The Digital Arms Race: NSA Preps America for Future Battle

By Jacob Appelbaum, Aaron Gibson, Claudio Guarnieri, Andy Müller-Maguhn, Laura Poitras, Marcel Rosenbach, Leif Ryge, Hilmar Schmundt and Michael Sontheimer

Part 2: How the NSA Reads Over Shoulders of Other Spies


In addition to providing a view of the US's own ability to conduct digital attacks, Snowden's archive also reveals the capabilities of other countries. The Transgression team has years of preliminary field work and experience at its disposal, including databases in which malware and network attacks from other countries are cataloged.

The Snowden documents show that the NSA and its Five Eyes partners have put numerous network attacks waged by other countries to their own use in recent years. One 2009 document states that the department's remit is to "discover, understand (and) evaluate" foreign attacks. Another document reads: "Steal their tools, tradecraft, targets and take."

In 2009, an NSA unit took notice of a data breach affecting workers at the US Department of Defense. The department traced an IP address in Asia that functioned as the command center for the attack. By the end of their detective work, the Americans succeeded not only in tracing the attack's point of origin to China, but also in tapping intelligence information from other Chinese attacks -- including data that had been stolen from the United Nations. Afterwards, NSA workers in Fort Meade continued to read over their shoulders as the Chinese secretly collected further internal UN data. "NSA is able to tap into Chinese SIGINT collection," a report on the success in 2011 stated. SIGINT is short for signals intelligence.

The practice of letting other intelligence services do the dirty work and then tapping their results is so successful that the NSA even has a name for it: "Fourth Party Collection." And all countries that aren't part of the Five Eyes alliance are considered potential targets for use of this "non-traditional" technique -- even Germany.

'Difficult To Track, Difficult To Target'

The Snowden documents show that, thanks to fourth party collection, the NSA succeeded in detecting numerous incidents of data spying over the past 10 years, with many attacks originating from China and Russia. It also enabled the Tailored Access Operations (TAO) to track down the IP address of the control server used by China and, from there, to detect the people responsible inside the People's Liberation Army. It wasn't easy, the NSA spies noted. The Chinese had apparently used changing IP addresses, making them "difficult to track; difficult to target." In the end, though, the document states, they succeeded in exploiting a central router.

The document suggests that things got more challenging when the NSA sought to turn the tables and go after the attacker. Only after extensive "wading through uninteresting data" did they finally succeed in infiltrating the computer of a high-ranking Chinese military official and accessing information regarding targets in the US government and in other governments around the world. They also were able to access source code for Chinese malware.

But there have also been successful Chinese operations. The Snowden documents include an internal NSA assessment from a few years ago of the damage caused. The report indicates that the US Defense Department alone registered more than 30,000 known incidents; more than 1,600 computers connected to its network had been hacked. Surprisingly high costs are listed for damage assessment and network repair: more than $100 million.

Among the data on "sensitive military technologies" hit in the attack were air refueling schedules, the military logistics planning system, missile navigation systems belonging to the Navy, information about nuclear submarines, missile defense and other top secret defense projects.

The desire to know everything isn't, of course, an affliction only suffered by the Chinese, Americans, Russians and British. Years ago, US agents discovered a hacking operation originating in Iran in a monitoring operation that was codenamed Voyeur. A different wave of attacks, known as Snowglobe, appears to have originated in France.

Transforming Defenses into Attacks

The search for foreign cyber attacks has long since been largely automated by the NSA and its Five Eyes partners. The Tutelage system can identify incursions and ensure that they do not reach their targets.

The examples given in the Snowden documents are not limited to attacks originating in China. The relatively primitive Low Orbit Ion Cannon (LOIC) is also mentioned. The name refers to malware used by the protest movement Anonymous to disable target websites. In that instance, one document notes, Tutelage was able to recognize and block the IP addresses being used to conduct the denial of service attack.

The NSA is also able to transform its defenses into an attack of its own. The method is described as "reverse engineer, repurpose software" and involves botnets, sometimes comprising millions of computers belonging to normal users onto which software has been covertly installed. They can thus be controlled remotely as part of a "zombie army" to paralyze companies or to extort them. If the infected hosts appear to be within the United States, the relevant information will be forwarded to the FBI Office of Victim Assistance. However, a host infected with an exploitable bot could be hijacked through a Quantumbot attack and redirected to the NSA. This program is identified in NSA documents as Defiantwarrior and it is said to provide advantages such as "pervasive network analysis vantage points" and "throw-away non-attributable CNA (eds: computer network attack) nodes". This system leaves people's computers vulnerable and covertly uses them for network operations that might be traced back to an innocent victim. Instead of providing protection to private Internet users, Quantumbot uses them as human shields in order to disguise its own attacks.

NSA specialists at the Remote Operations Center (ROC) have an entire palette of digital skeleton keys and crowbars enabling access to even the best protected computer networks. They give their tools aggressive-sounding names, as though they were operating an app-store for cyber criminals: The implant tool "Hammerchant" allows the recording of Internet-based phone calls (VoIP). Foxacid allows agents to continually add functions to small malware programs even after they have been installed in target computers. The project's logo is a fox that screams as it is dissolved in acid. The NSA has declined to comment on operational details but insists that it has not violated the law.

