Your Source for Leaks Around the World!

Archive for the ‘ISNU’ Category

What Goes Around Comes Around: NSA Cyberattacks Helping Other Countries (Iran) Learn to Hack Better

In Archive, Flame, GCHQ, Hacking, Iran, ISNU, Israel, Malware, NSA, NSA Files, Stuxnet, Surveillance on February 16, 2015 at 12:37 AM

02/10/2015

Glenn Greenwald/TheIntercept:

The U.S. Government often warns of increasingly sophisticated cyberattacks from adversaries, but it may have actually contributed to those capabilities in the case of Iran.

A top secret National Security Agency document from April 2013 reveals that the U.S. intelligence community is worried that the West’s campaign of aggressive and sophisticated cyberattacks enabled Iran to improve its own capabilities by studying and then replicating those tactics.


The NSA is specifically concerned that Iran’s cyberweapons will become increasingly potent and sophisticated by virtue of learning from the attacks that have been launched against that country. “Iran’s destructive cyber attack against Saudi Aramco in August 2012, during which data was destroyed on tens of thousands of computers, was the first such attack NSA has observed from this adversary,” the NSA document states. “Iran, having been a victim of a similar cyber attack against its own oil industry in April 2012, has demonstrated a clear ability to learn from the capabilities and actions of others.”

The document was provided to The Intercept by NSA whistleblower Edward Snowden, and was prepared in connection with a planned meeting with Government Communications Headquarters, the British surveillance agency. The document references joint surveillance successes such as “support to policymakers during the multiple rounds of P5 plus 1 negotiations,” referring to the ongoing talks between the five permanent members of the U.N. Security Council, Germany and Iran to forge an agreement over Iran’s nuclear program.

The document suggests that Iran has become a much more formidable cyberforce by learning from the viruses injected into its systems—attacks which have been linked back to the United States and Israel.

In June 2012, The New York Times reported that from “his first months in office, President Obama secretly ordered sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.” As part of that plan, the U.S. and Israel jointly unleashed the Stuxnet virus on Iranian nuclear facilities, but a programming error “allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet.” Israel also deployed a second virus, called Flame, against Iran.

Related: Obama Orders US to Draw Up Overseas Target List for Cyberattacks

Obama ordered cyberattacks despite his awareness that they would likely unleash a wholly new form of warfare between states, similar to the “first use of atomic weapons in the 1940s, of intercontinental missiles in the 1950s and of drones in the past decade,” according to the Times report. Obama “repeatedly expressed concerns that any American acknowledgment that it was using cyberweapons—even under the most careful and limited circumstances—could enable other countries, terrorists or hackers to justify their own attacks.”

The NSA’s concern about inadvertently aiding Iran’s cyberattack capabilities is striking given the government’s recent warning about the ability of adversaries to develop more advanced viruses. A top official at the Pentagon’s Defense Advanced Research Projects Agency (DARPA) appeared on 60 Minutes this Sunday and claimed that cyberattacks against the U.S. military are becoming more potent. “The sophistication of the attacks is increasing,” warned Dan Kaufman, director of DARPA’s Information Innovation Office.

The NSA document suggests that offensive cyberattacks on other states do not merely provoke counterattacks—those attacks can teach adversaries how to launch their own. “Iran continues to conduct distributed denial-of-service (DDOS) attacks against numerous U.S. financial institutions, and is currently in the third phase of a series of such attacks that began in August 2012,” the document says. “SIGINT indicates that these attacks are in retaliation to Western activities against Iran’s nuclear sector and that senior officials in the Iranian government are aware of these attacks.”

This would not be the first time the U.S. has inadvertently assisted Iran’s attack capabilities. Last month, former CIA officer Jeffrey Sterling was convicted of multiple felony counts for telling New York Times reporter James Risen about an agency program designed to feed Iran false data about nuclear engineering in order to create setbacks, but which instead may have provided useful information the Iranians were able to exploit to advance their nuclear research.

