A message from Vladimir Putin can take many forms.
It can be as heavy-handed as a pair of Russian bombers buzzing the Alaska coast, or as lethal as the public assassination of a defector on the streets of Kiev. Now Putin may be sending a message to the American government through a more subtle channel: an escalating series of U.S. intelligence leaks that last week exposed a National Security Agency operation in the Middle East and the identity of an agency official who participated.
The leaks by self-described hackers calling themselves “the Shadow Brokers” began in the final months of the Obama administration and increased in frequency and impact after the U.S. bombing of a Syrian airfield this month—a move that angered Russia. The group has not been tied to the Kremlin with anything close to the forensic certitude of last year’s election-related hacks, but security experts say the Shadow Brokers’ attacks fit the pattern established by Russia’s GRU during its election hacking. In that operation, according to U.S. intelligence findings, Russia created fictitious Internet personas to launder some of their stolen emails, including the fake whistleblowing site called DCLeaks and a notional Romanian hacker named “Guccifer 2.0.”
“I think there’s something going on between the U.S. and Russia that we’re just seeing pieces of,” said security technologist Bruce Schneier, chief technology officer at IBM Resilient. “What happens when the deep states go to war with each other and don’t tell the rest of us?”
The Shadow Brokers made their debut in August, appearing out of nowhere to publish a set of secret hacking tools belonging to the “Equation Group”—the security industry’s name for the NSA’s elite Tailored Access Operations program, which penetrates foreign computers to gather intelligence. At that time, the Shadow Brokers claimed to be mercenary hackers trying to sell the NSA’s secrets to the highest bidder. But they went on to leak more files for free, seemingly timed with the public thrusts and parries between the Obama administration and the Russian government.
From the start, outside experts had little doubt that Russian intelligence was pulling the strings. “Circumstantial evidence and conventional wisdom indicates Russian responsibility,” exiled NSA whistleblower Edward Snowden tweeted last August. “Why did they do it? No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the [Democratic National Committee] hack.”
The FBI started investigating, and in August agents arrested an NSA contractor named Hal Martin after discovering that Martin had been stockpiling agency secrets in his house for two decades. But even as Martin cooled his heels in federal custody, the Shadow Brokers continued to post messages and files.
Snowden and other experts speculated that the Russians obtained the code without the help of an insider. As a matter of tradecraft, intelligence agencies, including the NSA, secretly own, lease, or hack so-called staging servers on the public internet to launch attacks anonymously. By necessity, those machines are loaded up with at least some of the agency’s tools. Snowden theorized that the Russians penetrated one of those servers and collected an NSA jackpot. “NSA malware staging servers getting hacked by a rival is not new,” he wrote.
Whatever their origin, the leaks dried up on Jan. 12, when the Shadow Brokers announced their “retirement” 10 days before Donald Trump’s swearing-in. The group didn’t reemerge until this month, after the Syrian military’s deadly chemical-weapons attack in Ghouta. Reportedly moved by images of the Syrian children injured or killed in the attack, Trump responded by ordering the launch of 59 Tomahawk missiles at a Syrian government air base—departing drastically from the will of Putin, who considers Syrian President Bashar al-Assad a strategic ally.
The Russian government immediately condemned the U.S. response. Two days later, so did the Shadow Brokers. The group broke its months-long silence and released another tranche of NSA secrets along with a lengthy open letter to Trump protesting the Syrian missile strike. Abandoning any pretense of a profit motive, the Shadow Brokers claimed now to be disillusioned U.S. voters—“the peoples who getting you elected,” as they put in, using phrasing that holds dual meaning coming from a suspected Kremlin operation.
The Shadow Brokers have been playing hardball ever since. Their most recent release, on Friday, exposed the code for a sophisticated NSA toolkit targeting Windows machines, putting some of the agency’s capabilities, circa 2013, in the hands of every newbie hacker able to use a keyboard.
