Andy Greenberg
Sandworm
“!!! Attention government sponsors of cyber warfare and those who profit from it !!!!” the message began. “How much you pay for enemies cyber weapons?”
The post went on to present an extraordinary offer. The hackers claimed to have pulled off something almost no one had achieved before—at least not publicly: They had breached the NSA and stolen some of its most sensitive files. Specifically, they wrote that they’d hacked “Equation Group,” using the name the Russian security firm Kaspersky had given to the creators of Stuxnet. The Shadow Brokers, whoever they were, were claiming not simply to have hacked the NSA but to have hacked the NSA’s top hackers, the most elite team of American government cyberspies, known as Tailored Access Operations. And now they were selling their stolen loot to the highest bidder:
We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.
Below that message, the post included links to download sites where they had uploaded free “proof” files as samples, along with another encrypted file that supposedly contained a collection of secret hacking tools that they bragged were “better than Stuxnet.” The Shadow Brokers demanded that anyone who wanted to see the contents of that file send bitcoin bids to a certain address. None of those bids, they stipulated, would be refunded. And only the highest bidder would be given the key to decrypt this purported holy grail of hacking. In another bizarre note, the Shadow Brokers said that if bidding reached one million bitcoins—at the time well over half a billion dollars—they’d release all the secret files to the public.
Finally, the message ended with a strange paragraph about “wealthy elites” whom the Shadow Brokers seemed to be simultaneously threatening with their stolen NSA hacking tools and targeting with a hard-sell pitch. “Let us spell out for Elites. Your wealth and control depends on electronic data,” they wrote. “If electronic data go bye bye where leave Wealthy Elites? Maybe with dumb cattle? ‘Do you feel in charge?’ Wealthy Elites, you send bitcoins, you bid in auction, maybe big advantage for you?”
On its face, nothing about the post looked like the work of hackers skilled enough to have actually hacked the NSA. The almost deliberately shoddy English, the sloppy auction system, even the name “the Shadow Brokers”—apparently a reference to a character from the video game Mass Effect—seemed more like the work of bored teenagers than the likes of a state-sponsored group such as Sandworm or even Fancy Bear.
But Jake Williams downloaded the sample files anyway. And when he opened them on his PC, he was surprised to see they included a set of tools capable of silently breaking into a handful of common firewalls, including some sold by Cisco and Fortinet.
In fact, these were not just any firewall-hacking programs. For Williams, they had special significance. Four years earlier, Williams had left the NSA, where he had himself served as a hacker on its Tailored Access Operations team. Even now, the highly classified nature of that work means he couldn’t explicitly tell me whether he recognized the hacking tools from his own time inside the agency. But suffice it to say, Williams knew they were as powerful as the Shadow Brokers claimed. “I did not doubt their authenticity,” he said.
The tools the Shadow Brokers had offered up as mere free samples were not just any crude hacking programs but the rarest commodities of the cybersecurity world: Many had been designed to exploit zero-day vulnerabilities. Though the files appeared to be dated to 2013, some of the software flaws they targeted had remained secret for all those years until the Shadow Brokers’ release. Cisco, for instance, would eventually warn its customers that they needed to change the configuration of eleven different Cisco products to protect them from one of the leaked hacking tools, which might otherwise give intruders full control over those devices. In some cases, that could mean the ability to fully intercept or tamper with the traffic going into and out of networks used by millions of people around the world.
Each of the leaked sample tools, Williams could immediately see, was appallingly dangerous in its own right, and they were being cast out together onto the public internet, where any miscreant could use them to inflict mayhem. If the Shadow Brokers were to be believed, they had far more in store.
As the Rendition team examined the files inside their makeshift war room, temporarily distracted from the work of dissecting the client’s breach, Williams exchanged a look with one of his staffers, a man who had also worked with him at the NSA and who seemed equally dismayed at what they were watching unfold.
For the better part of a decade, as the world’s state-sponsored hackers slowly progressed toward cyberwar, the apex of that arms race had been Stuxnet. That specimen of rarefied malware had proved the promise of digital dark arts to achieve the impossible in U.S. intelligence and military operations, as well as the peril posed by America’s adversaries, like Sandworm, should they employ those same weapons.
But the disaster taking shape that August morning would be expressed in far more literal form. Instead of an abstract fear that U.S. cyberweapons would inspire adversaries to develop their own, America’s hacking arsenal had fallen, suddenly and directly, into enemy hands.
* * *
In the early days after the Shadow Brokers’ post, it appeared that the group’s operation might be a bust. They did not get their one-million-bitcoin jackpot. Instead, in the first twenty-four hours of their auction, they received a grand total of $937.15, according to the Bitcoin blockchain’s public record of transactions.
But the auction nonetheless served to create buzz around the NSA’s security breach. Experts largely agreed the profit motive was likely a cover story, that the Shadow Brokers were probably state-sponsored hackers, not cybercriminals, and they were seeking above all to embarrass the NSA. Jake Williams, for his part, immediately suspected Russia. “There’s only one government capable of doing this,” he said flatly.
Another, less expected former NSA figure offered a similar suggestion. Edward Snowden, the NSA whistle-blower who’d leaked a top secret trove of the agency’s documents three years earlier, posted a series of messages on Twitter outlining a larger theory. He guessed that the Shadow Brokers were indeed Russian, that they’d stolen the NSA tools from a “staging server” used as a kind of field outpost for the agency’s hacking operations, and that the thieves’ primary motive was to shame the NSA and broadcast a specific message: We know what you’re up to. “Circumstantial evidence and conventional wisdom indicates Russian responsibility,” Snowden wrote. “This may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.”
The Shadow Brokers’ first appearance, after all, came just two months after the news that Russia had hacked the Democratic National Committee. Snowden posited that Russia was using its breach of the NSA to put a mirror up to American accusations of reckless hacking, to warn the United States that Russia, too, could call out its adversary’s intrusion operations.
That this theory was first articulated by the man behind the other largest violation of the NSA’s secrets in recent memory—and one who had taken refuge from American law enforcement in Moscow—might have seemed ironic. But for all the damage the NSA had claimed resulted from Snowden’s disclosures, he had never released actual zero-day vulnerabilities or hacking tools. In the coming months, the Shadow Brokers’ data dumps would prove to be vastly more damaging than anything Snowden had revealed—not just to U.S. intelligence agencies, but to the world.
* * *
The hackers seemed to savor their torture of the NSA. Over the following months, the Shadow Brokers would disappear for long stretches and then reappear spontaneously to promote new leaks, prolonging the chaos and anxiety they were creating as they disemboweled the agency and threw its radioactive entrails across the internet.
The second of their leaks was, in some senses, a smaller one—perhaps a mere reminder to the NSA that its problem was not going away. Two months after their splashy debut, the Shadow Brokers published another sample of their stolen data the day before Halloween, titling their blog post “Trick or Treat?” This time they offered up a collection of IP addresses representing computers that, they said, the NSA had used as staging servers, exposing a broad map of the agency’s secret hacking operations across the world.
The new leak was presented along with a message responding to statements Vice President Joe Biden had made days earlier, naming Russia as the source of the Democratic National Committee hack and promising some sort of retaliatory measures to be carried out by the CIA. “We’re sending a message,” Biden told the NBC show Meet the Press. “It will be at the time of our choosing—and under the circumstances that have the greatest impact.”
“Why is DirtyGrandpa threating CIA cyberwar with Russia?” the Shadow Brokers responded. “Oldest control trick in book, yes? Waving flag, blaming problems on external sources, not taking responsibility for failures. But neverminding, hacking DNC is way way most important than EquationGroup losing capabilities.” The barbed sarcasm couldn’t hide the Shadow Brokers’ defensiveness about Russia’s meddling in the U.S. election.
After another six weeks, the Shadow Brokers seemed to be losing patience. “TheShadowBrokers is trying auction. Peoples no like,” they wrote. “Now TheShadowBrokers is trying direct sales.” They had decided to sell their pilfered zero-day hacking techniques à la carte. This time their post included screenshots of a collection of files, giving a glimpse at a broad catalog of secret hacking wares they still held.
Perhaps the Shadow Brokers’ sketchy auction setup had scared off buyers. Or perhaps their entire moneymaking venture had been elaborate theater. Either way, by January, they suddenly declared that their sales routine had failed and that they were calling it quits. “So long, farewell peoples. TheShadowBrokers is going dark, making exit: Continuing is being much risk and bullshit, not many bitcoins,” they wrote. “Despite theories, it always being about bitcoins for TheShadowBrokers. Free dumps and bullshit political talk was being for marketing attention.”
For another three months, the group seemed to have vanished. Some in the security industry speculated that the group’s work had always been designed as a distraction from Russia’s hacking of election-related targets and with the inauguration of Donald Trump as president in early 2017 their work was done. “The fun is over,” wrote the tech news site Motherboard.
But if NSA officials felt any relief that the bleeding had stopped, it was premature. In April 2017, three months later, the Shadow Brokers appeared yet again, posting the thirty-two-character password to the original encrypted file they’d first released, the one they’d originally claimed was “better than Stuxnet.”
When hackers around the world decrypted that file, they found a vast collection of hacking tools, all targeting operating systems like Linux, Unix, and Solaris rather than Windows. Many were more than a decade old. The secret programs were not, it seemed, better than Stuxnet. But they meant that the NSA’s nightmare continued, with no clear end in sight.
Along with that release, the Shadow Brokers this time posted a fifteen-hundred-word rambling open letter pleading with Trump to stay in touch with his far-right nationalist base, and not to give in to the “deep state” and “globalists.” The hackers criticized Trump’s decision to launch air strikes in Syria in retaliation for chemical weapons used by the country’s Russia-backed dictator, Bashar al-Assad. They now claimed that despite theories of their Russian origin they were actually former U.S. intelligence officers who had become conscientious objectors. They railed against Goldman Sachs, Zionists, socialists, and Russia critics:
We recognize Americans’ having more in common with Russians than Chinese or Globalist or Socialist. Russia and Putin are nationalist and enemies of the Globalist, examples: NATO encroachment and Ukraine conflict. Therefore Russia and Putin are being best allies until the common enemies are defeated and America is great again.
Jake Williams, like almost anyone with ties to the NSA, had continued to watch the Shadow Brokers fiasco with a mixture of fascination and deep anxiety. After the group resurfaced, he posted a quick analysis to the security industry social media site Peerlyst, stating what he by then considered obvious: The Shadow Brokers were, among other things, clearly another Kremlin influence operation. “Russia is likely using the latest Shadow Brokers release to attempt to control the news cycle and take coverage away from the Syria conflict,” he wrote.
The next morning, he woke up in a hotel room in Orlando, where he was scheduled to teach a training course, and looked at Twitter. He immediately discovered that the Shadow Brokers had responded to his blog post. Now they were calling out him, Jake Williams, by name. “@malwarejake You having big mouth for former #equationgroup member,” they wrote on Twitter, using his handle. “The Shadow Brokers ISNOT in habit of outing #equationgroup members but had make exception for big mouth.”
Williams had never publicly revealed that he was a former NSA staffer, let alone a member of the Tailored Access Operations team that the Shadow Brokers called Equation Group. He had carefully quarantined that part of his career and described his background to associates and clients only as having worked for the Department of Defense.
He had just been outed. His breath stopped. “It was like being punched in the gut,” he said.
The message was accompanied by vague references to code names like “OddJob,” “CCI,” “Windows BITS persistence,” and an investigation involving “Q Group,” the NSA’s counterintelligence arm. Williams declined to say what all of that meant. But he explained that by including those references, the Shadow Brokers were signaling to him that they were aware not just of his NSA affiliation but of highly specific details of his career inside the agency. “The message was, ‘This is not a guess,’ ” he said. “ ‘We know.’ ”
That leak of Williams’s secrets would change his life. Now that he’s a known former TAO hacker, he no longer travels to places where he might be vulnerable to legal or personal attacks from a country like Russia or China. In the months after his outing by the Shadow Brokers, he canceled work trips to the Czech Republic, Singapore, and Hong Kong. Even today, he lives in fear of foreign indictments for his past hacking, just as the United States has sought to sow fear in foreign hackers, from Iran to North Korea, with its own criminal charges.
But in that first moment of seeing his secrets spilled, Williams had a less rational and more visceral reaction: He felt the same kind of violation that the NSA had been undergoing for eight months, only now on a personal level. He sensed that the Shadow Brokers knew vastly more about him than he knew about them and that he was entirely at their mercy. They could release the rest of his private history at any time.
The same, of course, was true of the rest of the NSA’s secrets. The worst was yet to come.
22
ETERNALBLUE
When the Shadow Brokers finally decided to unleash the most damaging leak of their short, strange career, they explained their actions with neither political manifestos nor profiteering but pure nihilism.
“Last week theshadowbrokers be trying to help peoples,” they wrote in a new message on April 14, 2017, referring back to their political rant from the week before. “This week theshadowbrokers be thinking fuck peoples.”
Per usual, they posted a link to a download. “Theshadowbrokers not wanting going there. Is being too bad nobody deciding to be paying theshadowbrokers for just to shutup and going away,” they concluded. “Maybe if all suviving WWIII theshadowbrokers be seeing you next week.”
Perhaps the World War III quip related to escalating tensions between the United States and North Korea; the latter had revealed that it would soon have the capability to launch a nuclear missile that could strike anywhere in the United States. Or perhaps it was referring to the contents of the file they had just leaked, which offered, in essence, the digital equivalent.
The new collection of files was the mother lode of immensely powerful hacking tools that the Shadow Brokers had promised from the start. After eight months of taunts and games, they had finally dropped an assortment of the NSA’s crown jewels. Cybersecurity analysts who downloaded the files counted more than twenty distinct hacking tools, all polished, professional, and ready to cause mayhem in the hands of even unskilled hackers.
But it was one program in particular, which the NSA had code-named EternalBlue, that sent the cybersecurity community into an immediate frenzy. EternalBlue was designed to exploit a vulnerability, a zero-day for years, in practically every version of Windows prior to Windows 8: a flaw in an old and ubiquitous Windows feature known as Server Message Block, or SMB, the protocol Windows machines use to share files and printers with one another over a network. The first version of that protocol, SMBv1, contained multiple critical bugs that let anyone who could reach a machine's SMB port send it a crafted sequence of messages and gain full remote code execution on the target. Microsoft had released a patch for those bugs, MS17-010, a month before the leak, in March 2017, but the fix protected only the machines that had actually installed it.
With EternalBlue, the NSA’s hackers had coded that exploitation into a simple program capable of penetrating millions upon millions of computers around the world. Then they’d lost control of it.
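The precondition EternalBlue relied on, a host that still negotiates SMBv1 on port 445, is something a defender can check for directly. The following is an added example, not code from the book or from the leaked tools: it builds the SMB_COM_NEGOTIATE request a client sends when opening an SMB session and classifies the server's reply, so a host that still answers with an SMBv1 dialect can be flagged. The packet layout follows the SMB1 wire format (NetBIOS session header, 32-byte SMB header, parameter words, data bytes). The sample reply is constructed rather than captured, and the `probe` helper, the dialect list, the flag values and the `('smb1', ...)`-style return labels are this example's own choices.

```python
"""SMBv1 negotiate probe: checks the precondition EternalBlue (MS17-010) needs.

Added example, not from the book or the leaked tools. Packet layout follows
the SMB1 wire format (NetBIOS session header + 32-byte SMB header + words/bytes).
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# Dialects offered, in the order the server will index them (assumed list).
SMB1_DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]
# "<BIBHH8sHHHHH" = command, status, flags, flags2, pid_high, security
# features, reserved, tid, pid_low, uid, mid (28 bytes after the 4-byte magic).
HEADER_FMT = "<BIBHH8sHHHHH"


def smb1_header(command=SMB_COM_NEGOTIATE, flags=0x18):
    """32-byte SMB1 header; flags2 0xC853 asks for Unicode and NT status codes."""
    return SMB1_MAGIC + struct.pack(
        HEADER_FMT, command, 0, flags, 0xC853, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0
    )


def netbios_frame(smb):
    """NetBIOS session service framing: type 0x00 + 3-byte big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_negotiate_request(dialects=SMB1_DIALECTS):
    """SMB_COM_NEGOTIATE: WordCount 0, ByteCount, then 0x02-prefixed C strings."""
    body = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    return netbios_frame(smb1_header() + struct.pack("<BH", 0, len(body)) + body)


def parse_negotiate_response(data, dialects=SMB1_DIALECTS):
    """Classify the server's reply as ('smb1', dialect), ('smb2', None),
    ('refused', None) or ('invalid', None)."""
    if len(data) < 8:
        return ("invalid", None)
    smb = data[4:4 + int.from_bytes(data[1:4], "big")]
    if smb.startswith(SMB2_MAGIC):          # only seen if SMB2 dialects were offered
        return ("smb2", None)
    if not smb.startswith(SMB1_MAGIC) or len(smb) < 35:
        return ("invalid", None)
    command, status = smb[4], struct.unpack_from("<I", smb, 5)[0]
    word_count = smb[32]
    if command != SMB_COM_NEGOTIATE or status != 0 or word_count == 0:
        return ("refused", None)
    dialect_index = struct.unpack_from("<H", smb, 33)[0]   # first parameter word
    if dialect_index == 0xFFFF or dialect_index >= len(dialects):
        return ("refused", None)            # 0xFFFF = server accepted no dialect
    return ("smb1", dialects[dialect_index].decode())


def sample_smb1_response():
    """Constructed (not captured) reply from a host still speaking SMBv1:
    WordCount 17, DialectIndex 2 -> 'NT LM 0.12', remaining words zeroed."""
    words = struct.pack("<H", 2) + b"\x00" * 32
    return netbios_frame(smb1_header(flags=0x98) + bytes([17]) + words + b"\x00\x00")


def probe(host, port=445, timeout=3.0):
    """Live check (not exercised here). A host that resets or times out has
    SMBv1 disabled or the port filtered; 'smb1' means SMBv1 is still negotiable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            data = s.recv(4096)
    except (ConnectionResetError, socket.timeout, OSError):
        return ("refused", None)
    return parse_negotiate_response(data)


if __name__ == "__main__":
    print(parse_negotiate_response(sample_smb1_response()))   # ('smb1', 'NT LM 0.12')
```

A host that answers with "NT LM 0.12" still speaks SMBv1; that is the exposure EternalBlue needed, and the right response is to disable SMBv1 and confirm MS17-010 is installed. The check is a precondition test, not a vulnerability test: a patched host still negotiates SMBv1 if the protocol is left enabled, and the `smb2` branch only fires if `b"SMB 2.???"` is added to the offered dialects, since a server offered only SMBv1 dialects will not volunteer an SMB2 reply.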
“This is as big as it gets,” Matthew Hickey, a British security analyst who had been analyzing the Shadow Broker leaks for months, told me at the time. “It’s internet God mode.” Or, as my Wired colleague Lily Hay Newman described it, “a sophisticated, top-secret US cyber espionage tool is now the people’s crowbar.”