Just how close the NSA has already gotten to its aim of “global network dominance” is illustrated particularly well by the work of department S31177, codenamed TRANSGRESSION.
The department’s task is to trace foreign cyber attacks, observe and analyze them and, in the best case scenario, to siphon off the insights of competing intelligence agencies. This form of “Cyber Counter Intelligence” counts among the most delicate forms of modern spying.
In addition to providing a view of the US’s own ability to conduct digital attacks, Snowden’s archive also reveals the capabilities of other countries. The TRANSGRESSION team has years of preliminary field work and experience at its disposal, including databases in which malware and network attacks from other countries are cataloged.
The Snowden documents show that the NSA and its Five Eyes partners have put numerous network attacks waged by other countries to their own use in recent years. One 2009 document states that the department’s remit is to “discover, understand (and) evaluate” foreign attacks. Another document reads: “Steal their tools, tradecraft, targets and take.”
In 2009, an NSA unit took notice of a data breach affecting workers at the US Department of Defense. The department traced an IP address in Asia that functioned as the command center for the attack. By the end of their detective work, the Americans succeeded not only in tracing the attack’s point of origin to China, but also in tapping intelligence information from other Chinese attacks — including data that had been stolen from the United Nations. Afterwards, NSA workers in Fort Meade continued to read over their shoulders as the Chinese secretly collected further internal UN data. “NSA is able to tap into Chinese SIGINT collection,” a report on the success in 2011 stated. SIGINT is short for signals intelligence.
The practice of letting other intelligence services do the dirty work and then tapping their results is so successful that the NSA even has a name for it: “Fourth Party Collection.” And all countries that aren’t part of the Five Eyes alliance are considered potential targets for use of this “non-traditional” technique — even Germany.
The Snowden documents show that, thanks to fourth party collection, the NSA succeeded in detecting numerous incidents of data spying over the past 10 years, with many attacks originating from China and Russia. It also enabled the Tailored Access Operations (TAO) unit to track down the IP address of the control server used by China and, from there, to identify the people responsible inside the People’s Liberation Army. It wasn’t easy, the NSA spies noted. The Chinese had apparently used changing IP addresses, making them “difficult to track; difficult to target.” In the end, though, the document states, they succeeded in exploiting a central router.
The document suggests that things got more challenging when the NSA sought to turn the tables and go after the attacker. Only after extensive “wading through uninteresting data” did they finally succeed in infiltrating the computer of a high-ranking Chinese military official and accessing information regarding targets in the US government and in other governments around the world. They also were able to access source code for Chinese malware.
But there have also been successful Chinese operations. The Snowden documents include an internal NSA assessment from a few years ago of the damage caused. The report indicates that the US Defense Department alone registered more than 30,000 known incidents; more than 1,600 computers connected to its network had been hacked. Surprisingly high costs are listed for damage assessment and network repair: more than $100 million.
Among the data on “sensitive military technologies” hit in the attack were terabytes of data relating to the Joint Strike Fighter (JSF), also known as the Lockheed Martin F-35 Lightning II; air refueling schedules; the military logistics planning system; missile navigation systems belonging to the Navy; information about nuclear submarines; missile defense; and other top secret defense projects.
The desire to know everything isn’t, of course, an affliction only suffered by the Chinese, Americans, Russians and British. Years ago, US agents discovered a hacking operation originating in Iran in a monitoring operation that was codenamed VOYEUR. A different wave of attacks, known as SNOWGLOBE, appears to have originated in France.
NSA DOCS ON FOURTH PARTY COLLECTION:
- Description of an NSA employee on fifth party access / When the targeted fourth party has someone under surveillance who puts others under surveillance (<1MB) (See: NSA Breached North Korean Networks Before Sony Attack, Officials Say)
- 4th party collection / Taking advantage of non-partner computer network exploitation activity (<1MB)
- Combination of offensive and defensive missions / How fourth-party missions are being performed (<1MB)
- Overview of the TRANSGRESSION program to analyze and exploit foreign CNA/CNE exploits (3MB)
- NSA example SNOWGLOBE, in which a suspected French government trojan is analyzed to find out if it can be helpful for the NSA’s own interests (9MB)
- NSA fourth party access / “I drink your milkshake” (6MB)
- NSA Program TUTELAGE to instrumentalize third party attack tools (40MB)
- Codename BYZANTINE HADES / NSA research on Chinese network exploitation tools, their targets and the actors behind them (19MB)
- CSEC document on the handling of existing trojans when trojanizing computers (11MB)
- Analysis of Chinese methods and performed actions in the context of computer network exploitation (3MB)