NSA Zero Day Tools Likely Left Behind By Careless Operative

from the opsec-only-works-if-you-do-it-100%-of-the-time dept

More information is surfacing on the source of the NSA's hacking tools discovered and published by the Shadow Brokers. Just as Ed Snowden pointed out shortly after the tools first appeared online, the problem with sticking a stash of hacking tools on equipment you don't own is that others can access the tools, too… especially if an operative doesn't follow through on the more mundane aspects of good opsec.

Here's where it gets interesting: the NSA is not made of magic. Our rivals do the same thing to us -- and occasionally succeed. Knowing this, NSA's hackers (TAO) are told not to leave their hack tools ("binaries") on the server after an op. But people get lazy.

Reuters has exclusive (but anonymous) interviews with personnel involved in the investigation, which indicate that other, more exculpatory theories are likely wrong.

Various explanations have been floated by officials in Washington as to how the tools were stolen. Some feared it was the work of a leaker similar to former agency contractor Edward Snowden, while others suspected the Russians might have hacked into NSA headquarters in Fort Meade, Maryland. But officials heading the FBI-led investigation now discount both of those scenarios, the people said in separate interviews. NSA officials have told investigators that an employee or contractor made the mistake about three years ago during an operation that used the tools, the people said.

And what a mistake it was. Tools purchased or developed by the NSA's Tailored Access Operations (TAO) are now -- at least partially -- in the public domain. The other aspect of this unprecedented "mistake" being confirmed is the fact that the NSA couldn't care less about collateral damage.

That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said.

Three years of unpatched holes, one of them a zero day that affects a great deal of Cisco's networking equipment. Not only was TAO's operational security compromised, but so were any number of affected products offered by US tech companies.

However, investigators are still looking into the possibility that the tools were left behind deliberately by a disgruntled TAO operative. This theory looks far better on the NSA than another theory also being examined: that multiple operatives screwed up in small ways, compounding each other's mistakes and (eventually) leading to a public showing of valuable surveillance tools.

As for the official, on-the-record comment… no comment. The FBI and Director of National Intelligence declined to provide Reuters with a statement.

The NSA has long refused to acknowledge the inherent dangers of hoarding exploits and deploying them with little to no oversight. It's unclear whether this incident will change this behavior or make it a more forthcoming partner in the Liability Equities Process. What it has proven is that the NSA makes mistakes like any other agency -- whether the tools were left behind accidentally or deliberately. It's just that when the NSA screws up, it exposes its willingness to harm American tech companies to further its own intelligence needs.


Filed Under: carelessness, hacking tools, nsa, surveillance, zero day