Budapest Post

Cum Deo pro Patria et Libertate
Budapest, Europe and world news

U.S. Cyber Weapons Were Leaked - And Are Now Being Used Against Us, Reporter Says

U.S. Cyber Weapons Were Leaked - And Are Now Being Used Against Us, Reporter Says

New York Times reporter Nicole Perlroth says the U.S. went from having the world's strongest cyber arsenal to becoming most susceptible to attack. Her book is This is How They Tell Me The World Ends.

In December 2020, a U.S. cybersecurity company announced it had recently uncovered a massive cyber breach. The hack dates back to March 2020, and possibly even earlier, when an adversary, believed to be Russia, hacked into the computer networks of U.S. government agencies and private companies via SolarWinds, a security software used by many thousands of organizations in the U.S. and around the world.

New York Times cyber security reporter Nicole Perlroth calls the SolarWinds hack "one of the biggest intelligence failures of our time."

"We really don't know the extent of it," Perlroth says. "What we know is that this thing has hit the Department of Homeland Security — the very agency charged with keeping us safe — the Treasury, the State Department, the Justice Department, the Department of Energy, some of the nuclear labs, the Centers for Disease Control."

Perlroth says the fact that the breach went undetected for so long means that the hackers likely planted "back door" code, which would allow them to re-enter the systems at a later date.

"We're still trying to figure out where those back doors are," Perlroth says. "And that could take months, if not years, to get to the bottom of."

In her new book, This is How They Tell Me The World Ends, Perlroth writes about the global cyber weapons race and how the U.S. went from having the world's strongest cyber arsenal to becoming so vulnerable to attack.

"We are one of the most advanced, if not the most advanced cyber superpower in the world, but we are also its most targeted and its most vulnerable," she says.

Part of the problem, Perlroth says, is that the U.S. has spent more energy on hacking other countries than on defending itself.

"We really need to make a decision as a society and inside government to stop leaving ourselves vulnerable," she says. "We have to take our own security seriously. We also have to stop leaving gaping holes in software that could be used by adversaries to pull off some of these attacks."

Interview highlights


On SolarWinds, the cyber security company through which the hackers entered, which used the password "solarwinds123"

Their security was just not up to snuff. We learned that they had really basic passwords. We learned that they were warned as far back as two years before this attack began that if they didn't take their security more seriously, it could be catastrophic.

When I started calling up some of the victims of this attack, many of them didn't even know they used SolarWinds software until it came out that the company was breached. ... So what we were looking at really was a company that didn't have very good security, but that was touching some of the most sensitive systems we have. This was used inside the Pentagon. The NSA used that. We know that the Treasury used it and all the other victims that are coming out, including our utility companies.

On how the SolarWinds hackers may have accessed Black Start, the name of U.S. plans to restore power in the event of a catastrophic blackout

Originally when this hack was discovered, one of the bright spots was that they believed that the hackers had not made their way into classified systems. But what I kept hearing from security researchers and people who worked at these agencies was just how much vulnerable data was outside these classified systems. And one of those things was Black Start.

Black Start is just a very technical document. And it's essentially a to-do list. If we were able to have a major power failure, it says, you know, we're going to go turn on the power here first, then we're going to move over here and do this. And with that document in hand, that could be very valuable for an adversary because it would essentially give them the perfect hit list to make sure that the power stayed off.

On a recent cyber attack on the water supply in Oldsmar, Fla., in which hackers attempted to increase the amount of lye in the drinking water

I think it's just a wake-up call in general that a lot of these facilities allow contractors and engineers to get in, get remote access from miles away or across the country. And I think we need to start rethinking that access. Do we really want strangers being able to get into these systems from afar? And I think right now would be a good time to ask ourselves. And I think the answer is probably no.

This is really dangerous. You know, they increased the amount of lye in the water from 100 parts per million to 11,000 parts per million. It just so happened that there happened to be a software engineer sitting at his computer watching his cursor move around on his screen and then later watched someone go into these functions and upped the amount of chemical. Had that not happened, then we would have been looking at an attack that would have badly sickened a lot of people.

On what a "zero day" is

A zero day is just a hole in software that hasn't been discovered yet. And, you know, once these zero days are discovered, they get patched, and a patch gets rolled out via your software updates. But if a government discovers this hole first, then it can be used for espionage, it can be used for cyber weapons.

