London Daily

Focus on the big picture.
Tuesday, Jul 15, 2025

U.S. Cyber Weapons Were Leaked - And Are Now Being Used Against Us, Reporter Says

U.S. Cyber Weapons Were Leaked - And Are Now Being Used Against Us, Reporter Says

New York Times reporter Nicole Perlroth says the U.S. went from having the world's strongest cyber arsenal to becoming most susceptible to attack. Her book is This is How They Tell Me The World Ends.

In December 2020, a U.S. cybersecurity company announced it had recently uncovered a massive cyber breach. The hack dates back to March 2020, and possibly even earlier, when an adversary, believed to be Russia, hacked into the computer networks of U.S. government agencies and private companies via SolarWinds, a security software used by many thousands of organizations in the U.S. and around the world.

New York Times cyber security reporter Nicole Perlroth calls the SolarWinds hack "one of the biggest intelligence failures of our time."

"We really don't know the extent of it," Perlroth says. "What we know is that this thing has hit the Department of Homeland Security — the very agency charged with keeping us safe — the Treasury, the State Department, the Justice Department, the Department of Energy, some of the nuclear labs, the Centers for Disease Control."

Perlroth says the fact that the breach went undetected for so long means that the hackers likely planted "back door" code, which would allow them to re-enter the systems at a later date.

"We're still trying to figure out where those back doors are," Perlroth says. "And that could take months, if not years, to get to the bottom of."

In her new book, This is How They Tell Me The World Ends, Perlroth writes about the global cyber weapons race and how the U.S. went from having the world's strongest cyber arsenal to becoming so vulnerable to attack.

"We are one of the most advanced, if not the most advanced cyber superpower in the world, but we are also its most targeted and its most vulnerable," she says.

Part of the problem, Perlroth says, is that the U.S. has spent more energy on hacking other countries than on defending itself.

"We really need to make a decision as a society and inside government to stop leaving ourselves vulnerable," she says. "We have to take our own security seriously. We also have to stop leaving gaping holes in software that could be used by adversaries to pull off some of these attacks."

Interview highlights


On SolarWinds, the cyber security company through which the hackers entered, which used the password "solarwinds123"

Their security was just not up to snuff. We learned that they had really basic passwords. We learned that they were warned as far back as two years before this attack began that if they didn't take their security more seriously, it could be catastrophic.

When I started calling up some of the victims of this attack, many of them didn't even know they used SolarWinds software until it came out that the company was breached. ... So what we were looking at really was a company that didn't have very good security, but that was touching some of the most sensitive systems we have. This was used inside the Pentagon. The NSA used that. We know that the Treasury used it and all the other victims that are coming out, including our utility companies.

On how the SolarWinds hackers may have accessed Black Start, the name of U.S. plans to restore power in the event of a catastrophic blackout

Originally when this hack was discovered, one of the bright spots was that they believed that the hackers had not made their way into classified systems. But what I kept hearing from security researchers and people who worked at these agencies was just how much vulnerable data was outside these classified systems. And one of those things was Black Start.

Black Start is just a very technical document. And it's essentially a to-do list. If we were able to have a major power failure, it says, you know, we're going to go turn on the power here first, then we're going to move over here and do this. And with that document in hand, that could be very valuable for an adversary because it would essentially give them the perfect hit list to make sure that the power stayed off.

On a recent cyber attack on the water supply in Oldsmar, Fla., in which hackers attempted to increase the amount of lye in the drinking water

I think it's just a wake-up call in general that a lot of these facilities allow contractors and engineers to get in, get remote access from miles away or across the country. And I think we need to start rethinking that access. Do we really want strangers being able to get into these systems from afar? And I think right now would be a good time to ask ourselves. And I think the answer is probably no.

This is really dangerous. You know, they increased the amount of lye in the water from 100 parts per million to 11,000 parts per million. It just so happened that there happened to be a software engineer sitting at his computer watching his cursor move around on his screen and then later watched someone go into these functions and upped the amount of chemical. Had that not happened, then we would have been looking at an attack that would have badly sickened a lot of people.

