This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

by Nicole Perlroth

On December 23, 2015, just ahead of Christmas Eve, Russia crossed a digital Rubicon. The very same Russian hackers that had been laying trapdoors and virtual explosives in Ukrainian media outlets and government agencies for months had also silently embedded themselves in the nation’s power stations. That December they made their way into the computers that controlled Ukraine’s power grid, meticulously shutting off one circuit breaker after another until hundreds of thousands of Ukrainians were without power. For good measure, they shut down emergency phone lines. And for added pain, they shut off the backup power to Ukraine’s distribution centers, forcing operators to fumble around in the dark.

Starting in 2016, the U.S. National Security Agency’s own cyber arsenal—the sole reason the United States maintained its offensive advantage in cyberspace—was dribbled out online by a mysterious group whose identity remains unknown to this day. Over a period of nine months a cryptic hacker—or hackers; we still don’t know who the NSA’s torturers are—calling itself the Shadow Brokers started trickling out NSA hacking tools and code for any nation-state, cybercriminal, or terrorist to pick up and use in their own cyber crusades.

Ukraine now had one of the lowest vaccination rates in the world and the Kremlin was capitalizing on the chaos. Ukraine’s outbreak was already spreading back to the States, where Russian trolls were now pushing anti-vaxxer memes on Americans. American officials seemed at a loss for how to contain it. (And they were no better prepared when, one year later, Russians seized on the pandemic to push conspiracy theories that Covid-19 was an American-made bioweapon, or a sinister plot by Bill Gates to profit off vaccines.)

The biggest secret in cyberwar—the one our adversaries now know all too well—is that the same nation that maintains the greatest offensive cyber advantage on earth is also among its most vulnerable.

The agency was even paying major American security companies, like RSA, to make its flawed formula for generating random numbers the default encryption method for widely used security products. When paying companies off didn’t do the trick, the NSA’s partners at the CIA infiltrated the factory floors at the world’s leading encryption chip makers and put backdoors into the chips that scrambled data. And in other cases still, the agency hacked its way into the internal servers at companies like Google and Yahoo to grab data before it was encrypted.

Also, as many, many men on Twitter regularly point out to me, nobody in cybersecurity actually uses “cyber” anymore. It’s “information security,” or preferably “infosec.” More than a few times, after introducing myself as a cybersecurity reporter at a hacking conference, I was told to GTFO. (Dear reader, I leave the deciphering of that code to you.) As it turns out, introducing yourself as “cyber” anything is the quickest way to the door.

Stuxnet—as the computer worm came to be called—had been discovered in bits and pieces in 2010 as it slithered its way through computers around the globe, using an unheard-of number of zero-day exploits, seven to be precise. Some were clearly designed to infect hard-to-reach—even offline—computers. One Microsoft zero-day allowed the worm to invisibly spread from an infected USB flash drive onto a computer undetected. Others allowed it to crawl across the network from there, climbing ever higher up the digital chain of command in search of its final destination: Iran’s Natanz nuclear plant, where it burrowed deep into the offline, or “air-gapped,” computers that controlled the rotors that spun Iran’s uranium centrifuges. And then, by remote command, Stuxnet silently spun some of Iran’s centrifuges out of control, while stopping others from spinning entirely. By the time Iran’s nuclear scientists discovered that a computer worm was responsible for the destruction of their centrifuges, Stuxnet had already destroyed a fifth of Tehran’s uranium centrifuges and set Iran’s nuclear ambitions back years.

Sabien’s team avoided idealists and whiners. And because there were no rules to this market, the bulk of their suppliers were hackers in Eastern Europe. “With the breakup of the Soviet Union, you had a lot of people with skills, without jobs,” Sabien explained. But the most talented hackers, he told me, were based in Israel, many of them veterans of Israel’s Unit 8200. I asked Sabien how old his youngest supplier was, and he recalled a transaction with a sixteen-year-old kid in Israel.

