slow motion.
the WannaCry attacks were different. The NSA had withheld Microsoft’s vulnerabilities for years, allowed its customers to get hacked, and once again, left it to Redmond to clean up the mess. Smith was apoplectic. It was time to hold the agency to account. And so, he took direct aim at the NSA in a manifesto.
We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of exploits.”
he knew that as much as Russian meddling in Ukraine would continue in one form or another, the country was its digital test kitchen, not its end target.
Two years later, Ukraine was still picking through the rubble. “The question we should all be asking ourselves,” he continued, “is what they will do next.”
169 nation-states signed on to the Fourth Geneva Convention, agreeing to basic protections for wounded or captured military personnel, medical personnel, and nonmilitary civilians during wartime—rules that still hold today.
happening. We’re seeing nations attack civilians even in times of peace.”
The agreement Obama had reached with Xi Jinping to cease industrial espionage ended the day Trump kicked off his trade war with China.
Trump’s abandonment of the Iran nuclear deal—the only thing keeping Iran’s hackers on good behavior—unleashed more Iranian cyberattacks on American interests than ever before.
The Kremlin—which had yet to feel much of any pain for its 2016 election interference or its hacks on the Ukraine and U.S. grids—never stopped hacking our election ...
EternalBlue had become a permanent feature in cyberattacks on American towns, cities, and universities, where local IT administrators oversee tangled, cross-woven networks made up of older, expired software that stopped getting patched long ago. Not a day went by in 2019, Microsoft’s security engineers told me, when they did not encounter the NSA’s cyberweapons in a new attack. “Eternal is the perfect name,”
“These exploits are developed and kept secret by governments for the express purpose of using them as weapons or espionage tools. They’re inherently dangerous. When someone takes that, they’re not strapping a bomb to it. It’s already a bomb.”
It was another sign that NOBUS—the presumption that “nobody but us” had the sophistication to find and exploit zero-days—was an arrogant one. Not only that, it was obsolete. The NSA’s advantage had hugely eroded over the last decade—not just because of Snowden and the Shadow Brokers and what had been learned from Stuxnet, but because we had grossly underestimated our enemies.
“The Chinese use their best tools against their own people first because that’s who they’re most afraid of,” Jim Lewis, the former government official who tracked cyber threats, told me. “Then they turn those tools on us.”
To help its prospects, Iran’s hackers took aim at Trump’s 2020 reelection campaign.