The NSA employee likely responsible for the ShadowBrokers leak – and by extension the WannaCrypt NHS hack – has been caught and pleads guilty.


A former employee of the NSA Tailored Access Operations (TAO) unit, Nghia Hoang Pho, was last week sentenced to up to 10 years in prison for hoarding huge amounts of classified NSA tools and documents from 2010 up until March 2015.Nghia Hoang Pho, NSA Tailored Access Operations, Wannacrypt ShadowBrokers

The trove of exploits and data that he retrieved were then stolen from his home computer, allegedly through a hack by agents who gained access through a backdoor in the software Kaspersky.

A mysterious internet collective who call themselves the Shadowbrokers have been releasing a collection of hacked NSA exploits since last summer, and whilst that breach hasn’t officially been linked to of Pho’s arrest, the timing and an analysis which suggests that Shadowbrokers have had access to a TAO insider can hardly be dismissed as coincidental.

Pho wasn’t a whistleblower; the data was only taken from his possession through a cyberattack by an agent presumably working on behalf of ShadowBrokers. It is therefore puzzling why he decided to stockpile such a significant amount of data on himself. He could have been selling various exploits over the dark net where a million dollar industry thrives, however this would have added to the charges against him, and it is not mentioned in court proceedings. Another explanation is that he was working in private on the collection of cyber weapons in a capacity that would not have been approved by his employers.

Amongst the trove of weak spots for some of the world’s most popular software and operating systems released by Shadowbrokers was an exploit for the SMB protocol used on Windows operating systems called EternalBlue. Over 52% of all desktop computers worldwide use Windows and were vulnerable to this backdoor access. This vulnerability was used to implement the WannaCry ransomware attack which quickly infected 230,000 computers in three days.

WannaCrypt caused the most damage to the UK National Health Service (NHS) which was inexplicably caught still operating Windows XP for MRI scanners, blood-storage refrigerators and surgical theatre equipment in at least 42 separate trusts – an operating system released in 2001, which ceased being updated in 2014. It was therefore not patched by Microsoft in their initial attempt to address the exposure, and the chaos dragged on for longer than necessary, with ambulances being diverted in many locations and arguably lives lost.

Pho represents the fourth high profile leaker of immeasurably damaging data from the NSA after Edward Snowden, Harold Martin III and Reality Winner before him. Embarrassingly for the agency which is responsible for unconstitutionally trawling through the world’s private data, each of the four leakers didn’t exactly break their necks to get the data through security; they all simply walked out of the office with the data on USB sticks.

Lessons were clearly not learned.

Nghia Hoang Pho, NSA TAO, NSA Leaks Wannacrypt NHS Cyber Attack

Shadow Brokers NSA Leaks, Wannacrypt


About Author

Ruairi Wood

English Dirtbag. Read the Bread Book, Google Murray Bookchin.