But as well developed as the weapons of digital war may be, there is a paradox lurking when it comes to breaking into and spying on third party networks: How can intelligence services be sure that they won't become victims of their own methods and be infiltrated by private hackers, criminals or other intelligence services, for example?

To control their malware, the Remote Operations Center operatives remain connected to it via their own shadow network, through which highly sensitive telephone recordings, malware programs and passwords travel.

The incentive to break into this network is enormous. Any collection of VPN keys, passwords and backdoors is obviously of very high value. Those who possess such passwords and keys could theoretically pillage bank accounts, thwart military deployments, clone fighter jets and shut down power plants. It means nothing less than "global network dominance".

But the intelligence world is a schizophrenic one. The NSA's job is to defend the Internet while at the same time exploiting its security holes. It is both cop and robber, consistent with the motto adhered to by spies everywhere: "Reveal their secrets, protect our own."

As a result, some hacked servers are like a bus during rush hour, with people constantly coming and going. The difference, though, is that the server's owner has no idea anyone is there. And the presumed authorities stand aside and do nothing.

'Unwitting Data Mules'

It's absurd: As they are busy spying, the spies are spied on by other spies. In response, they routinely seek to cover their tracks or to lay fake ones instead. In technical terms, the ROC lays false tracks as follows: After third-party computers are infiltrated, the process of exfiltration can begin -- the act of exporting the data that has been gleaned. But the loot isn't delivered directly to ROC's IP address. Rather, it is routed to a so-called Scapegoat Target. That means that stolen information could end up on someone else's servers, making it look as though they were the perpetrators.

Before the data ends up at the Scapegoat Target, of course, the NSA intercepts and copies it using its mass surveillance infrastructure and sends it on to the ROC. But such cover-up tactics increase the risk of a controlled or uncontrolled escalation between the agencies involved.

It's not just computers, of course, that can be systematically broken into, spied on or misused as part of a botnet. Mobile phones can also be used to steal information from the owner's employer. The unwitting victim, whose phone has been infected with a spy program, smuggles the information out of the office. The information is then retrieved remotely as the victim heads home after work. Digital spies have even adopted drug-dealer slang in referring to these unsuspecting accomplices. They are called "unwitting data mules."

NSA agents aren't concerned about being caught. That's partly because they work for such a powerful agency, but also because they don't leave behind any evidence that would hold up in court. And if there is no evidence of wrongdoing, there can be no legal penalty, no parliamentary control of intelligence agencies and no international agreement. Thus far, very little is known about the risks and side-effects inherent in these new D weapons and there is almost no government regulation.

Edward Snowden has revealed how intelligence agencies around the world, led by the NSA, are doing their best to ensure a legal vacuum in the Internet. In a recent interview with the US public broadcaster PBS, the whistleblower voiced his concerns that "defense is becoming less of a priority than offense."

Snowden finds that concerning. "What we need to do," he said, "is we need to create new international standards of behavior."

By Jacob Appelbaum, Aaron Gibson, Claudio Guarnieri, Andy Müller-Maguhn, Laura Poitras, Marcel Rosenbach, Leif Ryge, Hilmar Schmundt and Michael Sontheimer

Editor's Note: A German version of this story can also be found on SPIEGEL ONLINE.

Comments
stevecollins48146 01/17/2015
1.
If there was any doubt in your mind about Snowden, this should confirm he did Harm to America and helped its enemies. This information should be top secret!
john.m.landry1 01/17/2015
2.
Maybe there should be several internets? Was it Elon Musk that was talking about satellite based internet? Bust it up, make it hard to sabotage.
Inglenda2 01/17/2015
3. Forget the NSA, honesty starts at home!
The NSA may be planning for wars of the future in which the Internet will play a critical role. This however should not disturb upright German internet users as much as the activities of the Bertelsmann foundation in Gütersloh. An organisation, operating in 50 countries, which has the task of providing politicians and government departments with favourable statistics, produces a much higher level of insecurity, for normal working German citizens, than anything the NSA could possibly have in mind. For Europeans, the potential control, by the USA, of the infrastructure, including power and water supplies, factories, airports or the flow of money, is already little more than secondary consideration. For as can be seen in the case of the Ukraine, our foreign policies have led us to a position, in which we are almost completely in the hands of those, who have few good intentions towards us.
harro12 01/17/2015
4.
Another reason why one should no longer travel to the US, invest in the US or deal in US dollars. COMPLETE BOYCOTT.
floydhowardjr 01/17/2015
5. NSA craving control of humanity!
We are not loving, virtuous JESUS who is perfect in his control of creation and in everything he does! We are human beings craving power and control of the ultimate degree! It won't be enough! Absolute power corrupts absolutely! NSA thy name is satan!

© SPIEGEL ONLINE 2015
All Rights Reserved
Reproduction only allowed with the permission of SPIEGELnet GmbH

