NSA Zero Day Tools Likely Left Behind By Careless Operative

from the opsec-only-works-if-you-do-it-100%-of-the-time dept

More information is surfacing on the source of the NSA’s hacking tools discovered and published by the Shadow Brokers. Just as Ed Snowden pointed out shortly after the tools first appeared online, the problem with sticking a stash of hacking tools on equipment you don’t own is that others can access the tools, too… especially if an operative doesn’t follow through on the more mundane aspects of good opsec.

Here’s where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us — and occasionally succeed. Knowing this, NSA’s hackers (TAO) are told not to leave their hack tools (“binaries”) on the server after an op. But people get lazy.

Reuters has exclusive (but anonymous) interviews with personnel involved in the investigation which indicates other, more exculpatory theories are likely wrong.

Various explanations have been floated by officials in Washington as to how the tools were stolen. Some feared it was the work of a leaker similar to former agency contractor Edward Snowden, while others suspected the Russians might have hacked into NSA headquarters in Fort Meade, Maryland.

But officials heading the FBI-led investigation now discount both of those scenarios, the people said in separate interviews.

NSA officials have told investigators that an employee or contractor made the mistake about three years ago during an operation that used the tools, the people said.

And what a mistake it was. Tools purchased or developed by the NSA’s Tailored Access Operations (TAO) are now — at least partially — in the public domain. The other aspect of this unprecedented “mistake” being confirmed is the fact that the NSA couldn’t care less about collateral damage.

That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said.

Three years of unpatched holes, one of them a zero day that affects a great deal of Cisco’s networking equipment. Not only was TAO’s operation security compromised, but so were any number of affected products offered by US tech companies.

However, investigators are still looking into the possibility that the tools were left behind deliberately by a disgruntled TAO operative. This theory looks far better on the NSA than another theory also being examined: that multiple operatives screwed up in small ways, compounding each other’s mistakes and (eventually) leading to a public showing of valuable surveillance tools.

As for the official, on-the-record comment… no comment. The FBI and Director of National Intelligence declined to provide Reuters with a statement.

The NSA has long refused to acknowledge the inherent dangers of hoarding exploits and deploying them with little to no oversight. It’s unclear whether this incident will change this behavior or make it a more-forthcoming partner in the Liability Equities Process. What is has proven is that the NSA makes mistakes like any other agency — whether the tools were left behind accidentally or deliberately. It’s just that when the NSA screws up, it exposes its willingness to harm American tech companies to further its own intelligence needs.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “NSA Zero Day Tools Likely Left Behind By Careless Operative”

Subscribe: RSS Leave a comment
That One Guy (profile) says:

Trust building, government style

That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said.

And yet somehow it’s the fault of the tech industry that the relationship between it and the government isn’t as cozy as the government would like it to be. That the tech companies are to blame for not trusting the government and granting their every request, requests which would of course serve only to benefit them, the government, and especially the public, and could never have any unfortunate downsides or ulterior motives.


DannyB (profile) says:

Re: Re:

Can a president create a new form of press conference called the “You’re Fired!” press conference? The purpose of calling one of these particular press conferences would be to make a public spectacle of someone who disagrees with an administration policy, or who failed to show deep enough submission and respect, or who has done the unthinkable and submitted a resignation.

This type of press conference would be held in a different press facility that has suitable lighting and pyrotechnic effects in order to give the proper reality tv show dignity that such a presidential function deserves.

Anonymous Coward says:

Most likely scenario

that multiple operatives screwed up in small ways, compounding each other’s mistake

This is how most problems occur. Rarely do they happen for any single given cause but a compounding of errors. Sadly, for all the risk they put tech companies in, and our own government, they haven’t prevented a single attack. Not 1. So we should be asking if all the risk is worth it?

William Null says:

These tools were left pretty much on purpose

Ed Snowden is not the only one. There are multiple people like him working in various intelligence agencies all over the world. The thing is that the intelligence community had became drunk with power and as such, corrupt.

At first, this was just bunch of random operatives doing stuff like sending docs to wikileaks, but as spies tend to do, they’ve created network. Data is mostly transmitted over modulated radio frequencies that aren’t wifi and can travel pretty damn far (no connection with so-called number stations).

There’s in fact a pretty huge leak incoming, regarding some space stuff and also more survelliance tools. Most intelligence agencies that matter have been infiltrated by the network, American, Russian, British, German, you name it. And even if an operative is caught, they can’t reveal any valuable info as most of network operatives don’t even know who others are, for their own protection. While those who know, are at or near the top of their respective agency so they are well-protected and can arrange escape in case operative of the network is caught.

cryophallion (profile) says:

Supposedly were watching to see who used them

I read in some article on this that the NSA was “watching the internet closely” to see if anyone else started using these tools, to try and use it to see if whoever did it would out themselves, so they could track them down.

