

CSE’s Cyberwarfare Toolbox: False Flag Ops/Deception Techniques/Destroying Infrastructure Among 32 Tactics Revealed

In Archive, Canada, CSEC, False Flag, Hacking, NSA, NSA Files, PSYOP, Surveillance on April 2, 2015 at 11:07 AM


03/23/2015

CBC/Ryan Gallagher/TheIntercept:

Top-secret documents obtained by the CBC show Canada’s electronic spy agency Communication Security Establishment (CSE) has developed a vast arsenal of cyberwarfare tools alongside its U.S. and British counterparts to hack into computers and phones in many parts of the world, including in friendly trade countries like Mexico and hotspots like the Middle East.

Details of the CSE’s capabilities are revealed in several top-secret documents analyzed by CBC News in collaboration with The Intercept.

The latest top-secret documents illustrate the development of a large stockpile of Canadian cyber-spy capabilities that go beyond hacking for intelligence, including:

  • destroying infrastructure, which could include electricity, transportation or banking systems
  • “false flag” operations to “create unrest” — i.e. carrying out an attack, but making it look like it was performed by another group — in this case, likely another government or hacker
  • “effects” operations to “alter adversary perception” – i.e. sending out propaganda across social media or disrupting communications services with such techniques as deleting emails, freezing internet connections, blocking websites and redirecting wire money transfers
  • “honeypots” – i.e. some sort of bait posted online that lures in targets so that they can be hacked or monitored

It’s unclear which of the 32 cyber tactics listed in the 2011 document are actively used or in development. CSE wanted to become more aggressive by 2015, the documents also said.

Document: CSEC Cyber Threat Capabilities – SIGINT and ITS: An End-to-End Approach (2011)

Previous Snowden leaks have disclosed that the CSE uses the highly sophisticated WARRIORPRIDE malware to target cellphones, and maintains a network of infected private computers — what’s called a botnet — that it uses to disguise itself when hacking targets.

Other leaked documents revealed back in 2013 that the CSE spied on computers or smartphones connected to Brazil’s mining and energy ministry to get economic intelligence.

Canada’s electronic spy agency and the U.S. National Security Agency “cooperate closely” in “computer network access and exploitation” of certain targets, according to an April 2013 briefing note for the NSA.

Document: NSA Intelligence Relationship with CSEC (April 2013)

Their targets are located in the Middle East, North Africa, Europe and Mexico, plus other unnamed countries connected to the two agencies’ counterterrorism goals, the documents say. Specific techniques used against the targets are not revealed.

Some of the capabilities mirror what CSE’s U.S. counterpart, the NSA, can do under a powerful hacking program called QUANTUM, which was created by the NSA’s elite cyberwarfare unit, Tailored Access Operations.

The apparent involvement of CSE in using the deception tactics suggests it is operating in the same area as a secretive British unit known as JTRIG, a division of the country’s eavesdropping agency, Government Communications Headquarters, or GCHQ. Last year, documents from Snowden revealed that JTRIG uses a range of effects operations to manipulate information online, such as by rigging the outcome of online polls, sending out fake messages on Facebook across entire countries, and posting negative information about targets online to damage their reputations.

According to the documents, the CSE wanted more aggressive powers for use both at home and abroad.

In 2011, the Canadian agency presented its vision for 2015 to the Five Eyes allies at a conference.

“We will seek the authority to conduct a wide spectrum of Effects operations in support of our mandates,” the top-secret presentation says.

Document: CASCADE: Joint Cyber Sensor Architecture (2011)

Effects operations refer to manipulating and disrupting computers or devices.

In an increasingly hostile cyberspace, Canada has also turned its attention to figuring out ways to better protect itself against such attacks.

Documents: CSEC Cyber Threat Detection (November 2009)
           CSEC SIGINT Cyber Discovery (November 2010)

See Also: EONBLUE: CSE’s Cyber Threat Detection Platform; Access Internet Core Infrastructure with 200 Sensors Across Globe

Back in 2011, CSE envisioned creating a “perimeter around Canada” to better defend the country’s interests from potential threats from other countries and criminals, raising the prospect the agency was preparing a broad surveillance program to target Canadians’ online traffic.

At the time, “full visibility of our national infrastructure” was among its goals, according to a planning document for 2015. Security analysts wanted the means to detect an attack before it hit a target like a government website.

“If we wish to enable defence, we must have intelligence to know when attacks enter our national infrastructure,” the 2011 top-secret CSE presentation says.

The agency would not answer how far it got with the 2015 plan.

Document: CSE Response to CBC Re: Cyberwarfare Revelations

Experts say the Anti-Terrorism Act, Bill C-51, currently being debated, could legalize use of some of the capabilities outlined in these classified documents.

Though the act would give CSIS, Canada’s domestic intelligence agency, the power to disrupt threats to the security of Canada both at home and abroad, the Canadian Security Intelligence Service relies on its sister service, the CSE, for technical help with surveillance and infiltration of cellphones and computers.

PONY EXPRESS: CSE Spying on Canadians’ Emails to Government

In Archive, Canada, CSEC, NSA Files, Surveillance on February 25, 2015 at 10:42 PM


02/25/2015

Ryan Gallagher/Glenn Greenwald/TheIntercept/CBC:

Canada’s electronic surveillance agency is covertly monitoring vast amounts of Canadians’ emails as part of a sweeping domestic cybersecurity operation, according to top-secret documents.

The surveillance initiative, revealed Wednesday by CBC News in collaboration with The Intercept, is sifting through millions of emails sent to Canadian government agencies and departments, archiving details about them on a database for months or even years.

The data mining operation is carried out by the Communications Security Establishment, or CSE, Canada’s equivalent of the National Security Agency. Its existence is disclosed in documents obtained by The Intercept from NSA whistleblower Edward Snowden.

The emails are vacuumed up by the Canadian agency as part of its mandate to defend against hacking attacks and malware targeting government computers. It relies on a system codenamed PONY EXPRESS to analyze the messages in a bid to detect potential cyber threats.


Last year, CSE acknowledged it collected some private communications as part of cybersecurity efforts. But it refused to divulge the number of communications being stored or to explain for how long any intercepted messages would be retained.

Now, the Snowden documents shine a light for the first time on the huge scope of the operation — exposing the controversial details the government withheld from the public.

Under Canada’s criminal code, CSE is not allowed to eavesdrop on Canadians’ communications. But the agency can be granted special ministerial exemptions if its efforts are linked to protecting government infrastructure — a loophole that the Snowden documents show is being used to monitor the emails.

The latest revelations will trigger concerns about how Canadians’ private correspondence with government employees is being archived by the spy agency and potentially shared with police or allied surveillance agencies overseas, such as the NSA. Members of the public routinely communicate with government employees when, for instance, filing tax returns, writing a letter to a member of parliament, applying for employment insurance benefits or submitting a passport application.

In a top-secret CSE document on the security operation, dated from 2010, the agency says it “processes 400,000 emails per day” and admits that it is suffering from “information overload” because it is scooping up “too much data.”


The document outlines how CSE built a system to handle a massive 400 terabytes of data from Internet networks each month — including Canadians’ emails — as part of the cyber operation. (A single terabyte of data can hold about a billion pages of text, or about 250,000 average-sized mp3 files.)

The agency notes in the document that it is storing large amounts of “passively tapped network traffic” for “days to months,” encompassing the contents of emails, attachments and other online activity. It adds that it stores some kinds of metadata — data showing who has contacted whom and when, but not the content of the message — for “months to years.”

CSE, under its cyberdefence mandate, is allowed to hold on to personal information — email addresses, IP addresses and other identifiers — for up to 30 years, then transfer it to Library and Archives Canada, according to the agency’s own description of its databanks in the federal Info Source publication.

Of the masses of emails the agency was scanning and storing using PONY EXPRESS in 2010, however, only about 0.001 percent of them were deemed to contain potentially malicious viruses. According to the documents, the automated system sifts through them and detects about 400 potentially suspect emails each day — about 146,000 a year. That system sends alerts to CSE analysts, who then can take a closer look at the email to see if it poses any threat. Only about four emails per day — about 1,460 a year — are serious enough to warrant CSE security analysts contacting the government departments potentially affected.

The document says that CSE has “excellent access to full take data” as part of its cyber operations and is receiving policy support on “use of intercepted private communications.” The term “full take” is surveillance-agency jargon that refers to the bulk collection of both content and metadata from Internet traffic.

Another top-secret document on the surveillance dated from 2010 suggests the agency may be obtaining at least some of the data by covertly mining it directly from Canadian Internet cables. CSE notes in the document that it is “processing emails off the wire.”

The data analyzed by PONY EXPRESS can be obtained using Deep Packet Inspection Technology (DPI). Such technology works by observing small portions of internet traffic known as packets, and matching the information describing each packet against a library of signatures—including known applications, protocols, network activity, and more.

DPI hardware can also flag all internet traffic destined for a particular IP address, or range of IP addresses, such as those belonging to the Government of Canada. It’s possible that CSE’s EONBLUE program—which is believed to be based on DPI technology—could be the first step in flagging email traffic for further analysis by PONY EXPRESS.

Since the 2010 documents were authored, it is likely the scale of the domestic data collection has increased. CSE states in the documents that it is working to bolster its capabilities. Under a heading marked “future,” the agency notes: “metadata continues to increase linearly with new access points.”

A CSE spokesman told The Intercept and CBC News in a statement that the agency eventually deletes intercepted Canadians’ emails if they are found to contain no cyberthreat, but would not comment on the amount of emails collected, or discuss the period of time that the messages are retained for.


See: Dreamy, Nosey, Tracker & Paranoid: GCHQ’s Spying Smurfs Can Hide On Phones, Turn Them On, Eavesdrop & Locate

EONBLUE: CSE’s Cyber Threat Detection Platform; Access Internet Core Infrastructure with 200 Sensors Across Globe

In Archive, Canada, CSEC, Internet, NSA Files, Surveillance on February 25, 2015 at 10:34 PM

02/11/2015

Matthew Braga/Motherboard:

You might not think Canada’s digital spies are on par with those in the US and UK—but rest assured, America’s northern neighbour is just as capable of perpetrating mass surveillance on a global scale. Case in point: at over 200 locations around the world, spies from Canada’s cyberintelligence agency have been monitoring huge volumes of global internet traffic travelling across the internet’s core.

From these locations, Communications Security Establishment (CSE) can track who is accessing websites and files of interest. Its analysts can also log email addresses, phone numbers and even the content of unencrypted communications—and retain encrypted communication for later study, too—as well as intercept passwords and login details for later access to remote servers and websites.

​But perhaps more importantly, tapping into global internet traffic is a means for CSE to monitor, and also exploit, an ever growing list of digital threats, such as vulnerabilities in networks and computers and the spread of malware as well as botnets and the computers under their control. In the process, analysts can keep tabs on both friendly and foreign governments conducting covert cyber attacks and infiltration of their own.

Such vast access to the backbone of the internet is achieved through a program called EONBLUE. According to documents (1) (2) leaked by whistleblower Edward Snowden, and published by Der Spiegel last month, the program is designed to “track known threats,” “discover unknown threats,” and provide “defence at the core of the Internet.”


And while it may be tempting to dismiss this as yet another in a long line of revelations of mass surveillance, it is one of the clearest examples yet that Canada plays no small part in its Five Eyes partnership with intelligence agencies from Australia, New Zealand, the UK, and the US.

The meaning of threats, in this case, is two-fold: cyber attacks on network infrastructure and data, certainly, but also the online activities of terrorists believed to be plotting attacks against the physical world. The EONBLUE program is part of CSE’s Global Network Detection operations, which specialize in collecting signals intelligence from the movement of traffic online.

While the locations of EONBLUE sites are not disclosed in the documents, one slide makes reference to the internet’s “core” and describes EONBLUE’s ability to “scale to backbone internet speeds”—implying possible access to telecom operators, data centers, undersea cables and other infrastructure providers worldwide.

Such access would mean that much, if not all of the data, travelling through a location tapped by CSE could be subject to surveillance. Though the agency maintains it cannot legally track Canadians at home or abroad it is hard to fathom how such data could be exempt.

As of November 2010, when the document was dated, EONBLUE had already been under development for over eight years. However, it isn’t clear from the slides for how long EONBLUE has been used, or whether it is still in use today.

According to network security researchers consulted by Motherboard, EONBLUE is likely a global-scale implementation of a technology known as Deep Packet Inspection (DPI).


Such technology works by observing small portions of internet traffic known as packets, and matching the information describing each packet against a library of signatures—including known applications, protocols, network activity, and more. Internet service providers have been known to use DPI technology to identify subscribers using peer-to-peer filesharing protocols such as BitTorrent on their networks, for example. But such devices, generally speaking, can do much, much more.

Depending on how the system is configured, DPI hardware can: log the IP addresses of all users connecting to a website or webpage; log all activity from a certain IP, or blocks of IPs; identify applications being used on the network; look for cookies, email addresses, phone numbers, and other identifiers; identify encrypted traffic, and also the type of encryption used; identify the type of protocol a connection is using (for example, FTP or HTTP); locate the port that network traffic is connecting to or from; and, perhaps most concerning of all, modify certain types of traffic in real-time, in such a way that neither the sender nor the receiver would know any such tampering took place.

In other words, such a device can be instructed to lay bare your activities online.

It’s not clear what, exactly, EONBLUE is configured to monitor, but descriptions of other Canadian intelligence operations that rely on the program do offer some indication. For example, one document says that, thanks to EONBLUE, Canadian intelligence analysts identified a new type of malware, codenamed SNOWGLOBE, that they suspected was the work of French intelligence.

Because EONBLUE monitors network traffic, CSE was able to watch someone log into one of the remote computers, or listening posts, with which SNOWGLOBE communicated, and retrace the malware operator’s steps. This enabled Canadian intelligence to login to the listening post themselves, and see the data SNOWGLOBE had transmitted from the computers it had infected.

Another document outlining a roadmap for EONBLUE development references a Canadian version of the infamous US intelligence database XKEYSCORE. At the NSA, XKEYSCORE allowed analysts to query such information as the content of emails, browsing history, telephone numbers and online chats between Facebook users that, until July 2013, were not encrypted by default.


While it’s not clear how CSE’s XKEYSCORE functioned in practice, it’s clear Canadian spies were at least planning to develop a powerful database on par with that of its partner agencies in the US and UK—but using data that had been flagged by EONBLUE.

While the documents make it clear that EONBLUE relies on access to the internet’s core infrastructure—the physical cables and connection points across which most data in a geographic region travels—it’s not clear where, exactly, that access occurs.

“It’s difficult to understand how they’re doing this without violating the sovereignty and likely the criminal laws of at least some countries, allied countries even, abroad,” said Tamir Israel, a staff lawyer at the Canadian Internet Policy & Public Interest Clinic (CIPPIC).

One slide suggests that EONBLUE sits on top of existing collection programs, such as SPECIALSOURCE, sometimes referred to as Special Source Operations (SSO), a term that has been used in other documents to indicate direct access to fibre-optic cables and ISPs.


In other words, CSE’s partner agencies—or another division within CSE itself—are likely responsible for gaining physical access to internet infrastructure, and then making that data available to programs such as EONBLUE.

Curiously, one slide within the document hints at the existence of an Australian extension of EONBLUE operated by Australian Signals Directorate. Another refers to a Canadian special source. Whether that data source is located in Canada, or is a Canadian operator of infrastructure abroad, remains unclear.

According to documents jointly published by The Intercept and CBC, a CSE program codenamed LEVITATION tracked users downloading certain files from popular filesharing networks worldwide to identify extremists, while another program codenamed PONY EXPRESS sifts through millions of emails sent from Canadians to government agencies in a bid to detect potential cyber threats.

While there is no explicit link between the programs in any of the documents that have been publicly released, CSE could have instructed EONBLUE to flag the IP addresses of every user who attempted to access a bomb-making guide, for example, and send that information to a database for later analysis by LEVITATION.

The data analyzed by PONY EXPRESS can be obtained using Deep Packet Inspection Technology. DPI hardware can also flag all internet traffic destined for a particular IP address, or range of IP addresses, such as those belonging to the Government of Canada. It’s possible that CSE’s EONBLUE program—which is believed to be based on DPI technology—could be the first step in flagging email traffic for further analysis by PONY EXPRESS.

It’s hard not to overstate the importance of what’s happening here. There are more eyes than we realize watching our data as it travels around the world. And it’s programs such as EONBLUE that prove the Canadian government is playing a much larger role in monitoring the internet than most might think—with a prowess that rivals both NSA and GCHQ.
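The DPI behaviour the Motherboard piece describes (matching the first bytes of a flow against a signature library, identifying the protocol and the TLS version of encrypted traffic, pulling identifiers such as email addresses and cleartext credentials out of unencrypted sessions, and flagging traffic bound for a protected address range the way PONY EXPRESS is thought to receive government-bound email) as an added example in Python. It is not CSE’s code and not from any of the quoted articles: the packets are bare IPv4/TCP built for the example, the protected range is TEST-NET-1 standing in for a government block, the addresses, mail domains and payloads are constructed, and the signature set is a toy covering only TLS, HTTP, SMTP and FTP.

```python
import ipaddress
import re
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a "protected" destination range (TEST-NET-1); a real deployment
# would load the government's address blocks here.
PROTECTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
TLS_VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def parse_ipv4_tcp(pkt: bytes) -> Optional[Flow]:
    """Minimal IPv4+TCP header parser; returns None for anything else."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return Flow(src, dst, sport, dport, tcp[doff:])


def classify(payload: bytes) -> dict:
    """Match the start of a flow against a (toy) application signature library."""
    # TLS ClientHello: record type 0x16, handshake type 0x01, handshake version at bytes 9-10
    if len(payload) >= 11 and payload[0] == 0x16 and payload[5] == 0x01:
        ver = (payload[9] << 8) | payload[10]
        return {"app": "tls", "encrypted": True, "version": TLS_VERSIONS.get(ver, hex(ver))}
    if re.match(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n", payload):
        return {"app": "http", "encrypted": False}
    if payload.startswith((b"EHLO ", b"HELO ", b"MAIL FROM:")):
        return {"app": "smtp", "encrypted": False}
    if payload.startswith((b"USER ", b"PASS ")):
        return {"app": "ftp", "encrypted": False}
    return {"app": "unknown", "encrypted": False}


def inspect(pkt: bytes) -> Optional[dict]:
    """One DPI record per packet: protocol, whether it is bound for a protected range,
    and any identifiers or credentials visible in cleartext."""
    flow = parse_ipv4_tcp(pkt)
    if flow is None:
        return None
    rec = {"src": flow.src, "dst": flow.dst, "dport": flow.dport, **classify(flow.payload)}
    rec["to_protected"] = any(ipaddress.ip_address(flow.dst) in net for net in PROTECTED_NETS)
    if not rec["encrypted"]:
        rec["emails"] = sorted({m.decode() for m in EMAIL_RE.findall(flow.payload)})
        rec["credential"] = rec["app"] == "ftp" and flow.payload.startswith(b"PASS ")
    return rec


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a bare IPv4/TCP packet for the constructed samples (checksums left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


# Constructed traffic: SMTP into the protected range, a TLS 1.2 ClientHello, a cleartext FTP login.
SAMPLE_PACKETS = [
    build_packet("198.51.100.7", "192.0.2.10", 40001, 25,
                 b"MAIL FROM:<alice@example.org>\r\nRCPT TO:<clerk@ministry.example>\r\n"),
    build_packet("198.51.100.8", "203.0.113.5", 40002, 443,
                 b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03\x03"),
    build_packet("198.51.100.9", "203.0.113.6", 40003, 21, b"PASS hunter2\r\n"),
]


def run(packets) -> list:
    return [r for r in (inspect(p) for p in packets) if r is not None]


if __name__ == "__main__":
    for r in run(SAMPLE_PACKETS):
        print(r)
```

The split between `parse_ipv4_tcp`, `classify` and `inspect` mirrors how a sensor is layered: header parsing is cheap and runs on everything, signature matching runs on the first payload bytes, and identifier extraction only on flows already known to be cleartext. Note what the encrypted record does and does not carry: the TLS version and the endpoints are visible, the content is not, which is exactly why the LEVITATION piece below notes that sites moving to HTTPS may have blunted that collection.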

LEVITATION: CSE Tracking Millions of Downloads Daily from 102 File-Sharing Sites

In Archive, Canada, CSEC, Internet, NSA Files, Surveillance, Terrorism on February 22, 2015 at 6:26 PM

01/27-28/2015

Ryan Gallagher/Glenn Greenwald/TheIntercept/CBC:

Canada’s leading surveillance agency is monitoring millions of Internet users’ file downloads in a dragnet search to identify extremists, according to top-secret documents.

The covert operation, revealed Wednesday by CBC News in collaboration with The Intercept, taps into Internet cables and analyzes records of up to 15 million downloads daily from popular websites commonly used to share videos, photographs, music, and other files.

The revelations about the spying initiative, codenamed LEVITATION, are the first from the trove of files provided by National Security Agency whistleblower Edward Snowden to show that the Canadian government has launched its own globe-spanning Internet mass surveillance system.

According to the documents, the LEVITATION program can monitor downloads in several countries across Europe, the Middle East, North Africa, and North America. It is led by the Communications Security Establishment, or CSE, Canada’s equivalent of the NSA. (The Canadian agency was formerly known as “CSEC” until a recent name change.)

The latest disclosure sheds light on Canada’s broad existing surveillance capabilities at a time when the country’s government is pushing for a further expansion of security powers following attacks in Ottawa and Quebec last year.

Ron Deibert, director of University of Toronto-based Internet security think tank Citizen Lab, said LEVITATION illustrates the “giant X-ray machine over all our digital lives.”

“Every single thing that you do – in this case uploading/downloading files to these sites – that act is being archived, collected and analyzed,” Deibert said, after reviewing documents about the online spying operation for CBC News.


The ostensible aim of the surveillance is to sift through vast amounts of data to identify people uploading or downloading content that could be connected to terrorism – such as bomb-making guides and hostage videos.

In the process, however, CSE combs through huge volumes of data showing uploads and downloads initiated by Internet users not suspected of any wrongdoing.

In a top-secret PowerPoint presentation, dated from mid-2012, an analyst from the agency jokes about how, while hunting for extremists, the LEVITATION system gets clogged with information on innocuous downloads of the musical TV series Glee.


CSE finds some 350 “interesting” downloads each month, the presentation notes, a number that amounts to less than 0.0001 per cent of the total collected data.

The agency stores details about downloads and uploads to and from 102 different popular file-sharing websites, according to the 2012 document, which describes the collected records as “free file upload,” or FFU, “events.” Only three of the websites are named: RapidShare, SendSpace, and the now defunct MegaUpload.

SendSpace said in a statement that “no organization has the ability/permission to trawl/search Sendspace for data,” adding that its policy is not to disclose user identities unless legally compelled. Representatives from RapidShare and MegaUpload had not responded to a request for comment at time of publication.

LEVITATION does not rely on cooperation from any of the file-sharing companies. A separate secret CSE operation codenamed ATOMIC BANJO obtains the data directly from internet cables that it has tapped into, which can be viewed through the agency’s OLYMPIA program. CSE then sifts out the unique IP address of each computer that downloaded files from the targeted websites.

The IP addresses are valuable pieces of information to CSE’s analysts, helping to identify people whose downloads have been flagged as suspicious. The analysts use the IP addresses as a kind of search term, entering them into other surveillance databases that they have access to, such as the vast repositories of intercepted Internet data shared with the Canadian agency by the NSA and its British counterpart Government Communications Headquarters.

Once a suspicious file-downloader is identified, analysts can plug that IP address into MUTANT BROTH, a database run by the British electronic spy agency Government Communications Headquarters (GCHQ), to see five hours of that computer’s online traffic before and after the download occurred, opening the door for further surveillance of their activities.

That can sometimes lead them to a Facebook profile page and to a string of Google and other cookies used to track online users’ activities for advertising purposes. This can help identify an individual.

In one example in the top-secret document, analysts also used the U.S. National Security Agency’s powerful MARINA database, which keeps online metadata on people for up to a year, to search for further information about a target’s Facebook profile. It helped them find an email address.

After doing its research, the Levitation team then passes on a list of suspects to CSE’s Office of Counter Terrorism.

Since the secret 2012 presentation about LEVITATION was authored, both RapidShare and SendSpace have toughened security by encrypting users’ connections to their websites, which may have thwarted CSE’s ability to target them for surveillance. But many other popular file-sharing sites have still not adopted encryption, meaning they remain vulnerable to the snooping.

As of mid-2012, CSE was maintaining a list of 2,200 particular download links that it regarded as connected to suspicious “documents of interest.” Anyone clicking on those links could have found themselves subject to extra scrutiny from the spies.

The file-sharing surveillance also raises questions about the number of Canadians whose downloading habits could have been swept up as part of LEVITATION’s dragnet.

By law, CSE isn’t allowed to target Canadians. Canada’s commissioner charged with reviewing the secretive group found it unintentionally swept up private communications of 66 Canadians while monitoring signals intelligence abroad, but concluded there was no sign of unlawful practice.

In the LEVITATION presentation, however, two Canadian IP addresses that trace back to a web server in Montreal appear on a list of suspicious downloads found across the world. The same list includes downloads that CSE monitored in closely allied countries, including the United Kingdom, United States, Spain, Brazil, Germany and Portugal.

It is unclear from the document whether LEVITATION has ever prevented any terrorist attacks. The agency cites only two successes of the program in the 2012 presentation: the discovery of a hostage video through a previously unknown target, and an uploaded document that contained the hostage strategy of a terrorist organization. The hostage in the discovered video was ultimately killed, according to public reports.

A CSE spokesman declined to comment to The Intercept on whether LEVITATION remained active, and would not provide examples of useful intelligence gleaned from the spying, or explain how long data swept up under the operation is retained.

Document: CSE Response to CBC Re: LEVITATION

Related Link: EONBLUE: CSE’s Cyber Threat Detection Platform; Access Internet Core Infrastructure with 200 Sensors Across Globe
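The LEVITATION workflow described above (records of downloads from a fixed set of file-sharing hosts, matched against a list of download links tied to “documents of interest”, reduced to the unique source IP of each matching download, which then becomes the search key for other databases) as an added example in Python. This is not CSE’s code and nothing here comes from the leaked slides: the host list, the link list, the DOI identifiers and the FFU event log are all constructed for the example, and the HTTPS row is included to show the caveat the article raises, that once the connection is encrypted the tap sees the host but not the link, so no match is possible.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed stand-in for the "documents of interest" link list (the 2012 deck had about 2,200 entries).
DOCUMENTS_OF_INTEREST = {
    "http://share.example/files/a1b2c3/manual.pdf": "DOI-001",
    "http://upload.example/d/9f8e7d/video.mp4": "DOI-002",
}
# Constructed stand-in for the 102 monitored file-sharing hosts.
MONITORED_HOSTS = {"share.example", "upload.example", "drop.example"}

# Constructed FFU ("free file upload") events as a passive tap might log them.
# The HTTPS row carries only the host: with the path inside TLS there is nothing to match a link against.
SAMPLE_EVENTS = """\
ts,src_ip,url
2012-06-01T10:00:00Z,198.51.100.23,http://share.example/files/a1b2c3/manual.pdf
2012-06-01T10:00:05Z,198.51.100.23,http://share.example/files/zz99/glee_s03e12.avi
2012-06-01T10:02:00Z,203.0.113.9,http://upload.example/d/9f8e7d/video.mp4
2012-06-01T10:03:00Z,198.51.100.23,http://upload.example/d/9f8e7d/video.mp4
2012-06-01T10:04:00Z,192.0.2.44,https://share.example/
2012-06-01T10:05:00Z,192.0.2.45,http://other.example/files/a1b2c3/manual.pdf
"""


def parse_events(text: str) -> list:
    """Split the CSV log into events with the URL broken out into scheme and host."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        parts = urlsplit(row["url"])
        events.append({"ts": row["ts"], "src_ip": row["src_ip"], "url": row["url"],
                       "scheme": parts.scheme, "host": parts.hostname})
    return events


def levitate(events: list):
    """Sift events for downloads of documents of interest from monitored hosts.
    Returns ({src_ip: sorted DOI ids}, counters); the IP is a pivot key, not an identity."""
    hits = defaultdict(set)
    stats = {"total": 0, "monitored": 0, "opaque": 0, "interesting": 0}
    for e in events:
        stats["total"] += 1
        if e["host"] not in MONITORED_HOSTS:
            continue
        stats["monitored"] += 1
        if e["scheme"] == "https":
            stats["opaque"] += 1  # encrypted: host visible, link not
            continue
        doc = DOCUMENTS_OF_INTEREST.get(e["url"])
        if doc is not None:
            stats["interesting"] += 1
            hits[e["src_ip"]].add(doc)
    return {ip: sorted(docs) for ip, docs in hits.items()}, stats


def rank_suspects(hits: dict) -> list:
    """Order flagged IPs by number of distinct documents, then by address. This is the list
    an analyst would carry on to other databases, not a conclusion about who is behind the IP."""
    return sorted(hits, key=lambda ip: (-len(hits[ip]), ip))


if __name__ == "__main__":
    hits, stats = levitate(parse_events(SAMPLE_EVENTS))
    print(stats)
    for ip in rank_suspects(hits):
        print(ip, hits[ip])
```

Two things the code makes concrete that the article only states: the Glee download from the same address is counted as monitored traffic but never reaches the hit set, which is the “clogged with innocuous downloads” problem in miniature, and the output is keyed on IP address alone, so a shared or NATed address, or a web server in Montreal acting as a proxy, produces the same kind of entry as a single user’s machine.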

01/29/2015

Marcy Wheeler/Emptywheel:

I’ve argued the NSA does similar analysis using known codes tied to Inspire (not the URL, necessarily, but possibly the encryption code included in each Inspire edition) on upstream collection, which would basically identify the people within the US who had downloaded AQAP’s propaganda magazine. One reason I’m so confident NSA does this is because of the high number of FBI sting operations that seem to arise from some 20-year old downloading Inspire, which then appears to get sent out to a local FBI office for further research into online activities and ultimately approaches by a paid informant or undercover officer.

In other words, this kind of analysis seems to lie at the heart of a lot of the stings FBI initiates.

cse-levitation-scoreboard

But as the “Scoreboard” slide in this presentation makes clear, what this process gives you is not validated IDs, but rather probabilistic matches (which FISC appears to deal with using minimization procedures, suggesting they let NSA collect on these probabilistic matches with the understanding they have to treat the data in some certain way if it ends up being a false positive).

That’s important not just for the young men whom FBI decides might make worthwhile targets (even if they’re being targeted, largely, on their First Amendment activities).

It’s important, too, for the false negatives, by far the most important of which I believe to be the Tsarnaev brothers, both of whom reportedly had downloaded multiple episodes of Inspire, as well as other similar jihadist material, and on whom NSA had collected data it never accessed until after the attack, but neither of whom got targeted off this correlation process before they attacked the Boston Marathon.

That is, this really important possible false negative, just as much as the dubious positives that end up getting unbalanced young men targeted by the FBI, may say as much about the reliability of this process as anything else.

This CSE PPT is not yet proof that my suspicions are entirely accurate (though my claims here about correlations are based on officially released documents). But they strongly suggest my suspicions have been correct.

And — particularly given ODNI’s refusal to release what appears to be a key opinion describing the terms on which FISC permits the use of these correlations — this ought to elicit far more conversations about how NSA and its Five Eyes partners “correlate” identities and how those correlations get used.

INTOLERANT: How NSA/GCHQ/CSEC Piggyback on Hackers to Collect Data on Targets

In Archive, CSEC, GCHQ, Hacking, NSA, NSA Files, Surveillance on February 16, 2015 at 1:11 AM


02/04/2015

Glenn Greenwald/TheIntercept:

The U.S., U.K. and Canadian governments characterize hackers as a criminal menace, warn of the threats they allegedly pose to critical infrastructure, and aggressively prosecute them, but they are also secretly exploiting their information and expertise, according to top secret documents.

In some cases, the surveillance agencies are obtaining the content of emails by monitoring hackers as they breach email accounts, often without notifying the hacking victims of these breaches. “Hackers are stealing the emails of some of our targets… by collecting the hackers’ ‘take,’ we … get access to the emails themselves,” reads one top secret 2010 National Security Agency document.

These and other revelations about the intelligence agencies’ reliance on hackers are contained in documents provided by whistleblower Edward Snowden. The documents—which come from the U.K. Government Communications Headquarters agency and NSA—shed new light on the various means used by intelligence agencies to exploit hackers’ successes and learn from their skills, while also raising questions about whether governments have overstated the threat posed by some hackers.

By looking out for hacking conducted “both by state-sponsored and freelance hackers” and riding on the coattails of hackers, Western intelligence agencies have gathered what they regard as valuable content:

Recently, Communications Security Establishment Canada (CSEC) and Menwith Hill Station (MHS) discovered and began exploiting a target-rich data set being stolen by hackers. The hackers’ sophisticated email-stealing intrusion set is known as INTOLERANT. Of the traffic observed, nearly half contains category hits because the attackers are targeting email accounts of interest to the Intelligence Community. Although a relatively new data source, [Target Offices of Primary Interest] have already written multiple reports based on INTOLERANT collect.

The hackers targeted a wide range of diplomatic corps, human rights and democracy activists and even journalists:

INTOLERANT traffic is very organized. Each event is labeled to identify and categorize victims. Cyber attacks commonly apply descriptors to each victim – it helps herd victims and track which attacks succeed and which fail. Victim categories make INTOLERANT interesting:

A = Indian Diplomatic & Indian Navy
B = Central Asian diplomatic
C = Chinese Human Rights Defenders
D = Tibetan Pro-Democracy Personalities
E = Uighur Activists
F = European Special Rep to Afghanistan and Indian photo-journalism
G = Tibetan Government in Exile

In those cases, the NSA and its partner agencies in the United Kingdom and Canada were unable to determine the identity of the hackers who collected the data, but suspect a state sponsor “based on the level of sophistication and the victim set.”

In instances where hacking may compromise data from the U.S. and U.K. governments, or their allies, notification was given to the “relevant parties.”

Related Link: NSA Digital Arms: Documents on Network Attacks/Exploitation/Malware/Implants/Exfiltration/Botnet Takeovers