This time, the Shadow Brokers didn’t stop with code. For the first time in their short history, they also released internal NSA spreadsheets, documents, and slide decks, some bedecked with the insignia and “Top Secret” markings familiar to anyone who’s browsed the Snowden leaks.
The leak exposes in detail a 2013 NSA hacking operation called Jeep Flea Market that gained deep access to Dubai-based EastNets, a company that handles wire transfers for a number of Middle East banks, something of obvious interest to U.S. intelligence. (EastNets denies the breach.) But the Shadow Brokers exposed more than just an NSA operation. Metadata left in the files identified the full name of a 35-year-old NSA worker in San Antonio who was apparently involved in the hack. (The Daily Beast was unable to reach him for comment.)
NSA hackers don’t face the same danger as CIA officers working undercover in a foreign country, but the likelihood that Russia has begun exposing them by name, while linking them to specific operations, raises the stakes for the intelligence community. If nothing else, the San Antonio NSA worker could plausibly face criminal and civil charges in the United Arab Emirates, just as hackers working for Russian and Chinese intelligence have been indicted in the U.S.
It’s conceivable that the Shadow Brokers included the name by mistake. Groups like WikiLeaks and the journalists with the Snowden cache are accustomed to scrubbing identifying metadata from documents. But a less-experienced hand might overlook it. Schneier is doubtful. “If we’re assuming an intelligent and strategic actor, which I think we are, then you have to assume that they did that on purpose,” he said.
Nothing is certain; the Shadow Brokers are a puzzle with missing pieces. But Friday’s Shadow Brokers release obliterated one theory on the spot. The NSA would never have put classified spreadsheets and PowerPoint slides on a staging server. They could only have come from inside the NSA.
Which sets the stage for a revival of a storied Cold War intelligence ritual, with the declining agency morale that comes with it: the Russian mole hunt. “I think we’re most likely looking at someone who went rogue from within, or a contractor who had access to this information,” said Eric O’Neill, national-security strategist for Carbon Black. “Either way, we have someone in the intelligence community that’s a pretty high-placed spy.”
A former FBI surveillance specialist, in 2001 O’Neill helped bring down Robert Hannsen, a double agent in the bureau who’d been secretly spying for Russia. “The FBI must be scrambling right now,” he said. “There’s so many leaks going on: this leak, the CIA Vault7 leaks, and at the same time there’s the investigation into any administration ties to Russia, and the DNC intrusion, and all these leaks coming out of the White House. There’s only so much that the FBI’s national security agents can do.”
If Russia did have a mole inside the NSA in 2013, the most recent date of the documents, Schneier thinks it unlikely that it does now, or else the Shadow Brokers wouldn’t exist. “You only publish when it’s more useful as an embarrassment than as intelligence,” he said. “So if you have a human asset inside the NSA, you wouldn’t publish. That asset is too important.”
It’s also possible, though unprecedented in the public record, that Russia found a way into the NSA’s classified network. A competing theory focuses on the FBI’s early suspect, Hal Martin. He’s not the Shadow Brokers, but he reportedly worked in the NSA’s Tailored Access Operations program and had 50,000 gigabytes of classified material in his home. Might he himself have been hacked? Martin is charged in Maryland with 20 counts of willful retention of national defense information, but prosecutors have not made any accusation that his trove slipped into enemy hands.
As Snowden demonstrated when he walked out of the NSA with a thumb drive of secrets, it’s comparatively easy now to steal and smuggle classified information. But O’Neill says the FBI’s counterintelligence mission is easier too, because of the rampant audit trails and server logs in classified networks.
“It’s much easier getting the secrets out now, but on the flip side, it’s also easier for law enforcement and the FBI to track down who had access to the data,” he says. “I like to think this mole hunt is going to be a little easier than it was in the past.”
Until then, expect the Shadow Brokers to stick around. In their Friday dump, they hinted at more revelations this week: “Who knows what we having next time?”