Beautiful Virgin Islands

Thursday, Oct 30, 2025

U.S. Cyber Weapons Were Leaked - And Are Now Being Used Against Us, Reporter Says

U.S. Cyber Weapons Were Leaked - And Are Now Being Used Against Us, Reporter Says

New York Times reporter Nicole Perlroth says the U.S. went from having the world's strongest cyber arsenal to becoming most susceptible to attack. Her book is This is How They Tell Me The World Ends.

In December 2020, a U.S. cybersecurity company announced it had recently uncovered a massive cyber breach. The hack dates back to March 2020, and possibly even earlier, when an adversary, believed to be Russia, hacked into the computer networks of U.S. government agencies and private companies via SolarWinds, a security software used by many thousands of organizations in the U.S. and around the world.

New York Times cyber security reporter Nicole Perlroth calls the SolarWinds hack "one of the biggest intelligence failures of our time."

"We really don't know the extent of it," Perlroth says. "What we know is that this thing has hit the Department of Homeland Security — the very agency charged with keeping us safe — the Treasury, the State Department, the Justice Department, the Department of Energy, some of the nuclear labs, the Centers for Disease Control."

Perlroth says the fact that the breach went undetected for so long means that the hackers likely planted "back door" code, which would allow them to re-enter the systems at a later date.

"We're still trying to figure out where those back doors are," Perlroth says. "And that could take months, if not years, to get to the bottom of."

In her new book, This is How They Tell Me The World Ends, Perlroth writes about the global cyber weapons race and how the U.S. went from having the world's strongest cyber arsenal to becoming so vulnerable to attack.

"We are one of the most advanced, if not the most advanced cyber superpower in the world, but we are also its most targeted and its most vulnerable," she says.

Part of the problem, Perlroth says, is that the U.S. has spent more energy on hacking other countries than on defending itself.

"We really need to make a decision as a society and inside government to stop leaving ourselves vulnerable," she says. "We have to take our own security seriously. We also have to stop leaving gaping holes in software that could be used by adversaries to pull off some of these attacks."

Interview highlights


On SolarWinds, the cyber security company through which the hackers entered, which used the password "solarwinds123"

Their security was just not up to snuff. We learned that they had really basic passwords. We learned that they were warned as far back as two years before this attack began that if they didn't take their security more seriously, it could be catastrophic.

When I started calling up some of the victims of this attack, many of them didn't even know they used SolarWinds software until it came out that the company was breached. ... So what we were looking at really was a company that didn't have very good security, but that was touching some of the most sensitive systems we have. This was used inside the Pentagon. The NSA used that. We know that the Treasury used it and all the other victims that are coming out, including our utility companies.

On how the SolarWinds hackers may have accessed Black Start, the name of U.S. plans to restore power in the event of a catastrophic blackout

Originally when this hack was discovered, one of the bright spots was that they believed that the hackers had not made their way into classified systems. But what I kept hearing from security researchers and people who worked at these agencies was just how much vulnerable data was outside these classified systems. And one of those things was Black Start.

Black Start is just a very technical document. And it's essentially a to-do list. If we were able to have a major power failure, it says, you know, we're going to go turn on the power here first, then we're going to move over here and do this. And with that document in hand, that could be very valuable for an adversary because it would essentially give them the perfect hit list to make sure that the power stayed off.

On a recent cyber attack on the water supply in Oldsmar, Fla., in which hackers attempted to increase the amount of lye in the drinking water

I think it's just a wake-up call in general that a lot of these facilities allow contractors and engineers to get in, get remote access from miles away or across the country. And I think we need to start rethinking that access. Do we really want strangers being able to get into these systems from afar? And I think right now would be a good time to ask ourselves. And I think the answer is probably no.

This is really dangerous. You know, they increased the amount of lye in the water from 100 parts per million to 11,000 parts per million. It just so happened that there happened to be a software engineer sitting at his computer watching his cursor move around on his screen and then later watched someone go into these functions and upped the amount of chemical. Had that not happened, then we would have been looking at an attack that would have badly sickened a lot of people.

On what a "zero day" is

A zero day is just a hole in software that hasn't been discovered yet. And, you know, once these zero days are discovered, they get patched, and a patch gets rolled out via your software updates. But if a government discovers this hole first, then it can be used for espionage, it can be used for cyber weapons.

