This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

by Nicole Perlroth

Putin laid down only two rules for Russia’s hackers. First, no hacking inside the motherland. And second, when the Kremlin calls in a favor, you do whatever it asks. Otherwise, hackers had full autonomy.

The crux of Putin’s foreign policy was to undercut the West’s grip on global affairs. With every hack and disinformation campaign, Putin’s digital army sought to tie Russia’s opponents up in their own politics and distract them from Putin’s real agenda: fracturing support for Western democracy and, ultimately, NATO—the North Atlantic Treaty Organization—the only thing holding Putin in check.

Russian hackers had infiltrated the Pentagon, the White House, the Joint Chiefs of Staff, the State Department, and Russia’s Nashi youth group—either on direct orders from the Kremlin or simply because they were feeling patriotic—knocked the entire nation of Estonia offline after Estonians dared to move a Soviet-era statue. In one cyberattack Russian hackers, posing as Islamic fundamentalists, took a dozen French television channels off the air. They were caught dismantling the safety controls at a Saudi petrochemical company—bringing Russian hackers one step closer to triggering a cyber-induced explosion. They bombarded the Brexit referendum, hacked the American grid, meddled with the 2016 U.S. elections, the French elections, the World Anti-Doping Agency, and the holy goddamn Olympics.

Starting in 2016, the U.S. National Security Agency’s own cyber arsenal—the sole reason the United States maintained its offensive advantage in cyberspace—was dribbled out online by a mysterious group whose identity remains unknown to this day. Over a period of nine months a cryptic hacker—or hackers; we still don’t know who the NSA’s torturers are—calling itself the Shadow Brokers started trickling out NSA hacking tools and code for any nation-state, cybercriminal, or terrorist to pick up and use in their own cyber crusades.

On June 27, 2017, Russia fired the NSA’s cyberweapons into Ukraine in what became the most destructive and costly cyberattack in world history. That afternoon Ukrainians woke up to black screens everywhere. They could not take money from ATMs, pay for gas at stations, send or receive mail, pay for a train ticket, buy groceries, get paid, or—perhaps most terrifying of all—monitor radiation levels at Chernobyl. And that was just in Ukraine. The attack hit any company that did any business in Ukraine.

The Russians had used the NSA’s stolen code as a rocket to propel its malware around the globe. The hack that circled the world would cost Merck and FedEx, alone, $1 billion.

The documents were littered with NSA claims that the agency's hackers had access to nearly every piece of commercial hardware and software on the market. The agency appeared to have acquired a vast library of ways into every major app, social media platform, server, router, firewall, antivirus software, iPhone, Android, BlackBerry, computer, and operating system.

Greenwald was still reeling from a Times decision a decade earlier to delay publication of a 2004 story detailing how the NSA was wiretapping American phone calls without the court-approved warrants ordinarily required for domestic spying. The Times had held the story for a year after the Bush administration argued that it could jeopardize investigations and tip off suspected terrorists. Like Greenwald, Snowden was also furious with the Times for holding the story. That was the reason, Snowden said, that he had not brought the stolen NSA documents to the Times in the first place. He falsely assumed we’d sit on the trove or sit idly by as the government thwarted publication. So when Snowden and Greenwald learned that we had been brought into the project, James and Ewan told us, they were apoplectic.

Stuxnet—as the computer worm came to be called—had been discovered in bits and pieces in 2010 as it slithered its way through computers around the globe, using an unheard-of number of zero-day exploits, seven to be precise. Some were clearly designed to infect hard-to-reach—even offline—computers. One Microsoft zero-day allowed the worm to invisibly spread from an infected USB flash drive onto a computer undetected. Others allowed it to crawl across the network from there, climbing ever higher up the digital chain of command in search of its final destination: Iran’s Natanz nuclear plant, where it burrowed deep into the offline, or “air-gapped,” computers that controlled the rotors that spun Iran’s uranium centrifuges. And then, by remote command, Stuxnet silently spun some of Iran’s centrifuges out of control, while stopping others from spinning entirely. By the time Iran’s nuclear scientists discovered that a computer worm was responsible for the destruction of their centrifuges, Stuxnet had already destroyed a fifth of Tehran’s uranium centrifuges and set Iran’s nuclear ambitions back years.