The big defense contractors—Lockheed Martin, Raytheon, BAE Systems, Northrop Grumman, Boeing—couldn’t hire cyber specialists fast enough. They began poaching from the intel agencies and acquiring boutique contractors like Sabien’s. By the time Sabien had agreed to meet with me, he’d been out of the market for more than a decade, but the market was hard to avoid these days. “In the nineties, there was just a small community of people working on exploits and selling them. These days it’s so commoditized. It’s blown up. Now”—he swirled his finger in a wide circle in the air around the Beltway—“we’re surrounded. There are more than a hundred contractors in this business, probably only a dozen that know what they’re doing.”

“The most likely way for the world to be destroyed,” it read, “most experts agree, is by accident. That’s where we come in; we’re computer professionals. We cause accidents.”

“That’s why the Europeans are so good at writing exploits,” he says. “After babies, European parents get like a year to hack.”

Little Boy—the very first nuclear weapon America dropped in war—killed eighty thousand people on Hiroshima. But the destruction could have been much worse—only 1.38 percent of its nuclear core fissioned. Three days later, when Americans dropped their second bomb—codename “Fat Man”—on Nagasaki, it accidentally detonated one mile off target, though it still managed to kill forty thousand.

The “kernel” is the nerve center of any computer system. It manages communications between a computer’s hardware and software. In a machine’s pecking order, the kernel is at the very top, allowing anyone with secret access to it to take full control of the device. The kernel also forms a powerful blind spot for most security software, allowing attackers to do what they want, unnoticed, and remain there for months, years even, regardless of how vigilant their victim is at installing software patches and updates. Spies coined a name for these attacks: “The race to the bare metal.”

In the years following 9/11, a dozen NSA employees were caught trying to use the agency’s vast eavesdropping apparatus to spy on their exes and love interests. The incidents were by no means common, but the agency had coined a name for the practice, nonetheless: LOVEINT, a new twist on SIGINT, “signals intelligence,” and HUMINT, “human intelligence.” In each case, NSA auditors caught the offenders within days, demoted them, cut their pay, and revoked their clearances, which in many cases left them with little choice but to leave the agency. But not one was criminally prosecuted.

The closest I would ever get to the NSA’s large-scale SIGINT operations was Operation Shotgiant. For years American officials blackballed Huawei of China—the world’s largest manufacturer of telecom equipment—from American business dealings. More recently, the United States has been on a crusade to pressure allies to ban Huawei’s equipment from new high-speed 5G wireless networks, citing suspected ties between the company and China’s Community Party.

American officials routinely point out that Huawei’s founder, Ren Zhengfei, “China’s Steve Jobs,” was a former Chinese PLA officer, and warn that Huawei’s equipment is riddled with Chinese backdoors. Chinese intelligence could use that access to intercept high-level communications, vacuum up intelligence, wage cyberwar, or shut down critical services in times of national emergency.

Even as American officials were publicly accusing China of embedding trapdoors in Huawei’s products, my Times colleague David Sanger and I learned from leaked classified documents that the NSA had pried its way into Huawei’s headquarters in Shenzhen, years ago, stolen its source code, and planted its own backdoors in the company’s routers, switches, and smartphones.

“The most likely way for the world to be destroyed, most experts agree, is by accident. That’s where we came in; we’re computer professionals. We cause accidents.”

Some say it was an NSA computer algorithm that came up with the name. Others said it was purposely chosen for the five Olympic rings, symbolizing the unprecedented five-way cooperation between NSA, Israel’s Unit 8200, the CIA, Mossad, and the national energy labs.

We still do not know where—with two glaring exceptions—these zero-days came from, whether they were developed “in-house” by TAO or Israel’s Unit 8200 or procured off the underground market. What we do know is that the worm—in its final form, 500 kilobytes—was fifty times bigger than anything discovered before it. It was one hundred times the kilobytes required to send Apollo 11 to the moon. And it was pricey, easily worth millions of dollars. But, held against a single $2 billion B-2 bomber, it was a Costco bargain. Each of the seven zero-days played a critical role in getting their worm into the Natanz computers and crawling its way into the centrifuges.*

For thirteen days, it did nothing but measure the speed of the centrifuge rotors. It was checking to make sure the rotors ran at speeds between 800 and 1100 hertz, the exact frequency range used by Natanz’s centrifuges. (Frequency converters that operate past 1000 hertz are actually bound by U.S. export controls because they are primarily used for uranium enrichment.) Once that thirteen-day waiting period was over, the payload got to work. The code was designed to speed up the rate at which the rotors spun to 1400 hertz for exactly fifteen minutes, before returning to normal for twenty-seven days. After those twenty-seven days were over, it would slow the speed of the rotors to just 2 hertz for fifty minutes, before returning to normal for another twenty-seven days, and repeating the whole process all over again.

