NSA Zero Day Tools Likely Left Behind By Careless Operative

from the opsec-only-works-if-you-do-it-100%-of-the-time dept

More information is surfacing on the source of the NSA's hacking tools discovered and published by the Shadow Brokers. Just as Ed Snowden pointed out shortly after the tools first appeared online, the problem with sticking a stash of hacking tools on equipment you don't own is that others can access the tools, too… especially if an operative doesn't follow through on the more mundane aspects of good opsec.

Here's where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us -- and occasionally succeed. Knowing this, NSA's hackers (TAO) are told not to leave their hack tools ("binaries") on the server after an op. But people get lazy.

Reuters has exclusive (but anonymous) interviews with personnel involved in the investigation, which indicate that the other, more exculpatory theories are likely wrong.

Various explanations have been floated by officials in Washington as to how the tools were stolen. Some feared it was the work of a leaker similar to former agency contractor Edward Snowden, while others suspected the Russians might have hacked into NSA headquarters in Fort Meade, Maryland.

But officials heading the FBI-led investigation now discount both of those scenarios, the people said in separate interviews.

NSA officials have told investigators that an employee or contractor made the mistake about three years ago during an operation that used the tools, the people said.

And what a mistake it was. Tools purchased or developed by the NSA's Tailored Access Operations (TAO) are now -- at least partially -- in the public domain. The other aspect of this unprecedented "mistake" being confirmed is the fact that the NSA couldn't care less about collateral damage.

That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said.

Three years of unpatched holes, one of them a zero day that affects a great deal of Cisco's networking equipment. Not only was TAO's operation security compromised, but so were any number of affected products offered by US tech companies.

However, investigators are still looking into the possibility that the tools were left behind deliberately by a disgruntled TAO operative. This theory looks far better on the NSA than another theory also being examined: that multiple operatives screwed up in small ways, compounding each other's mistakes and (eventually) leading to a public showing of valuable surveillance tools.

As for the official, on-the-record comment… no comment. The FBI and Director of National Intelligence declined to provide Reuters with a statement.

The NSA has long refused to acknowledge the inherent dangers of hoarding exploits and deploying them with little to no oversight. It's unclear whether this incident will change this behavior or make it a more forthcoming partner in the Liability Equities Process. What it has proven is that the NSA makes mistakes like any other agency -- whether the tools were left behind accidentally or deliberately. It's just that when the NSA screws up, it exposes its willingness to harm American tech companies to further its own intelligence needs.

Filed Under: carelessness, hacking tools, nsa, surveillance, zero day

Reader Comments


  1. cryophallion (profile), 26 Sep 2016 @ 5:55am

    Supposedly were watching to see who used them

    I read in some article on this that the NSA was "watching the internet closely" to see if anyone else started using these tools, to try and use it to see if whoever did it would out themselves, so they could track them down.

    On the other hand, I can also see that these tools were sold to other parties, so that couldn't be the sole identifier (unless there were code fingerprints). That is, unless there are bidding wars by different nations to the companies that sell the tools, requiring that only they hold that zero day. Which could also be why they didn't want to report it: they spent a lot to outbid everyone, they don't want to lose their tool. But I've seen other articles which seem to indicate that tools are sold to multiple parties, so take that for what it is worth.

    Either way, in their zeal to catch whoever got the tools, they failed to realize that maybe, just maybe, those people would be better at covering their tracks, perhaps by not trying to hack everyone on the face of the earth with them so they wouldn't be so likely to leave traces.

    This just goes to show: when your motivation is retaliation or face saving, you almost never win. When you own up, it almost always goes better for you. Everyone makes mistakes, so people are (generally) understanding of making mistakes. It's when people lie, blame someone else, make excuses, etc. that people start to get really annoyed. When will corporations and politicians finally understand this? It's almost never the mistake that causes all the issues. If Hillary had just said "Yup, I ran a private server, that was dumb of me, I am sorry", then seriously, I doubt we'd still be talking about it. If Clinton and Bush had said "Yup, we thought there were WMDs, but we were wrong, we are sorry", people wouldn't be quite so pissed off.

    I used to love deflating my boss storming in mad by admitting I was wrong, and owning it. I told him I'd go back to being perfect tomorrow, but I'd try to fix this issue today. Half his bluster was lost because he knew he'd made mistakes too, but he expected me to throw someone else under the bus or make excuses. Then I'd call the customer, admit I was wrong, make it right, and then shockingly, the next time they needed something, they'd call me since I treated them right and was honest.

    So instead of just owning it, they hid and were looking at the internet to "catch them". They should have come out. But then again, we just expect this narrative now, don't we?