The position most big companies—Hewlett-Packard, Microsoft, Oracle, Sun Microsystems—took at the time was that anyone who drew attention to a flaw in their products should be prosecuted or sued for tampering. Microsoft executives called it “information anarchy” and at one point compared hackers who dropped bugs on BugTraq and at hacking conventions to terrorists “who throw pipe bombs into children’s playgrounds.” That year, 2002, representatives from the major tech companies convened at the annual Def Con conference in Vegas to lay down the law. Since Def Con was founded in 1993, the conference had become a forum where hackers could present all the ways they could break into companies’ products. But recently the companies felt the hackers had gone too far. They were sick of getting called out and shamed on stage. That year, they banded together in Vegas to come up with a new approach to hackers and their bugs. It essentially boiled down to: “Give your bugs to us first. Or we’ll sue your ass.”

In late 1995 the CIA created a special working group to assess the agency’s readiness to utilize the web as an intelligence tool. The group’s principal finding was that the CIA was woefully underprepared for this brave new world. The same was true at the other intelligence agencies, who were even further behind, with significantly smaller budgets and few people on staff with the skills to find zero-days and code them into reliable exploits. A growing number of agencies started looking to buy their way into these capabilities.

Apple has always insisted that its strict vetting procedures keep malware, spyware, and spam out of its iTunes store. Charlie famously trashed that myth when he submitted a fake stock-ticker app with a glaring security hole that allowed it to infect other apps on the iPhone, just to see if Apple would notice. Apple’s vetters missed the hole, and when Apple learned from news articles that Charlie’s app was a Trojan horse, they blacklisted him. The episode earned Charlie infamy in hacker circles and a nickname, Zero-Day Charlie.

What Charlie found late one evening in 2006 was the type of bug most could spend a lifetime searching for and never find—the kind of zero-day that could have allowed him to run amok through NASA’s computer systems or hijack the password to a Russian oligarch’s trading account.

The account holder’s information—name, address, bank, even signature—had been redacted to protect the unnamed agency Charlie had sold his exploit to. But over the course of half an hour, Charlie relayed to an audience of economists and academics how he had gone about selling his zero-day to Uncle Sam. For the first time, the secret was out: the U.S. government was willing to pay hackers—quite a bit, as it turned out—to turn over vulnerabilities in the products and leave their customers—including American citizens—vulnerable in the process. And the government was doing so with money from taxpayers, the very people the government was charged with protecting.

From Redmond to Silicon Valley, technology executives at Microsoft, Adobe, Google, Oracle, and Cisco combed through Charlie’s paper with a mix of alarm and agitation. He had only confirmed what executives had long suspected: their own government was perfectly willing to throw them, and their customers, under the bus in the name of national security.

The conventional wisdom had always been that the iPhone—with its sleek design and closely held code—was more secure than the alternatives. But Charlie blew a hole right through that theory. He demonstrated before an audience of hundreds how easily he could remotely control anyone’s iPhone simply by steering their browser to a malicious website he created.

Another eight months later, he did it again, hacking Apple’s MacBook Air in less than two minutes. He changed his Twitter bio to “I’m that Apple 0day guy.” When Google unveiled a beta-version of its Android operating system that year, Charlie couldn’t help himself. He broke it almost immediately with an exploit that made it possible to remotely capture an Android user’s every keystroke, text, password, email, anything they did on their phone.

The big vendors—Google, for Christ’s sake—still had it wrong. They would rather bury their head in the sand and threaten hackers than work with them to secure their products. Charlie cut off communications with Google and took his exploit to the New York Times, which wrote about his discovery. And he vowed never to give Google, or anyone else for that matter, another free bug. Google’s Android executives had just started a movement, even if they didn’t know it yet.

February 1984, President Reagan personally approved what would come to be known as Project Gunman, a classified six-month NSA effort to remove every single piece of electrical equipment from the U.S. embassy in Moscow, bring it back to Fort Meade for examination, and replace it with equipment the agency could guarantee was not bugged.