In some cases Pegasus still required a target to click on a malicious link, image, or message to download onto the phone, but increasingly it required no interaction at all. Digging through NSO’s pitch decks and proposals, the company marketed a new zero-click infection method that executives called “over the air stealth installation.” NSO did not detail how exactly it had accomplished this. In some cases they alluded to rigging public WiFi hot spots, but it appeared they could also hijack a target’s phone from long distances.

They charged a flat $500,000 installation fee, then another $650,000 to hack just ten iPhones or ten Android phones. Their clients could hack an additional hundred targets for $800,000; fifty extra targets cost $500,000; twenty, $250,000; and ten extra cost $150,000. But what this got you, NSO told customers, was priceless: you could “remotely and covertly collect information about your target’s relationships, location, phone calls, plans and activities—whenever and wherever they are.”

NSO had already installed Pegasus at three Mexican agencies: the country’s Center for Investigation and National Security, its attorney general’s office, and its department of defense. All told, the firm had sold the Mexicans $15 million worth of hardware and software, and they were now paying NSO some $77 million to track a wide array of targets.

Of course the Israelis denied all of this. In one of the stranger conference calls I have ever had, ten NSO executives, who refused to give me their names or titles, insisted they were not cold-blooded mercenaries. They only sold Pegasus to democratic governments, they said, for the express use in criminal and terrorism investigations. Like Hacking Team before them, they told me that NSO had a strict internal vetting process to determine which governments it would and would not sell to.

A frequent target for the menacing hacking attempts was Carmen Aristegui, the Mexican journalist who broke the scandal of the so-called Casa Blanca, a real estate intrigue that involved Peña Nieto’s wife getting a cheap deal on a mansion from a major government contractor. Not long after her story forced Peña Nieto’s wife to give up the house, Aristegui started receiving messages

Within hours of publishing our story, people had taken over the streets in Mexico City to call for Peña Nieto’s resignation. The hashtag #GobiernoEspía—the government spies—started trending worldwide on Twitter. All of Mexico appeared to be up in arms. Our reporting had forced Peña Nieto to acknowledge that Mexico was using NSO’s spyware—a first for any government leader. But Peña Nieto denied ordering the government to spy on his critics and journalists. And then Mexico’s president strayed from his script: His administration, he warned, would “apply the law against those who have levelled false accusations against the government.” Peña Nieto’s underlings later backtracked. The president had misspoken and had not intended to threaten Azam and me, or the New York Times.

Legion Yankee was among the murkiest—and most prolific—of the more than two dozen Chinese hacking groups that NSA hackers tracked, as they raided intellectual property, military secrets, and correspondence from American government agencies, think tanks, universities, and now the country’s most vibrant technology companies.

The majority of hacking crusades were conducted by the China’s People’s Liberation Army’s Second and Third Departments. It was clear from their targets that various PLA units were assigned to hack foreign governments and ministries in specific geographic locales, or to steal intellectual property in distinct industries that benefited China’s state-owned enterprises and economic plans.

Increasingly, high-ranking Chinese officials at China’s Ministry of State Security started outsourcing attacks on high-profile targets—political dissidents like the Dalai Lama, Uighur and Tibetan ethnic minorities, and high-profile defense contractors in the United States—to freelance hackers at Chinese universities and internet companies. The state identified these hackers for their skills, which often far exceeded those of their PL...

security researchers traced attacks back to employees at China’s leading internet company, Tencent. Often China routed attacks through some of its most popular websites, like 163.com—China’s equivalent of Yahoo—and Sina, the company that runs Sina Weibo, China’s Twitter equivalent. 163.com was officially owned and run by a Chinese gaming billionaire, but its mail servers were operated by a Chinese government domain, giving the Communist party’s minders access to all the messages, and digital traffic, routed through it. And the PRC had started using 163.com’s servers as staging grounds for its attacks.