As of 2013, the NSA said that while it had no indications “that Iran plans to conduct such an attack against a U.S. or UK target, we cannot rule out the possibility of such an attack, especially in the face of increased international pressure on the regime.”

The NSA “can’t comment or speculate on the motivations of those who aim to harm the United States or our allies,” a spokesperson for the agency said. “The National Security Agency works with foreign partners to protect our interests and citizens in cyberspace.”

Kim Zetter/WIRED (1) (2):

In addition to attacks against Iran’s nuclear sector, however, the document also states that Iran learned from a different attack that struck its oil industry. The report says Iran then replicated the techniques of that attack in a subsequent attack called Shamoon that targeted Saudi Arabia’s oil conglomerate, Saudi Aramco.

“Iran’s destructive cyber attack against Saudi Aramco in August 2012, during which data was destroyed on tens of thousands of computers, was the first such attack NSA has observed from this adversary,” the NSA document states. “Iran, having been a victim of a similar cyber attack against its own oil industry in April 2012, has demonstrated a clear ability to learn from the capabilities and actions of others.”

How Wiper Inspired Copycat Attacks

The latter statement in the document is referring to the so-called Wiper attack, an aggressive and destructive piece of malware that targeted machines belonging to the Iranian Oil Ministry and the National Iranian Oil Company in April 2012. Wiper didn’t steal data—instead it destroyed it, first wiping content on the machines before systematically erasing system files, causing the systems to crash, and preventing them from rebooting. Wiper was “designed to quickly destroy as many files as effectively as possible, which can include multiple gigabytes at a time,” according to researchers at Kaspersky Lab who examined the mirror images of hard drives in Iran that were destroyed by Wiper.

Wiper was the first known data destruction attack of its kind. Although the NSA document doesn’t credit the US and its allies for launching the attack, Kaspersky researchers found that it shared some circumstantial hallmarks of the Duqu and Stuxnet attacks, suggesting that Wiper might have been created and unleashed on Iran by the US or Israel.

Many believe it served as inspiration for Shamoon, a subsequent destructive attack that struck computers belonging to Saudi Aramco in August 2012. The document claims Iran was behind Shamoon. The Shamoon malware wiped data from about 30,000 machines before overwriting the Master Boot Record, preventing machines from rebooting. The attack was designed to replace erased data with an image of a burning American flag, though the malware contained a bug that prevented the flag image from completely unfurling on machines. Instead, only a fragment of the flag appeared. Researchers said at the time that Shamoon was a copycat attack that mimicked Wiper.

Wiper is also believed to have inspired a destructive attack that struck computers belonging to banks and media companies in South Korea in March 2013. That attack wiped the hard drives and Master Boot Record of at least three banks and two media companies simultaneously and reportedly put some ATMs out of operation, preventing South Koreans from withdrawing cash from them. The report does not suggest that Iran was behind this attack.

Wiper is also widely believed to have been inspiration for the recent hack of Sony Pictures Entertainment. Again, in the latter attack, the hackers wiped data from Sony systems and overwrote parts of the Master Boot Record, preventing systems from rebooting.

The US has long blamed the Saudi Aramco attack on Iran, but has blamed the South Korea and Sony hacks on North Korea. Although the NSA document published today cites the Saudi Aramco attack as “the first such attack the NSA has observed from this adversary,” researchers have disputed the attribution in this and the hacks against South Korea and Sony. A group calling itself the Cutting Sword of Justice took credit for the Saudi Aramco attack, and researchers from Kaspersky Lab noted that due to the attack’s unsophisticated design, the errors contained in it, and statements from the apparent hackers, they believe it more likely came from hacktivists rather than nation-state developers in Iran. Other researchers have found the attribution of the Sony and South Korea attacks circumstantial and flimsy.

Regardless of whether Iran is behind the Shamoon attack, there’s no question that it and other nations learn from cyberattacks launched by the US and its allies. Common cybercriminals also study Stuxnet and the like to learn new techniques for evading detection and stealing data.