There on the X-ray film, he could see that inside an unassuming metal bar that ran the length of the typewriter was the most sophisticated exploit he, hell, anyone at the agency, had ever seen. The bar contained a tiny magnetometer, a device that measures the slightest distortions in the earth’s magnetic field. The magnetometer was converting the mechanical energy from each typewritten keystroke into a magnetic disturbance. And next to it was a tiny electronic unit recording every disturbance, cataloging the underlying data, and transmitting the results in short bursts via radio to a nearby Soviet listening post. The entire implant could be controlled by remote control and had been specifically designed to allow the Soviets to turn it off when American inspectors were in the area.

Organizations can’t stop the world from changing. The best they can do is adapt. The smart ones change before they have to. The lucky ones manage to scramble and adjust, when push comes to shove. The rest are losers, and they become history.

In the mid-fifties, the CIA and their British counterpart, the MI6, undertook a monumental effort known as Operation Regal to intercept a buried Soviet cable in East Berlin. They managed to covertly build a 1,400-foot tunnel underneath Berlin, where they accessed East European and Soviet communications for more than a year before the Russians discovered it. Later, in a joint NSA-CIA-Navy operation in the seventies, Operation Ivy Bells, American divers successfully tapped a Soviet communications cable on the sea floor, just north of Japan. Believing the cable was out of American reach, the Soviets barely bothered to encrypt anything that funneled through it. For years the NSA was able to filch Soviet secrets off their cable tap, until a double agent—one of the NSA’s own analysts—tipped the KGB off to the American’s deep-sea intelligence program in 1981.

Little Boy—the very first nuclear weapon America dropped in war—killed eighty thousand people on Hiroshima. But the destruction could have been much worse—only 1.38 percent of its nuclear core fissioned. Three days later, when Americans dropped their second bomb—codename “Fat Man”—on Nagasaki, it accidentally detonated one mile off target, though it still managed to kill forty thousand. A 1954 test of a hydrogen bomb in the Bikini atoll produced a yield of fifteen megatons—triple the amount America’s nuclear scientists anticipated—blanketing hundreds of square miles in the Pacific—and, as a result, America’s own weapons observers—with lethal radioactive fallout.

In 1967—nine years before the first email would traverse the internet—a computer pioneer by the name of Willis H. Ware outlined the myriad vulnerabilities in modern computer systems and all the ways they could lead to classified information leaks or be exploited for espionage. His so-called Ware Report proved a catalyst for the Pentagon to convene a Defense Science Board task force to study computer security. That task force came to several ominous conclusions, chief among them: “Contemporary technology cannot provide a secure system in an open environment.”

The Anderson Report concluded that computers provided would-be attackers with a “unique opportunity for attempting to subvert” their systems and access their underlying data. “Coupled with the concentration of the application (data control systems, etc.) in one place” (the computer system), that capability “makes computers a uniquely attractive target for malicious (hostile) action.” The design of hardware and software systems was “totally inadequate to withstand attack,” the report concluded; and if one malicious user could control a single computer node, “the entire network may be compromised.” The only limits to attack were attackers’ own imagination and skill.

Compared to the outsize role Snowden would come to play in the public’s imagination, his role, and access, inside NSA was actually quite limited. “Snowden was a low-level admin,” one former TAO hacker told me. “The NSA’s capabilities were far, far more expansive than what Snowden revealed.”

But nothing changed the surveillance game more than Apple’s unveiling of the first iPhone in 2007. TAO hackers developed ways to track an iPhone user’s every keystroke, text message, email, purchase, contact, calendar appointment, location, and search, and even capture live audio and video feeds of her life by hijacking her phone camera or hot-miking her microphone. The NSA swallowed up mobile alerts from travel companies—flight confirmations, delays, and cancellations—and cross-matched them with itineraries of other targets. An automated NSA program called Where’s My Node? sent analysts an email anytime an overseas target moved from one cell tower to another. TAO was now conducting instant, total invasion of privacy with minimal effort. And, until Snowden, iPhone users seemed blissfully oblivious to their invisible NSA ankle bracelet.

Americans only caught their first glimmer of what the NSA was up to when San Antonians started complaining on neighborhood forums that their garage doors were opening and closing at random. Some filed police reports, believing neighborhood thieves were to blame. But the cops were at a loss. The incidents forced the NSA to make a rare admission that a rogue agency antenna was to blame. It was inadvertently interacting with old makes of garage door openers.