Google’s attacker, Legion Yankee, had come to U.S. intelligence analysts’ attention six months before Google spotted the blip on their screen. They’d surfaced in a number of hacks on defense contractors. State Department officials would later connect the Google hacks back to Zhou Yongkang, China’s top security official, and Li Changchun, a member of China’s top ruling body, the Politburo Standing Committee, and the country’s senior propaganda official. Li had apparently googled himself and didn’t like what he saw, according to leaked diplomatic cables. As a result, Li sought to punish Google, first by ordering state-owned Chinese telecoms to stop doing business with the company, and later by coordinating the contracted hit on Google’s networks—but those answers did not come until much later.

Google soon discovered it was not the only victim. As investigators traced the attack further back to the attackers’ command-and-control server, they found trails leading to dozens of American companies, many in Silicon Valley—Adobe, Intel, Juniper Networks—and others that were not. The body count included defense contractors, the cybersecurity company Akamai, Dow Chemical, Morgan Stanley, and many more that—to this day—have refused to even acknowledge that they were breached.

A subsequent investigation by researchers at McAfee—who dubbed the Chinese operation Aurora—found that it wasn’t just Google. Everywhere the Chinese hackers had gone—high-tech companies, defense contractors—they were disturbingly successful at cracking source code repositories. With that access, they could surreptitiously change the code that made its way into commercial products and attack any customers who used the software.

Google had entered the Chinese market as some kind of savior. At the time Brin and his cofounder, Larry Page, told employees it was better to give the Chinese censored search results than nothing at all. Google would help educate Chinese citizens about AIDS, environmental issues, avian flu, and world markets. The alternative, they argued, was to leave a billion people in the dark.

By the time Clinton took the podium, China’s hackers had already unplugged and abandoned their hacking tools and command-and-control servers. It would be months before Legion Yankee would hit American radars again. One year later, they would resurface in yet another sophisticated cyberattack at RSA, the security company that sold authentication keys to some of the most high-profile U.S. defense contractors, before using RSA’s source code to hack Lockheed Martin. They would eventually go on to compromise thousands of Western companies across diverse swaths of industries—banks, NGOs, auto makers, law firms, and chemical companies—siphoning billions of dollars’ worth of sensitive military and trade secrets in the process.

“Atado con alambre!” the driver chimed in. It was the first of many times I would hear those three little words—atado con alambre—over the next week. It was Argentine slang for “held together with wire”

In Argentina, nobody, not even hackers, bothered with banks. From the moment I’d arrived in Buenos Aires, the porteños told me to avoid them altogether. They pointed me to various cuevas, illegal exchange houses, instead. After years of economic collapse and government freezes on withdrawals, Argentinians had lost their trust in banks. Online and mobile banking were still virtually unheard of, which meant there was less to be gained by hacking them.

Hackers weren’t hobbyists anymore. They weren’t playing a game. In short order, they had become the world’s new nuclear scientists—only nuclear deterrence theory did not so neatly apply. Cyberweapons didn’t require fissile material. The barrier to entry was so much lower; the potential for escalation so much swifter. Our own stockpile of cyber exploits and cyberweapons hardly deterred our adversaries from trying to acquire their own. What Iran, North Korea, and others could not develop on their own, they could now just buy off the market.

For all the criticism of the Iran nuclear deal that was signed in July 2015—that the deal didn’t go far enough, that the release of sanctions would lead to regional instability, that the United States had been duped—the cybersecurity community breathed a sigh of relief. After the deal was signed, the wrecking crew ceased. “The nuclear deal imposes a constraint on them,” Jim Lewis told me that month. But, he warned, “When the deal goes away, so goes their restraint.”

Chinese hackers had taken everything from the designs for the next F-35 fighter jet to the Google code, the U.S. smart grid, and the formulas for Coca-Cola and Benjamin Moore paint.

