This Is How They Tell Me the World Ends: The Cyberweapons Arms Race
The Cold War was over, but new enemies were on the horizon, and the champagne would not flow for long. One year later R. James Woolsey, President Clinton’s new pick for CIA chief, would tell senators, “Yes, we have slain a large dragon. But we live now in a jungle filled with a bewildering variety of poisonous snakes. And in many ways, the dragon was easier to keep track of.”
Langley knew that if it did not quickly redefine its role in this emerging digital landscape, it would be elbowed out for good. Already the CIA leadership was busy pushing back on policymakers advocating that—in the post–Cold War era—the CIA should be abolished, with its primary functions turned over to the State Department.
In the blame game that followed, the 9/11 Commission and other lawmakers—many of whom had voted to slash intelligence budgets over the previous decade—would all agree: intelligence had been at fault. The intelligence community needed more resources, more legal authorities, more data, more machines, and more people to ensure that nothing like 9/11 ever happened again. The Patriot Act was signed, and later the Foreign Intelligence Surveillance Act was amended to expand the government’s ability to conduct electronic surveillance without court orders.
CHAPTER 9 The Rubicon
CHAPTER 10 The Factory
The year I stepped into the closet of Snowden’s classified secrets, the zero-day market had become a full-fledged gold rush. But there was little incentive to regulate a market in which the United States government was still its biggest customer. That year, having ironically spawned the zero-day market and launched the world into the era of cyberwar, Keith Alexander, Stuxnet’s architect, was asked what kept him up at night. “My greatest worry,” Alexander told a reporter, was the growing likelihood of zero-day exploits falling into the wrong hands.
CHAPTER 11 The Kurd
The closest the United States has ever gotten to controlling the export of hacking tools and surveillance technology is the Wassenaar Arrangement. Named for the Dutch town where the arrangement was originally signed in 1996, the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies was designed to replace the previous set of Cold War norms used by Western states to keep weapons and military technology from making their way to Russia, China, and their communist satellites. Wassenaar’s goal was to control the sale of conventional weapons systems and ...more
Beyond the Villa, Evenden started to see Abu Dhabi in a harsher light. Its man-made islands and museums were just distractions from a state that imprisoned anyone who offered even the tamest criticism. Evenden started to read local news stories about American expats being thrown in “debtors’ prison” because they were unable to pay their credit card debt. In traffic one day, he witnessed a bad accident in which an Emirati ran through a stoplight and collided with an expat. Though the accident was clearly the Emirati’s fault, the local police let the Emirati get away and dragged the expat into ...more
Three years after Google’s attack, James Comey, then head of the FBI, put it this way: “There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese, and those who don’t know they’ve been hacked by the Chinese.”
That June, correcting the trend became a matter of urgency. The Guardian dropped Snowden’s first NSA leaks that month, detailing an NSA program called Prism. One NSA slide appeared to show that Microsoft, and the other tech companies, gave the NSA direct access to their servers. Some leaks described Prism as a “team sport” between the tech companies, the NSA, the FBI, and CIA.
I recalled something Chris Inglis, the retired NSA deputy director, once said: “If I were to score cyber the way we score soccer, the tally would be 462–452 twenty minutes into the game. In other words, it’s all offense and no defense.”
Cook had another solid argument. Even if Apple did what the government was asking, even if it wrote a backdoor just for this one case, that backdoor would become a target for every hacker, cybercriminal, terrorist, and nation-state under the sun. How could the U.S. government ever guarantee it could keep Apple’s backdoor safe, when it could not even manage to protect its own data?
The FBI was losing in the court of public opinion, but the case was still up to a judge, and Apple made it clear it was willing to take its fight all the way to the Supreme Court. But the week before I arrived in Miami, there was a twist. Without warning, the Justice Department dropped its case, informing the judge it had found another way to access Farook’s data. It no longer needed Apple’s help. Unnamed hackers had approached the FBI with an alternative way in, a hacking method that allowed the government to bypass Apple’s encryption to access Farook’s iPhone—a zero-day exploit. And perhaps ...more
The Israelis were out in full force. One Israeli firm in particular, Cellebrite, which specialized in unlocking encrypted iPhones and Androids, was the leading suspect for the FBI’s iPhone jailbreak. Cellebrite had timed a strangely public product announcement about its iPhone cracking software for the week the FBI revealed that someone had helped it crack Farook’s iPhone. An Israeli newspaper surfaced a $15,278.02 FBI contract with Cellebrite, dated the same day the FBI informed the judge about their new access.