Of course, a similar attack did strike the US. But instead of hitting the US oil industry or a similarly critical sector, it struck a Hollywood film studio. And instead of coming from Iran, it came this time (according to the White House and FBI) from North Korea. All of which suggests that when the US and Israel strike their enemies, it isn’t just that single adversary who learns from the attack.

There are two other points in the document that merit attention.

One concerns the spy tool known as Flame; the other refers to concerns the NSA had about partnering with the British spy agency Government Communications Headquarters and Israeli intelligence in surveillance operations.

Did GCHQ Partner With the NSA on Flame?

In the document, prepared in April 2013 for a meeting between the NSA director and GCHQ, the author cites the Flame attack against Iran as an example of a US/GCHQ partnership. Flame was a massive spy platform exposed by Kaspersky Lab and Symantec in 2012. Flame targeted more than 10,000 machines in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa and was active for at least six years before it was discovered. It used some of the same code that Stuxnet used, leading researchers to conclude that it had been created by the same US/Israel teams that had created Stuxnet. The Washington Post reported in 2012 that the US and Israel were both behind Flame, quoting anonymous US officials. But the new Snowden document hints that GCHQ might have been involved in Flame with the US.

Although the document doesn’t say overtly that GCHQ partnered with the US in creating and unleashing Flame, it hints obliquely at cooperation. The document notes that the NSA has “successfully worked multiple high-priority surges with GCHQ” and cites Flame as an example. But, oddly, it doesn’t say they worked together on creating Flame. Instead, it simply cites Iran’s discovery of Flame in a list of projects on which the GCHQ and the US collaborated.

These jointly worked events include “the storming of the British Embassy in Tehran; Iran’s discovery of computer network exploitation tools on their networks in 2012 and 2013; and support to policymakers during the multiple rounds of P5 plus 1 negotiation on Iran’s nuclear program,” the document reads. The reference to an embassy attack presumably refers to the 2011 attack on the British embassy by protestors in Iran. The reference to the P5 plus 1 relates to negotiations between Iran and Western powers over Iran’s nuclear program. The network attacks are identified by name as the Flame attacks in another part of the document.

It’s unclear what else this might refer to if not the two countries partnering in the creation and unleashing of Flame. Other documents leaked by Edward Snowden have spelled out in more detail how the NSA and GCHQ have partnered over the years in other spy operations, ranging from sharing data siphoned from undersea cables to the hacking of telecom networks, like Belgium’s Belgacom, to monitor mobile traffic. The new document suggests that the two countries might also have partnered on Flame in some way, though it’s unclear to what extent. If this is correct, and the previous Post is correct as well, it would mean the three nations teamed up to spy on Iran, presumably over its nuclear program.

NSA Expresses Concern About Partnering with GCHQ and Israel

Although there are numerous examples released in the Snowden documents of NSA-GCHQ cooperation as well as NSA-Israeli cooperation, the 2013 document published today expresses concern about a trilateral agreement between the three nations.

It appears in a section discussing a collaboration between the NSA, GCHQ and ISNU—a reference to the Israeli SIGINT National Unit, the Israeli counterpart to the NSA. Under the heading “Potential Landmines,” the document notes that GCHQ has long pushed to work with the NSA and ISNU “in a trilateral arrangement to prosecute the Iranian target.” And it notes that the NSA and GCHQ have agreed to share information gleaned from their separate partnerships with Israeli intelligence. But with regard to a trilateral partnership, the NSA had reservations. The document notes that the “SID policy has been opposed to such a blanket arrangement.”

SID refers to the Signals Intelligence Directorate. Under SID Management Directive 422, the intelligence community is prohibited from delegating a mission to a non-USSS element—that is, a non-US SIGINT System—without first obtaining a memo of understanding between the NSA and the non-US entity. NSA activities are governed by a number of directives, the most important of which is USSID 18, which governs what the US can and cannot collect on US persons and how it must handle information collected incidentally on them. Including a foreign spy agency in data collection raises issues about oversight and legality if it involves data pertaining to U.S. persons. This may be in part why the NSA was concerned.

