The intelligence community has been taking body blows lately – with Friday’s WikiLeaks dump of CIA hacking tools and a report in The New York Times discusses just how damaging the August 2016 Shadow Brokers thefts from NSA have turned out to be.
While there has been no acknowledgment by law enforcement officials on who was directly responsible for the 2016 attack – the perpetrator possibly being Russia, an NSA insider, or both – the tools revealed by the Shadow Brokers have since been used by a number of hostile actors, including possibly North Korea and Russia.
The Cipher Brief spoke with experts Rhea Siers, former deputy associate director for policy at the NSA and DoD cyber veteran Bob Gourley.
The news reports on the level of damage the Shadow Broker’s theft has had on the NSA coincides with new releases by WikiLeaks of what it purports to be the source code of CIA hacking capabilities – namely a backend command and control system for CIA malware implants called Hive. The prolonged flow of releases by WikiLeaks appears to be intentionally designed to harm the U.S. intelligence community.
Siers: “WikiLeaks was tarnished by allegations that it was working with the Trump campaign/Russia, so it is seeking to reclaim its credentials, especially among those who share their views on ‘the surveillance state.’ This is the gift that keeps giving for them so why not space out the releases?”
Gourley: “I believe Wikileaks is orchestrating the timing on this to make maximum use of the data they hold. By releasing some info earlier and then more technical details later they are able to keep attention on themselves….By manipulating the free press and leading disinformation campaigns while weaponizing stolen data, they are showing their alignment with geopolitical adversaries that operate against the interests of all free nations. Stretching out the release…is just part of their plan to make it hurt for as long as possible.
“As a technologist I believe there are other goals besides causing turmoil in the U.S. national security establishment. These leaks also hurt the U.S. economy by sowing distrust among global corporations and governments who currently turn to the U.S. for their high end (expensive) technology needs. Governments and corporations everywhere are probable targets of these information leaks, with the objective being to have non-U.S. suppliers of technology and tech services selected over U.S. corporations. This hurts our economy.”
Similarly, the Shadow Brokers have said that they will continue to release NSA source code as part of their monthly subscription service. Disclosed material such as NSA hacking tools and other classified intelligence could be purchased by malicious actors but also companies and foreign governments seeking to patch their systems before the capabilities are used against them. The extent of the material stolen remains uncertain, and that is worrisome.
Siers: “One hopes that NSA and CIA know the extent of the damage, but that seems to be unclear…and that is very worrying. What are the implications of the Shadow Brokers trying to sell the material? Is it a farce intended to make observers think it is a profit-motivated criminal group? If it’s a state actor, it’s pretty classic deception. Certainly not new behavior by the Russians.”
If it is true that Russia is behind both the Shadow Brokers leaks and the WikiLeaks releases, it is curious that the Kremlin has chosen to release NSA material through the Shadow Brokers moniker and CIA material through the WikiLeaks platform. It is possible the source of the stolen material in the Shadow Broker’s and WikiLeaks disclosure are one and the same, and the most likely candidate is probably Moscow.
Siers: “One wonders if Shadow Brokers and WikiLeaks are sharing the same source, but again, the evidence is not determinative. Do I think Russia is behind it? I’m not privy to the evidence, but I cannot come up with an alternative answer – while some have suggested a potential insider within NSA – the releases seem to emanate and be sourced from different NSA organizations.”
Gourley: “All the available open information I have seen, as well as statements by leaders in the IC and an awareness of the long history of Russian and Soviet methodologies points to Russia. The cynic may say we have no absolute proof, but in reality, we are at the point where our policy must assume this is the case, that Russia is manipulating WikiLeaks and is absolutely in control of the Shadow Brokers. The reason for the two separate outlets may be to provide more plausible deniability, or perhaps it points to multiple players inside Russia. But both clearly have the same objectives, to weaken the national security of the U.S. and to hurt all who cooperate and align themselves with U.S. security interests.”
In the instances of the Shadow Brokers and the Vault7/Vault8 releases, the identities of U.S. intelligence officers have been revealed, causing some, including Siers, to believe it is another factor for attributing the leaks to Russia.
Siers: “It shouldn’t surprise us that the leakers (and their mysterious source) would want to damage and disrupt NSA and CIA operations. Of course, it’s just this type of release of identities that drives us back to considering Russian involvement.”
