Snowden Documents Show NSA Can't Keep Its Eyes On Its Own Papers; Harvests Data From Other Surveillance Agencies

from the METAPHORCOLLISION:-the-NSA's-haystack-sipping-program dept

Another pile of Snowden documents has been released by Der Spiegel, detailing more about previously revealed NSA/GCHQ activities — like the harvesting of exploits and hardware shipment “interdiction” — along with some new material, including the NSA’s piggybacking on other countries’ surveillance to further buttress its massive haystacks.

The report digs deeper into the NSA’s Tailored Access Operations, noting that the agency’s plans for its targets’ hardware are even more aggressive than previously indicated. A document [pdf link] details different offerings for NSA “interns,” who will be tasked with a variety of operations to not only compromise hardware integrity, but possibly disable or destroy it.

Potential interns are also told that research into third party computers might include plans to “remotely degrade or destroy opponent computers, routers, servers and network enabled devices by attacking the hardware.” Using a program called Passionatepolka, for example, they may be asked to “remotely brick network cards.” With programs like Berserkr they would implant “persistent backdoors” and “parasitic drivers”. Using another piece of software called Barnfire, they would “erase the BIOS on a brand of servers that act as a backbone to many rival governments.”

Despite “tailored” being one of the key words in Tailored Access Operations, the exploits used aren’t necessarily targeted. Because the same holes can be exploited by criminals or other “bad guys,” non-targeted persons are at risk. And because some of the exploits are by nature self-replicating (documents obtained show the NSA seeking out and deploying trojans and worms), the potential for unintentional collateral damage is always present.

In this guerilla war over data, little differentiation is made between soldiers and civilians, the Snowden documents show. Any Internet user could suffer damage to his or her data or computer. It also has the potential to create perils in the offline world as well. If, for example, a D weapon like Barnfire were to destroy or “brick” the control center of a hospital as a result of a programming error, people who don’t even own a mobile phone could be affected.

One of the most fascinating documents is a presentation that borrows a famous line from There Will Be Blood. [pdf link]

The NSA doesn’t do all of its own dirty work. Its haystacking efforts also take advantage of surveillance programs deployed by anyone outside of its Five Eyes partnership — including nominally “friendly” countries like Germany. A combination of hacking and exploits allows the NSA to pursue what it calls “fourth party collections.”

Some of this is along the lines of what’s expected from a national intelligence service — like the targeting of “unfriendly” countries.

In 2009, an NSA unit took notice of a data breach affecting workers at the US Department of Defense. The department traced an IP address in Asia that functioned as the command center for the attack. By the end of their detective work, the Americans succeeded not only in tracing the attack’s point of origin to China, but also in tapping intelligence information from other Chinese attacks — including data that had been stolen from the United Nations. Afterwards, NSA workers in Fort Meade continued to read over their shoulders as the Chinese secretly collected further internal UN data. “NSA is able to tap into Chinese SIGINT collection,” a report on the success in 2011 stated.

But it goes further than that. Allies outside the Five Eyes partnership are not immune from the NSA’s piggybacking. And the NSA goes further than simply utilizing man-in-the-middle attacks to “make copies” of anything interesting other countries’ surveillance networks have picked up. The presentation lays out the NSA’s use of “fourth party collections” to deploy its own exploits (called “victim stealing”) or collect new exploits being deployed by other surveillance agencies.

The stuff the NSA pulls from other surveillance networks is then routed away from the agency in order to cover its tracks. Anything that might lead back to the agency is obscured, which could easily result in innocent persons or companies being targeted by irritated foreign surveillance agencies who happen to notice their networks have been accessed by others.

In technical terms, the ROC [Remote Operations Center] lays false tracks as follows: After third-party computers are infiltrated, the process of exfiltration can begin — the act of exporting the data that has been gleaned. But the loot isn’t delivered directly to ROC’s IP address. Rather, it is routed to a so-called Scapegoat Target. That means that stolen information could end up on someone else’s servers, making it look as though they were the perpetrators.

Before the data ends up at the Scapegoat Target, of course, the NSA intercepts and copies it using its mass surveillance infrastructure and sends it on to the ROC. But such cover-up tactics increase the risk of a controlled or uncontrolled escalation between the agencies involved.

This isn’t as deep as the rabbit hole gets, however. The documents leaked by Ed Snowden also detail yet another layer of the NSA’s collection-by-proxy efforts. A Q&A pulled from the NSA’s internal message boards [pdf link] contains the following discussion:

Is there “fifth party” collection?

“Fourth party collection” refers to passively or actively obtaining data from some other actor’s CNE [computer network exploitation] activity against a target. Has there ever been an instance of NSA obtaining information from Actor One exploiting Actor Two’s CNE activity against a target that NSA, Actor One, and Actor Two all care about?
Yes. There was a project that I was working last year with regard to the South Korean CNE program. While we aren’t super interested in SK (things changed a bit when they started targeting us a bit more), we were interested in North Korea and SK puts a lot of resources against them.

At that point, our access to NK was next to nothing but we were able to make some inroads to the SK CNE program. We found a few instances where there were NK officials with SK implants on their boxes, so we got on the exfil points, and sucked back the data. That’s fourth party. However, some of the individuals that SK was targeting were also part of the NK CNE program. So I guess that would be the fifth party collect you were talking about. But once that started happening, we ramped up efforts to target NK ourselves (as you don’t want to rely on an untrusted actor to do your work for you). But some of the work that was done there was able to help us gain access.

I know of another instance (I will be more vague because I believe there are more compartments involved and parts are probably NF) where there was an actor we were going against. We realized there was another actor that was also going against them and having great success because of a 0 day they wrote. We got the 0 day out of passive and were able to re-purpose it. Big win.