And so for a long time, we have recognized the sort of espionage and battlefield potential of a zero day. And starting in the 1990s, I learned through the process of reporting out this book, that the U.S. government was actually actively paying hackers and defense contractors to find these zero days to write them into reliable exploits that they could use to spy on our adversaries. Or to essentially drop a cyber weapon into their systems if we needed to one day.

On the underground market for buying and selling cyber vulnerabilities

Hackers can find a zero day in a critical system like Microsoft or maybe your Apple iPhone software, and they have a decision — they can give that vulnerability to Microsoft or Apple, which these days will pay them small bounties for turning that over, or they can fetch much higher rates by giving that zero day to a digital arms broker essentially, or by selling it directly to a government.

Because governments recognize that these zero days have tremendous espionage potential, they're willing to pay as much as 2 million to 3 million dollars these days for a major zero day in your iPhone or Android phone software. And it's not just the United States, although the United States was the first government to essentially start paying hackers to turn over these zero days and then stay very quiet about them by forcing them to sign nondisclosure agreements. And later, many of these programs were classified.

But over the last 10 years, this is not just a U.S. government market anymore. ... It's a broker for the United Arab Emirates and Saudi Arabia that pays top dollar for a way to get into your iPhone. So this market's really drifted outside U.S. control or even, you know, the control of our Western allies.

On the U.S.'s reluctance to sign a treaty banning hacking

The United States has been very hesitant to sign on to any cyber treaty or even any norms that would prevent the United States from hacking into the infrastructure in other countries. And part of this is just that the United States for a long time has been the most advanced player in the space.

So by signing on to any kind of agreement to not hack each other's infrastructure, I think the theory was that we would be handcuffing ourselves. But right now, the problem has gotten so bad ... that I think there may be an opportunity here to come up with new rules of the game, to say maybe, OK, we won't agree to hack each other's critical infrastructure, but you cannot attack hospitals.

You cannot attack the controls at our nuclear plants without some kind of repercussions here or some kind of international repercussions. So that might be a good place to start.

But I would be very surprised if we came up with or agreed to some kind of treaty that held us back. And one of the things U.S. officials will say is, sure, we could agree to a treaty. But the fact is that here when we do our own attacks, they're done inside Cyber Command, at the Pentagon.

In China and Russia and Iran, they outsource that work to contractors, to cyber criminals. And so even if those countries agreed not to pull off a grid attack, for instance, there's not much keeping these sort of lower tier contractors and cyber criminals from doing those government's dirty work for them.

On why she prefers to live "off the grid" in a cabin

There's no smart fridges here. There's no Alexa. Our wireless system is really poor and there's no baby monitors here either. And that's not the case at my home in the Bay Area. And so I ended up just writing a lot of the book up here just because it was a peaceful place to get away from my two year old. But also, as I started to look around, I just felt a lot more safe here as I was sort of just diving into the vulnerabilities of our everyday software that we rely on.

When I first started covering this beat, everyone was warning me to worry about webcams and worry about this. And, yes, I have a piece of tape over my webcam. But what sadly happened over the last 10 years is I've covered an attack that's hit every one of these things. ...

These are no longer like hypothetical scenarios. You're not a tinfoil hat person to be suspicious of some of these devices. They have and will continue to be used for espionage and surveillance. And because I cover these things all the time, I just feel much safer in my cabin in the woods.

