Beautiful Virgin Islands

Monday, Oct 06, 2025

U.S. Cyber Weapons Were Leaked - And Are Now Being Used Against Us, Reporter Says

U.S. Cyber Weapons Were Leaked - And Are Now Being Used Against Us, Reporter Says

New York Times reporter Nicole Perlroth says the U.S. went from having the world's strongest cyber arsenal to becoming most susceptible to attack. Her book is This is How They Tell Me The World Ends.

In December 2020, a U.S. cybersecurity company announced it had recently uncovered a massive cyber breach. The hack dates back to March 2020, and possibly even earlier, when an adversary, believed to be Russia, hacked into the computer networks of U.S. government agencies and private companies via SolarWinds, a security software used by many thousands of organizations in the U.S. and around the world.

New York Times cyber security reporter Nicole Perlroth calls the SolarWinds hack "one of the biggest intelligence failures of our time."

"We really don't know the extent of it," Perlroth says. "What we know is that this thing has hit the Department of Homeland Security — the very agency charged with keeping us safe — the Treasury, the State Department, the Justice Department, the Department of Energy, some of the nuclear labs, the Centers for Disease Control."

Perlroth says the fact that the breach went undetected for so long means that the hackers likely planted "back door" code, which would allow them to re-enter the systems at a later date.

"We're still trying to figure out where those back doors are," Perlroth says. "And that could take months, if not years, to get to the bottom of."

In her new book, This is How They Tell Me The World Ends, Perlroth writes about the global cyber weapons race and how the U.S. went from having the world's strongest cyber arsenal to becoming so vulnerable to attack.

"We are one of the most advanced, if not the most advanced cyber superpower in the world, but we are also its most targeted and its most vulnerable," she says.

Part of the problem, Perlroth says, is that the U.S. has spent more energy on hacking other countries than on defending itself.

"We really need to make a decision as a society and inside government to stop leaving ourselves vulnerable," she says. "We have to take our own security seriously. We also have to stop leaving gaping holes in software that could be used by adversaries to pull off some of these attacks."

Interview highlights


On SolarWinds, the cyber security company through which the hackers entered, which used the password "solarwinds123"

Their security was just not up to snuff. We learned that they had really basic passwords. We learned that they were warned as far back as two years before this attack began that if they didn't take their security more seriously, it could be catastrophic.

When I started calling up some of the victims of this attack, many of them didn't even know they used SolarWinds software until it came out that the company was breached. ... So what we were looking at really was a company that didn't have very good security, but that was touching some of the most sensitive systems we have. This was used inside the Pentagon. The NSA used that. We know that the Treasury used it and all the other victims that are coming out, including our utility companies.

On how the SolarWinds hackers may have accessed Black Start, the name of U.S. plans to restore power in the event of a catastrophic blackout

Originally when this hack was discovered, one of the bright spots was that they believed that the hackers had not made their way into classified systems. But what I kept hearing from security researchers and people who worked at these agencies was just how much vulnerable data was outside these classified systems. And one of those things was Black Start.

Black Start is just a very technical document. And it's essentially a to-do list. If we were able to have a major power failure, it says, you know, we're going to go turn on the power here first, then we're going to move over here and do this. And with that document in hand, that could be very valuable for an adversary because it would essentially give them the perfect hit list to make sure that the power stayed off.

On a recent cyber attack on the water supply in Oldsmar, Fla., in which hackers attempted to increase the amount of lye in the drinking water

I think it's just a wake-up call in general that a lot of these facilities allow contractors and engineers to get in, get remote access from miles away or across the country. And I think we need to start rethinking that access. Do we really want strangers being able to get into these systems from afar? And I think right now would be a good time to ask ourselves. And I think the answer is probably no.

This is really dangerous. You know, they increased the amount of lye in the water from 100 parts per million to 11,000 parts per million. It just so happened that there happened to be a software engineer sitting at his computer watching his cursor move around on his screen and then later watched someone go into these functions and upped the amount of chemical. Had that not happened, then we would have been looking at an attack that would have badly sickened a lot of people.