Mike McConnell, the former director of national intelligence, would later tell me, “In looking at any computers of consequence—in government, in Congress, at the Department of Defense, aerospace, companies with valuable trade secrets—we’ve not examined one yet that has not been infected,” by China.

lives.” By 2008 the NSA feverishly began removing human decision-making—and with it any complicated moral calculus—from their work. A highly classified NSA software program code-named Genie began aggressively embedding implants not just in foreign adversaries’ systems but in nearly every major make and model of internet router, switch, firewall, encryption device, and computer on the market.

By 2013 Genie was managing 85,000 implants—four times the number of implants it had managed five years earlier—according to U.S. intelligence budgets, with plans to push that number into the millions. While three-quarters of those implants still prioritized targets in Iran, Russia, China, and North Korea, TAO had become far less discriminate. In a secret post to an internal NSA message board, leaked by Snowden, an NSA operative described the new high-priority target: foreign IT systems administrators whose administrative credentials gave them broad access to hundreds of thousands, if not millions, of more potential targets still. Each NSA implant began pulling back huge volumes of foreign secrets in the form of text messages, emails, and voice recordings, previously unimaginable to digital exploitation pioneers like Gosler.

Even as American officials were publicly accusing China of embedding trapdoors in Huawei’s products, my Times colleague David Sanger and I learned from leaked classified documents that the NSA had pried its way into Huawei’s headquarters in Shenzhen, years ago, stolen its source code, and planted its own backdoors in the company’s routers, switches, and smartphones.

But the NSA did not stop at Huawei. Shotgiant expanded into the hacking of two of China’s largest cellular networks, which were now riddled with NSA implants too. At the time our story broke in 2014, classified documents made clear that the NSA was still working on new implants and malware—tools that could sniff out voices of interest on Chinese cell networks, capture select cuts of their conversations, and siphon them back to Fort Meade, where teams of NSA translators, decoders, and analysts broke them down for critical intelligence. In short, the NSA was doing everything it accused Beijing of doing, and then some. By 2017 the agency’s voice recognition and selection tools had been widely deployed across Chinese mobile networks. And the United States was not just hacking into China. Hundreds of thousands of NSA implants were deeply embedded in other foreign networks, routers, switches, firewalls, computers, and phones around the globe. Many were actively siphoning texts, emails, and conversations back to the agency’s server farms every day. Many others were sleeper cells, dormant until called upon for a rainy day or some future shutdown—or all-out cyberwar.

The world was now using the same Microsoft operating systems, Oracle databases, Gmail, iPhones, and microprocessors to power our daily lives. Increasingly, NSA’s work was riddled with conflicts of interest and moral hazards. Nobody seemed to be asking what all this breaking and entering and digital exploitation might mean for the NSA’s sponsors—American taxpayers—who now relied on NSA-compromised technology not only for communication but for banking, commerce, transportation, and health care. And nobody apparently stopped to ask whether in their zeal to poke a hole and implant themselves in the world’s digital systems, they were rendering America’s critical infrastructure—hospitals, cities, transportation, agriculture, manufacturing, oil and gas, defense; in short, everything that undergirds our modern lives—vulnerable to foreign attacks. There are no patents on vulnerabilities, exploits, and malware. If NSA found a way to exploit a digital system, there was a good chance that one day, months or years down the road, other bad actors would discover and exploit those very same weaknesses.

American companies, towns, and cities were proving themselves to be massively vulnerable. Even a short list of recent cyberattacks—the Russian compromise of the Pentagon’s classified and unclassified networks in 2008; a series of 2009 North Korean attacks that jammed the websites of the Treasury Department, the Secret Service, the Federal Trade Commission, the Department of Transportation, the Nasdaq, and the New York Stock Exchange; the nonstop Chinese raids on American military and trade secrets—illustrated the problem. Any adversary that wanted to do U.S. interests harm in the cyber realm was achieving its goals. America’s vulnerabilities were manifold, its defenses inadequate, and the attack surface was only expanding with every new computer, phone, and PLC coming online.