As noted, the NSA has partnered separately with both GCHQ and Israel on intelligence collection. Previously released Snowden documents discussed how the NSA shared raw intelligence with Israel.

And according to the new document, the US, UK and Israeli spy agencies engaged in discussions in 2013 about a possible three-way partnership in tackling issues with Iran. “In January 2013, during an NSA-ISNU analytic workshop on Iranian Leadership, the first ever trilateral VTC on an Iranian issue was held with NSA, GCHQ and ISNU participants,” it notes.

But the US was apparently hesitant about expanding the surveillance agreement outside of the issue of Iran. “The trilateral relationship is limited to the topic and will serve as a proof of concept of this kind of engagement,” the document notes. But “this specific trilateral should not be interpreted as a broad change of approach.” In other words, in areas not to do with Iran, the NSA and GCHQ have agreed to continue to share information gleaned from their respective bilateral relationships with the ISNU, but apparently are reluctant to make Israel a part of their exclusive club on a regular basis.

Related: Israel/Saudi Arabia Discuss Production of Malware Worse Than Stuxnet to Spy On/Destroy Iran’s Nuclear Program

Israel (and 1 Other Intel Agency) Eavesdropped on John Kerry’s Calls to Gain Advantage in Mideast Peace Talks

In Archive, ISNU, Israel, Palestine, Politics, Surveillance, USA on August 4, 2014 at 6:08 PM

U.S. Secretary of State John Kerry meets with Israeli Prime Minister Benjamin Netanyahu in Tel Aviv

08/03/2014

SPIEGEL:

SPIEGEL has learned from reliable sources that Israeli intelligence eavesdropped on US Secretary of State John Kerry during Middle East peace negotiations. In addition to the Israelis, at least one other intelligence service also listened in as Kerry mediated last year between Israel, the Palestinians and the Arab states, several intelligence service sources told SPIEGEL. Revelations of the eavesdropping could further damage already tense relations between the US government and Israel.

During the peak stage of peace talks last year, Kerry spoke regularly with high-ranking negotiating partners in the Middle East. At the time, some of these calls were not made on encrypted equipment, but instead on normal telephones, with the conversations transmitted by satellite. Intelligence agencies intercepted some of those calls. Israel thus often knew precisely what Kerry was talking to the other sides about. The government in Jerusalem then used the information obtained in international negotiations aiming to reach a diplomatic solution in the Middle East. Kerry, the magazine said, was aware of the risks but he wanted results and personal conversations were more important to him than concerns from his security advisers.

In the current Gaza conflict, the Israelis have massively criticized Kerry, with a few ministers indirectly calling on him to withdraw from peace talks. Both the US State Department and the Israeli authorities declined to comment.

Israel Eavesdropped on President Clinton’s Diplomatic Phone Calls

NSA document leaked by Edward Snowden. Published in Glenn Greenwald’s new book “No Place to Hide.”

(NSA Document) Israel Flagged as Top Spy Threat to U.S. (PDF)

NSA/Israel Intelligence Relationship & Palestine Surveillance

In Archive, Canada, CSEC, EWD, GCHQ, ISNU, Israel, Jordan, NSA, NSA Files, Palestine, PASF, Surveillance, UK on August 4, 2014 at 2:38 AM

08/04/2014

Glenn Greenwald/TheIntercept:

The U.S. government has long lavished overwhelming aid on Israel, providing cash, weapons and surveillance technology that play a crucial role in Israel’s attacks on its neighbors. But top secret documents provided by NSA whistleblower Edward Snowden shed substantial new light on how the U.S. and its partners directly enable Israel’s military assaults – such as the one on Gaza.

Over the last decade, the NSA has significantly increased the surveillance assistance it provides to its Israeli counterpart, the Israeli SIGINT National Unit (ISNU; also known as Unit 8200), including data used to monitor and target Palestinians. In many cases, the NSA and ISNU work cooperatively with the British and Canadian spy agencies, the GCHQ and CSEC.

