The Spooks Struggle with Reciprocity

I’ve written a lot about the norms (or lack thereof) that the US might set by indicting nation-state hackers for their spying. Notably, I was the first to formally note that Shadow Brokers had doxed some NSA hackers in his April release.

On Friday, along with details about previously unknown, very powerful Microsoft vulnerabilities and details on the 2013 hacking of the SWIFT financial transfer messaging system, ShadowBrokers doxed a number of NSA hackers (I won’t describe how it did so or whom it named — that’s easy enough to find yourself). Significantly, it exposed the names of several of the guys who personally hacked the EastNets SWIFT service bureau, targeting (among other things) Kuwait’s Fund for Arab Economic Development and the Palestinian al Quds bank. They also conducted reconnaissance on at least one Belgium-based EastNets employee. These are guys who — assuming they moved on from NSA into the private sector — would travel internationally as part of their job, even aside from any vacations they take overseas.

In other words, ShadowBrokers did something the Snowden releases and even WikiLeaks’ Vault 7 releases have avoided: revealing the people behind America’s state-sponsored hacking.

Significantly, in the context of the SWIFT hack, it did so in an attack where the victims (particularly our ally Kuwait and an apparent European) might have the means and the motive to demand justice. It did so for targets that the US has other, legal access to, via the Terrorist Finance Tracking Program negotiated with the EU and administered by Europol. And it did so for a target that has subsequently been hacked by people who might be ordinary criminals or might be North Korea, using access points (though not the sophisticated techniques) that NSA demonstrated the efficacy of targeting years earlier and which had already been exposed in 2013. Much of the reporting on the SWIFT hack has claimed — based on no apparent evidence and without mentioning the existing, legal TFTP framework — that these hacks were about tracking terrorism finance. But thus far, there’s no reason to believe that’s all that the NSA was doing, particularly with targets like the Kuwait development fund.

Yesterday, the spook site Cipher Brief considered the issue (though mostly by calling on CIA officers rather than NSA hackers).

But I was surprised by a number of things these men (seemingly, Cipher Brief couldn’t find women to weigh in) missed.

First (perhaps predictably given the CIA focus), there’s a bias here on anonymity tied to location, the concern that a hacker might have to be withdrawn, as in this comment from Former Acting Assistant Secretary of Defense for Homeland Defense and Americas’ Security Affairs Todd Rosenblum.

It can lead to the recall of exposed and vulnerable officers that are hard to train and embed in the first place.

And this, from John Sipher.

They can arrest or intimidate the officer, they can kick the officer out of the country or can look to publicly shame or embarrass the officer and his/her country.

But the former NSA spooks who’ve been most vocal about being outed — notably Jake Williams, whom Shadow Brokers exposed even before he released documents with more NSA hackers identified in the metadata, but also Dave Aitel — are concerned about traveling. They largely hacked from the comfort of the US, so being doxed primarily will implicate their freedom of movement going forward (which is directly analogous to Russian hackers, who keep getting arrested while on vacation in US friendly countries). In addition to making vacation planning more complicated, doxing former NSA hackers may limit their consulting options going forward.

These spooks struggle with reciprocity. Consider these two passages in the post:

Russian, Chinese and Iranian governments might seek to retaliate in-kind – which among authoritarian governments often rhymes, rather than duplicates, Western actions.

[snip]

Perhaps most importantly, the intention is part of a larger attempt to create a false moral equivalence between U.S. offensive cyber operations and those perpetrated by adversarial nation-states such as Russia, whose cyber operations leading up Western elections have grabbed the media spotlight.

And this comment from former Chief of Station in Russia Steven Hall:

The Russians live and die by reciprocity. For them, that is one of the linchpins of how they deal with issues like these, and basic diplomatic and policy issues. Typically it has been that if we expel five of their guys, they are going to turn around and expel five of ours. They are always going to look for a reciprocal way to push back. But there are times where they do things that aren’t always clear to us why they consider it reciprocal. And this might be one of those things.