It was starting to show. Every year small teams of college students from over a hundred countries convene at the International Collegiate Programming Contest (ICPC), the oldest and most prestigious contest of its kind. Two decades ago, American teams from Berkeley, Harvard, and MIT dominated the top ten finalists. These days the winners were Russian, Polish, Chinese, South Korean, and Taiwanese. In 2019 a team from Iran beat Harvard, Stanford, and Princeton, which didn’t even break into the top twenty. America’s pool of cyber talent was shrinking. U.S. intel agencies had taken a big hit in ...more
Chip manufacturers hired the Gaucho to make sure that their chips were secure. He’d discovered all sorts of ways one could hack chips to get into the global supply chain. He showed me how to hack a chip with a “side channel attack,” sending malware via radio emissions to the copper in the chip itself. There were at least ten of these chips now in every device.
While the United States was still the top player in offense, it was woefully behind in locking up its own systems, and only becoming more vulnerable by the day. American data breaches had surged 60 percent year over year, and were now so commonplace that most barely registered as more than a blip on the eleven o’clock news. Half of Americans had to have their credit cards replaced at least once because of internet fraud, including President Obama. Breaches had hit the White House, the State Department, the top federal intelligence agencies, the largest American bank, its top hospital operator, ...more
In closed-door briefings in a SCIF inside the Capitol, several senior administration officials—Janet Napolitano, the secretary of homeland security; Robert Mueller, then FBI director; General Martin Dempsey, chairman of the Joint Chiefs of Staff; and Mike McConnell, the director of national intelligence—tried to persuade senators that the cyber threat to the nation’s critical infrastructure was dire. “For the record, if we were attacked, we would lose,” McConnell told the senators. The government needed the private sector’s help.
Iran caught us completely off guard. The United States was already struggling to track, let alone fend off, thousands of Chinese cyberattacks. Aurora was just the tip of the iceberg. “Legion Yankee” was but one of more than two dozen Chinese hacking groups and contractors frenetically hacking into U.S. government agencies, businesses, universities, and labs. They were making off with trillions of dollars’ worth of U.S. intellectual property, nuclear propulsion blueprints, and weaponry, costing the United States as many as a million jobs a year.
“If we are going to be aggressive about using our cyberweapons against these adversaries,” Panetta told me, “we have to be damn well prepared when these attacks come our way.”
Just a few months earlier, Panetta had delivered the first major warning of a cyberattack by a U.S. defense secretary, an attack he said would be “as destructive as the terrorist attack of 9/11.” America was once again in a “pre 9/11 moment: An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches,” Panetta told an audience on the USS Intrepid in New York. “They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities or shut down ...more
Top of mind for Panetta and everyone else paying attention that year was Iran. “Like nuclear weapons, eventually they’ll get there,” Jim Lewis, a former government official and cybersecurity expert, told me in early 2014. Back then, nobody could ever have anticipated that the first destructive cyberattacks to hit American soil would take out a Las Vegas casino and a Hollywood movie studio.
In Washington the attack paralyzed U.S. officials, who had yet to formulate a clear strategy for containing the growing cyber threat from Iran, let alone how to respond when private American companies were caught in the crossfire. They were finding it hard enough to protect their own systems from attacks. American officials didn’t know it at the time, but the very same month that Sands was hacked, Chinese hackers were in the preparation phase of their attack on the Office of Personnel Management, the attack that resulted in the theft of the most sensitive data imaginable for 21.5 million ...more
That December 2014, as American officials were consumed with China, Iran, and the Russians’ increasing incursions into Ukraine’s election systems and its grid, North Korean hackers popped out of nowhere and struck Sony Pictures in an Aramco/Sands–style attack that destroyed 70 percent of Sony’s computers and reduced employees to pen and paper for months. North Korean hackers targeted the Sony studio as revenge for a ridiculously bad James Franco–Seth Rogen film, The Interview, in which Franco and Rogen’s characters assassinate North Korea’s Dear Leader, Kim Jong-un. The North Koreans, like the ...more
Our enemies were not just learning from us; they were learning from each other. “Destructive alarm bells should have gone off,” Panetta told me.