With Stuxnet under way in June 2009, the Obama administration created a dedicated Cyber Command at the Pentagon for offensive cyberattacks. More hacking—not better defenses—was the Pentagon’s response to the Russian attacks on its own classified networks. The success of Stuxnet, however short-lived, meant there was no going back. By 2012 the U.S.’s three-year-old Cyber Command’s annual budget had tripled from $2.7 billion to $7 billion (plus another $7 billion for cyberactivities across the Pentagon), while its ranks swelled from nine hundred dedicated personnel to four thousand, and eventually fourteen thousand by 2020. Starting in 2012, Obama ordered his senior intelligence officials to produce a list of foreign targets—“systems, processes and infrastructures”—for cyberattack, according to classified directives leaked by Snowden the following year. It is not clear whether the command planned to attack those targets, or if the Pentagon was just “preparing the battlefield,” but the directive made evident that attacking those targets could provide “unique and unconventional” ways “to advance national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.”

As the Trump administration would later learn first-hand—in its losing battle to blackball Huawei from next-generation mobile networks—no amount of government lobbying can halt globalization when it came to technology.

The NSA’s answer to this problem was a system called Nobody But Us (NOBUS). The premise behind NOBUS was that low-hanging fruit—vulnerabilities that could easily be discovered and abused by American adversaries—should be fixed and turned over to vendors for patching. But more advanced exploitation—the kind of advanced zero-days the agency believed only it had the power, resources, and skills to exploit—would remain in the agency’s stockpile and be used to spy on American enemies or degrade their systems in the case of a cyberwar.

With Trump’s strange affinity for dictators, his inability to hold Russia’s feet to the fire for its 2016 election interference, his abandonment of the Kurds, one of America’s closest allies, and his refusal to clearly condemn the Saudis’ gruesome killing of Washington Post columnist Jamal Khashoggi, America was losing its moral authority. (Even after a CIA assessment concluded that Saudi crown prince Mohammed bin Salman personally ordered the hit on Khashoggi, Trump responded, “Maybe he did and maybe he didn’t.”) With these cases piling up, one former VRL employee told me in late 2019, “It’s getting harder to know if you’re selling these tools to the good guys or enabling the bad.”

The closest the United States has ever gotten to controlling the export of hacking tools and surveillance technology is the Wassenaar Arrangement. Named for the Dutch town where the arrangement was originally signed in 1996, the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies was designed to replace the previous set of Cold War norms used by Western states to keep weapons and military technology from making their way to Russia, China, and their communist satellites. Wassenaar’s goal was to control the sale of conventional weapons systems and dual-use technologies—sophisticated computers, centrifuges, drones—from reaching despots in Iran, Iraq, Libya, and North Korea. Its original signatories included the United States and forty-one other countries, including most of Europe, Argentina, Australia, Canada, India, Japan, Mexico, New Zealand, Russia, South Africa, South Korea, Switzerland, Turkey, Ukraine, and the United Kingdom, and though the arrangement is nonbinding, member-states agree to establish and enforce their own domestic laws to control the sale of items on Wassenaar’s control list, which they update every December.

What NSO offered law enforcement was a powerful workaround, a tool to keep them from going blind. By hacking the “end points” of the communication—the phones themselves—NSO’s technology gave authorities access to data before and after it was encrypted on their target’s device. Not long after Caproni testified to Congress, Hulio and Lavie pivoted and began pitching their remote access technology as a surveillance tool. They called the tool Pegasus, and like the mythological winged horse it was named for, it could do the seemingly impossible: capture vast amounts of previously inaccessible data—phone calls, text messages, email, contacts, calendar appointments, GPS location data, Facebook, WhatsApp and Skype conversations—from the air without leaving a trace. Pegasus could even do what NSO called “room tap”: gather sounds and snapshots in and around the room using the phone’s microphone and video camera. It could deny targets access to certain websites and applications, grab screenshots off their phones, and record their every search and browsing activity. One of the biggest selling points was that the spyware was “battery conscious.” One of the few tells that you may have spyware on your device is a constantly draining battery. All that spying and siphoning can be a battery hog. But Pegasus came with a nifty trick. It could sense when it was killing battery life, shut itself down, and wait for a target to connect to WiFi before extracting any more data. This was, as far as ...