It’s clear they’d like to distinguish what Russia does from what US hackers do. But aside from noting that US doxing of foreign nation-state hackers comes in indictments rather than leaked documents, nothing in this post presents any explanation, at all, about what would distinguish our hackers. That’s remarkable especially since there is one distinction: except where the FBI flips criminal hackers (as in the case of Sabu), our former spook hackers generally don’t use their skills for their own profit while also working for the state. Though perhaps that’s because defense contractors make such a killing in this country: why steal when Congress will just hand over the money?

Other than that, though, I can think of no distinction. And until our spooks and policy makers understand that, we’re going to be the ones impeding any norm-setting about this, not other countries.

But I’m most struck by the rather thin conclusions about the purpose of Shadow Brokers’ doxing, which the post sees as about fear.

If the Shadow Brokers are in fact linked to the Kremlin, then the doxing of NSA hackers is designed to similarly impede current and former U.S. cyber operators from traveling and engaging in clandestine operations abroad – particularly should targeted countries, including allies, take legal action against the individuals for their past involvement in NSA operations. It is also designed to instill fear, as the information could potentially inspire violence against the individuals and their families.

I’m sure the doxing is about fear — and also making it even more difficult for the Intelligence Community to recruit skilled hackers.

But there are at least two other purposes the Shadow Brokers doxing appears to have served.

First, as I noted, the release itself revealed that the US continued to hack SWIFT even after Edward Snowden’s leaks. It hacked SWIFT in spite of the fact that the US has front-door access to SWIFT data under the TFTP agreement with the EU. Hypothetically, the US is only supposed to access the data for counterterrorism purposes, but I’ve been assured that the US is in violation of the agreement with the EU on that front. That is, NSA was hacking SWIFT even after the international community had capitulated to the US on access.

By IDing the hackers behind one of the SWIFT hacks, the NSA may have made it easier for other entities to target SWIFT themselves, which has increasingly happened.

More important still, by doxing NSA hackers, Shadow Brokers likely influenced the direction of the investigation, leading the NSA and FBI to focus on the individuals doxed, distracting from other possible modes of compromise (such as the Kaspersky-aided third-person hacks that appear to have happened with Nghia Hoang Pho and possibly even Hal Martin).

More than seven months have passed since Shadow Brokers doxed some NSA hackers, even as he bragged that he had gone nine months by that point without being caught. We still have no public explanation (aside from the Pho plea, if that is one) for how Shadow Brokers stole the NSA’s crown jewels, much less who he is. I’d suggest it might be worth considering whether Shadow Brokers’ doxing — on top of whatever else it did to support Russia’s bid for reciprocity — may have served as incredibly effective misdirection that fed on America’s obsession about insider threats.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

9 replies
  1. earlofhuntingdon says:

    “False moral equivalence”. Nice framing. Not that what we do isn’t equivalent to, or worse than, what other nation-state and non-state actors do, but that we have such nice reasons for doing it that no one could reasonably object. American exceptionalism. In honor of the season, “Bah, humbug.”

  2. orionATL says:

    chapter 1

    it all began with federal judges without backbone. doj lawyers and nsa, cia, and fbi administrator-lawyers discovered that scary national security scenarios would produce malleable federal judges who would not protect and defend the 4th amendment to the constitution. judge scalia’s ballyhoed baloney, “originalism”, disappeared from natsec arguments; where the 4th amendment was concerned, judges respecting the literal meaning of the text of the constitution ducked out of sight. thus it was that national security institutional demands presented as the nation’s actual security necessities became the backdoor to the constitution.

    it did not hinder this development at all that the congressional oversight committees whose responsibility these intelligence agencies were had become too intellectually dim, incurious, and politically authoritarian to pose an effective limit to invasion of citizen privacy thru electronic surveillance.

