Probe of NSA hacking tools leak points to an own goal

A United States investigation into a leak of hacking tools used by the country's National Security Agency found that one of the bureau's agents carelessly left them on a remote computer where they were discovered by Russian hackers.

The tools, which enable hackers to exploit software flaws in computer and communications systems from vendors such as Cisco Systems and Fortinet, were dumped onto public websites last month by a group calling itself Shadow Brokers.

Shadow Broker's public release of the hacking tools coincided with US officials saying that Russia or its proxies were responsible for hacking political party organisations in the run-up to the November 8 presidential election.

US politicians have accused Russia of being responsible for the hack.

Various explanations have been floated by officials in Washington as to how the tools were stolen. Some feared it was the work of a leaker similar to former agency contractor Edward Snowden, while others suspected the Russians might have hacked into NSA headquarters in Fort Meade, Maryland.

Officials heading the FBI-led investigation now discount both of those scenarios, four people with direct knowledge of the probe told Reuters.

NSA officials told investigators that an employee or contractor made the mistake about three years ago during an operation that used the tools, the sources said.

That person acknowledged the error shortly afterward.

The NSA did not however inform the companies of the danger when it first discovered the exposure of the tools, the sources said. Since the public release of the tools, the companies involved have issued patches in the systems to protect them.

Investigators have not ruled out the possibility that the former NSA worker, who has since departed the agency for other reasons, left the tools exposed deliberately. Another possibility, two of the sources said, is that more than one person at the headquarters or a remote location made similar mistakes or compounded each other's missteps.

After the discovery of the leak, the sources told Reuters the NSA tuned its sensors to detect the use of the tools by other parties, especially foreign adversaries with strong cyber espionage operations, such as China and Russia.

That could have helped identify rival powers’ hacking targets, potentially leading them to be defended better. It might also have allowed US officials to see deeper into rival hacking operations while enabling the NSA itself to continue using the tools for its own operations.

Because the sensors did not detect foreign spies or criminals using the tools on US or allied targets, the NSA did not feel obligated to immediately warn the American vendors, an official and one other person familiar with the matter said.

In this case, as in more commonplace discoveries of security flaws, US officials weigh what intelligence they could gather by keeping the flaws secret against the risk to American companies and individuals if adversaries find the same flaws.

Critics of the Obama administration's policies for making those decisions have cited the Shadow Brokers dump as evidence that the balance has tipped too far toward intelligence gathering.

The investigators have not determined conclusively that the Shadow Brokers group is affiliated with the Russian government, but that is the presumption, said one of the people familiar with the probe, as well as a fifth person.

One reason for suspecting government instead of criminal involvement, officials said, is that the hackers revealed the NSA tools rather than immediately selling them.

The publication of the code, on the heels of leaks of emails by Democratic Party officials and preceding leaks of emails by former US Secretary of State Colin Powell, could be part of a pattern of spreading harmful and occasionally false information to further the Russian agenda, said Jim Lewis, a cybersecurity expert at the Centre for Strategic and International Studies.

"The dumping is a tactic they've been developing for the last five years or so," Lewis said. "They try it, and if we don't respond they go a little further next time."

Representatives of the NSA, the Federal Bureau of Investigation and the office of the Director of National Intelligence all declined to comment.