Snowden Documents Show NSA Can't Keep Its Eyes On Its Own Papers; Harvests Data From Other Surveillance Agencies

from the METAPHORCOLLISION:-the-NSA's-haystack-sipping-program dept

Another pile of Snowden documents has been released by Der Spiegel, detailing more of previously revealed NSA/GCHQ activities — like the harvesting of exploits and hardware shipment “interdiction” — along with some new stuff, including the NSA’s piggybacking on other countries’ surveillance to further buttress its massive haystacks.

The report digs deeper into the NSA’s Tailored Access Operations, noting that the agency’s plans for its targets’ hardware are even more aggressive than previously indicated. A document [pdf link] details different offerings for NSA “interns,” who will be tasked with a variety of operations to not only compromise hardware integrity, but possibly disable or destroy it.

Potential interns are also told that research into third party computers might include plans to “remotely degrade or destroy opponent computers, routers, servers and network enabled devices by attacking the hardware.” Using a program called Passionatepolka, for example, they may be asked to “remotely brick network cards.” With programs like Berserkr they would implant “persistent backdoors” and “parasitic drivers”. Using another piece of software called Barnfire, they would “erase the BIOS on a brand of servers that act as a backbone to many rival governments.”

Despite “tailored” being one of the key words in Tailored Access Operations, the exploits used aren’t necessarily targeted. Because the same holes can be exploited by criminals or other “bad guys,” non-targeted persons are at risk. And because some of the exploits are by nature self-replicating (documents obtained show the NSA seeking out and deploying trojans and worms), the potential for unintentional collateral damage is always present.

In this guerilla war over data, little differentiation is made between soldiers and civilians, the Snowden documents show. Any Internet user could suffer damage to his or her data or computer. It also has the potential to create perils in the offline world as well. If, for example, a D weapon like Barnfire were to destroy or “brick” the control center of a hospital as a result of a programming error, people who don’t even own a mobile phone could be affected.

One of the most fascinating documents is a presentation that borrows a famous line from There Will Be Blood. [pdf link]

The NSA doesn’t do all of its own dirty work. Its haystacking efforts also take advantage of surveillance programs deployed by anyone outside of its Five Eyes partnership — including nominally “friendly” countries like Germany. A combination of hacking and exploits allows the NSA to pursue what it calls “fourth party collections.”

Some of this is along the lines of what’s expected from a national intelligence service — like the targeting of “unfriendly” countries.

In 2009, an NSA unit took notice of a data breach affecting workers at the US Department of Defense. The department traced an IP address in Asia that functioned as the command center for the attack. By the end of their detective work, the Americans succeeded not only in tracing the attack’s point of origin to China, but also in tapping intelligence information from other Chinese attacks — including data that had been stolen from the United Nations. Afterwards, NSA workers in Fort Meade continued to read over their shoulders as the Chinese secretly collected further internal UN data. “NSA is able to tap into Chinese SIGINT collection,” a report on the success in 2011 stated.

But it goes further than that. Allies outside the Five Eyes partnership are not immune from the NSA’s piggybacking. And the NSA goes further than simply utilizing man-in-the-middle attacks to “make copies” of anything interesting other countries’ surveillance networks have picked up. The presentation lays out the NSA’s use of “fourth party collections” to deploy its own exploits (called “victim stealing”) or collect new exploits being deployed by other surveillance agencies.

The stuff the NSA pulls from other surveillance networks is then routed away from the agency in order to cover its tracks. Anything that might lead back to the agency is obscured, which could easily result in innocent persons or companies being targeted by irritated foreign surveillance agencies who happen to notice their networks have been accessed by others.

In technical terms, the ROC [Remote Operations Center] lays false tracks as follows: After third-party computers are infiltrated, the process of exfiltration can begin — the act of exporting the data that has been gleaned. But the loot isn’t delivered directly to ROC’s IP address. Rather, it is routed to a so-called Scapegoat Target. That means that stolen information could end up on someone else’s servers, making it look as though they were the perpetrators.

Before the data ends up at the Scapegoat Target, of course, the NSA intercepts and copies it using its mass surveillance infrastructure and sends it on to the ROC. But such cover-up tactics increase the risk of a controlled or uncontrolled escalation between the agencies involved.

This isn’t as deep as the rabbit hole gets, however. The documents leaked by Ed Snowden also detail yet another layer of the NSA’s collection-by-proxy efforts. A Q&A pulled from the NSA’s internal message boards [pdf link] contains the following discussion:

Is there “fifth party” collection?

“Fourth party collection” refers to passively or actively obtaining data from some other actor’s CNE [computer network exploitation] activity against a target. Has there ever been an instance of NSA obtaining information from Actor One exploiting Actor Two’s CNE activity against a target that NSA, Actor One, and Actor Two all care about?

—–

Yes. There was a project that I was working last year with regard to the South Korean CNE program. While we aren’t super interested in SK (things changed a bit when they started targeting us a bit more), we were interested in North Korea and SK puts a lot of resources against them.

At that point, our access to NK was next to nothing but we were able to make some inroads to the SK CNE program. We found a few instances where there were NK officials with SK implants on their boxes, so we got on the exfil points, and sucked back the data. Thats fourth party. However, some of the individuals that SK was targeting were also part of the NK CNE program. So I guess that would be the fifth party collect you were talking about. But once that started happening, we ramped up efforts to target NK ourselves (as you dont want to rely on an untrusted actor to do your work for you). But some of the work that was done there was able to help us gain access.

I know of another instance (I will be more vague because I believe there are more compartments involved and parts are probably NF) where there was an actor we were going against. We realized there was another actor that was also going against them and having great success because of a 0 day they wrote. We got the 0 day out of passive and were able to re-purpose it. Big win.

The NSA’s long straw surveillance also repurposes vernacular from another arena where the war is neverending and the foes declared so dangerous that every Constitutional violation is justified. Those who are used without their knowledge as “hosts” for information gathered by the NSA’s “fourth party” efforts have been given an unflattering nickname.

The unwitting victim, whose phone has been infected with a spy program, smuggles the information out of the office. The information is then retrieved remotely as the victim heads home after work. Digital spies have even adopted drug-dealer slang in referring to these unsuspecting accomplices. They are called “unwitting data mules.”

When the NSA discusses its efforts with its oversight, very few details are given on the means and methods. The general attitude seems to be that if something like this occurs outside of the US, it doesn’t matter. The NSA may make minimal efforts to preserve American citizens’ rights, but it has absolutely no concern for anyone located outside of America’s borders.

As Der Spiegel notes, the NSA is operating in a “legal vacuum.” The tracks left behind by its milkshake drinking cause it no great concern. While it does make some effort to obfuscate its origins (by saddling uninvolved “data mules” with the consequences), it generally remains unconcerned about being caught in the act. There’s no legal process that can truly hold the NSA accountable for its extraterritorial actions — at least nothing that couldn’t easily be deflected by one of the most powerful nations in the world.

Filed Under: gchq, nsa, surveillance, tailored access operations, tao