Robbing the NSA, of course, is not easy. The agency's elite hacking unit, called Tailored Access Operations, has an internal network known as the "high side" that is physically segregated from the Internet (the "low side"). Data diodes, devices that allow data to flow one way only, like water from a faucet, make it nearly impossible to hack high-side computers from the low side. When TAO hackers want to attack an adversary, they move their tools from the high side to a server on the low side, navigate through a series of addresses that make their tracks difficult to trace, and install malware on their target. To steal the NSA's malware, the Shadow Brokers had to compromise a low-side machine that the TAO was using to hack its targets. The Shadow Brokers likely got lucky: Some analysts believe that an NSA operator mistakenly uploaded a whole set of tools to a staging computer the hackers were already watching. The alternative theory: an old-fashioned mole passed on the tools.
After going to all that trouble, why publish the results? A possible answer is suggested by a surprising discovery made by the U. S. intelligence community around the time Putin was addressing the journalists in St. Petersburg. American investigators had long known that the Russians were doing more than spear-phishing, but sometime around April they learned that the intruders were using commercial cloud services to "exfiltrate" data out of American corporations and political targets. Cozy Bear, the hacking group believed to be affiliated with the FSB, used some two hundred Microsoft OneDrive accounts to send data from its victims back to Moscow.
Using cloud services such as OneDrive was a clever but risky move—it was a little like taking the bus to make off with stolen goods from a burglary. Though the widespread use of the services by legitimate users offered a degree of cover for the hackers, data provided by Microsoft also helped America's elite digital spies identify the DNC intruders "with confidence" as Russian. It is even possible that the U. S. government has been able to identify the names and personal details of individual operators. The Russians knew they'd been caught. On July 30, an FSB press release announced that twenty government and defense organizations had been hit by high-powered spying tools.
Some intelligence analysts believe that the Shadow Brokers' publication of the NSA spy kit was a message from one group of professionals to another. "You see us?" the Russians seemed to be saying, perhaps in reference to ongoing U. S. efforts to investigate the DNC breach. "Fine, but we see you, too." Similarly, the announcement of an auction—all but certainly phony—was probably intended as a warning that the hackers were prepared to publish a key that would unlock an encrypted container holding a second batch of stolen tools. Like a severed ear in an envelope, the announcement told the Americans: Don't mess with us.
Meanwhile, the kompromat campaign proceeded apace. August and September each saw six data dumps, including files from the Democratic Congressional Campaign Committee, which had also been hacked. In October, as the presidential election drew near, Guccifer published a massive cache, more than twenty-one hundred files. Three days later, WikiLeaks began publishing thousands of emails stolen from John Podesta's account.
On the day WikiLeaks published the first batch of Podesta's emails, the U. S. government took the unprecedented step of announcing that it was "confident" Russia's "seniormost officials" had authorized the DNC hacks. So far U. S. investigators have not said publicly who was responsible for the Podesta hack, but the data harvested by SecureWorks makes it clear that Fancy Bear broke into the Clinton chairman's account as early as late March. The CIA briefed Trump about the origin of the kompromat, but he continued to cite the material, telling a Pennsylvania crowd, "I love WikiLeaks!"
On October 12, Putin appeared at another forum, this time with more than five hundred guests in Moscow. Sitting comfortably in front of a giant banner that said RUSSIA CALLING! he answered an audience question about the hacks. "Everyone is talking about who did it," Putin said. "Is it so important?" The former KGB officer, proving his full command of U. S. political intrigue, suggested that the Democrats had "supported one intraparty candidate at the expense of the other." Any talk of the hacks being in Russia's interest, he said, was "hysteria" intended to distract Americans from what the hackers discovered: "the manipulation of public opinion." When the audience applauded, a smirk returned to Putin's face. "I think I answered your question," he said.
Thomas Rid (@RidT) is a professor at King's College London and author of Rise of the Machines.