Xi appeared genuine. But then came Trump, who turned the table over with tariffs and the trade war. If it weren’t for that, some officials told me, Chinese industrial cyberattacks might have slowed to a trickle. But the cynics saw it differently. The agreement had always been a con job, they said. Xi was just biding his time. Two years later, the cyberattacks resumed. Only these weren’t the sloppy spearphishing attacks of the previous decade. They were vastly more stealthy, strategic, and sophisticated.

All optimism evaporated in 2014, when the Russians took their attacks one step further. That January, CrowdStrike discovered that Russian hackers had successfully compromised industrial control software companies and Trojanized the software updates that made their way into hundreds of industrial control systems across the country. It was the same technique the Americans and Israelis had used five years earlier with Flame, when they infected computers in Iran using Trojanized Microsoft software updates. But the Russians had been far less judicious. It wasn’t just U.S. oil and gas companies anymore; Russian hackers infected the software updates that reached the industrial controllers inside hydroelectric dams, nuclear power plants, pipelines, and the grid, and were now inside the very computers that could unleash the locks at the dams, trigger an explosion, or shut down power to the grid.

At the same time Russia was embedding in our grid, “little green men”—armed Russian Special Forces wearing green uniforms without insignia—had started cycling into Crimea. The Kremlin was signaling to Washington that if it retaliated on behalf of its Ukraine ally, or ever dared turn off the lights in Moscow, Russia had the ability to turn around and do the same. Call it mutually assured destruction for the internet era. And if Russia did attack the grid, we were screwed.

Littered throughout attackers’ code were references to the 1965 science fiction epic Dune, a Frank Herbert science fiction novel set in a not-too-distant future in which the planet has been destroyed by nuclear war. The protagonists take refuge in the desert, where thousand-foot-long sandworms roam just beneath the surface. Hultquist called this new Russian attack group Sandworm.

Inside NSA, intelligence analysts tracked Sandworm by a different name: It was one of several departments working under Unit 74455, a division of Russian General Staff Main Intelligence Directorate, the GRU. And the NSA’s analysts were increasingly alarmed by what they saw.

Sandworm wasn’t after emails and Word docs. It was targeting files used by industrial engineers. One of Trend Micro’s researchers had previously worked at Peabody Energy, the world’s largest coal producer. This gave him a unique window into what they were seeing. Sandworm’s attackers were targeting “.cim” and “.bcl” files, two file types used by General Electric’s industrial control Cimplicity software—the same software Peabody’s engineers used to remotely check on their mining equipment. That very same GE software was used by industrial engineers the world over. It was a human-machine interface used to check on the PLCs that control the world’s water treatments facilities, electric utilities, transportation companies, and oil and gas pipelines.

This would be the last time we met face-to-face before the election. In a year, Daniel would be out of office, and a few years after that, Trump would eliminate the White House cybersecurity coordinator completely. Daniel and I had spoken many times before, about the Iranian attacks at Aramco and the banks, China’s attacks on OPM, and the woeful state of America’s cyber defenses.

With a multimillion-dollar budget at its disposal—source still unknown—the Internet Research Agency (IRA) set to work recruiting twentysomething news writers, graphics designers, and “search engine-optimization specialists” with $1,400 weekly salaries, more than four times what they could make anywhere else. On one floor, Russian trolls operating in rotating twelve-hour shifts created and deployed hundreds of fake accounts on Facebook and Twitter to pummel anyone who criticized their master, Vladimir Putin. On another floor, the IRA trolls waited for their daily assignment: a list of America’s political crises du jour, anything the Russians could exploit for division, distrust, and mayhem.

An enterprising reporter at Motherboard, the online tech news site, interviewed Guccifer 2.0 over Twitter. Motherboard’s reporter, Lorenzo Franceschi-Bicchierai, had cleverly phrased his questions in English, Romanian, and Russian. Guccifer 2.0 answered the questions in broken English and Romanian, but claimed not to understand the questions in Russian. When linguists began to tease Guccifer 2.0’s responses apart, it was clear that he was no Romanian at all: he’d used Google Translate. This was a Russian influence operation through and through.