U.S. intelligence agencies have noticed a recent trend among hackers and adversaries: they repurpose and then weaponize existing capabilities, according to a top cyber official at the National Security Agency.

While one actor might use a particular exploit or strain of malware against a target, “another adversary might see that, grab hold of that and say I want to use that for my purposes and I want to combine it with these other techniques or malwares or exploits and really repurpose, combine and use it in ways that the originator of that exploit never intended it to be used,” Jonathan Darby, deputy chief of the Cybersecurity Operations Group at the National Security Agency, said in a keynote address at the Overseas Security Advisory Council Annual Briefing in Arlington Nov. 15.

“We’re seeing more of that taking place today,” he added of this emerging threat vector in cyberspace.

Darby’s comments regarding these tools “in the wild,” in cyber speak, come on the heels of the alleged theft and release of a trove of NSA’s most sensitive tools used to infiltrate networks by a mysterious group called the Shadow Brokers.

Large-scale global cyber incidents such as the WannaCry ransomware episode and the attacks against Society for Worldwide Interbank Financial Telecommunication were thought to have used NSA exploits stolen and released by Shadow Brokers.

NSA has repeatedly declined to comment on the validity of claims that the tools in Shadow Brokers possession were stolen from the agency.

When asked about Shadow Brokers and the release of tools to the internet, Darby also declined to comment, only saying that “as an intelligence agency, we’re worried about cyber defense [and] we continually track releases of exploits that are out there in the wild.”

“Doesn’t matter the source of the exploit,” he added, “doesn’t matter who originated it, we care about how do we defend ourselves against it.”

Disclosure of vulnerabilities

Following these global hacks, many have called on the U.S. government to more frequently disclose to private companies vulnerabilities it discovers as opposed to hording them for intelligence value.

Microsoft’s president and chief legal officer, Brad Smith, has become one of the most vocal critics of the United States IC in light of recent incidents soliciting a digital Geneva Convention.

Both the Senate and House Intelligence Committees sought to direct the executive branch to revaluate this process, known as the Vulnerabilities Equities Process established under the Obama administration.

In a blog post published Nov. 15, Rob Joyce, White House cybersecurity coordinator, outlined the current administration’s approach to disclosing vulnerabilities. The post lists improved transparency, fair representation of interest for all parties and accountability as key tenants for a revised process going forward.