
“Steal Their Tools, Tradecraft, Targets and Take”: How NSA Uses Other Countries’ Cyber Attacks to Their Advantage

In Archive, China, Hacking, NSA, NSA Files, Surveillance on February 6, 2015 at 1:16 PM


01/17/2015

h/t Jacob Appelbaum/Laura Poitras/SPIEGEL:

Just how close the NSA has already gotten to its aim of “global network dominance” is illustrated particularly well by the work of department S31177, codenamed TRANSGRESSION.

The department’s task is to trace foreign cyber attacks, observe and analyze them and, in the best case scenario, to siphon off the insights of competing intelligence agencies. This form of “Cyber Counter Intelligence” counts among the most delicate forms of modern spying.

In addition to providing a view of the US’s own ability to conduct digital attacks, Snowden’s archive also reveals the capabilities of other countries. The TRANSGRESSION team has years of preliminary field work and experience at its disposal, including databases in which malware and network attacks from other countries are cataloged.

The Snowden documents show that the NSA and its Five Eyes partners have put numerous network attacks waged by other countries to their own use in recent years. One 2009 document states that the department’s remit is to “discover, understand (and) evaluate” foreign attacks. Another document reads: “Steal their tools, tradecraft, targets and take.”

In 2009, an NSA unit took notice of a data breach affecting workers at the US Department of Defense. The department traced an IP address in Asia that functioned as the command center for the attack. By the end of their detective work, the Americans succeeded not only in tracing the attack’s point of origin to China, but also in tapping intelligence information from other Chinese attacks — including data that had been stolen from the United Nations. Afterwards, NSA workers in Fort Meade continued to read over their shoulders as the Chinese secretly collected further internal UN data. “NSA is able to tap into Chinese SIGINT collection,” a report on the success in 2011 stated. SIGINT is short for signals intelligence.

The practice of letting other intelligence services do the dirty work and then tapping their results is so successful that the NSA even has a name for it: “Fourth Party Collection.” And all countries that aren’t part of the Five Eyes alliance are considered potential targets for use of this “non-traditional” technique — even Germany.

The Snowden documents show that, thanks to fourth party collection, the NSA succeeded in detecting numerous incidents of data spying over the past 10 years, with many attacks originating from China and Russia. It also enabled the Tailored Access Operations (TAO) to track down the IP address of the control server used by China and, from there, to detect the people responsible inside the People’s Liberation Army. It wasn’t easy, the NSA spies noted. The Chinese had apparently used changing IP addresses, making them “difficult to track; difficult to target.” In the end, though, the document states, they succeeded in exploiting a central router.

The document suggests that things got more challenging when the NSA sought to turn the tables and go after the attacker. Only after extensive “wading through uninteresting data” did they finally succeed in infiltrating the computer of a high-ranking Chinese military official and accessing information regarding targets in the US government and in other governments around the world. They also were able to access source code for Chinese malware.

But there have also been successful Chinese operations. The Snowden documents include an internal NSA assessment from a few years ago of the damage caused. The report indicates that the US Defense Department alone registered more than 30,000 known incidents; more than 1,600 computers connected to its network had been hacked. Surprisingly high costs are listed for damage assessment and network repair: more than $100 million.

Among the data on “sensitive military technologies” hit in the attack were terabytes of data relating to the Joint Strike Fighter (JSF, also known as the Lockheed Martin F-35 Lightning II), air refueling schedules, the military logistics planning system, missile navigation systems belonging to the Navy, information about nuclear submarines, missile defense and other top secret defense projects.

The desire to know everything isn’t, of course, an affliction only suffered by the Chinese, Americans, Russians and British. Years ago, US agents discovered a hacking operation originating in Iran in a monitoring operation that was codenamed VOYEUR. A different wave of attacks, known as SNOWGLOBE, appears to have originated in France.
