NSA ‘Shadow Brokers’ Hack Shows SpyWar With Kremlin Is Turning Hot

This won’t be the last time Putin and his spies have us over a barrel

Russian President Vladimir Putin makes a speech during a meeting with his Azerbaijani counterpart Ilham Aliyev and Iranian leader Hassan Rouhani in Baku on August 8, 2016. The talks between Russian President Vladimir Putin, his Azerbaijani counterpart Ilham Aliyev and Iranian leader Hassan Rouhani are focused on the North-South Transport Corridor -- the ship, rail, and road route for freight between India, Russia, Iran, Europe and Central Asia -- and more generally on economy and trade as well as anti-terrorism cooperation.
Russian President Vladimir Putin.

The National Security Agency can’t catch a break. Over three years ago, Edward Snowden, an IT contractor for the agency, defected to Moscow with more than a million classified documents. Since then, Snowden’s vast trove has been used to embarrass NSA about the extent of its global espionage reach.

I’ve been warning from Day One that the Snowden Operation was a Russian propaganda ploy aimed at inflicting pain on NSA, America’s most important spy agency, and its global alliance of espionage partnerships that’s been the backbone of the powerful Western intelligence system since it helped defeat the Nazis and Japan in World War II.

Western intelligence bosses recently have become open about stating what they’ve known for years, that Snowden is a Kremlin pawn designed to inflict pain on Russia’s adversaries in the SpyWar. There’s no doubt that’s the case, especially since the Kremlin now has admitted that Snowden is their agent.

For more than three years NSA has been subjected to an unprecedented stream of leaks about myriad Top Secret intelligence programs. Although Snowden claimed his motivation was to protect the civil liberties of fellow Americans by exposing secrets, it’s impossible to miss that well over 95 percent of the programs he’s compromised are purely involved with foreign intelligence. The impact of all this on agency morale has been devastating and NSA is in a state of crisis thanks to Snowden.

This week things took a marked turn for the worse, however, with the exposure of highly sensitive NSA hacking tools on the Internet by a murky group calling itself “The Shadow Brokers” which announced it planned to sell programs purloined from the agency. Like clockwork, NSA’s public website crashed and stayed down for almost a full day. Although there’s no indication this was linked to The Shadow Brokers, the optics for NSA were terrible.

First, some explanation is needed of what’s been compromised. The crown jewel here is a 300-megabyte file containing “exploits”—that is, specialized sophisticated cyber tools designed to burrow through firewalls to steal data. What The Shadow Brokers has, which it claims it stole from an alleged NSA front organization termed the Equation Group, appears to be legitimate.

Here we are, three years after Snowden, dealing with the consequences of allowing Russian moles to run amok inside NSA.

These exploits—or at least some of them—appear to come from NSA’s elite office of Tailored Access Operations, which is the agency’s hacking group. Arguably the world’s most proficient cyber-warriors, the shadowy TAO excels at gaining access to the computer systems of foreign adversaries. TAO veterans have confirmed that, from what they’ve seen of what The Shadow Brokers has revealed, they’re bona fide NSA exploits.

This represents a security disaster for an agency that really didn’t need another one. How this happened, given the enormous security that’s placed on all NSA Top Secret computer systems, raises troubling questions about what’s going on, since the agency instituted much more strenuous online security after Snowden’s defection, which revealed how slipshod NSA counterintelligence really was.

However, significant questions loom over this new scandal.  In the first place, what really is The Shadow Brokers? They appear to be a transparent front for Russian intelligence. Indeed, they’re not really hiding that fact, given the broken English they used in their online auction notice asking for bitcoin in exchange for NSA information. From his Russian exile, even Snowden admitted on Twitter that this was pretty obviously a Kremlin spy game.

Pro-Russian sources have pointed to the Equation Group as an NSA front for more than a year. In early 2015, Kaspersky Labs, one of the world’s leading cybersecurity firms, announced the discovery of the Equation Group and fingers were quickly pointed at NSA as being the culprit behind those hackers. It should be noted that Kaspersky Labs has a very cozy relationship with the Kremlin and is viewed by most espionage experts in the West as an extended arm of Russian intelligence. The firm’s founder, Eugene Kaspersky, was trained in codes and ciphers by the KGB in the waning days of the Soviet Union, even meeting his first wife at a KGB resort.