The relationship has, on at least one occasion, entailed the covert payment of a large amount of cash to Israeli operatives. Beyond their own surveillance programs, the American and British surveillance agencies rely on U.S.-supported Arab regimes, including the Jordanian monarchy and even the Palestinian Authority Security Forces, to provide vital spying services regarding Palestinian targets.

The new documents underscore the indispensable, direct involvement of the U.S. government and its key allies in Israeli aggression against its neighbors. That covert support is squarely at odds with the posture of helpless detachment typically adopted by Obama officials and their supporters.

Last September, the Guardian revealed that the NSA “routinely shares raw intelligence data with Israel without first sifting it to remove information about US citizens.” The paper published the full top secret Memorandum of Understanding between the two agencies governing that sharing. But the NSA/ISNU relationship extends far beyond that.

One newly disclosed top secret NSA document, dated April 13, 2013 and published today by the Intercept, recounts that the “NSA maintains a far-reaching technical and analytic relationship with the Israeli SIGINT National Unit (ISNU) sharing information on access, intercept, targeting, language, analysis and reporting.”

The cooperation between the NSA and ISNU began decades ago. A top secret agreement between the two agencies from July 1999 recounts that the first formal intelligence-sharing agreement was entered into in 1968 between U.S. President Lyndon Johnson and Israeli Prime Minister Levi Eshkol, and informally began in the 1950s. But the relationship has grown rapidly in the last decade.

In 2003 and 2004, the Israelis were pressuring the NSA to agree to a massively expanded intelligence-sharing relationship called “Gladiator.” As part of that process, Israel wanted the Americans to pay hundreds of millions of dollars to fund Israeli activities. The specific proposed “Gladiator” agreement appears never to have been consummated, derailed by Israeli demands that the U.S. bear the full cost, but documents in the Snowden archive pertaining to those negotiations contain what appear to be two receipts for one or more payments of $500,000 in cash to Israeli officials for unspecified purposes:

[Document images: the two receipts from the “Gladiator” negotiations, not reproduced here]

The surveillance-sharing relationship with Israel has expanded to include the NSA’s British and Canadian counterparts, GCHQ and CSEC, both of which actively participate in feeding the Israelis selected communications data they have collected. Several documents from early 2009, at the height of the Israeli attack on Gaza called “Cast Lead” that left more than 1,000 people dead, detail some of this cooperation.

One top secret 2009 GCHQ project named “YESTERNIGHT” involved “Ruffle,” the British agency’s code name for ISNU. According to the document, the project involved a “trilateral (GCHQ, NSA and Third Party RUFFLE) targeting exchange agreement covering respective COMSAT accesses.” One of the “specific intelligence topics” shared between the parties was “Palestinians”, although the GCHQ document states that “due to the sensitivities” of Israeli involvement, that particular program does not include direct targeting of Palestinians and Israelis themselves. Another GCHQ document from February, 2009, describes “a quadrilateral meeting for RUFFLE, NSA, CSEC and GCHQ.”

The British agency noted in early 2009 that it had been spying on emails and telephone numbers specifically requested by ISNU, “and they have thanked us many times over.”

The NSA and GCHQ receive intelligence about the Palestinians from many sources. The agencies have even succeeded in inducing the U.S.-supported Palestinian Authority Security Forces (PASF) to provide them with surveillance and intelligence about other Arab groups in the region. One July 2008 GCHQ document states:

[Document image: excerpt from the July 2008 GCHQ document on the PASF, not reproduced here]

Jordan also feeds surveillance data about the Palestinians to the NSA. One classified NSA document from 2013 describes how “NSA’s partnership with EWD [the Jordanian Electronic Warfare Directorate] is a well established, long-standing and trusted relationship dating back to the early 1980’s.” Specifically, the two agencies “cooperate on high-priority SIGINT targets of mutual interest” that includes the Palestinian Security Forces.

[Document image: excerpt from the 2013 NSA document on the EWD partnership, not reproduced here]