December 10, 2021

This Is How They Tell Me the World Ends by Nicole Perlroth


[This book is about cyber attacks/hacks carried out by nation-states globally]

For years classified national intelligence estimates considered Russia and China to be America’s most formidable adversaries in the cyber realm. China sucked up most of the oxygen, not so much for its sophistication but simply because its hackers were so prolific at stealing American trade secrets. The former director of the NSA, Keith Alexander, famously called Chinese cyber espionage the greatest transfer of wealth in history. The Chinese were stealing every bit of American intellectual property worth stealing and handing it to their state-owned enterprises to imitate.

The Russians had used the NSA’s stolen code as a rocket to propel their malware around the globe. The hack that circled the world would cost Merck and FedEx, alone, $1 billion. On June 27, 2017, Russia fired the NSA’s cyber weapons into Ukraine in what became the most destructive and costly cyberattack in world history. By the time I visited Kyiv in 2019, the tally of damages from that single Russian attack exceeded $10 billion, and estimates were still climbing. Shipping and railway systems had still not regained full capacity. All over Ukraine, people were still trying to find packages that had been lost when the shipment tracking systems went down. They were still owed pension checks that had been held up in the attack. The records of who was owed what had been obliterated.

The biggest secret in cyberwar—the one our adversaries now know all too well—is that the same nation that maintains the greatest offensive cyber advantage on earth is also among its most vulnerable. 

It was also clear that the NSA didn’t need to crack those encryption algorithms when it had acquired so many ways to hack around them. The NSA successfully convinced Canadian bureaucrats to advocate for a flawed formula for generating the random numbers in encryption schemes that NSA computers could easily crack. The agency was even paying major American security companies, like RSA, to make its flawed formula for generating random numbers the default encryption method for widely used security products. When paying companies off didn’t do the trick, the NSA’s partners at the CIA infiltrated the factory floors at the world’s leading encryption chip makers and put backdoors into the chips that scrambled data. And in other cases still, the agency hacked its way into the internal servers at companies like Google and Yahoo to grab data before it was encrypted. 

The documents were littered with references to NSA backdoors in nearly every piece of commercial hardware and software on the market. The agency appeared to have acquired a vast library of invisible backdoors into almost every major app, social media platform, server, router, firewall, antivirus software, iPhone, Android phone, BlackBerry phone, laptop, desktop, and operating system.

Zero-days are the most critical tool in a hacker’s arsenal. Discovering one is like discovering the secret password to the world’s data. A first-rate zero-day in Apple’s mobile software allows spies and hackers with the requisite skills to exploit it, to remotely break into iPhones undetected, and glean access to every minutia of our digital lives. A series of seven zero-day exploits in Microsoft Windows and Siemens’ industrial software allowed American and Israeli spies to sabotage Iran’s nuclear program. Chinese spies used a single Microsoft zero-day to steal some of Silicon Valley’s most closely held source code. In the United States, government hackers and spies hoarded zero-days for the sake of espionage, or in the event they might need to do what the Pentagon calls D5—deny, degrade, disrupt, deceive, or destroy—an adversary’s critical infrastructure in the event of war one day. Zero-days had become a critical component of American espionage and war planning. Government spies determined the best way to guarantee long-term access to data was a zero-day exploit. They were willing to pay hackers far more for that access. And once they shelled out six figures for those zero-days, they weren’t about to blow their investment and access by disclosing the flaw’s existence to anyone.

Different agencies all wanted ways into the same systems, which played well from a bottom-line perspective, but not so much from the American taxpayer’s. His company was selling the same zero-day exploits two, three, four, times over to different agencies. The money provided plenty of incentive. In the mid-1990s, government agencies paid contractors roughly $1 million for a set of ten zero-day exploits.

With the breakup of the Soviet Union, you had a lot of people with skills, without jobs, Sabien explained. But the most talented hackers, he told me, were based in Israel, many of them veterans of Israel’s Unit 8200.

There was one well-known exploit in HP printers that for years, Sabien told me, was utilized by government agencies all over the world. The exploit allowed anyone with knowledge of its existence to scrape any files that passed through HP’s printers and offered spies a foothold in their target’s network, where IT administrators would least suspect.