It was unnerving to see how each of these attacks evolved and built off the last, how much more destructive each was. The Sony attack, like the attack on Sands before it, was also a strike on free speech. If Americans were no longer at liberty to put out bad movies, make bad jokes, or share their darkest thoughts without the threat of a cyberattack that cost them millions of dollars or leaked their email for all to see, this would inevitably lead to an erosion in free speech, perhaps not all at once but little by little, bit by bit.
For years the military and intelligence officials warned Congress that a foreign nation or rogue hacker could exploit software holes and access points to take down the substations that power Silicon Valley, the NASDAQ, or a swing county’s voting systems on Election Day. In 2010 a bipartisan group of ten former national security, intelligence, and energy officials—including former secretaries of defense James Schlesinger and William Perry, former CIA directors R. James Woolsey and John Deutsch, and former White House national security advisors Stephen Hadley and Robert McFarlane—sent a ...more
“Beyond a certain community focused on grid security, nobody was treating this as a Code Red situation,” a senior Obama official told me. “It was a concern, sure. But you also have to remember where we were. There was a lot going on.” Indeed. China was pillaging U.S. intellectual property. Iran was just coming online. But the escalating cyberattacks on the U.S. energy sector that began to spike in 2012 presented a far graver threat. Russia emerged as the chief suspect, but only because the hackers had gone to great lengths to hide their tools and cover their tracks. Perhaps the NSA hackers at ...more
This was hardly the first time a foreign actor had targeted the energy sector. China had hacked into one American energy firm after another with cyberattacks that American officials concluded were designed to steal U.S. fracking and renewable energy technology.
Some of the files dated as far back as 2010, the same year Energetic Bear started hacking the American energy sector, but this group appeared distinct. Littered throughout attackers’ code were references to the 1965 science fiction epic Dune, a Frank Herbert science fiction novel set in a not-too-distant future in which the planet has been destroyed by nuclear war. The protagonists take refuge in the desert, where thousand-foot-long sandworms roam just beneath the surface. Hultquist called this new Russian attack group Sandworm.
Inside NSA, intelligence analysts tracked Sandworm by a different name: It was one of several departments working under Unit 74455, a division of Russian General Staff Main Intelligence Directorate, the GRU.
Hultquist’s team celebrated the publication of their Sandworm findings that October inside iSight’s SCIF—actually a windowless bar with Miller Lite beer on tap.
Two weeks after Trend Micro published its alarming addendum to Hultquist’s findings, DHS sounded the sirens further. Sandworm, the agency warned in an October 29, 2014, security advisory, wasn’t just after General Electric’s clients. It was also targeting clients of two other industrial control software makers: Siemens, the same company the United States and Israelis had hijacked in the Stuxnet attack, and Advantech, one of the leading “Internet of Things” enablers in the world.
DHS made clear that as early as 2011, Sandworm had started embedding itself in the computers that control the world’s critical infrastructure, not just in Ukraine and Poland but in the United States as well. Sandworm had not yet used this vast access for destruction, but reading the report that October, it became clear that is what Moscow had planned.
It wasn’t just Heartbleed. Daniel was still picking up after Snowden. North Korea had struck Sony Pictures on his watch. “I have Kim Jong-un to thank for the fact I didn’t spend Christmas with my family,” he told me. It was his phone that rang at 3:00 A.M. when Iranians breached the (wrong) Bowman Dam. It was Daniel who ran point on China’s recent hack of OPM. And now, right below our feet, a Russian hacking unit—a division of the old KGB now known as the SVR—was winding its way through computers at the State Department, the White House, the Joint Chiefs of Staff—and, though neither of us knew ...more
“Governments are starting to say, ‘In order to best protect my country, I need to find vulnerabilities in other countries,’ ” Schmidt told me before his passing. “The problem is that we all fundamentally become less secure.”
The VEP Daniel now oversaw was designed to weigh the competing interests involved in keeping Americans safe. On the one hand, retaining a zero-day vulnerability undercuts our collective cybersecurity. On the other, disclosing a zero-day so vendors can patch it undercuts intelligence agencies’ ability to conduct digital espionage, the military’s ability to carry out offensive cyberattacks, and law enforcement to investigate crimes. This calculation was far simpler back in the day when we were all using different typewriters.
The process was, Daniel conceded, more art than science. He would never say it, but given the vast resources U.S. intelligence agencies were now pouring into offense, and the intelligence a zero-day could render on imminent terrorist attacks or North Korean missile launches, the process would always weigh more heavily on hoarding a zero-day than turning it over for patching. But as more hospitals, nuclear plants, stock exchanges, airplanes, cars, and parts of the grid came online, the VEP discussions could get ruthless.
