Kindle Notes & Highlights
Read between May 7 - June 17, 2022
They were all a cyberterrorist would need to break into government agencies, labs, and corporate networks all over the world.
The code and algorithms to exact mass destruction were now freely available to anyone with an ax to grind, or data to steal—the NSA’s worst nightmare essentially, the very scenario the VEP was designed to impede.
Cybercriminals the world over would surely use them for profit. But nation-states could just as easily bolt digital bombs and data wipers onto the tools, detonate data, and take America’s government agencies, corporations, and critical infrastructure offline.
The media did not flock to the Shadow Brokers release the way they had to the Snowden dumps or the DNC leaks. At the Times, my colleagues David Sanger, Scott Shane, and I covered the leaks in story after story, several on the front page, but, with their technical aspect, they did not land the same way as previous leaks. Still, the damages to the NSA’s operations were far greater.
EquationGroup
The vault detailed how the CIA could hack into cars, smart TVs, web browsers, and the operating systems of Apple and Android phones and Windows, Mac, and Linux computers. Essentially, the motherlode.
the CIA would pin the Vault7 leaks on a former elite CIA programmer by the name of John Schulte, who claimed innocence. A jury determined Schulte was guilty of making false statements to investigators, but as to whether Schulte was the source of the leaks, the jury was deadlocked, forcing the judge to declare a mistrial.
The Israelis, I learned from sources, had hacked into Kaspersky’s systems and discovered the firm was using its antivirus software’s access to computers all over the world, to search for and pull back Top Secret documents.
“They had operational insight that even most of my fellow operators at TAO did not have,” Williams said. “Whoever wrote this either was a well-placed insider or had stolen a lot of operational data.” The jolt from the Shadow Brokers’ riposte changed Williams’s life.
A few days later, on April 14, 2017, the Shadow Brokers unleashed their most damaging leak yet. The tally of damages to the NSA, to tech companies, and their customers, would go from millions to tens of billions of dollars, and counting.
Some of the exploits were “wormable,” meaning that anyone could pick them up and bolt on code that would self-replicate malware around the world.
EternalBlue, the exploit that could invisibly penetrate millions upon millions of Windows machines and leave barely a speck of digital dust behind. “Hard to detect and easy to use. It was pretty much point-and-shoot,”
The only trace that it had been used was a second, complementary NSA exploit, code-named DoublePulsar, that was often used to implant EternalBlue into machines.
One week later, the number of infected machines topped 100,000. Two weeks later, 400,000 victims were infected.
May 12, 2017.
in the United States, FedEx and small electrical utilities scattered around the country—were all held hostage by a red screen with a ticking countdown clock demanding $300 in ransom to decrypt their data. If they didn’t pay in three days, victims were told, the ransom would double. In seven days their data would be deleted for good. “Your important files are encrypted,” the ransom note read. “Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.”
Within twenty-four hours, 200,000 organizations in 150 countries had been infested. Only Antarctica, Alaska, Siberia, mid-Africa, Canada, New Zealand, North Korea, and a wide swath of the American West were spared.
they dubbed the attacks WannaCry—not because the word perfectly encapsulated the way so many victims felt—but because of a tiny snippet left in the code: “.wncry.”
The attackers had used a powerful catalyst, the stolen NSA exploit EternalBlue.
Sure, the tools were ours, but we’re not responsible for how others use them became the official government line.
Pyongyang was learning that cyberattacks were a far easier way to get around sanctions than North Korea’s usual methods of counterfeiting and illicit wildlife trafficking.
Bangladesh Central Bank, where they’d made a $1 billion transfer request from the New York Federal Bank. Only a spelling error (they’d misspelled foundation as “fandation”) had kept bankers from transferring the full billion, but they’d still made off with $81 million, among the largest bank heists in history. WannaCry was the next evolution in North Korea’s efforts to generate badly needed income.
Marcus Hutchins discovered that he could neuter the attacks by redirecting victims’ servers away from the attackers’ command-and-control server toward a web address he bought for less than $11.