  3. orionATL says:

    ew writes:

    “… Yesterday, the spook site Cipher Brief considered the issue (though mostly by calling on CIA officers rather than NSA hackers)….”

    i laughed out loud when i saw this. the super-sneaky, super-quiet guys (and apparently guys is all they got) had resorted to creating their own internet site and publication, and created pseudonyms for themselves just so they could meet their felt need to engage in a little public relations offensive – in public and loud.

    the world turned upside down 😜

  4. Rayne says:

    It’s enlightening how much the Cipher Brief’s article exposes an entrenched and narrow mindset.

    Take the characterization of ‘doxing’ as “[r]evealing the identities of intelligence officials.” Doxing isn’t a threat limited to the intelligence community — unless there’s something more they’re hinting at with regard to the myriad trolls who regularly dox women/POC/LGBT/other minority groups on the internet, or the intelligence community’s perspective about them.

    Besides the lack of NSA sources and the dearth of women cited or contributing to this article, there’s another point which particularly annoyed me in its insularity: the notion that the “Russians live and die by reciprocity.” What has and continues to happen to the U.S. is NOT reciprocity; it is asymmetric warfare, warfare by other than traditional military means. I think Tobias Stone’s piece in Medium nails this well — calling it ‘sleep walking’ is accurate.

    Of course Putin might say that his response is proportional to U.S. interference in Russia and satellite countries, or in the fossil fuel market — if we looked at the totality of U.S. action taken to protect NATO and U.S.’ economic reliance on fossil fuels, he may be right. But a policy of seeing discrete actions on a one-by-one basis and blindly expecting corresponding equal and opposite reactions year after year, decade after decade, becomes a weak point which can be leveraged.

    It particularly chafes me when we were literally warned about the rise of asymmetric warfare by Chinese colonels back in 1999, and yet our intelligence community remains in a 1970s mindset about Russia.

    I suppose they also analyzed over-narrowly the purpose for which Putin said the Illegals Program spy ring was to become operational, “in crisis periods, say, in case of a breakup of the diplomatic relations.” Emphasis mine; what exactly does a ‘crisis period’ look like, and why were they anticipated in plural in the U.S. by Putin before 2010?

  5. orionATL says:

    i’m curious about the strange use of a word – very strange in my experience:

    “… Russian, Chinese and Iranian governments might seek to retaliate in-kind – which among authoritarian governments often rhymes, rather than duplicates, Western actions….”

    what meaning does “rhyme” have in this context? what meaning does “rhymes rather than duplicates” have?

    • Rayne says:

      Try an example of rhyming closer to home. Turkey’s Erdogan, for example, shut down media outlets critical of his presidency and jailed journalists. Putin assassinates Russian journalists, as did Yeltsin and Medvedev. These actions aren’t identical, but they rhyme. So does the U.S. president’s denigration of media and jailing of a journalist covering a Trump inauguration protest.

      Not exact copies of other repressive countries’ actions, but similar and to the same ends. What similar ends were the spooks suggesting the subject countries seek through parallel but not identical actions?

  6. SpaceLifeForm says:

    Spy vs Spy

    Still have found no reasons to refute:

    CIA hacked NSA which led to SB.

    NSA hacked (back) CIA which led to Vault7 (and 8).

    Tor involved.

  7. greengiant says:

    “Kaspersky aided third person hacks” I think crowd sourcing would say Kaspersky may have been involved as a vector as used by a number of actors. Not said yet, just rumors, whether actors hacked the Kaspersky consumer software, the TOR or other networks/servers Kaspersky used to phone home, the Kaspersky physical servers or cloud computers/data files, or in Pho’s case blew right on by either Kaspersky anti-virus before or after he turned it off, etc. The French taking the TOR exit nodes’ physical computers and data on their soil gives an example of what authorities might do. You trolls want to mess with our election?

    All these blogs are likely honeypots for one and more big data types. Makes one wonder who is blackmailing whom.

Comments are closed.