securitylab_nJuly 12, 2026🇷🇺Translated from Russian

NSA Revives Elite TAO Hacking Unit Behind Stuxnet and WannaCry to Accelerate Cyber Operations Against China and Adversaries

The U.S. National Security Agency has restored the original name Tailored Access Operations (TAO) to its premier cyber intrusion division as part of a major internal restructuring aimed at accelerating offensive operations against hostile nations, including China.

Until recently, the unit operated under the name Office of Computer Network Operations (CNO). The decision to revive the well-known TAO designation reverses part of the NSA21 reform launched in 2016, which had distributed offensive operations and intelligence collection across larger directorates and eliminated TAO as a standalone structure.

Former NSA employees noted that the previous reorganization failed to improve collaboration between developers and operators and instead created greater separation. The revival was overseen by Deputy NSA Director Tim Kosiba, who previously served in TAO. The updated organizational structure was presented to U.S. Defense Secretary Pete Hegseth during his visit to Fort Meade, home to both NSA and U.S. Cyber Command headquarters.

Starting next month, TAO will receive its own dedicated building within the Fort Meade complex. Former personnel believe that reuniting developers and operational teams will accelerate the preparation of cyber attacks and help discover new methods of penetrating highly protected networks, especially amid rapid advances in artificial intelligence.

TAO specializes in creating custom tools for covert access to foreign computer systems. These include malware, persistence mechanisms, and other specialized implants used in intelligence-gathering operations.

The unit has been linked to several high-profile cyber operations and tools. It played a role in developing Stuxnet, the sophisticated worm used to disrupt Iran’s nuclear enrichment program. TAO also became the focus of attention after the Shadow Brokers group leaked stolen NSA tools, including the EternalBlue exploit.

EternalBlue was later weaponized in the WannaCry ransomware attack of 2017, which spread to approximately 150 countries and affected around 200,000 organizations worldwide.

Around the same period, former NSA contractor Harold Martin, who worked in TAO between 2012 and 2015, was accused of storing a massive collection of classified materials at his home. In 2019 he was sentenced to nine years in prison, although investigators never proved he had shared the stolen information with others.