Gray Day

Page 26

by Eric O'Neill


  I thought I knew what Hanssen had meant when he spoke of the spy in the worst possible place. But as I reread my OPM letter, the same one received by millions of current and former government employees, I realized I hadn’t fully grasped his insights. That half sheet of paper changed everything.

  In March 2014, the US Computer Emergency Readiness Team (US-CERT) notified OPM that data was bleeding from its network. US-CERT is the organization in the Department of Homeland Security responsible for analyzing and reducing cyber threats, providing threat warnings, and coordinating incident response to attacks. When US-CERT calls, you listen.

  Over the next few weeks, OPM and US-CERT worked together to monitor an attacker in OPM’s systems and gather counterintelligence. Unfortunately, while our cyber pros thought they had the breach contained, they missed an accomplice. On May 7, 2014, a second attacker posed as an employee of an OPM background investigations contractor and used the contractor’s credentials to slip into the OPM system. The virtual trusted insider installed malware and created a network backdoor, all unnoticed by OPM. By the end of May, OPM pulled the plug on monitoring the first attacker, kicked them out of the system, and patted itself on the back for a job well done, not knowing they’d only taken out a sacrificial lamb. Meanwhile, the virtual trusted insider had free rein.

  Cyberattackers aren’t all cold, calculating criminals. Most have a sense of humor. The virtual trusted insider registered a domain named opmsecurity.org that they used as a command-and-control center to manage malware operations against OPM. The domain was registered to Steve Rogers, aka comic book superhero Captain America.

  With a little help from Captain America, the virtual trusted insider stole detailed files and personal background reports on more than 22 million current and former federal employees, plus 5.6 million fingerprint records. These records included SF86 forms, used for background investigations into those seeking a security clearance. Imagine writing down your entire life story, including everything that you might say about yourself but that you’d rather no one ever find out. You’ve just completed a 127-page SF86 employment application. The form reviews thirteen adjudicative criteria that the government uses to decide whether to trust an employee with classified information, including supporting documentation and the notes a background investigator takes during an interview. These criteria include not only information about the applicant’s allegiance to the United States and any friends or business contacts in foreign countries but also information about criminal history, sexual behavior—especially criminal or extramarital—how lousy your finances are, how much booze you drink and whether you’ve experimented with drugs, and even if you’ve ever downloaded music illegally. In any case, not the sorts of things you’d like in the hands of a foreign intelligence service.

  It took OPM until April 2015 to spot the virtual trusted insider, and only after an OPM contractor notified US-CERT about suspicious network traffic related to opmsecurity.org. By then, Chinese intelligence service attackers had used OPM’s servers like a public library for nearly three years. The earliest malware detected on OPM’s network dated back to 2012. They’d been hiding in the worst possible place.

  Hollywood would have us believe that hackers work alone, striking from dark basements and cold warehouses in places like Belarus, penetrating servers with magic codes that knife through defenses like little silver cyber ninjas. Others in our government paint a similar picture, conjuring an overweight man in his twenties sitting in a basement (probably his mother’s), hammering away at a computer while pounding energy drinks and munching on bags of Fritos.

  These representations are dangerously misleading. The hackers of yore are gone. Most of them have joined tech companies to help find and fix vulnerabilities in networks and systems—what’s known as “white hat” hacking. Those who remain aren’t lone-wolf anarchists. They’re spies: intelligence service experts trained to use traditional spy craft to recruit individuals at targeted organizations and steal their access to information. These spies are sophisticated, devious, and well funded—and they’re behind all of the major security breaches we’ve experienced this century.

  We once filed documents in towering cabinets, coded and organized by secretaries who held the keys to the kingdom. Spies would loiter in bars outside government buildings, waiting with a friendly ear for evening alcoholics looking to complain about the boss or bureaucracy. They would search out highly placed individuals who had a secret they wanted buried, those who had lost faith in America or those in financial distress who needed fast cash to make ends meet. After long recruitment periods that involved sham friendships, bribes, and often threats, these marks became the perfect inside men to extract the paper that held the secrets. But, as businesses and government agencies began to trade the file cabinets for computer systems and servers, cell phones and laptops, thumb drives and cloud-based computing, spies had to evolve.

  Which is exactly what the Russians did. While the United States, stunned by the 9/11 attacks, focused on counterterrorism, Russian military and intelligence services invested in cyberwarfare. As early as 1999, Russia’s state security services used cyberattacks to spread propaganda and disinformation. In 2013, Russia’s Ministry of Defense established a cyber unit responsible for offensive and defensive cyber operations such as using malware to compromise critical infrastructure command and control systems. Today Russian intelligence often contracts out these attacks to nongovernmental freelance proxies, including criminal groups, mercenaries, and unemployed students. When the attacks are inevitably traced to Russian soil, the government enjoys deniability. In the last few years, computer-security experts have caught attackers with ties to the Kremlin sneaking around in systems that manage US electric power grids, air-traffic control, mass-transit systems, and oil and gas networks, to rattle off a few.

  According to the US intelligence community’s 2015 Worldwide Threat Assessment Report, Russia is one of the “most sophisticated nation-state actors” in cyberwarfare, and Russian hackers are renowned for their inventiveness and sheer programming power. The report goes on to warn that “Russia is taking information warfare to a new level, working to fan anti-US and anti-Western sentiment both within Russia and globally.” By using Russian state-controlled media to publish false and misleading stories that discredit the United States and build sympathy for Russian positions, Putin gets to control the narrative—to devastating effect.

  There are no hackers; there are only spies. Hacking is the necessary evolution of espionage. Just as the FBI had looked in all the wrong places for Hanssen, the United States and our allies had missed the mark in preventing cyberattacks. The Russians still have spies in the worst possible place. But today, many of those spies don’t even know that they’re compromised.

  CHAPTER 27

  THERE ARE NO HACKERS, ONLY SPIES

  On Friday, May 12, 2017, North Korea started a pandemic that made the world look up and listen. Bright-red screens popped up on more than 200,000 infected computers worldwide, with a mocking message demanding that users pay $300 in Bitcoin to the attackers before a countdown timer expired and all their data disappeared forever. Those who did pay quickly learned that the ransom demand was a hoax: all the data was already gone. More than 150 countries desperately fought the attack, but resistance was futile. The malware leapt across borders at the speed of thought, worming its way through businesses and government agencies, wreaking havoc in banks and universities, shutting down airports and bringing hospitals to a standstill.

  After infecting a Windows computer, the WannaCry ransomware worm encrypted files on the hard drive, making them impossible to access, then demanded a ransom payment in order to decrypt them. WannaCry was so deadly in part because it relied on some of the best hacking tools that exist—tools that were created by the US government. As espionage has evolved, American spy agencies have evolved with it. The FBI has focused on defending against the new threats. But the NSA and the CIA are on the offensive, developing secret attack tools that exploit vulnerabilities and flaws in computer operating systems to quietly infiltrate, disrupt, and collect information. Together, they create a virtual arsenal that complements the United States’ kinetic military might.

  Unfortunately, it’s much easier to steal a few thousand lines of code than a nuclear warhead. In 2016, a group called the Shadow Brokers raided the NSA’s Tailored Access Operations (TAO) program, which attacks foreign computers to gather intelligence. On April 8, 2017, they published the password to access some of TAO’s secret hoard of attack tools within a ranting political post. Less than a year later, the CIA lost the keys to what WikiLeaks named Vault 7—the CIA’s cyberoffensive stockpile. In one of the largest document leaks in the CIA’s history, WikiLeaks released thousands of pages outlining sophisticated tools and techniques the agency allegedly used to break into mobile phones, Internet of Things (IoT) devices, and computers. The leaks are a catalog of offensive hacking tools that include instructions for compromising a wide range of common devices and computer programs, including Skype, Wi-Fi networks, PDFs, and even virus scanners. If you believe WikiLeaks, the entire archive of stolen CIA material consists of several hundred million lines of computer code. It was like putting a virtual gun in the hand of every angry hacker on the planet.

  One software vulnerability lost in the NSA hack was named EternalBlue. EternalBlue works by exploiting the Microsoft Windows operating system Server Message Block, a network file-sharing protocol that allows applications on a computer to read and write to files and to request services that are on the same network. In other words, attackers could use the vulnerability not only to install malicious software on vulnerable computers but also to use that malware to “talk” to other computers on the same network and spread itself like the viruses our children routinely bring home from school. It was EternalBlue that had made WannaCry spread so quickly and effectively.

  The NSA knew that EternalBlue would likely come back to haunt it. As soon as it discovered the attack, it informed Microsoft, which immediately solved the problem by releasing an inoculation, what’s typically called a “patch,” which fixes the vulnerability that the virus was designed to exploit. But even though the patch was released well before the WannaCry attack took place, at least 200,000 computers hadn’t installed it.

  In fact, the vast majority of data breaches result from out-of-date software. In June 2017, havoc struck Ukraine. On Ukraine’s Constitution Day, the country’s government, banks, and largest power companies scrambled to work around computer systems locked by black screens with red letters stating “Oops, your important files are encrypted.” The Ukrainian Interior Ministry called the attack, dubbed NotPetya, the biggest cyberattack in Ukraine’s history. Cyber spies had launched the attack by compromising a software update mechanism built into M.E.Doc, an accounting program used by firms working with the Ukrainian government, and spread it by using the same EternalBlue exploit that WannaCry deployed. Ukraine’s security service immediately accused Russia, which had begun making military incursions into Ukraine in 2014, of starting the second pandemic. The CIA later agreed with “high confidence” that the Russian GRU had launched the attack, one of many to occur after the Russian annexation of Crimea. But the damage wasn’t limited to Ukraine. Nearly 100,000 computer systems fell prey to NotPetya, including systems in both Ukraine and Russia, throughout Europe and North America, and as far away as Australia.

  WannaCry and NotPetya—indeed, most of the most damaging cyberattacks we’ve seen in the past few years—are both examples of what’s called ransomware, a cunning malware that encrypts digital files and demands a ransom to unlock them. Often the attacker tricks human targets into infecting their own computer systems by enticing them to open an infected attachment or click on a malicious link. Ransomware attacks are so successful that they have grown faster than any other cybercrime in the last five years, rising from an estimated $350 million in damage costs in 2015 to $1 billion in 2016 and $5 billion in 2017. We are not stopping the problem. Cybersecurity Ventures, a global cybersecurity researcher, predicts that global ransomware damage costs will exceed $11.5 billion annually by 2019.

  Successful ransomware attackers target soft targets, those with inferior security and the most to lose if their computer systems are locked away. Small and medium-sized businesses in the health-care, technology, energy, and banking sectors are often primary targets. These attacks can break a company. According to a 2017 IBM and Ponemon Institute study, the average cost of a data breach is $3.62 million. Cybersecurity Ventures estimates cybercrime will be responsible for $6 trillion in damage annually by 2021. If data is the primary currency of our lives, cyberattackers have their eyes on the vault.

  In the last two years, the most critical and devastating cyberattacks have targeted individuals via email. These “spearphishing” attacks are often highly personal, requiring dedicated analysis and research of the target, which they then leverage in order to socially engineer a person into providing account access without their knowledge. Infiltration, subterfuge, disruption, and recruitment: the tools of a spy.

  * * *

  On a Saturday morning in March 2016, John Podesta, chairman of the Hillary Clinton for President Campaign, received an email from the Gmail Team telling him to change his password immediately. Podesta used his john.podesta@gmail account to run the business of the campaign, weigh in on critical decisions, influence and set strategy, and occasionally call out people for foolishness or join in on attacks against Republican rivals and stubborn constituents. Like many people with an email account, Podesta used his Gmail as a kind of second brain. If someone were to read through the 50,000 or so emails of his within Google’s hidden vaults, they would find a rapidly searchable catalog of his thoughts as he wrote them.

  The email from the Google Team would cause even the most dispassionate person to feel a sinking sense of dread.

  From: Google

  Date: March 19, 2016 at 4:34:30 AM EDT

  To: john.podesta@gmail.com

  Subject: Someone has your password

  Hi John

  Someone just used your password to try to sign in to your Google Account john.podesta@gmail.com.

  Details:

  Saturday, 19 March, 8:34:30 UTC

  IP Address: 134.249.139.239

  Location: Ukraine

  Google stopped this sign-in attempt. You should change your password immediately.

  CHANGE PASSWORD https://bit.ly/​1PibSU0

  Best,

  The Gmail Team

  You received this mandatory email service announcement to update you about important changes to your Google product or account.

  The thought that someone might have tried to hack into his account probably didn’t surprise him. The FBI had briefed the campaign about the possibility that the Chinese or Russians might try to steal their information. None of this was news to Podesta, who had written a 2014 report on cyber privacy for President Barack Obama. He knew his way around a cyberattack or two.

  Anyone with a little cybersecurity training would think the email looked fishy. The account came from no-reply@accounts.googlemail.com, which looked a lot like a legitimate address, but the location was off. Ukraine. Russia had it in for those guys, and the political fallout from Ukraine’s decision to turn its back on Mother Russia had turned Ukraine into a hot zone for hackers and cyberwarfare. It was possible that this warning email was a Ukrainian attempt to compromise the email of the most I’m with Her of Clinton’s cadre. The email looked legitimate, but appearances were deceptive. Podesta ignored the email’s instructions.

  Then Podesta did what all executives with far too many responsibilities have done since the beginning of time: he handed the problem off to someone else. Podesta forwarded the email to Sara Latham, his chief of staff, and before ten a.m., his efficient staff had forwarded the email twice and received the counsel of Charles Delavan, the IT helpdesk manager for the Hillary campaign. Latham and Podesta received Delavan’s reply:

  This is a legitimate email. John needs to change his password immediately, and ensure that two-factor authentication is turned on [for] his account.

  He can go to this link: https://myaccount.google.com/​security to do both. It is absolutely imperative that this is done ASAP.

  Delavan meant to say “this is not a legitimate email,” but damn you, autocorrect. Had he picked up the phone and had a conversation with Sara Latham or, better yet, gotten in his car and driven over to Podesta’s house, no one would have clicked on the link. In Delavan’s defense, had Podesta’s team followed Delavan’s instructions to the letter, Clinton’s chief of staff would have changed his password from within Google’s secure website. Had the Clinton campaign pursued sufficient cybersecurity, Podesta would have used an internal and monitored hillaryclinton.com address that leveraged two-factor authentication and robust encryption rather than a personal Gmail account. Instead, one click changed everything. Latham included Milia Fisher, Podesta’s special assistant, on the chain, and although it is unclear whether Podesta, Fisher, or another staffer clicked on the link in the original email, the act transformed Podesta from a kingmaker to a virtual trusted insider—a compromised mole who had no knowledge of his treachery.
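A defender-side triage of the message quoted above, as an added example that is not from the book: it flags the shortened link, any link whose domain does not match the sender's, and the urgent reset wording that the author describes as the warning signs. The two sample messages are constructed to mirror the page's email (with a placeholder shortlink, not the original one), and the registrable-domain helper is a deliberate simplification that assumes no public-suffix list.

```python
import re
from urllib.parse import urlparse

# Constructed sample mirroring the message on the page; the shortlink is a placeholder.
PHISHING_SAMPLE = """From: Google <no-reply@accounts.googlemail.com>
To: john.podesta@gmail.com
Subject: Someone has your password

Hi John
Someone just used your password to try to sign in to your Google Account.
IP Address: 134.249.139.239
Location: Ukraine
Google stopped this sign-in attempt. You should change your password immediately.
CHANGE PASSWORD https://bit.ly/CONSTRUCTED-shortlink
"""

# Constructed sample of what the helpdesk advice amounted to: go to the account
# security page on the sender's own domain rather than through a shortened link.
LEGIT_SAMPLE = """From: Google <no-reply@accounts.google.com>
To: john.podesta@gmail.com
Subject: Security alert

Review recent activity and change your password immediately if it was not you:
https://myaccount.google.com/security
"""

# Hosts of common link shorteners; a shortened link hides its real destination.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}
URGENCY_RE = re.compile(r"change your password immediately", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels of the host.
    Assumption: no public-suffix list, which is adequate for .com hosts here."""
    return ".".join(host.lower().rsplit(".", 2)[-2:])


def triage_email(raw: str) -> list[str]:
    """Return human-readable findings for a password-reset style email."""
    headers, _, body = raw.partition("\n\n")
    sender = re.search(r"^From:.*?<?([\w.+-]+@[\w.-]+)>?$", headers, re.M)
    sender_domain = registrable_domain(sender.group(1).split("@")[1]) if sender else ""
    findings = []
    for url in re.findall(r"https?://\S+", body):
        host = urlparse(url).hostname or ""
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened link hides destination: {url}")
        elif registrable_domain(host) != sender_domain:
            findings.append(f"link domain {host} does not match sender {sender_domain}")
    # Urgent reset wording is only escalated when paired with a suspicious link.
    if findings and URGENCY_RE.search(body):
        findings.append("urgent password-reset wording combined with suspicious link")
    return findings
```

Running `triage_email` on the first sample reports the shortener and the urgency pairing; on the second sample, where the only link stays on the sender's own domain, it reports nothing.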
