A screenshot of the WannaCry ransomware demand. Since Friday, the National Security Agency has watched as malicious software based on its creations spread across the world, spurring frustration and chaos in some 150 countries. REUTERS PIC

SINCE August, when a mysterious group calling itself the Shadow Brokers announced that it was auctioning off highly classified National Security Agency (NSA) hacking tools, a low-grade panic seized the nation’s largest intelligence agency.

In April, when the Shadow Brokers dumped dozens of the agency’s software exploits on the web, free to criminals and foreign spies alike, the clock began ticking towards inevitable calamity. And, since Friday, the agency has watched as malicious software based on its creations spread across the world, shutting down hospitals, disrupting rail traffic and spurring frustration and chaos in some 150 countries.

“For half a century, NSA pried into other people’s secrets,” said Amy B. Zegart, a Stanford University professor who studies intelligence agencies. “Now they’re suddenly sitting ducks who have their secrets stolen and used around the world.”

The weekend’s ransomware attack is only the latest in a series of trials for the agency. In 2005, the revelation by The New York Times that the NSA was eavesdropping inside the United States without court orders set off a year-long debate over privacy and led to new legal limits on surveillance.

In 2013, Edward Snowden gave journalists hundreds of thousands of NSA documents he had taken as a contractor, igniting a global debate over the agency’s targeting of allies as well as foes. Last August, shortly after the Shadow Brokers’ debut, a veteran intelligence contractor, Harold T. Martin III was charged with walking out of the NSA and other agencies with a staggering 50 terabytes of confidential
data.

Michael V. Hayden, the director of the NSA from 1999 to 2005, said he had defended it for years in debates over civil liberties. “But I cannot defend an agency having powerful tools if it cannot protect the tools and keep them in its own hands,” he said.

He said the loss of the so-called malware, and the damage it has caused, “poses a very serious threat to the future of the agency”.

The latest nightmare for the agency, which is responsible for eavesdropping, code breaking and cyberespionage, appears to be far from over. Early Tuesday, a post purportedly from the Shadow Brokers announced that it was starting a sort of hack-of-the-month club.

“TheShadowBrokers is launching new monthly subscription model,” said the post, in the faux broken English that the group has repeatedly used in public statements. “Is being like wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month. What members doing with data after is up to members.”

The mocking tone — the post’s title, “OH LORDY! Comey Wanna Cry Edition,” referred to President Donald Trump’s firing of the Federal Bureau of Intelligence (FBI) director, James Comey, and the ransomware known as WannaCry — could not disguise the deadly serious nature of the threat. Software experts said that the group’s dump of NSA tools in April included additional exploits that are “wormable” — meaning they could spread rapidly, like the ransomware attack — and that it might well have more NSA malware it has not yet released.

The Shadow Brokers saga began in mid-August with a cryptic announcement on Pastebin.com of an online auction of hacking tools taken from the Equation Group, a tech industry name for the NSA’s hacking division, officially called Tailored Access Operations. A few samples were listed to encourage bids.

“We auction best files to highest bidder,” the note said.

The announcement created a scramble in the intelligence world to assess the damage and to find the source.

There were at least three theories: that Russian hackers had somehow swiped the tools from the agency or a contractor; that NSA operators had inadvertently left them unguarded on a “staging server” used to conduct espionage; or that a disgruntled insider had leaked or sold the malware.

The last scenario — an insider leak from among the 35,000 NSA employees and thousands more contractors — is now in the lead, officials say. About the time the leak hunt began, the FBI arrested Martin, a veteran intelligence contractor who had worked at the NSA, including in its Tailored Access Operations unit.

An NSA employee was arrested in 2015 but never identified, according to officials who spoke on the condition of anonymity. That employee’s possible role in leaks remains unclear.

Martin was not charged with sharing the tools. It is uncertain what charges have been filed against the second person.

The Shadow Brokers found few bidders for their stolen wares. They offered a few more announcements, including screenshots of computer code, without stirring up sales.

Then, in March, apparently after being tipped off by the NSA, Microsoft offered customers a patch that would protect against some of the NSA exploits. Fearing that the window for using the stolen malware was closing, on April 14, the Shadow Brokers simply dumped a list of dozens of the NSA files on github.com, a site for programmers. The group gave the password to find the malware on a cloud site, Yandex Disk, and issued an announcement on steemit.com.

“Is being too bad nobody deciding to be paying theshadowbrokers for just to shutup and going away,” the notice said. “TheShadowBrokers rather being getting drunk with McAfee,” an apparent reference to the anti-virus company, “on desert island with hot babes.”

BinaryEdge, a Zurich cybersecurity company, began picking up machines around the world infected with an NSA exploit called DoublePulsar.

The total reached 106,000 on April 21; 244,000 on April 25; and, 429,000 on April 27.

“It was a prewarning of what was to come,” said Tiago Henriques, the chief executive of BinaryEdge.

Using another exploit, called EternalBlue, attackers began targeting vulnerable machines with a self-replicating software “worm” that locked files and posted a ransom demand.

Even the April release of NSA exploits is not close to exhausted, according to several cyberspecialists. On the underground dark web, they said, another NSA tool has been weaponised and offered for sale, and hackers are discussing how to use another dozen agency exploits.

The writer is a reporter in the Washington bureau of The New York Times, where he has written about national security and other topics.

273 reads