In Modern Cyber War, the Spies Can Become Targets, Too
Former intelligence officials fear hackers are taking a
new tack: exposing the identities of the NSA computer-hacking team
By Robert McMillan and
Shane Harris May 24, 2017 5:30 a.m. ET
The mysterious hacking group that supplied a critical
component of the WannaCry “ransomware” software attack that spread across the
globe in mid-May has been releasing alleged National Security Agency secrets
for the past eight months.
Former intelligence officials now fear that the hackers,
who go by the name Shadow Brokers, are taking a new tack: exposing the
identities of the NSA’s computer-hacking team. That potentially could subject
these government experts to charges when traveling abroad.
The Shadow Brokers on April 14 posted on a Russian
computer file-sharing site what they said were NSA files containing previously
unknown attack tools and details of an alleged NSA hack affecting Middle
Eastern and Panamanian financial institutions.
But something went largely unnoticed outside the
intelligence community. Buried in the files’ “metadata”—a hidden area that
typically lists a file’s creators and editors—were four names. It isn’t clear
whether the names were published intentionally or whether the files were
doctored. At least one person named in the metadata worked for the NSA, a
person familiar with the matter said.
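The passage above turns on document metadata: the author and last-editor fields that office-suite files carry alongside their content, and that a careless release can leave intact. The article does not say which file format the leaked files used, so the following added example (not code from the article or from anyone it quotes) assumes the OOXML packaging used by .docx/.xlsx/.pptx files, where those fields live in `docProps/core.xml` as `dc:creator` and `cp:lastModifiedBy`. It builds a small constructed package in memory with made-up names, shows how a reviewer can list the identity fields before a file is shared, and how to blank them while leaving the rest of the package untouched.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by docProps/core.xml in OOXML packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
for prefix, uri in NS.items():
    # Keep the original prefixes when we serialise the edited XML.
    ET.register_namespace(prefix, uri)

CORE_PATH = "docProps/core.xml"

# Core properties that identify a person or user account.
IDENTITY_FIELDS = ("dc:creator", "cp:lastModifiedBy")


def build_sample_package() -> bytes:
    """Constructed sample: a minimal OOXML-style zip with made-up author names."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}">'
        "<dc:title>Quarterly notes</dc:title>"
        "<dc:creator>jdoe</dc:creator>"
        "<cp:lastModifiedBy>a.smith</cp:lastModifiedBy>"
        "<dcterms:created>2017-04-01T09:00:00Z</dcterms:created>"
        "</cp:coreProperties>"
    ).format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")  # placeholder, not a full manifest
        z.writestr(CORE_PATH, core)
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def extract_identities(package: bytes) -> dict:
    """Return {field: value} for every non-empty identity field in core.xml."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        if CORE_PATH not in z.namelist():
            return {}
        root = ET.fromstring(z.read(CORE_PATH))
    found = {}
    for field in IDENTITY_FIELDS:
        el = root.find(field, NS)
        if el is not None and el.text and el.text.strip():
            found[field] = el.text.strip()
    return found


def scrub_identities(package: bytes) -> bytes:
    """Return a copy of the package with identity fields blanked; other entries are copied as-is."""
    src = zipfile.ZipFile(io.BytesIO(package))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == CORE_PATH:
                root = ET.fromstring(data)
                for field in IDENTITY_FIELDS:
                    el = root.find(field, NS)
                    if el is not None:
                        el.text = ""
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item, data)
    return out.getvalue()


def read_entry(package: bytes, name: str) -> bytes:
    """Helper for checking that non-metadata content survives scrubbing."""
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        return z.read(name)


if __name__ == "__main__":
    original = build_sample_package()
    print("before release:", extract_identities(original))
    cleaned = scrub_identities(original)
    print("after scrub:   ", extract_identities(cleaned))
```

The check is what a release-review step would run over every file in a drop; the scrub keeps the document body byte-for-byte and only empties the two identity fields, so a reviewer can diff the before and after packages to confirm nothing else changed.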
Additionally, the hacking group in April sent several
public tweets that seemingly threatened to expose the activities of a fifth
person, former NSA employee Jake Williams, who had written a blog post
speculating the group has ties to Russia.
The U.S. government hasn’t commented on the authenticity
of the Shadow Brokers’ releases. Security experts who have examined the
documents believe they contain legitimate information, including code that can
be used in hacks, as well as the names of the files’ creators and editors.
An NSA spokesman declined to say whether the names,
documents and tools released by the Shadow Brokers came from the agency.
For people who work in the intelligence community, having
their identities or the work they have done outed is a significant concern,
said Robert M. Lee, chief executive of cybersecurity firm Dragos Inc. and a
former member of the intelligence community.
Because nation-state hackers might run afoul of other
countries’ laws while discharging their duties, they could, if identified, face
charges when outside their country. So, to keep their own people safe,
governments for decades have abided by a “gentleman’s agreement” that allows
government-backed hackers to operate in anonymity, former intelligence
officials say.
The Shadow Brokers “made this personal,” Mr. Lee said. He
believes the group left names in the metadata either because the group doesn’t
care about redacting sensitive information, or because they wanted the names
public.
Attempts to contact the Shadow Brokers weren’t
successful. In blog posts, the group has denied any government affiliation,
presenting themselves as anarchic hackers cut in the mold of the Anonymous
collective. They first appeared in August of last year, releasing purported NSA
documents.
Some former intelligence officials suggested the U.S.
prompted the outing of state-sponsored hackers when it indicted five Chinese
military hackers by name in 2014, and more recently brought charges against two
officers with Russia’s Federal Security Service over a 2014 Yahoo Inc. breach.
By exposing cyberagents, the Shadow Brokers appear to be
taking a page from the U.S. playbook, said Mr. Williams, who worked for the
NSA’s Tailored Access Operations hacking group until 2013. An NSA spokesman
said the agency doesn’t comment about “most individuals’ possible current, past
or future employment with the agency.”
“We’ve fired first,” Mr. Williams said, referring to the
U.S. charging the alleged Chinese hackers by name. “This is us taking flak.”
Current and former Justice Department officials said the
2014 indictment and a 2015 cyber pact between the U.S. and China were meant to
serve as a line in the sand to deter nation-state hackers from breaking into
U.S. companies for economic gain. The point was to say “this type of behavior
was not and should not be condoned,” said Marc Raimondi, a U.S. Justice
Department spokesman.
Government investigators are treating the Shadow Brokers
documents as authentic, according to people familiar with the matter. Earlier
this month, Microsoft’s chief lawyer, Brad Smith, asserted the computer code
used in the WannaCry worm, a ransomware attack that held hundreds of thousands
of computer files hostage, was “stolen from the National Security Agency.”
While the Shadow Brokers claim to be anarchic hackers,
many intelligence experts, including Mr. Williams and NSA leaker Edward
Snowden, believe they are backed by Russia. “Circumstantial evidence and
conventional wisdom indicates Russian responsibility,” Mr. Snowden wrote in an
Aug. 16 tweet.
A spokesman for the Russian Embassy declined to comment
on the allegation. Russia previously said allegations that it has hacked the
U.S. government are false.
The documents revealed jealously guarded tactics and techniques
the NSA uses to access computer systems, said people familiar with the
government investigation, who described the damage to intelligence operations
as significant.
For example, the files include source code for software
designed to give its creators remote access to hacked machines, and to evade
detection from antivirus software. If the code was created by the NSA, it now
gives security professionals a digital fingerprint they can use to track the
NSA’s activities prior to the leak.
That could prove disruptive to NSA activities, forcing
the agency to consider pulling its software from others’ networks and taking
other steps to erase its tracks. And while the information could help companies
determine whether they have been hacked by the NSA, it could also be used to
create more malicious software. The Shadow Brokers tools, for example, are now
being used to install malicious software such as WannaCry on corporate
networks.
Mr. Williams initially thought the Shadow Brokers had
access only to a limited set of NSA tools. His assessment changed after three
tweets directed at him April 9 included terms suggesting the group had “a lot
of operational data or at least operational insight” into his work at the NSA,
he said.
The tweets, which are public, are cryptic. They express
displeasure over an article Mr. Williams wrote attempting to link the Shadow
Brokers to Russia. They also mention apparent software code names, including
“OddJob” and “Windows BITS persistence.”
Mr. Williams declined to comment on the specifics of his
former NSA job, but said some of the terms in the Shadow Brokers’ tweets
reflected an understanding of the work he did there, and therefore a threat to
expose his activities.
OddJob is a reference to software released by the Shadow
Brokers five days after the tweets. “Windows BITS persistence” is a term whose
meaning isn’t publicly known.
In one tweet to Mr. Williams, the Shadow Brokers said the
group isn’t in the “habit of outing” NSA hackers but had singled out Mr.
Williams “for big mouth.”
“I did a lot of stuff for them [the NSA] that I always
assumed would remain not in the public view,” Mr. Williams said.
With the Shadow Brokers threatening to release new
documents in June, those worries aren’t abating. Based on an online post from
the hacking group last week, “I’m concerned that they do have additional data
about me and others that they may be about to release,” Mr. Williams said.