Did the NSA really use Twitter to send coded messages to a Russian?

On June 20 last year, the official Twitter account for the US National Security Agency (NSA) issued the following innocent-looking tweet:

Samuel Morse patented the telegraph 177 years ago. Did you know you can still send telegrams? Faster than post & pay only if it’s delivered.

On August 17, the same theme was taken up again:

The 1st telegraph communications exchange occurred between Queen Victoria and President Buchanan in 1858.

At the time, only a handful of people responded to either message. The tweets might have rested in obscurity indefinitely had the New York Times and The Intercept not alleged last weekend that the messages had an extraordinary purpose unconnected to remarking on telegraphic history. Explains The Intercept:

Each tweet looked completely benign but was in fact a message to the Russians.

As part of a sequence of 12, the tweets are now claimed to be a coded back-channel used to communicate with a Russian who was negotiating to sell to the NSA a set of cyberweapons stolen from it in 2016 by a group calling itself The Shadow Brokers.

These tools were leaked to the world and used by cybercriminals to launch attacks, such as May 2017’s WannaCry ransomware attack (later blamed by the US on North Korea).

Assuming the latest account stands up, it suggests that as recently as a few months ago, the NSA was still keen to find out precisely how much was lost in the incident and was willing to pay for the privilege.

But surely sending coded messages on a public system is a strange way to communicate something this sensitive?

There might be two reasons for an agency like the NSA to use Twitter.

The first is that a verified Twitter account appears to be a valued stamp of authenticity. The ‘Russian’ apparently needed something to verify with whom he was talking, and an official Twitter handle will do, it seems.

Less obviously, using coded tweets is a convenient way to hide in plain sight. The two parties could have used direct messaging (DM) but this would have logged the connection they had to one another (i.e. from one Twitter account to another).

Ironically, in 2014 Twitter was said to be working on a way of making DMs encrypted end-to-end but backed down, possibly because the company didn’t want to antagonise a US government already unhappy with the spread of hard-to-crack encryption. That would have made the channel more secure for the NSA too.

The idea of encoding messages using a public system – or going a stage further and actually hiding them in its communication – has been around for a while even if documented examples are rare.

In 2010, Georgia Tech researchers proposed a steganography tool called Collage that would use Twitter posts and Flickr images to hide messages from government censors.

That same year, the possibilities of the technique were demonstrated by reports that a Russian spy ring had used it to hide messages in 100 or more public website images.

This week, the world was reminded that there is more to communication than what is said or written. The NSA’s tweets will never seem mundane again.