On the other hand, I can also see that these tools were sold to other parties, so that couldn’t be the sole identifier (unless there were code fingerprints). That is, unless there are bidding wars by different nations to the companies that sell the tools, requiring that only they hold that zero day. Which could also be why they didn’t want to report it: they spent a lot to outbid everyone, they don’t want to lose their tool. But I’ve seen other articles which seem to indicate that tools are sold to multiple parties, so take that for what it is worth.

Either way, in their zeal to catch whoever got the tools, they failed to realize that maybe, just maybe, those people would be better at covering their tracks, perhaps by not trying to hack everyone on the face of the earth with them so they wouldn’t be so likely to leave traces.

This just goes to show: When your motivation is retaliation or face saving, you almost never win. When you own up, it almost always goes better for you. Everyone makes mistakes, so people are (generally) understanding of making mistakes. It’s when people lie, blame someone else, make excuses, etc that people start to get really annoyed. When will corporations and politicians finally understand this? It’s almost never the mistake that causes all the issues. If Hillary had just said “Yup, I ran a private server, that was dumb of me, I am sorry”, then seriously, I doubt we’d still be talking about it. If Clinton and Bush had said “Yup, we thought there were WMD’s, but we were wrong, we are sorry”, people wouldn’t be quite so pissed off.

I used to love deflating my boss storming in mad by admitting I was wrong, and owning it. I told him I’d go back to being perfect tomorrow, but I’d try to fix this issue today. Half his bluster was lost because he knew he’d made mistakes too, but he expected me to throw someone else under the bus or make excuses. Then I’d call the customer, admit I was wrong, make it right, and then shockingly, the next time they needed something, they’d call me since I treated them right and was honest.

So instead of just owning it, they hid and were looking at the internet to “catch them”. They should have come out. But then again, we just expect this narrative now, don’t we?

Michael (profile) says:

Re: Supposedly were watching to see who used them

the NSA was “watching the internet closely” to see if anyone else started using these tools

You must be confusing the 3 letter acronym agencies. It’s the FBI that crafts conspiracies, provides tools to conduct illegal activity, and then waits for some unsuspecting idiot to follow them into a jail sentence.

The NSA simply waits for something bad to happen and then complains that they need more power to prevent this from happening again in the future.

Anonymous Coward says:

But people get lazy

Spoken like somebody who has never configured themselves out of a remote machine.

These hacks, are by definition experimental. The likelyhood of things going wrong in a way that breaks network connectivity is actually quite high.

Not to mention that simply pulling the CAT5 out of the machine, is often the first move made by admins when they detect a compromise.

Yes, the binaries are often left behind. That is not necessarily within the control of the hacker. It is a known risk.

And since the risk is known, doing so makes the accidental dissemination of their tools criminal negligence. They knew that there would be side effects. They did it anyway. The side effects caused a loss. The parties who have experienced a loss have a case.

The fact that the source refers to binaries being left behind as being the result of “lazy” people, is telling. This is either an attempt to obfuscate the situation, or the source isn’t close enough to the metal to know much.

My understanding is that national security does not mitigate the related liability.

However the area 51 chemical burning case seems to suggest that the POTUS may just declare the NSA’s activities legal by presidential order, as Bill Clinton did when workers were poisoned by burning dioxin at groom lake.

SpaceLifeForm says:

Re: pulling the ne6work cable(s)

“Not to mention that simply pulling the CAT5 out of the machine, is often the first move made by admins when they detect a compromise.”


Even then, that may be a mistake.
It may be better to capture packets
on the next upstream router to try to
identify where the malware is calling
home to.

Of course, you may not have any
way to access the next upstream
router or obtain any tech support
from those that manage the next
upstream router. Even worse, that
upstream router may already be
compromised also, so you could not
trust any packet capture there either.

All your packets are belong to us.

AC720 (profile) says:

There will be casualties

The point lost in all of this is that the NSA does not care at all if American companies are damaged by this or American citizen’s data is compromised.

The NSA’s mission is to preserve and defend the nation. If companies or even citizens have to go down as part of the NSA’s job, so be it.

Not one company or person is more important than their mission, probably not even the President.

The ONLY agency with an even higher mission than the NSA is the MJ-12 group, if they even exist at all. Those people put the nation second after whatever is their prime mission.

That One Guy (profile) says:

Re: There will be casualties

The NSA’s mission is to preserve and defend the nation. If companies or even citizens have to go down as part of the NSA’s job, so be it.

Maybe on paper, but in practice it’s more along the lines of:

The NSA’s mission is to preserve the NSA’s power and budget. If companies or even citizens have to go down as part of the NSA’s job, so be it.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...