On what a "zero day" is

A zero day is just a hole in software that hasn't been discovered yet. And, you know, once these zero days are discovered, they get patched, and a patch gets rolled out via your software updates. But if a government discovers this hole first, then it can be used for espionage, it can be used for cyber weapons.

And so for a long time, we have recognized the sort of espionage and battlefield potential of a zero day. And starting in the 1990s, I learned through the process of reporting out this book, that the U.S. government was actually actively paying hackers and defense contractors to find these zero days to write them into reliable exploits that they could use to spy on our adversaries. Or to essentially drop a cyber weapon into their systems if we needed to one day.

On the underground market for buying and selling cyber vulnerabilities

Hackers can find a zero day in a critical system like Microsoft or maybe your Apple iPhone software, and they have a decision — they can give that vulnerability to Microsoft or Apple, which these days will pay them small bounties for turning that over, or they can fetch much higher rates by giving that zero day to a digital arms broker essentially, or by selling it directly to a government.

Because governments recognize that these zero days have tremendous espionage potential, they're willing to pay as much as 2 million to 3 million dollars these days for a major zero day in your iPhone or Android phone software. And it's not just the United States, although the United States was the first government to essentially start paying hackers to turn over these zero days and then stay very quiet about them by forcing them to sign nondisclosure agreements. And later, many of these programs were classified.

But over the last 10 years, this is not just a U.S. government market anymore. ... It's a broker for the United Arab Emirates and Saudi Arabia that pays top dollar for a way to get into your iPhone. So this market's really drifted outside U.S. control or even, you know, the control of our Western allies.

On the U.S.'s reluctance to sign a treaty banning hacking

The United States has been very hesitant to sign on to any cyber treaty or even any norms that would prevent the United States from hacking into the infrastructure in other countries. And part of this is just that the United States for a long time has been the most advanced player in the space.

So by signing on to any kind of agreement to not hack each other's infrastructure, I think the theory was that we would be handcuffing ourselves. But right now, the problem has gotten so bad ... that I think there may be an opportunity here to come up with new rules of the game, to say maybe, OK, we won't agree to hack each other's critical infrastructure, but you cannot attack hospitals.

You cannot attack the controls at our nuclear plants without some kind of repercussions here or some kind of international repercussions. So that might be a good place to start.

But I would be very surprised if we came up with or agreed to some kind of treaty that held us back. And one of the things U.S. officials will say is, sure, we could agree to a treaty. But the fact is that here when we do our own attacks, they're done inside Cyber Command, at the Pentagon.

In China and Russia and Iran, they outsource that work to contractors, to cyber criminals. And so even if those countries agreed not to pull off a grid attack, for instance, there's not much keeping these sort of lower tier contractors and cyber criminals from doing those government's dirty work for them.

On why she prefers to live "off the grid" in a cabin

There's no smart fridges here. There's no Alexa. Our wireless system is really poor and there's no baby monitors here either. And that's not the case at my home in the Bay Area. And so I ended up just writing a lot of the book up here just because it was a peaceful place to get away from my two year old. But also, as I started to look around, I just felt a lot more safe here as I was sort of just diving into the vulnerabilities of our everyday software that we rely on.

When I first started covering this beat, everyone was warning me to worry about webcams and worry about this. And, yes, I have a piece of tape over my webcam. But what sadly happened over the last 10 years is I've covered an attack that's hit every one of these things. ...

These are no longer like hypothetical scenarios. You're not a tinfoil hat person to be suspicious of some of these devices. They have and will continue to be used for espionage and surveillance. And because I cover these things all the time, I just feel much safer in my cabin in the woods.

