In Modern Cyber War, the Spies Can Become Targets, Too
Former intelligence officials fear hackers are taking a new tack: exposing the identities of the NSA computer-hacking team
By Robert McMillan and Shane Harris May 24, 2017 5:30 a.m. ET
The mysterious hacking group that supplied a critical component of the WannaCry “ransomware” software attack that spread across the globe in mid-May has been releasing alleged National Security Agency secrets for the past eight months.
Former intelligence officials now fear that the hackers, who go by the name Shadow Brokers, are taking a new tack: exposing the identities of the NSA’s computer-hacking team. That potentially could subject these government experts to charges when traveling abroad.
The Shadow Brokers on April 14 posted on a Russian computer file-sharing site what they said were NSA files containing previously unknown attack tools and details of an alleged NSA hack affecting Middle Eastern and Panamanian financial institutions.
But something went largely unnoticed outside the intelligence community. Buried in the files’ “metadata”—document properties that most viewers never display but that typically record who created and last edited a file—were four names. It isn’t clear whether the names were published intentionally or whether the files were doctored. At least one person named in the metadata worked for the NSA, a person familiar with the matter said.
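The passage above turns on where a file’s creator and editor names actually live. The script below is an added example written for this page, not code from the article, the Shadow Brokers release, or any agency tool. It builds a minimal Word document in memory (the document, its text and the placeholder names in it are constructed for the example), shows the two Office core-property fields that carry identities, and rewrites the archive with those fields emptied, which is the check a release process should run before anything leaves the building. The field names and namespaces are the ones in the OOXML specification; the sample names are invented.

```python
"""
Added example: find and strip the identity fields in a .docx before publication.

A .docx is a zip archive. docProps/core.xml carries Dublin Core style properties,
of which dc:creator (original author) and cp:lastModifiedBy (last editor) name
people. The sample document below is constructed inline so this runs offline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
# Properties that identify a person. Timestamps are left alone here, but a real
# redaction pass should review dcterms:created/modified and docProps/app.xml too.
IDENTITY_FIELDS = ("dc:creator", "cp:lastModifiedBy")

# Constructed core.xml; "analyst.one" and "editor.two" are placeholders.
CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:title>Operational notes</dc:title>
 <dc:creator>analyst.one</dc:creator>
 <cp:lastModifiedBy>editor.two</cp:lastModifiedBy>
 <dcterms:created xsi:type="dcterms:W3CDTF">2016-01-05T10:00:00Z</dcterms:created>
</cp:coreProperties>""".format(**NS)

CONTENT_TYPES = (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/docProps/core.xml" '
    'ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
    "</Types>"
)
DOCUMENT_XML = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    "<w:body/></w:document>"
)


def build_sample_docx() -> bytes:
    """Constructed minimal .docx with only the parts needed to show the metadata."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def extract_identities(docx_bytes: bytes) -> dict:
    """Return the person-identifying core properties that are non-empty."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))
    found = {}
    for field in IDENTITY_FIELDS:
        el = root.find(field, NS)
        if el is not None and el.text:
            found[field] = el.text
    return found


def strip_identities(docx_bytes: bytes) -> bytes:
    """Rewrite the archive with identity fields emptied; other parts are copied as-is."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)  # keep the conventional prefixes on output
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        root = ET.fromstring(src.read("docProps/core.xml"))
        for field in IDENTITY_FIELDS:
            el = root.find(field, NS)
            if el is not None:
                el.text = ""
        cleaned = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
                   + ET.tostring(root, encoding="unicode"))
        for info in src.infolist():
            data = cleaned if info.filename == "docProps/core.xml" else src.read(info.filename)
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", extract_identities(sample))
    print("after: ", extract_identities(strip_identities(sample)))
```

Emptying the fields rather than deleting the elements keeps the part schema-valid; the same walk applies to docProps/app.xml (Company, Manager) and, for PDFs, to the Info dictionary and XMP packet, which are the other usual places a creator name survives.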
Additionally, the hacking group in April sent several public tweets that seemingly threatened to expose the activities of a fifth person, former NSA employee Jake Williams, who had written a blog post speculating the group has ties to Russia.
The U.S. government hasn’t commented on the authenticity of the Shadow Brokers’ releases. Security experts who have examined the documents believe they contain legitimate information, including code that can be used in hacks, as well as the names of the files’ creators and editors.
An NSA spokesman declined to say whether the names, documents and tools released by the Shadow Brokers came from the agency.
For people who work in the intelligence community, having their identities or the work they have done outed is a significant concern, said Robert M. Lee, chief executive of cybersecurity firm Dragos Inc. and a former member of the intelligence community.
Because nation-state hackers might run afoul of other countries’ laws while discharging their duties, they could, if identified, face charges when outside their country. So, to keep their own people safe, governments for decades have abided by a “gentleman’s agreement” that allows government-backed hackers to operate in anonymity, former intelligence officials say.
The Shadow Brokers “made this personal,” Mr. Lee said. He believes the group left names in the metadata either because the group doesn’t care about redacting sensitive information, or because they wanted the names public.
Attempts to contact the Shadow Brokers weren’t successful. In blog posts, the group has denied any government affiliation, presenting themselves as anarchic hackers cut in the mold of the Anonymous collective. They first appeared in August of last year, releasing purported NSA documents.
Some former intelligence officials suggested the U.S. prompted the outing of state-sponsored hackers when it indicted five Chinese military hackers by name in 2014, and more recently brought charges against two officers with Russia’s Federal Security Service over a 2014 Yahoo Inc. breach.
By exposing cyberagents, the Shadow Brokers appear to be taking a page from the U.S. playbook, said Mr. Williams, who worked for the NSA’s Tailored Access Operations hacking group until 2013. An NSA spokesman said the agency doesn’t comment about “most individuals’ possible current, past or future employment with the agency.”
“We’ve fired first,” Mr. Williams said, referring to the U.S. charging the alleged Chinese hackers by name. “This is us taking flak.”
Current and former Justice Department officials said the 2014 indictment and a 2015 cyber pact between the U.S. and China were meant to serve as a line in the sand to deter nation-state hackers from breaking into U.S. companies for economic gain. The point was to say “this type of behavior was not and should not be condoned,” said Marc Raimondi, a U.S. Justice Department spokesman.
Government investigators are treating the Shadow Brokers documents as authentic, according to people familiar with the matter. Earlier this month, Microsoft’s chief lawyer, Brad Smith, asserted the computer code used in the WannaCry worm, a ransomware attack that held hundreds of thousands of computer files hostage, was “stolen from the National Security Agency.”
While the Shadow Brokers claim to be anarchic hackers, many intelligence experts, including Mr. Williams and NSA leaker Edward Snowden, believe they are backed by Russia. “Circumstantial evidence and conventional wisdom indicates Russian responsibility,” Mr. Snowden wrote in an Aug. 16 tweet.
A spokesman for the Russian Embassy declined to comment on the allegation. Russia previously said allegations that it has hacked the U.S. government are false.
The documents revealed jealously guarded tactics and techniques the NSA uses to access computer systems, said people familiar with the government investigation, who described the damage to intelligence operations as significant.
For example, the files include source code for software designed to give its creators remote access to hacked machines and to evade detection by antivirus software. If the code was created by the NSA, it now gives security professionals a digital fingerprint they can use to identify NSA activity that predates the leak.
That could prove disruptive to NSA activities, forcing the agency to consider pulling its software from others’ networks and taking other steps to erase its tracks. And while the information could help companies determine whether they have been hacked by the NSA, it could also be used to create more malicious software. The Shadow Brokers tools, for example, are now being used to install malicious software such as WannaCry on corporate networks.
Mr. Williams initially thought the Shadow Brokers had access only to a limited set of NSA tools. His assessment changed after three tweets directed at him April 9 included terms suggesting the group had “a lot of operational data or at least operational insight” into his work at the NSA, he said.
The tweets, which are public, are cryptic. They express displeasure over an article Mr. Williams wrote attempting to link the Shadow Brokers to Russia. They also mention apparent software code names, including “OddJob” and “Windows BITS persistence.”
Mr. Williams declined to comment on the specifics of his former NSA job, but said some of the terms in the Shadow Brokers’ tweets reflected an understanding of the work he did there, and therefore a threat to expose his activities.
OddJob is a reference to software released by the Shadow Brokers five days after the tweets. “Windows BITS persistence” presumably refers to using the Windows Background Intelligent Transfer Service to keep a foothold on a machine, but what specific tool or activity the group meant by the phrase hasn’t been publicly explained.
In one tweet to Mr. Williams, the Shadow Brokers said the group isn’t in the “habit of outing” NSA hackers but had singled out Mr. Williams “for big mouth.”
“I did a lot of stuff for them [the NSA] that I always assumed would remain not in the public view,” Mr. Williams said.
With the Shadow Brokers threatening to release new documents in June, those worries aren’t abating. Based on an online post from the hacking group last week, “I’m concerned that they do have additional data about me and others that they may be about to release,” Mr. Williams said.