On what a "zero day" is

A zero day is just a hole in software that hasn't been discovered yet. And, you know, once these zero days are discovered, they get patched, and a patch gets rolled out via your software updates. But if a government discovers this hole first, then it can be used for espionage, it can be used for cyber weapons.

And so for a long time, we have recognized the sort of espionage and battlefield potential of a zero day. And starting in the 1990s, I learned through the process of reporting out this book, that the U.S. government was actually actively paying hackers and defense contractors to find these zero days to write them into reliable exploits that they could use to spy on our adversaries. Or to essentially drop a cyber weapon into their systems if we needed to one day.

On the underground market for buying and selling cyber vulnerabilities

Hackers can find a zero day in a critical system like Microsoft or maybe your Apple iPhone software, and they have a decision — they can give that vulnerability to Microsoft or Apple, which these days will pay them small bounties for turning that over, or they can fetch much higher rates by giving that zero day to a digital arms broker essentially, or by selling it directly to a government.

Because governments recognize that these zero days have tremendous espionage potential, they're willing to pay as much as 2 million to 3 million dollars these days for a major zero day in your iPhone or Android phone software. And it's not just the United States, although the United States was the first government to essentially start paying hackers to turn over these zero days and then stay very quiet about them by forcing them to sign nondisclosure agreements. And later, many of these programs were classified.

But over the last 10 years, this is not just a U.S. government market anymore. ... It's a broker for the United Arab Emirates and Saudi Arabia that pays top dollar for a way to get into your iPhone. So this market's really drifted outside U.S. control or even, you know, the control of our Western allies.

On the U.S.'s reluctance to sign a treaty banning hacking

The United States has been very hesitant to sign on to any cyber treaty or even any norms that would prevent the United States from hacking into the infrastructure in other countries. And part of this is just that the United States for a long time has been the most advanced player in the space.

So by signing on to any kind of agreement to not hack each other's infrastructure, I think the theory was that we would be handcuffing ourselves. But right now, the problem has gotten so bad ... that I think there may be an opportunity here to come up with new rules of the game, to say maybe, OK, we won't agree to hack each other's critical infrastructure, but you cannot attack hospitals.

You cannot attack the controls at our nuclear plants without some kind of repercussions here or some kind of international repercussions. So that might be a good place to start.

But I would be very surprised if we came up with or agreed to some kind of treaty that held us back. And one of the things U.S. officials will say is, sure, we could agree to a treaty. But the fact is that here when we do our own attacks, they're done inside Cyber Command, at the Pentagon.

In China and Russia and Iran, they outsource that work to contractors, to cyber criminals. And so even if those countries agreed not to pull off a grid attack, for instance, there's not much keeping these sort of lower tier contractors and cyber criminals from doing those government's dirty work for them.

On why she prefers to live "off the grid" in a cabin

There's no smart fridges here. There's no Alexa. Our wireless system is really poor and there's no baby monitors here either. And that's not the case at my home in the Bay Area. And so I ended up just writing a lot of the book up here just because it was a peaceful place to get away from my two year old. But also, as I started to look around, I just felt a lot more safe here as I was sort of just diving into the vulnerabilities of our everyday software that we rely on.

When I first started covering this beat, everyone was warning me to worry about webcams and worry about this. And, yes, I have a piece of tape over my webcam. But what sadly happened over the last 10 years is I've covered an attack that's hit every one of these things. ...

These are no longer like hypothetical scenarios. You're not a tinfoil hat person to be suspicious of some of these devices. They have and will continue to be used for espionage and surveillance. And because I cover these things all the time, I just feel much safer in my cabin in the woods.

