The National Security Agency’s hackers have a problem.
Last week, multiple outlets reported that its elite Tailored Access Operations unit—tasked with breaking into foreign networks—suffered another serious data breach. The theft of computer code and other material by an employee in 2015 allowed the Russian government to more easily detect U.S. cyber operations, according to The Washington Post. It’s potentially the fourth large-scale incident at the NSA to be revealed in the last five years.
Now, multiple sources with direct knowledge of TAO’s security procedures in the recent past tell The Daily Beast just how porous some of the defenses were to keep workers from stealing sensitive information—either digitally or by simply walking out of the front door with it.
One source described removing data from a TAO facility as “child’s play.” The Daily Beast granted the sources anonymity to talk candidly about the NSA’s security practices.
TAO is not your average band of hackers. Its operations have included digging into China’s networks, developing the tools British spies used to break into Belgium’s largest telecom, and hacking sections of the Mexican government. While other parts of the NSA may focus on tapping undersea cables or prying data from Silicon Valley giants, TAO is the tip of the NSA’s offensive hacking spear, and could have access to much more sensitive information ripped from adversaries’ closed networks. The unit deploys and creates sophisticated exploits that rely on vulnerabilities in routers, operating systems, and computer hardware the general population uses—the sort of tools that could wreak havoc if they fell into the wrong hands.
That doesn’t mean those tools are locked down, though. “TAO specifically had a huge amount of latitude to move data between networks,” the first source, who worked at the unit after Edward Snowden’s mega-leak, said. The former employee said TAO limited the number of USB drives—which could be used to steal data—after that 2013 breach, but he still had used several while working at TAO.
“Most operators knew how they could get anything they wanted out of the classified nets and onto the internet if they wanted to, even without the USB drives,” the former TAO employee said.
A second source, who also worked at TAO, told The Daily Beast, “most of the security was your co-workers checking to see that you had your badge on you at all times.”
The NSA—and recently TAO in particular—has suffered a series of catastrophic data breaches. On top of the Snowden incident and this newly scrutinized 2015 breach, NSA contractor Hal Martin allegedly hoarded a trove of computer code and documents from the NSA and other agencies in the U.S. intelligence community. Martin worked with TAO, and he ended up storing the material in his car and residence, according to prosecutors. Like Snowden, Martin was a contractor and not an employee of the NSA, as was Reality Winner, who allegedly leaked a top-secret report about Russian interference in the U.S. election to news site The Intercept.
Then there’s the incident now in the news. Israeli operatives broke into the systems of the Russian cybersecurity firm Kaspersky Lab, officials told The Washington Post. On those systems were samples of sophisticated NSA hacking tools; a TAO employee had brought them home and placed them on his home computer. That machine was running Kasperky software, which allegedly sent the NSA tools back to Moscow.
It’s not totally clear how the breach overlaps with any others, but in 2016, a group called The Shadow Brokers started publishing full NSA exploit and tool code. Various hackers went on to incorporate a number of the dumped exploits in their own campaigns, including some designed to break into computers and mine digital currency, as well as the WannaCry ransomware, which crippled tens of thousands of computers around the world. (A handful of other, smaller NSA-related disclosures, including a catalogue of TAO hacking gear from 2007 and 2008, as well as intelligence intercepts, were not attributed to the Snowden documents, and the public details around where that information came from are muddy.)
Although not a data breach per se, in 2015 Kaspersky publicly revealed details on the history and tools of the so-called Equation Group, which is widely believed to be part of the NSA. A third source, who worked directly with TAO, said the fallout from that exposure meant the hacking unit entered a “significant shutdown,” and “ran on minimum ops for months.”
Nevertheless, a report by the Defense Department’s inspector general completed in 2016 found that the NSA’s “Secure the Net” project—which aimed to restrict access to its most sensitive data after the Snowden breach—fell short of its stated aims. The NSA did introduce some improvements, but it didn’t effectively reduce the number of user accounts with “privileged” access, which provide more avenues into sensitive data than normal users, nor fully implement technology to oversee these accounts’ activities, the report reads.
Physical security wasn’t much better, at least at one TAO operator’s facility. He told The Daily Beast that there were “no bag checks or anything” as employees and contractors left work for the day—meaning, it was easy smuggle things home. Metal detectors were present, including before Snowden, but “nobody cared what came out,” the second source added. The third source, who visited TAO facilities, said bag checks were random and weak.
“If you have a thumb drive in your pocket, it’s going to get out,” they said.
Unsurprisingly, workers need to swipe keycards to access certain rooms. But, “in most cases, it’s pretty easy to get into those rooms without swipe access if you just knock and say who you’re trying to see,” the third source added.
To be clear, The Daily Beast’s sources described the state of security up to 2015—not today. Things may have improved since then. And, of course, the NSA and TAO do of course have an array of security protections in place. TAO operators are screened and people on campus are already going to have a high-level clearance, some of the sources stressed. The part of the NSA network that TAO uses, and which contains the unit’s tools, can only be accessed by those with a designated account, according to the source who worked with TAO. Two of the sources believed in the NSA’s ability to track down where a file came from after a breach.
Indeed, the system TAO members use to download their hacking tools for operations has become more heavily audited over the years too, although the network did have a known security issue, in which users could make their own account and automatically gain access to additional information, the source who worked with TAO said.
“The NSA operates in one of the most complicated IT environments in the world,” an NSA spokesperson told The Daily Beast in a statement. “Over the past several years, we have continued to build on internal security improvements while carrying out the mission to defend the nation and our allies.”
“We do not rely on only one initiative. Instead, we have undertaken a comprehensive and layered set of defensive measures to further safeguard operations and advance best practices,” the spokesperson added.
The problem of securing this data from the inside is not an easy one to solve. If the NSA was to lock down TAO systems more ferociously, that could hamper TAO’s ability to effectively build tools and capabilities in the first place, and two of the sources emphasized that excessive searches would likely create a recruiting problem for the agency. “It’s not prison,” one of the former TAO employees said.
“The security is all predicated on you having a clearance and being trusted,” the source who has worked with TAO said.
“The system is just not set up to protect against someone with a clearance who is determined to go rogue,” they added.