From its founding in 1952, the nation’s preeminent spy agency, the NSA—No Such Agency or Never Say Anything, in the old joke—was America’s chief eavesdropper and codebreaker. For the NSA’s first three decades, the agency’s sole mission was snatching intelligence as it flew through the atmosphere. At Fort Meade thousands of brilliant PhDs, mathematicians, and codebreakers would cull through messages, decrypting, translating, and analyzing them for critical nuggets that informed America’s next move in the Cold War.

It was no longer the case that Americans used one set of typewriters, while our adversaries used another. Thanks to globalization, we now all rely on the same technology. A zero-day exploit in the NSA’s arsenal could not be tailored to affect only a Pakistani intelligence official or an al-Qaeda operative. American citizens, businesses, and critical infrastructure would also be vulnerable if that zero-day were to come into the hands of a foreign power, cybercriminal, or rogue hacker.

Increasingly, the only way to acquire the same capabilities the agency once developed in-house was to buy them from hackers and contractors. And once the intel agencies started allocating more of their budgets for zero-day exploits and attack tools off the private market, there was even less incentive to turn over the underlying zero-day flaws to vendors for patching. Instead, they started upping the classification levels and secrecy around these programs.

There was a highly secretive Israeli spyware company called NSO Group that I had only heard of in passing whispers. NSO did not have a corporate website. I could find only a passing mention of it in a single entry on Israel’s Ministry of Defense website, in which the company claimed to have developed cutting-edge spyware. NSO’s surveillance technology was originally developed by graduates of Israel’s Intelligence Unit 8200. What NSO offered law enforcement was a powerful workaround, a tool to keep from going blind.

By hacking the endpoints of the communication—the phones themselves—NSO’s technology gave authorities access to data before and after it was encrypted on their target’s device. They called the tool Pegasus, and like the mythological winged horse it was named for, it could do the seemingly impossible: capture vast amounts of previously inaccessible data—phone calls, text messages, email, contacts, calendar appointments, GPS location data, Facebook, WhatsApp and Skype conversations—from the air without leaving a trace. Pegasus could even do what NSO called room tap: gather sounds and snapshots in and around the room using the phone’s microphone and video camera. It could deny targets access to certain websites and applications, grab screenshots off their phones, and record their every search and browsing activity. The leaked contracts showed that NSO had already sold tens of millions of dollars worth of hardware, software, and interception capabilities to two eager customers in Mexico and the UAE, and were now marketing Pegasus to other customers in Europe and the Middle East.

It appeared that NSO was the one company in this space that still managed to keep a low profile, even as its spyware was clearly some of the best on the market. NSO’s prices alone were a good sign that the Israelis’ spyware was top-shelf; the company was now charging double Hacking Team’s asking price. They charged a flat $500,000 installation fee, then another $650,000 to hack just ten iPhones or ten Android phones. Their clients could hack an additional hundred targets for $800,000; fifty extra targets cost $500,000; twenty, $250,000; and ten extra cost $150,000. But what this got you, NSO told customers, was priceless: you could remotely and covertly collect information about your target’s relationships, location, phone calls, plans, and activities—whenever and wherever they are. And, their brochures promised, Pegasus was a ghost that leaves no traces whatsoever.

Legion Yankee was among the murkiest—and most prolific—of the more than two dozen Chinese hacking groups that NSA hackers tracked, as they raided the intellectual property, military secrets, and correspondence from American government agencies, think tanks, universities, and now the country’s most vibrant technology companies.

Chinese cyber theft took two tacks. The majority of hacking crusades were conducted by China’s People’s Liberation Army’s Second and Third Departments. It was clear from their targets that various PLA units were assigned to hack foreign governments and ministries in specific geographic locales or to steal intellectual property in distinct industries that benefited China’s state-owned enterprises and economic plans. The other approach was less direct and more episodic. Increasingly, high-ranking Chinese officials at China’s Ministry of State Security started outsourcing attacks on high-profile targets—political dissidents like the Dalai Lama, Uighur and Tibetan ethnic minorities, and high-profile defense contractors in the United States—to freelance hackers at Chinese universities and internet companies.

The state identified these hackers for their skills, which often far exceeded those of their PLA counterparts. Plus, if anyone ever traced back the attacks to these individuals, Beijing could claim ignorance. It was Putin’s playbook through and through. The Kremlin had successfully outsourced cyberattacks to Russian cybercriminals for years. 