Newsletter

Related Articles

Beautiful Virgin Islands
0:00
0:00
Close
Munich Airport Reopens After Second Drone Shutdown
France Names New Government Amid Political Crisis
Trump Stands Firm in Shutdown Showdown and Declares War on Drug Cartels — Turning Crisis into Opportunity
Surge of U.S. Billionaires Transforms London’s Peninsula Apartments into Ultra-Luxury Stronghold
Pro Europe and Anti-War Babiš Poised to Return to Power After Czech Parliamentary Vote
Jeff Bezos Calls AI Surge a ‘Good’ Bubble, Urges Focus on Lasting Innovation
Japan’s Ruling Party Chooses Sanae Takaichi, Clearing Path to First Female Prime Minister
Sean ‘Diddy’ Combs Sentenced to Fifty Months in Prison Following Prostitution Conviction
Taylor Swift’s ‘Showgirl’ Launch Extends Billion-Dollar Empire
Trump Administration Launches “TrumpRx” Plan to Enable Direct Drug Sales at Deep Discounts
Trump Announces Intention to Impose 100 Percent Tariff on Foreign-Made Films
Altman Says GPT-5 Already Outpaces Him, Warns AI Could Automate 40% of Work
Singapore and Hong Kong Vie to Dominate Asia’s Rising Gold Trade
Trump Organization Teams with Saudi Developer on $1 Billion Trump Plaza in Jeddah
Manhattan Sees Surge in Office-to-Housing Conversions, Highest Since 2008
Switzerland and U.S. Issue Joint Assurance Against Currency Manipulation
Electronic Arts to Be Taken Private in Historic $55 Billion Buyout
Thomas Jacob Sanford Named as Suspect in Deadly Michigan Church Shooting and Arson
Russian Research Vessel 'Yantar' Tracked Mapping Europe’s Subsea Cables, Raising Security Alarms
New York Man Arrested After On-Air Confession to 2017 Parents’ Murders
U.S. Defense Chief Orders Sudden Summit of Hundreds of Generals and Admirals
Global Cruise Industry Posts Dramatic Comeback with 34.6 Million Passengers in 2024
Trump Claims FBI Planted 274 Agents at Capitol Riot, Citing Unverified Reports
India: Internet Suspended in Bareilly Amid Communal Clashes Between Muslims and Hindus
Supreme Court Extends Freeze on Nearly $5 Billion in U.S. Foreign Aid at Trump’s Request
Archaeologists Recover Statues and Temples from 2,000-Year-Old Sunken City off Alexandria
China Deploys 2,000 Workers to Spain to Build Major EV Battery Factory, Raising European Dependence
Speed Takes Over: How Drive-Through Coffee Chains Are Rewriting U.S. Coffee Culture
U.S. Demands Brussels Scrutinize Digital Rules to Prevent Bias Against American Tech
Ringo Starr Champions Enduring Beatles Legacy While Debuting Las Vegas Art Show
Private Equity’s Fundraising Surge Triggers Concern of European Market Shake-Out
Colombian President Petro Vows to Mobilize Volunteers for Gaza and Joins List of Fighters
FBI Removes Agents Who Kneeled at 2020 Protest, Citing Breach of Professional Conduct
Trump Alleges ‘Triple Sabotage’ at United Nations After Escalator and Teleprompter Failures
Shock in France: 5 Years in Prison for Former President Nicolas Sarkozy
Tokyo’s Jimbōchō Named World’s Coolest Neighbourhood for 2025
European Officials Fear Trump May Shift Blame for Ukraine War onto EU
BNP Paribas Abandons Ban on 'Controversial Weapons' Financing Amid Europe’s Defence Push
Typhoon Ragasa Leaves Trail of Destruction Across East Asia Before Making Landfall in China
The Personality Rights Challenge in India’s AI Era
Big Banks Rebuild in Hong Kong as Deal Volume Surges
Italy Considers Freezing Retirement Age at 67 to Avert Scheduled Hike
Italian City to Impose Tax on Visiting Dogs Starting in 2026
Arnault Denounces Proposed Wealth Tax as Threat to French Economy
Study Finds No Safe Level of Alcohol for Dementia Risk
Denmark Investigates Drone Incursion, Does Not Rule Out Russian Involvement
Lilly CEO Warns UK Is ‘Worst Country in Europe’ for Drug Prices, Pulls Back Investment
Nigel Farage Emerges as Central Force in British Politics with Reform UK Surge
Disney Reinstates ‘Jimmy Kimmel Live!’ after Six-Day Suspension over Charlie Kirk Comments
U.S. Prosecutors Move to Break Up Google’s Advertising Monopoly
×