China’s addiction to bootlegged software left its systems among the hardest hit.
tête-à-tête
A staggering number of computers that controlled the world’s critical infrastructure—hospitals, patient records, and utilities—still ran Microsoft XP, even though Microsoft had stopped patching the software in 2014.
The NSA had withheld Microsoft’s vulnerabilities for years, allowed its customers to get hacked, and once again, left it to Redmond to clean up the mess.
“This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up in Wikileaks, and now this vulnerability stolen from the NSA has affected customers around the world,”
Petro Poroshenko, Ukraine’s new president, had personally asked Shymkiv to join him as his deputy and to help the country defend itself against nonstop Russian cyberattacks.
Computers at Kyiv’s two major airports were down.
Ukrainians couldn’t take money out of ATMs. Or pay for gas; the payment machines were no longer functioning. The same Ukrainian energy companies that had been taken out in the blackouts were paralyzed once more. Computers at bus stations, banks, railways, the postal service, and media companies were all displaying a familiar ransom message.
It used not one but two stolen NSA tools—EternalBlue and another called EternalRomance—to spread. And it had baked in yet another formidable exploit, Mimikatz, a password-stealing tool developed by a French researcher five years earlier as a proof-of-concept exploit, to crawl as deep into victims’ networks as it could.
Despite the cover story, NotPetya was not ransomware at all. The encryption in the ransomware could not be reversed. This was no for-profit venture; it was an attack designed to wreak maximum destruction.
Maersk, the world’s largest shipping operator, was paralyzed and would sustain hundreds of millions of dollars in damages. India’s largest container port was turning shipments away.
The attack even backfired on Moscow. Computers at Rosneft, the Russian oil giant, went down too.
No cyberattack can be confined to one nation’s citizens anymore. That had been the short-lived lesson from Stuxnet’s escape. These attacks were transnational. Any company that did any business in Ukraine—even those with a single employee working remotely from Ukraine—got hit.
The damage to Merck and Mondelez alone topped $1 billion. Their insurers would later refuse to pay out damages relating to NotPetya, citing a widely written but rarely invoked “war exemption” clause in their policies. The Russian attack, insurers concluded, qualified as an act of war;
Hardly a news cycle went by when we did not hear of some new hack. We were all inured to what happened next: an offer of a year’s worth of free credit monitoring, a weak public apology from a CEO. If the breach was really terrible, he or she might get fired; but more often than not, after a temporary dip in stock price, we all moved on.
The agreement Obama had reached with Xi Jinping to cease industrial espionage ended the day Trump kicked off his trade war with China.
Trump’s abandonment of the Iran nuclear deal—the only thing keeping Iran’s hackers on good behavior—unleashed more Iranian cyberattacks on American interests than ever before.
Russia’s trolls and state news outlets found it far more efficient to amplify American-made disinformation than create their own. This time they weren’t looking to go viral—that would draw too much attention—they simply searched for sparks wherever they flew and offered up a little kindling.
Russian trolls worked overtime to legitimize the vaccination debate, just as they had during the worst of Ukraine’s measles outbreak one year earlier. They retweeted Americans who challenged official Covid-19 statistics, protested the lockdowns, and doubted the benefits of wearing a mask.
“What that means is go into your adversary and tie them up in politics to the point where they are in such disarray that you are free to do what you will.”
phrase I saw graffitied on the wall on a recent visit to Facebook. Someone had crossed out “Move fast and break things” and replaced it with “Move slowly and fix your shit.”
“Ideally, you build it like it’s broken,” is how Casey Ellis, a cybersecurity entrepreneur, put it to me one day. “Companies have to assume they’ve already been compromised, then figure out how to limit the blast radius.”
Heartbleed forced the government to address its Vulnerabilities Equities Process,
One former TAO hacker likened the EternalBlue exploit to “fishing with dynamite.” And despite the VEP document’s claims that zero-days are held only “for a limited time,” the NSA held onto EternalBlue for more than five years. Likewise, the Shadow Brokers leaks included a four-year-old Oracle implant that affects some of the most widely used database systems in the world.