Newsletter

Related Articles

0:00
0:00
Close
Dimon Warns on Fed Independence as Trump Administration Eyes Powell’s Succession
Church of England Removes 1991 Sexuality Guidelines from Clergy Selection
Superman Franchise Achieves Success with Latest Release
Hungary's Viktor Orban Rejects Agreements on Illegal Migration
Jeff Bezos Considers Purchasing Condé Nast as a Wedding Gift
Ghislaine Maxwell Says She’s Ready to Testify Before Congress on Epstein’s Criminal Empire
Bal des Pompiers: A Celebration of Community and Firefighter Culture in France
FBI Chief Kash Patel Denies Resignation Speculations Amid Epstein List Controversy
Air India Pilot’s Mental Health Records Under Scrutiny
Google Secures Windsurf AI Coding Team in $2.4 Billion Licence Deal
Jamie Dimon Warns Europe Is Losing Global Competitiveness and Flags Market Complacency
South African Police Minister Suspended Amid Organised Crime Allegations
Nvidia CEO Claims Chinese Military Reluctance to Use US AI Technology
Hong Kong Advances Digital Asset Strategy to Address Economic Challenges
Australia Rules Out Pre‑commitment of Troops, Reinforces Defence Posture Amid US‑China Tensions
Martha Wells Says Humanity Still Far from True Artificial Intelligence
Nvidia Becomes World’s First Four‑Trillion‑Dollar Company Amid AI Boom
U.S. Resumes Deportations to Third Countries After Supreme Court Ruling
Excavation Begins at Site of Mass Grave for Children at Former Irish Institution
Iranian President Reportedly Injured During Israeli Strike on Secret Facility
EU Delays Retaliatory Tariffs Amid New U.S. Threats on Imports
Trump Defends Attorney General Pam Bondi Amid Epstein Memo Backlash
Renault Shares Drop as CEO Luca de Meo Announces Departure Amid Reports of Move to Kering
Senior Aides for King Charles and Prince Harry Hold Secret Peace Summit
Anti‑Semitism ‘Normalised’ in Middle‑Class Britain, Says Commission Co‑Chair
King Charles Meets David Beckham at Chelsea Flower Show
If the Department is Really About Justice: Ghislaine Maxwell Should Be Freed Now
NYC Candidate Zohran Mamdani’s ‘Antifada’ Remarks Spark National Debate on Political Language and Economic Policy
President Trump Visits Flood-Ravaged Texas, Praises Community Strength and First Responders
From Mystery to Meltdown, Crisis Within the Trump Administration: Epstein Files Ignite A Deepening Rift at the Highest Levels of Government Reveals Chaos, Leaks, and Growing MAGA Backlash
Trump Slams Putin Over War Death Toll, Teases Major Russia Announcement
Reparations argument crushed
Rainmaker CEO Says Cloud Seeding Paused Before Deadly Texas Floods
A 92-year-old woman, who felt she doesn't belong in a nursing home, escaped the death-camp by climbing a gate nearly 8 ft tall
French Journalist Acquitted in Controversial Case Involving Brigitte Macron
Elon Musk’s xAI Targets $200 Billion Valuation in New Fundraising Round
Kraft Heinz Considers Splitting Off Grocery Division Amid Strategic Review
Trump Proposes Supplying Arms to Ukraine Through NATO Allies
EU Proposes New Tax on Large Companies to Boost Budget
Trump Imposes 35% Tariffs on Canadian Imports Amid Trade Tensions
Junior Doctors in the UK Prepare for Five-Day Strike Over Pay Disputes
US Opens First Rare Earth Mine in Over 70 Years in Wyoming
Kurdistan Workers Party Takes Symbolic Step Towards Peace in Northern Iraq
Bitcoin Reaches New Milestone of $116,000
Biden’s Doctor Pleads the Fifth to Avoid Self-Incrimination on President’s Medical Fitness
Grok Chatbot Faces International Backlash for Antisemitic Content
Severe Heatwave Claims 2,300 Lives Across Europe
NVIDIA Achieves Historic Milestone as First Company Valued at $4 Trillion
Declining Beer Consumption Signals Cultural Shift in Germany
Linda Yaccarino Steps Down as CEO of X After Two Years
×