And so for a long time, we have recognized the sort of espionage and battlefield potential of a zero day. And starting in the 1990s, I learned through the process of reporting out this book, that the U.S. government was actually actively paying hackers and defense contractors to find these zero days to write them into reliable exploits that they could use to spy on our adversaries. Or to essentially drop a cyber weapon into their systems if we needed to one day.

On the underground market for buying and selling cyber vulnerabilities

Hackers can find a zero day in a critical system like Microsoft or maybe your Apple iPhone software, and they have a decision — they can give that vulnerability to Microsoft or Apple, which these days will pay them small bounties for turning that over, or they can fetch much higher rates by giving that zero day to a digital arms broker essentially, or by selling it directly to a government.

Because governments recognize that these zero days have tremendous espionage potential, they're willing to pay as much as 2 million to 3 million dollars these days for a major zero day in your iPhone or Android phone software. And it's not just the United States, although the United States was the first government to essentially start paying hackers to turn over these zero days and then stay very quiet about them by forcing them to sign nondisclosure agreements. And later, many of these programs were classified.

But over the last 10 years, this is not just a U.S. government market anymore. ... It's a broker for the United Arab Emirates and Saudi Arabia that pays top dollar for a way to get into your iPhone. So this market's really drifted outside U.S. control or even, you know, the control of our Western allies.

On the U.S.'s reluctance to sign a treaty banning hacking

The United States has been very hesitant to sign on to any cyber treaty or even any norms that would prevent the United States from hacking into the infrastructure in other countries. And part of this is just that the United States for a long time has been the most advanced player in the space.

So by signing on to any kind of agreement to not hack each other's infrastructure, I think the theory was that we would be handcuffing ourselves. But right now, the problem has gotten so bad ... that I think there may be an opportunity here to come up with new rules of the game, to say maybe, OK, we won't agree to hack each other's critical infrastructure, but you cannot attack hospitals.

You cannot attack the controls at our nuclear plants without some kind of repercussions here or some kind of international repercussions. So that might be a good place to start.

But I would be very surprised if we came up with or agreed to some kind of treaty that held us back. And one of the things U.S. officials will say is, sure, we could agree to a treaty. But the fact is that here when we do our own attacks, they're done inside Cyber Command, at the Pentagon.

In China and Russia and Iran, they outsource that work to contractors, to cyber criminals. And so even if those countries agreed not to pull off a grid attack, for instance, there's not much keeping these sort of lower tier contractors and cyber criminals from doing those government's dirty work for them.

On why she prefers to live "off the grid" in a cabin

There's no smart fridges here. There's no Alexa. Our wireless system is really poor and there's no baby monitors here either. And that's not the case at my home in the Bay Area. And so I ended up just writing a lot of the book up here just because it was a peaceful place to get away from my two year old. But also, as I started to look around, I just felt a lot more safe here as I was sort of just diving into the vulnerabilities of our everyday software that we rely on.

When I first started covering this beat, everyone was warning me to worry about webcams and worry about this. And, yes, I have a piece of tape over my webcam. But what sadly happened over the last 10 years is I've covered an attack that's hit every one of these things. ...

These are no longer like hypothetical scenarios. You're not a tinfoil hat person to be suspicious of some of these devices. They have and will continue to be used for espionage and surveillance. And because I cover these things all the time, I just feel much safer in my cabin in the woods.

AI Disclaimer: An advanced artificial intelligence (AI) system generated the content of this page on its own. This innovative technology conducts extensive research from a variety of reliable sources, performs rigorous fact-checking and verification, cleans up and balances biased or manipulated content, and presents a minimal factual summary that is just enough yet essential for you to function as an informed and educated citizen. Please keep in mind, however, that this system is an evolving technology, and as a result, the article may contain accidental inaccuracies or errors. We urge you to help us improve our site by reporting any inaccuracies you find using the "Contact Us" link at the bottom of this page. Your helpful feedback helps us improve our system and deliver more precise content. When you find an article of interest here, please look for the full and extensive coverage of this topic in traditional news sources, as they are written by professional journalists that we try to support, not replace. We appreciate your understanding and assistance.
Newsletter

