
The Surreal Case of a C.I.A. Hacker’s Revenge

A hot-headed coder is accused of exposing the agency’s hacking arsenal. Did he betray his country because he was pissed off at his colleagues?

By Patrick Radden Keefe | The New Yorker

Nestled west of Washington, D.C., amid the bland northern Virginia suburbs, are generic-looking office parks that hide secret government installations in plain sight. Employees in civilian dress get out of their cars, clutching their Starbucks, and disappear into the buildings. To the casual observer, they resemble anonymous corporate drones. In fact, they hold Top Secret clearances and work in defense and intelligence. One of these buildings, at an address that is itself a secret, houses the cyberintelligence division of the Central Intelligence Agency. The facility is surrounded by a high fence and monitored by guards armed with military-grade weapons. When employees enter the building, they must badge in and pass through a full-body turnstile. Inside, on the ninth floor, through another door that requires badge access, is a C.I.A. office with an ostentatiously bland name: the Operations Support Branch. It is the agency’s secret hacker unit, in which a cadre of élite engineers create cyberweapons.

“O.S.B. was focussed on what we referred to as ‘physical-access operations,’ ” a senior developer from the unit, Jeremy Weber—a pseudonym—explained. This is not dragnet mass surveillance of the kind more often associated with the National Security Agency. These are hacks, or “exploits,” designed for individual targets. Sometimes a foreign terrorist or a finance minister is too sophisticated to be hacked remotely, and so the agency is obliged to seek “physical access” to that person’s devices. Such operations are incredibly dangerous: a C.I.A. officer or an asset recruited to work secretly for the agency—a courier for the terrorist; the finance minister’s personal chef—must surreptitiously implant the malware by hand. “It could be somebody who was willing to type on a keyboard for us,” Weber said. “It often was somebody who was willing to plug a thumb drive into the machine.” In this manner, human spies, armed with the secret digital payloads designed by the Operations Support Branch, have been able to compromise smartphones, laptops, tablets, and even TVs: when Samsung developed a set that responded to voice commands, the wizards at the O.S.B. exploited a software vulnerability that turned it into a listening device.

The members of the O.S.B. “built quick-reaction tools,” Anthony Leonis, the chief of another cyberintelligence unit of the C.I.A., said. “That branch was really good at taking ideas and prototypes and turning them into tools that could be used in the mission, very quickly.” According to the man who supervised the O.S.B., Sean, the unit could be “a high-stress environment,” because it was supporting life-or-death operations. (With a few exceptions, this piece refers to agency employees by pseudonyms or by their first names.)

But, while these jobs were cutting edge and—at least vicariously—dangerous, the O.S.B. was, in other respects, just like any office. There was a bullpen of cubicle workstations. A dozen or so people clocked in every day. “We were kind of known as the social branch,” another O.S.B. employee, Frank Stedman, recalled. The experience of O.S.B. engineers bore some resemblance to the Apple TV+ drama “Severance,” in that each morning they entered a milieu with its own customs and camaraderie—one sealed off from the rest of their lives. Because of national-security concerns, they couldn’t take work home, or talk with anyone on the outside about what they did all day. Their office was a classified sanctum, a locked vault. Like the crew of a submarine, they forged strong bonds—and strong antagonisms.

There was banter, plenty of it, much of it jocular, some of it juvenile. The coders were mostly young men, and they came up with nicknames for one another. One unit member, who got braces as an adult, became known as Train Tracks. When another brought food into the office one day, but didn’t share it with some members of the team, his colleagues bestowed a new handle: Dick Move. The group’s ultimate manager was a more senior C.I.A. official, named Karen, who acknowledged that the members could get “boisterous,” adding, “Folks could get a little loud, a little bit back and forth.” Some O.S.B. guys brought Nerf guns to work—not mere pistols but big, colorful machine guns—and they would occasionally shoot darts at one another from their desks. Sometimes people got carried away, and work was paused for some sustained bombardment. But Silicon Valley was known for tricking out offices with foosball tables and climbing walls, and it’s likely that the C.I.A. wanted to foster a loose culture on the hacking team, to help engineers remain innovative and, when necessary, blow off steam.