The NSA’s long straw surveillance also repurposes vernacular from another arena where the war is neverending and the foes declared so dangerous that every Constitutional violation is justified. Those who are used without their knowledge as “hosts” for information gathered by the NSA’s “fourth party” efforts have been given an unflattering nickname.

The unwitting victim, whose phone has been infected with a spy program, smuggles the information out of the office. The information is then retrieved remotely as the victim heads home after work. Digital spies have even adopted drug-dealer slang in referring to these unsuspecting accomplices. They are called “unwitting data mules.”

When the NSA discusses its efforts with its overseers, very few details are given on the means and methods. The general attitude seems to be that if something like this occurs outside of the US, it doesn’t matter. The NSA may make minimal efforts to preserve American citizens’ rights, but it has absolutely no concern for anyone located outside of America’s borders.

As Der Spiegel notes, the NSA is operating in a “legal vacuum.” The tracks left behind by its milkshake drinking cause it no great concern. While it does make some effort to obfuscate its origins (by saddling uninvolved “data mules” with the consequences), it generally remains unconcerned about being caught in the act. There’s no legal process that can truly hold the NSA accountable for its extraterritorial actions — at least nothing that couldn’t easily be deflected by one of the most powerful nations in the world.


Comments on “Snowden Documents Show NSA Can't Keep Its Eyes On Its Own Papers; Harvests Data From Other Surveillance Agencies”

Pronounce (profile) says:

Re: 5 Eyes Business Loss Due to Spying

It’s always wise to diversify your business holdings. For cloud business this may look like investment in storage locations inside the firewall of viable economies. So then the major impact by unfriendly business policy is most significantly felt by the local employees and not the corporate office at large.

Anonymous Coward says:

Re: Who hacks the hacking hackers?

What will the NSA do when they find they are reading their own traffic via another spy agency?

Use the other agency’s system to hack into an NSA computer and use the hacked computer to attack the other agency. When the other agency complains, point out the attack came from a hacked computer, could have been anybody, and obviously was not the NSA because it is never so direct and never gets caught doing its own dirty work. Then ask why analysis of the hack shows that the complaining agency had access to that server.

Anonymous Coward says:

Another defense lawyer angle

“Your honour, my client is nothing more than an unwitting data mule for the American National Security Agency. He did not commit the hacking alleged by the prosecution and indeed lacks the technical capacity even to attempt such a thing, which is why he was so successfully abused by the Americans.”

Anonymous Coward says:

Re: Another defense lawyer angle

“Wait, you mean, this was an intelligence service who framed your client, and your client had nothing whatsoever to do with what he’s being accused of…..oh, ahem, well,…..that’s different….”

Turns to jury

“!?GUILTY, court dismissed”

Quickly walks out, whispering sorry,sorry,sorry in to his turned off phone

pixelpusher220 (profile) says:

Not new?

I thought it was already well established that Country A hoovers up all data outside Country A, Country B hoovers up all data outside Country B. A and B share data and now they are both ‘legal’ because they didn’t ‘collect’ their own country’s data?
(obviously the ‘only’ outside is theoretical only!)

Which is why the laws should be written to make ‘possession’ of data from inside the country illegal as well as the collection.

Pronounce (profile) says:

Re: I am shallow

Oh, hahaha, you have no clue how arrogant these people are. The talk behind closed doors is that of a wolf looking at a flock of sheep and gleefully deciding whom to kill. But unlike a wolf who is following their natural instinct these individuals get a rush and high watching the flock flee and squirm as they go for a kill.

Watch the glee on that dude’s game video of him pwning people with head-shots. His enjoyment is on par with what I’m talking about.

Anonymous Coward says:

Re: I am shallow

Really, I keep getting the impression that it’s written by, for lack of a better word, geeks, with a shiny toy and being very excited, or at least technologically savvy people in suits playing with the nice shiny new toys they’ve had their geek department create……now don’t get me wrong, technologically smart dudes or geeks, I have major respect for, I think of you as the innovators of the technological world, and am forever grateful ……..but geeks putting their intellectual minds into something that is bad, is still geeks putting their intellectual minds into something that is bad……..mass surveillance specifically I mean, but not limited to that

John Fenderson (profile) says:

Re: Re: I am shallow

I am a great big honkin’ geek myself. Being a geek doesn’t excuse this at all.

Really, there is a subset of the geek sphere that I routinely see this sort of sociopathic behavior in: criminal hackers in general, but primarily the script kiddies. Even if the NSA wasn’t doing anything controversial, that sort of attitude reflects very badly on the agency. It makes it look like they hired a bunch of adolescent crooks.

Anonymous Coward says:

The unwitting victim, whose phone has been infected with a spy program, smuggles the information out of the office. The information is then retrieved remotely as the victim heads home after work. Digital spies have even adopted drug-dealer slang in referring to these unsuspecting accomplices. They are called “unwitting data mules.”

So add committing a crime and implicating someone else to the list.

M. Alan Thomas II (profile) says:

So the NSA knows that (1) nation-states can render IP tracking of a “cyberattack” irrelevant if they’ve compromised the backbone or even simply hacked the scapegoat and (2) if one nation-state has found a 0 day or other security flaw, another nation-state can hijack it or the resulting data flows for their own purposes.

Now if only we could convince policy-makers of this….

Pronounce (profile) says:

Is it Incompetence or Arrogance?

GCHQ hacks media. NSA hacks intelligence agencies. So why in the world does Der Spiegel even still have access to the Snowden docs?

It’s obvious that the media agencies like Der Spiegel, Techdirt, Last Week Tonight with John Oliver, aren’t *THAT* big of a deal (in terms of funding) to these agencies otherwise they’d have a NK DDoS or Charlie Hebdo “accident”.