Related Articles

0:00
0:00
Close
Vatican hosts first Catholic LGBTQ pilgrimage
Apple Unveils iPhone 17 Series, iPhone Air, Apple Watch 11 and More at 'Awe Dropping' Event
France joins Eurozone’s ‘periphery’ as turmoil deepens, say investors
France Faces New Political Crisis, again, as Prime Minister Bayrou Pushed Out
Nayib Bukele Points Out Belgian Hypocrisy as Brussels Considers Sending Army into the Streets
France, at an Impasse, Heads Toward Another Government Collapse
The Country That Got Too Rich? Public Spending Dominates Norway Election
EU Proposes Phasing Out Russian Oil and Gas by End of 2027 to End Energy Dependence
More Than 150,000 Followers for a Fictional Character: The New Influencers Are AI Creations
EU Prepares for War
Trump Threatens Retaliatory Tariffs After EU Imposes €2.95 Billion Fine on Google
Tesla Board Proposes Unprecedented One-Trillion-Dollar Performance Package for Elon Musk
Gold Could Reach Nearly $5,000 if Fed Independence Is Undermined, Goldman Sachs Warns
Uruguay, Colombia and Paraguay Secure Places at 2026 World Cup
Trump Administration Advances Plans to Rebrand Pentagon as Department of War Instead of the Fake Term Department of Defense
Big Tech Executives Laud Trump at White House Dinner, Unveil Massive U.S. Investments
Tether Expands into Gold Sector with Profit-Driven Diversification
‘Looks Like a Wig’: Online Users Express Concern Over Kate Middleton
Florida’s Vaccine Revolution: DeSantis Declares War on Mandates
Trump’s New War – and the ‘Drug Tyrant’ Fearing Invasion: ‘1,200 Missiles Aimed at Us’
"The Situation Has Never Been This Bad": The Fall of PepsiCo
At the Parade in China: Laser Weapons, 'Eagle Strike,' and a Missile Capable of 'Striking Anywhere in the World'
The Fashion Designer Who Became an Italian Symbol: Giorgio Armani Has Died at 91
Putin Celebrates ‘Unprecedentedly High’ Ties with China as Gazprom Seals Power of Siberia-2 Deal
China Unveils New Weapons in Grand Military Parade as Xi Hosts Putin and Kim
Rapper Cardi B Cleared of Liability in Los Angeles Civil Assault Trial
Google Avoids Break-Up in U.S. Antitrust Case as Stocks Rise
Couple celebrates 80th wedding anniversary at assisted living facility in Lancaster
Information Warfare in the Age of AI: How Language Models Become Targets and Tools
The White House on LinkedIn Has Changed Their Profile Picture to Donald Trump
"Insulted the Prophet Muhammad": Woman Burned Alive by Angry Mob in Niger State, Nigeria
Trump Responds to Death Rumors – Announces 'Missile City'
Druzhba Pipeline Incident Sparks Geopolitical Tensions
Cost of Opposition Leader Péter Magyar's Economic Plan Revealed
Germany in Turmoil: Ukrainian Teenage Girl Pushed to Death by Illegal Iraqi Migrant
United Krack down on human rights: Graham Linehan Arrested at Heathrow Over Three X Posts, Hospitalised, Released on Bail with Posting Ban
Asian and Middle Eastern Investors Avoid US Markets
Ray Dalio Warns of US Shift to Autocracy
Eurozone Inflation Rises to 2.1% in August
Russia and China Sign New Gas Pipeline Deal
Von der Leyen's Plane Hit by Suspected Russian GPS Interference in an Incident Believed to Be Caused by Russia or by Pro-Peace or by Anti-Corruption European Activists
China's Robotics Industry Fuels Export Surge
Suntory Chairman Resigns After Police Probe
Gold Price Hits New All-Time Record
UK Fintechs Explore Buying US Banks
Greece Suspends 5% of Schools as Birth Rate Drops
Apollo to Launch $5 Billion Sports Investment Vehicle
Bolsonaro Trial Nears Close Amid US-Brazil Tension
European Banks Push for Lower Cross-Border Barriers
Poland's Offshore Wind Sector Attracts Investors
×