It was an NSA computer algorithm that had come up with the name, but Eternal ended up being a fitting moniker for a set of zero-day exploits that would haunt Daniel, the NSA, and American businesses, towns, and cities for years to come. One of those exploits, EternalBlue, targeted critical bugs in a Microsoft software protocol called the server message block (SMB). The protocol enabled computers to pass information, like files or printer services, from server to server at internet speed.
Daniel never spoke of EternalBlue, or any other exploit, directly. But in a reflective moment years later, he conceded there were some VEP decisions he had come to regret. And once EternalBlue had been picked up by not one adversary but two and used to wreak billions of dollars of destruction around the globe, it was safe to assume the decision to withhold the Microsoft zero-days for seven years was one of them.
Back in St. Petersburg, Putin’s propaganda machine, known as the Internet Research Agency, was just sputtering up. The Russians code-named their creation the Translator Project, and its stated goal was to “spread distrust toward the candidates and the political system in general.” Putin nominated his former chef—a burly bald man named Yevgeny Prigozhin, who spent nine years in prison for fraud before working his way from a hot-dog salesman to Putin’s confidante—to oversee Russia’s information warfare campaign from an unassuming four-story building just off Red Square. With a ...more
With Krylova’s field guide in hand, Russia’s trolls started in on Texas and spread out from there. In September 2014 the IRA launched a Heart of Texas Facebook group and started pumping out pro-Texan secessionist memes, #texit hashtags, and the usual scare tactics: Hillary Clinton was coming to take their guns away, and the like. Within a year the group had generated 5.5 million Facebook likes. Then, in a countermove, the IRA created a separate Facebook group, the United Muslims of America, and promoted rallies and counterrallies outside the Islamic Da’wah Center in Houston. Demonstrators from ...more
In Florida, the IRA paid an unwitting Trump supporter to build a cage on the back of a flatbed truck, and paid an actress to dress up as Clinton and sit in the cage at a rally while crowds chanted, “Lock her up.” When that took off, they promoted rallies in Pennsylvania, New York, and California. By the time the IRA campaign was fully revealed, years later, Putin’s trolls had reached 126 million Facebook users and received 288 million Twitter impressions—a staggering number, given that there are only 200 million registered voters in the United States, and only 139 million voted in 2016.
That March, Fancy Bear’s Russian hackers had sent John Podesta, Hillary Clinton’s campaign chairman, a fake Google alert, declaring that he had to change his Gmail password. Podesta had forwarded the email to the DNC’s IT staff for vetting, and in what would become the most tragic typo in American election history, a campaign aide wrote back, “This is a legitimate email.” He had intended to type “illegitimate,” but the damage was done.
Guccifer 2.0’s hacking alias and Illuminati reference were all part of an elaborate Russian cover story. The original Guccifer (pronounced GUCCI-fer) was a real person: Marcel Lazar Lehel, a Romanian cybercriminal who used the pseudonym to hack members of the Bush family, Hillary Clinton’s Benghazi memos, and Colin Powell’s website. He made headlines with his leak of paintings George W. Bush had painted of himself in the shower. Lehel was known for fixating on the Illuminati, a shadowy “deep state” that conspiracy theorists believe controls the world. Lehel had been arrested in Romania two ...more
A number of longstanding voting trends either reversed or stalled in 2016. Black voter turnout—the very constituency Russian trolls aggressively targeted—declined sharply in 2016 for the first time in twenty years.
Of course, conservative political strategists argue Democrats vastly underestimated how deeply disliked Clinton was to begin with. But we’ll likely never know how much Russia’s daily barrage of anti-Clinton memes, simulated rallies, and bots kept would-be Clinton voters at home or created such a dark cloud over her candidacy that it pushed them to vote third-party.
The Twitter account claimed to have intercepted cyberweapons belonging to the “The Equation Group.” The Equation Group—like CrowdStrike’s silly naming convention for Russian hacking units Cozy Bear and Fancy Bear—was the Russian firm Kaspersky’s name for the NSA’s elite hacking squad, TAO. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyberweapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write ...more
But as NSA operators, security researchers, and hackers all over the world started teasing the file apart, it became clear this was the real deal. The trove contained zero-day exploits that could invisibly break through the firewalls sold by Cisco, Fortinet, and some of the most widely used firewalls in China. I immediately called up every former TAO employee who would pick up their phone.