Cybersecurity: Crime and Espionage

Shadow Brokers and Vault 7: Where Are the Arrests?

By Nicholas Weaver
Thursday, December 7, 2017, 9:00 AM

A recent opinion piece in The Hill concerning lack of arrests in the Shadow Brokers and Vault 7 cases argues that this primarily demonstrates the government’s general inability to stop insider leaks. Another piece in the New York Times flagged that there have only been three arrests, presumably Hal Martin, Nghia Huang Pho, and Reality Winner. These pieces miss an important point: there is a ton of evidence that should lead investigators to at least some of the sources of these catastrophic leaks. Despite this evidence, there haven’t even been credible rumors of resulting arrests. I find this confusing.

In March 2017, Wikileaks started releasing Vault 7 and Vault 8, collections of documentation (and eventually the source code for at least one actual tool) of CIA attack tools taken from an internal CIA development server. Most of these documents are marked SECRET but some are TOP SECRET. Within hours of the release, the CIA knew when the data was exfiltrated—February or March 2016—because of the implicit timestamps in the documents’ revision history. This means that the CIA likely knew how this data was stolen within hours of its release (unless it grossly misspent its money on insider threat detection). I expected an arrest within weeks of disclosure, but we are now going on eight months without even credible rumored intelligence that the FBI and CIA know who was responsible.

Similarly, the Shadow Brokers have publicly released four separate dumps of data in three waves: August 2016, January 2017, and April 2017, three “ops stations” (collections of tools used for ongoing attacks) and one containing information about a campaign to extract information concerning SWIFT bank transactions. Unlike Vault 7, the Shadow Brokers’ data could have been stolen—rather than exfiltrated by an insider—because the information existed on Internet-connected systems by necessity. But for three of the dumps there are sufficient clues, ranging from document metadata to internal notes and scripts, to know exactly whose ops stations and Windows workstation were compromised and when.

So why don’t we know more about the Vault 7 and Vault 8 releases or the Shadow Brokers’ sources?

I’m not sure I have an answer to that question. Instead we have rumors about Harold Martin, the former NSA contractor who was arrested for the theft of classified material, and Nghia Hoang Pho, an NSA software developer who had Kaspersky installed on his home computer. (And as far as we know, Reality Winner only took a single document.) But, none of these attributions explain the breadth or content of these leaks. The ops stations and Windows workstation each belonged to separate analysts working on separate projects. An analyst bringing her work home, or a data pack rat like Martin or Pho, is unlikely to have access to more than one, or perhaps two, of the datasets stolen by the Shadow Brokers. Furthermore, the SWIFT data was stolen from a Texas-based analyst’s system, not from someone in Maryland.

Leaks happen. But, years after Snowden—and with so much information embedded in the leaks themselves—it is baffling that we have yet to see any arrests. A simple explanation might be that there is an ongoing, leak-proof investigation. But given that there were public rumors of allegations against Pho for a couple of months before his arrest became public, I would be surprised if this was the case here. So consider me confused and disturbed.