No American company had ever publicly called out Beijing for a cyberattack, even as Chinese hackers were pillaging American intellectual property in what Keith Alexander, the NSA director at the time, later called the greatest transfer of wealth in history. Three years after Google’s attack, James Comey, then head of the FBI, put it this way: There are two kinds of big companies in the United States. There are those who’ve been hacked by the Chinese, and those who don’t know they’ve been hacked by the Chinese.

The Guardian dropped Snowden’s first NSA leaks that month, detailing an NSA program called Prism. One NSA slide appeared to show that Microsoft, and the other tech companies, gave the NSA direct access to their servers. Some leaks described Prism as a team sport between the tech companies, the NSA, the FBI, and the CIA. The trust that Microsoft had spent years building was in danger of evaporating. It started bleeding customers, ranging from Germans, who likened Prism to the Stasi, to the entire government of Brazil. Foreigners demanded that they move their data centers overseas, where—the illusion went—their data would be safe from the prying eyes of the U.S. government. Analysts projected that U.S. tech companies could lose a quarter of their revenues over the next few years to foreign competitors in Europe and South America. 

The U.S. Office of Personnel Management—the very agency that stores the most sensitive data for the one million or so federal employees and contractors, including detailed personal, financial, and medical histories, Social Security numbers, even fingerprints—revealed that it had been hacked by Chinese hackers on a scale the government had never seen before. The Chinese had been inside OPM’s systems for more than a year by the time they were discovered in 2015.

For years, I’d heard some of the best exploits on the market hailed from Argentina. Every year small teams of college students from over a hundred countries convene at the International Collegiate Programming Contest (ICPC), the oldest and most prestigious contest of its kind. Two decades ago, American teams from Berkeley, Harvard, and MIT dominated the top ten finalists. These days the winners were Russian, Polish, Chinese, South Korean, and Taiwanese. In 2019 a team from Iran beat Harvard, Stanford, and Princeton, which didn’t even break into the top twenty. America’s pool of cyber talent was shrinking.

We arrived in one piece at an old open-air oil factory on the outskirts of town. More than a thousand young Argentine hackers were lined up around the block. Some looked as young as thirteen, like teenagers at the skate park. Interspersed among them were foreigners—some Asian, some European or American, several Middle Easterners. They were here to recruit, perhaps, or broker the latest and greatest in Argentine spy code. Ekoparty (Latin America’s largest hacking conference) was a mecca for hackers all over South America, and more recently zero-day brokers who came from all over the world in search of digital blood diamonds. This was my best chance of glimpsing the world’s new exploit labor market. The agenda listed hacks of encrypted medical devices to e-voting systems, cars, app stores, Androids, PCs, and the Cisco and SAP business apps that could enable attackers to take remote control of computers at the world’s biggest multinationals and government agencies. The United States still had the biggest offensive cyber budgets, but compared to conventional weapons, exploits were cheap. Foreign governments were now willing to match American prices for the best zero-days and cyberweaponry. The Middle East’s oil-rich monarchies would pay just about anything to monitor their critics. And in Iran and North Korea, which could never match the United States in conventional warfare, leaders saw cyber as their last hope of leveling the playing field. If the NSOs, Zerodiums, and Hacking Teams of the world wouldn’t sell them their wares, well, they could just hop on a plane to Buenos Aires.

Three years after the United States and the Israelis reached across Iran’s borders and destroyed its centrifuges, Iran launched a retaliatory attack, the most destructive cyberattack the world had seen to date. On August 15, 2012, Iranian hackers hit Saudi Aramco, the world’s richest oil company—a company worth more than five Apples on paper—with malware that demolished thirty thousand of its computers, wiped its data, and replaced it all with the image of a burning American flag. All the money in the world had not kept Iranian hackers from getting into Aramco’s systems. Iran’s hackers had waited until the eve of Islam’s holiest night of the year—the Night of Power, when Saudis were home celebrating the revelation of the Koran to the Prophet Muhammad—to flip a kill switch and detonate malware that not only destroyed Aramco’s computers, data, and access to email and internet but upended the global market for hard drives.