Newsletter

Related Articles

Beautiful Virgin Islands
0:00
0:00
Close
UK and Vietnam Sign Landmark Migration Deal to Fast-Track Returns of Irregular Arrivals
UK Drug-Pricing Overhaul Essential for Life-Sciences Ambition, Says GSK Chief
Princesses Beatrice and Eugenie Temporarily Leave the UK Amid Their Parents’ Royal Fallout
UK Weighs Early End to Oil and Gas Windfall Tax as Reeves Seeks Investment Commitments
UK Retail Inflation Slows as Shop Prices Fall for First Time Since Spring
Next Raises Full-Year Profit Guidance After Strong Third-Quarter Performance
Reform UK’s Lee Anderson Admits to 'Gaming' Benefits System While Advocating Crackdown
United States and South Korea Conclude Major Trade Accord Worth $350 Billion
Hurricane Melissa Strikes Cuba After Devastating Jamaica With Record Winds
Vice President Vance to Headline Turning Point USA Campus Event at Ole Miss
U.S. Targets Maritime Narco-Routes While Border Pressure to Mexico Remains Limited
Bill Gates at 70: “I Have a Real Fear of Artificial Intelligence – and Also Regret”
Elon Musk Unveils Grokipedia: An AI-Driven Alternative to Wikipedia
Saudi Arabia Unveils Vision for First-Ever "Sky Stadium" Suspended Over Desert Floor
Amazon Announces 14 000 Corporate Job Cuts as AI Investment Accelerates
UK Shop Prices Fall for First Time Since March, Food Leads the Decline
London Stock Exchange Group ADR (LNSTY) Earns Zacks Rank #1 Upgrade on Rising Earnings Outlook
Soap legend Tony Adams, long-time star of Crossroads, dies at 84
Rachel Reeves Signals Tax Increases Ahead of November Budget Amid £20-50 Billion Fiscal Gap
NatWest Past Gains of 314% Spotlight Opportunity — But Some Key Risks Remain
UK Launches ‘Golden Age’ of Nuclear with £38 Billion Sizewell C Approval
UK Announces £1.08 Billion Budget for Offshore Wind Auction to Boost 2030 Capacity
UK Seeks Steel Alliance with EU and US to Counter China’s Over-Capacity
UK Struggles to Balance China as Both Strategic Threat and Valued Trading Partner
Argentina’s Markets Surge as Milei’s Party Secures Major Win
British Journalist Sami Hamdi Detained by U.S. Authorities After Visa Revocation Amid Israel-Gaza Commentary
King Charles Unveils UK’s First LGBT+ Armed Forces Memorial at National Memorial Arboretum
At ninety-two and re-elected: Paul Biya secures eighth term in Cameroon amid unrest
Racist Incidents Against UK Nurses Surge by 55%
UK Chancellor Rachel Reeves Cites Shared Concerns With Trump Administration as Foundation for Early US-UK Trade Deal
Essentra plc: A Closer Look at a UK ‘Penny Stock’ Opportunity Amid Market Weakness
U.S. and China Near Deal to Avert Rare-Earth Export Controls Ahead of Trump-Xi Summit
Justin time: Justin Herbert Shields Madison Beer with Impressive Reflex at Lakers Game
Russia’s President Putin Declares Burevestnik Nuclear Cruise Missile Ready for Deployment
Giuffre’s Memoir Alleges Maxwell Claimed Sexual Act with Clooney
House Republicans Move to Strip NYC Mayoral Front-Runner Zohran Mamdani of U.S. Citizenship
Record-High Spoiled Ballots Signal Voter Discontent in Ireland’s 2025 Presidential Election
Philippines’ Taal Volcano Erupts Overnight with 2.4 km Ash Plume
Albania’s Virtual AI 'Minister' Diella Set to 'Birth' Eighty-Three Digital Assistants for MPs
Tesla Unveils Vision for Optimus V3 as ‘Biggest Product of All Time’, Including Surgical Capabilities
Francis Ford Coppola Auctions Luxury Watches After Self-Financed Film Flop
Convicted Sex Offender Mistakenly Freed by UK Prison Service Arrested in London
United States and China Begin Constructive Trade Negotiations Ahead of Trump–Xi Summit
U.S. Treasury Sanctions Colombia’s President Gustavo Petro over Drug-Trafficking Allegations
Miss USA Crowns Nebraska’s Audrey Eckert Amid Leadership Overhaul
‘I Am Not Done’: Kamala Harris Signals Possible 2028 White House Run
NBA Faces Integrity Crisis After Mass Arrests in Gambling Scandal
Swift Heist at the Louvre Sees Eight French Crown Jewels Stolen in Under Seven Minutes
U.S. Halts Trade Talks with Canada After Ontario Ad Using Reagan Voice Triggers Diplomatic Fallout
Microsoft AI CEO: ‘We’re making an AI that you can trust your kids to use’ — but can Microsoft rebuild its own trust before fixing the industry’s?
×