That said, if even some of the leaked exploits are real, NSA has a big problem on its hands. The exploits seem to date from mid-2013, around the time Snowden fled to Moscow, so it’s difficult to see how he had anything to do with this.

It’s certainly possible that an NSA hacker goofed massively and left files in the wrong place at the wrong time. Human error can never be ruled out. Russian cybersleuths carefully watch for possible NSA operations online—just as we look for theirs—and even a single slip-up with Top Secret hacking tools could invite a disastrous compromise.

However, it’s far more likely that this information was stolen by an insider. There’s something fishy about the official story here. It’s far-fetched to think a small group of unknown hackers could infiltrate NSA. Furthermore, explained a former agency scientist, the set-up implied in the account given by The Shadow Brokers makes little sense: “No one puts their exploits on a [command-and-control] server…That’s not a thing.” In other words, there was no “hack” here at all.

It’s much more plausible that NSA has a Kremlin mole (or moles) lurking in its ranks who stole this information and passed it to Russian intelligence for later use. This isn’t surprising, since NSA has known since at least 2010 of one or more Russian moles in its ranks and agency counterintelligence has yet to expose them. In truth, Snowden—a mere sysadmin, never the “spy” he claimed to be—was a Kremlin patsy, giving Russian intelligence cover to protect its actual moles lurking inside America’s most powerful intelligence agency.

NSA has a dismal counterintelligence record—its ranks having been penetrated by Kremlin moles over and over again since its establishment in 1952. I know because I used to work for agency counterintelligence and I located such moles. NSA leadership was never very eager to find them, knowing the bad headlines their exposure would bring, and repeated warnings from security experts led to no real action. So here we are, three years after Snowden, dealing with the awful consequences of allowing Russian moles to run amok inside NSA.

The information that the Russians have placed online through The Shadow Brokers is more embarrassing to NSA than operationally significant. Though highly classified, it’s three years out of date—an eternity in the fast-moving world of cyber-intelligence. The point of this, then, is to cause pain and embarrassment to Washington, and here Moscow has succeeded.

It’s not difficult to determine why this is happening now. As I’ve explained, the SpyWar between America and Russia has heated up over the last year on all fronts, with increasingly brazen Moscow moves against our spies at home and abroad. The Kremlin is playing for keeps.

The current Russian effort to influence our presidential election, using more-or-less open Kremlin cut-outs like Wikileaks to hurt the Democrats, represents an upping of the espionage ante. Here the deep tentacles of Russian intelligence in the Republican campaign matter too, and with each passing day it looks like Vladimir Putin is setting the tone to which American politicians are dancing.

American intelligence knows what the Russians are up to, and Intelligence Community leaders have let the media know that they’ve been wise to Kremlin spy games for some time. Here NSA is vital, since it’s the agency that monitors foreign cyber operations against the United States. Therefore, this latest Russian effort to embarrass NSA before the world should be viewed as a warning shot across the agency’s bow not to reveal too much of what it knows to the public about Russian cyber-espionage and covert action—since NSA has plenty of secrets it wants to hide too.

“May we read about you in the newspapers!” is a joke-cum-curse among Israeli spies, reflecting the reality that it’s never a good day in the spy business when your operations wind upon the front page. After this latest Russian secret offensive, our Intelligence Community will be sorely tempted to inflict payback on the Kremlin in the shadows. However, our spy agencies, especially NSA, need to be careful, since until they get serious about counterintelligence and purge their ranks of moles, this won’t be the last time Putin and his spies have us over a barrel.

John Schindler is a security expert and former National Security Agency analyst and counterintelligence officer. A specialist in espionage and terrorism, he’s also been a Navy officer and a War College professor. He’s published four books and is on Twitter at @20committee.

NSA ‘Shadow Brokers’ Hack Shows SpyWar With Kremlin Is Turning Hot