What oil is to the Saudis, so finance is to the American economy. A little more than a month after the Aramco attacks, Iranian hackers put U.S. banks in their crosshairs. Executives at Bank of America, J.P. Morgan, Citigroup, Fifth Third Bank, Capital One, and the New York Stock Exchange could only watch helplessly as, one by one, their banking sites crumbled or were forced offline by a deluge of Iranian internet traffic. 

Most of the US infrastructure is in private hands, Michael Chertoff, the former secretary of homeland security, told me at the time. The government is not going to be able to manage this like the air traffic control system. Just a few months earlier, Panetta had delivered the first major warning of a cyberattack by a U.S. defense secretary, an attack he said would be as destructive as the terrorist attack of 9/11. America was once again in a pre-9/11 moment: An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches, Panetta told an audience on the USS Intrepid in New York. They could derail passenger trains, or even more dangerous, derail passenger trains loaded with lethal chemicals. They could contaminate the water supply in major cities or shut down the power grid across large parts of the country.

By now, Russian hackers were so deeply embedded in the American grid and critical infrastructure, they were only one step from taking everything down. This was Putin’s way of signaling the United States. If Washington intervened further in Ukraine, if it pulled off a Stuxnet-like attack in Russia, they would take us down. Our grid was no less vulnerable than Ukraine’s; the only difference is we were far more connected, far more dependent, and in far greater denial.

And there they were: the crown jewels, the code for twenty of the NSA’s most coveted zero-day exploits, exploits they had spent months building and honing, tools that netted the best counterintelligence the agency could get. But these weren’t just espionage tools; they had the power to inflict incalculable destruction. Some of the exploits were wormable, meaning that anyone could pick them up and bolt on code that would self-replicate malware around the world. The cyberweapon of mass destruction.

The NSA, meanwhile, had been shaken to its core. The agency regarded as the world’s leader in breaking into foreign computer networks had failed to protect its own. As hackers and security experts began to parse through the latest leaks, one TAO exploit stood above the rest: EternalBlue, the exploit that could invisibly penetrate millions upon millions of Windows machines and leave barely a speck of digital dust behind. When researchers scanned the web, tens of thousands of infected machines the world over pinged back. Now, with the NSA’s tools in everyone’s hands, the number of infected systems would explode. One week later, the number of infected machines topped 100,000. Two weeks later, 400,000 victims were infected.

Three years after the NSA lost control of its tools, the long tail of EternalBlue was everywhere. The underlying Microsoft bugs were no longer zero-days—a Microsoft patch had been available for two years—and yet EternalBlue had become a permanent feature in cyberattacks on American towns, cities, and universities, where local IT administrators oversee tangled, cross-woven networks made up of older, expired software that stopped getting patched long ago. Not a day went by in 2019, Microsoft’s security engineers told me, when they did not encounter the NSA’s cyberweapons in a new attack. As it turned out, the shadow of the NSA’s stolen exploits was longer and stranger than any of us knew. Months before the Shadow Brokers first leaked the NSA’s tools in 2016—and more than one year before North Korea and Russia used them to wreak global havoc—China had discovered the NSA’s exploits on its own systems, snatched them, and used them for its own stealth attacks. It took three years for anyone to sort this out. If the NSA knew China was hacking American allies using its tools, that intelligence never made it into the hallowed halls of the VEP, where deliberators might have seized the opportunity to get the bugs fixed long before the Shadow Brokers, North Korea, or Russia could use them for chaos.

By 2019, ransomware attacks were generating billions of dollars for Russian cybercriminals and were becoming more lucrative. Even as cybercriminals raised their ransom demands to unlock victims’ data from three figures to six, to millions of dollars, local officials—and their insurers—calculated it was still cheaper to pay their digital extortionists than to rebuild their systems and data from scratch. The ransomware industry was booming and—with all that loot pouring into Russia—intelligence officials found it inconceivable that the Kremlin was not aware of, exploiting, or coercing criminals’ access for their own political ends.

As of this writing, foreign states and cybercriminals are hitting American networks from so many sides that, from my quarantined perch, it has become nearly impossible to keep track. Our adversaries are basically seeing that we have systems of interest that are vulnerable. The tools to exploit them have been thrown in their lap, and they’re willing to take some modest level of risk to use them because of the anonymity of the internet. You’re only going to see a growing level of these attacks as time goes on.