One of the Nerf gunfighters was Joshua Schulte—his real name. A skinny Texan in his twenties, he had a goatee and a shaved head. In what may have been a preëmptive gambit, Schulte gave himself the nickname Bad Ass, going so far as to make a fake nameplate and stick it on his cubicle. But others in the office called him Voldemort—a reference to the hairless villain in the Harry Potter books. Schulte and his colleagues worked on sophisticated malware with such code names as AngerQuake and Brutal Kangaroo. The hackers christened their exploits with names that reflected personal enthusiasms. Several programs were named for brands of whiskey: there was Wild Turkey, and Ardbeg, and Laphroaig. One was called McNugget. Though there was something dissonantly adolescent about naming highly classified digital hacking tools in such a fashion, it seemed harmless enough: if the tools worked as planned, none of the code would ever be detected. And, if the target of an operation did discover that some nasty bit of malware had infiltrated her device, a silly name would offer no clue that it had been created by the United States government. Deniability was central to what the O.S.B. did.

On March 7, 2017, the Web site WikiLeaks launched a series of disclosures that were catastrophic for the C.I.A. As much as thirty-four terabytes of data—more than two billion pages’ worth—had been stolen from the agency. The trove, billed as Vault 7, represented the single largest leak of classified information in the agency’s history. Along with a subsequent installment known as Vault 8, it exposed the C.I.A.’s hacking methods, including the tools that had been developed in secret by the O.S.B., complete with some of the source code. “This extraordinary collection . . . gives its possessor the entire hacking capacity of the C.I.A.,” WikiLeaks announced. The leak dumped out the C.I.A.’s toolbox: the custom-made techniques that it had used to compromise Wi-Fi networks, Skype, antivirus software. It exposed Brutal Kangaroo and AngerQuake. It even exposed McNugget.

In the days after this colossal breach became public, the C.I.A. declined to comment on the “authenticity or content of purported intelligence documents.” Internally, however, there was a grim realization that the agency’s secrets had been laid bare. “I was sick to my stomach,” Karen, the O.S.B. supervisor, later recalled. “That information getting out into a forum like that can hurt people and impact our mission. It’s a huge loss to the organization.” Malicious code that had originated at the C.I.A. could now be attributed to the agency. And the potential fallout extended beyond the digital realm: a foreign target who had been hacked might now be able to identify the malware, determine when it had been placed on a device, and even deduce which trusted member of the inner circle had engaged in betrayal. In the estimation of another senior C.I.A. official, Sean Roche, the leak amounted to “a digital Pearl Harbor.”

But who could have stolen the data? In a statement, WikiLeaks suggested that the person who shared the intelligence wished “to initiate a public debate” about the use of cyberweapons. But WikiLeaks had also shown, quite recently, a willingness to be a mouthpiece for foreign intelligence services: in 2016, the site had released e-mails from the Democratic National Committee which had been stolen by hackers working on behalf of the Kremlin. Vault 7, some observers speculated, might also be the work of a hostile government. James Lewis, of the Center for Strategic and International Studies, told the Times, “A foreign power is much more likely the source of these documents than a conscience-stricken C.I.A. whistle-blower.” Perhaps Russia was again the culprit. Or might it be Iran?

Given that the software exposed in Vault 7 had been maintained on a proprietary C.I.A. computer network that was not connected to the Internet, the spectre of espionage raised another alarming possibility. Might a foreign adversary have obtained “physical access”—smuggling a tainted thumb drive into the C.I.A.? Had the agency’s own modus operandi been used against it?

As the intelligence community mobilized to identify the source of the leak, the federal government found itself in an awkward position—because Donald Trump, shortly before being elected President, had celebrated the hacking of Democratic officials, declaring, “I love WikiLeaks.” Nevertheless, this new breach was perceived as such an egregious affront to U.S. national security that the Administration was determined to get to the bottom of it. The F.B.I. began an investigation, and agents worked around the clock. But an atmosphere of paranoia enshrouded the inquiry. One F.B.I. agent described how a C.I.A. officer who was approached for an interview reacted with reflexive suspicion, pointing out that anyone “can say they’re an F.B.I. agent.”

The Bureau was pursuing what it calls an