In some cases Pegasus still required a target to click on a malicious link, image, or message to download onto the phone, but increasingly it required no interaction at all. Digging through NSO’s pitch decks and proposals, the company marketed a new zero-click infection method that executives called “over the air stealth installation.” NSO did not detail how exactly it had accomplished this. In some cases they alluded to rigging public WiFi hot spots, but it appeared they could also hijack a target’s phone from long distances. However they did it, NSO’s zero-click infection method was clearly their secret sauce. And the Italians were petrified that it would put them out of business.

NSO had already installed Pegasus at three Mexican agencies: the country’s Center for Investigation and National Security, its attorney general’s office, and its department of defense. All told, the firm had sold the Mexicans $15 million worth of hardware and software, and they were now paying NSO some $77 million to track a wide array of targets. The UAE was locked in, too. And custom NSO proposals, brochures, and pitch decks made clear there was a long and growing waiting list of interested parties.

Chinese cyber theft took two tacks. The majority of hacking crusades were conducted by the China’s People’s Liberation Army’s Second and Third Departments. It was clear from their targets that various PLA units were assigned to hack foreign governments and ministries in specific geographic locales, or to steal intellectual property in distinct industries that benefited China’s state-owned enterprises and economic plans. The other approach was less direct and more episodic. Increasingly, high-ranking Chinese officials at China’s Ministry of State Security started outsourcing attacks on high-profile targets—political dissidents like the Dalai Lama, Uighur and Tibetan ethnic minorities, and high-profile defense contractors in the United States—to freelance hackers at Chinese universities and internet companies.

the most sophisticated attackers want the source code, the hieroglyphics created and admired by the engineering class. Source code is the raw matter for software and hardware. It is what tells your devices and apps how to behave, when to turn on, when to sleep, who to let in, who to keep out. Source code manipulation is the long game. Code can be stolen and manipulated today and, like an invisible hole in the wall of the Oval Office, bear fruit immediately or years into the future.

Everywhere the Chinese hackers had gone—high-tech companies, defense contractors—they were disturbingly successful at cracking source code repositories. With that access, they could surreptitiously change the code that made its way into commercial products and attack any customers who used the software.

The software needed to run all of Google’s services—from Google Search to Gmail to Google Maps—runs to an estimated two billion lines of code. By comparison, Microsoft’s Windows operating system, one of the most complex software tools ever built for a single computer, is estimated to contain some fifty million lines of code. McAfee never found hard evidence that China’s attackers altered the source code at any of their targets. But with so many of China’s victims in denial that they had been hacked, the only certainty was uncertainty.

The Chinese could have easily cracked those accounts by spraying them with possible passwords. But passwords can be changed. Hackers can be locked out after a series of wrong tries. The Chinese were looking for more permanent access. By stealing Google’s source code, China’s hackers could potentially implant backdoors into Gmail software, guaranteeing long-term access to any Gmail account of their choosing. And it became clear they were after their usual targets. Along with prodemocracy activists, China considers Tibetans, Uighur Muslims, pro-independence Taiwanese, and Falun Gong practitioners to be what the state calls the Five Poisons—groups the Chinese Communist party deems the biggest threat to their standing. China had reserved its best zero-day exploits and its top hackers to menace its own people.

Almost immediately after Google entered China in 2006, Brin found the compromise hard to stomach. Chinese officials demanded that Google sanitize search results for any mention of the Falun Gong, the Dalai Lama, and the bloody 1989 massacre at Tiananmen Square. That much Google had anticipated. But soon that list grew to include anything that offended the Chinese Communist Party’s taste and “socialist values”—talk of time travel, reincarnation, and later even Winnie-the-Pooh made the blacklist. When Mountain View didn’t move fast enough to block offensive content, Chinese officials took to calling Google “an illegal site.”

Compromising on censorship was one thing; being an unwitting accomplice to Chinese government surveillance was another. When Google entered China, Brin and Page had intentionally decided not to make its email or blogging platforms available to Chinese customers, out of fear that they would be forced to turn over a user’s personal information to the secret police. Two years earlier Yahoo had handed over a Chinese journalist’s personal information to the state, after he leaked details on Chinese press restrictions to a prodemocracy site run by Chinese exiles in New York. Yahoo’s former customer was now serving out a ten-year prison sentence.