The Digital Arms Race: NSA Preps America for Future Battle
Part 2: How the NSA Reads Over Shoulders of Other Spies
In addition to providing a view of the US's own ability to conduct digital attacks, Snowden's archive also reveals the capabilities of other countries. The Transgression team has access to years of preliminary field work and experience at its disposal, including databases in which malware and network attacks from other countries are cataloged.
The Snowden documents show that the NSA and its Five Eyes partners have put numerous network attacks waged by other countries to their own use in recent years. One 2009 document states that the department's remit is to "discover, understand (and) evaluate" foreign attacks. Another document reads: "Steal their tools, tradecraft, targets and take."
The practice of letting other intelligence services do the dirty work and then tapping their results is so successful that the NSA even has a name for it: "Fourth Party Collection." And all countries that aren't part of the Five Eyes alliance are considered potential targets for use of this "non-traditional" technique -- even Germany.
'Difficult To Track, Difficult To Target'
The Snowden documents show that, thanks to fourth party collection, the NSA succeeded in detecting numerous incidents of data spying over the past 10 years, with many attacks originating from China and Russia. It also enabled Tailored Access Operations (TAO) to track down the IP address of the control server used by China and, from there, to identify the people responsible inside the People's Liberation Army. It wasn't easy, the NSA spies noted. The Chinese had apparently used changing IP addresses, making them "difficult to track; difficult to target." In the end, though, the document states, they succeeded in exploiting a central router.
The document suggests that things got more challenging when the NSA sought to turn the tables and go after the attacker. Only after extensive "wading through uninteresting data" did they finally succeed in infiltrating the computer of a high-ranking Chinese military official and accessing information regarding targets in the US government and in other governments around the world. They were also able to access source code for Chinese malware.
- An NSA employee's description of fifth party access / When the targeted fourth party has someone under surveillance who in turn puts others under surveillance
- 4th party collection / Taking advantage of non-partner computer network exploitation activity
- Combination of offensive and defensive missions / How fourth-party missions are being performed
- Overview of the TRANSGRESSION program to analyze and exploit foreign CNA/CNE exploits
- NSA example SNOWGLOBE, in which a suspected French government trojan is analyzed to find out whether it can be useful for the NSA's own purposes
- NSA fourth party access / "I drink your milkshake"
- NSA program TUTELAGE for repurposing third party attack tools
- Codename BYZANTINE HADES / NSA research on Chinese network exploitation tools, their targets and the actors behind them
- CSEC document on the handling of existing trojans when trojanizing computers
- Analysis of Chinese methods and performed actions in the context of computer network exploitation
Among the data on "sensitive military technologies" hit in the attack were air refueling schedules, the military logistics planning system, missile navigation systems belonging to the Navy, information about nuclear submarines, missile defense and other top secret defense projects.
The desire to know everything isn't, of course, an affliction only suffered by the Chinese, Americans, Russians and British. Years ago, US agents discovered a hacking operation originating in Iran in a monitoring operation that was codenamed Voyeur. A different wave of attacks, known as Snowglobe, appears to have originated in France.
Transforming Defenses into Attacks
The search for foreign cyber attacks has long since been largely automated by the NSA and its Five Eyes partners. The Tutelage system can identify incursions and ensure that they do not reach their targets.
The examples given in the Snowden documents are not limited to attacks originating in China. The relatively primitive Low Orbit Ion Cannon (LOIC) is also mentioned. The name refers to malware used by the protest movement Anonymous to disable target websites. In that instance, one document notes, Tutelage was able to recognize and block the IP addresses being used to conduct the denial of service attack.
The NSA is also able to transform its defenses into an attack of its own. The method is described as "reverse engineer, repurpose software" and involves botnets, sometimes comprising millions of computers belonging to normal users onto which software has been covertly installed. They can thus be controlled remotely as part of a "zombie army" to paralyze companies or to extort them. If the infected hosts appear to be within the United States, the relevant information will be forwarded to the FBI Office of Victim Assistance. However, a host infected with an exploitable bot could be hijacked through a Quantumbot attack and redirected to the NSA. This program is identified in NSA documents as Defiantwarrior and it is said to provide advantages such as "pervasive network analysis vantage points" and "throw-away non-attributable CNA (eds: computer network attack) nodes". This system leaves people's computers vulnerable and covertly uses them for network operations that might be traced back to an innocent victim. Instead of providing protection to private Internet users, Quantumbot uses them as human shields in order to disguise its own attacks.
But as well developed as the weapons of digital war may be, there is a paradox lurking when it comes to breaking into and spying on third party networks: How can intelligence services be sure that they won't become victims of their own methods and be infiltrated by private hackers, criminals or other intelligence services, for example?
To control their malware, the Remote Operation Center operatives remain connected to them via their own shadow network, through which highly sensitive telephone recordings, malware programs and passwords travel.
The incentive to break into this network is enormous. Any collection of VPN keys, passwords and backdoors is obviously of very high value. Those who possess such passwords and keys could theoretically pillage bank accounts, thwart military deployments, clone fighter jets and shut down power plants. It means nothing less than "global network dominance".
But the intelligence world is a schizophrenic one. The NSA's job is to defend the Internet while at the same time exploiting its security holes. It is both cop and robber, consistent with the motto adhered to by spies everywhere: "Reveal their secrets, protect our own."
As a result, some hacked servers are like a bus during rush hour, with people constantly coming and going. The difference, though, is that the server's owner has no idea anyone is there. And the presumed authorities stand aside and do nothing.
'Unwitting Data Mules'
It's absurd: As they are busy spying, the spies are spied on by other spies. In response, they routinely seek to cover their tracks or to lay fake ones instead. In technical terms, the ROC lays false tracks as follows: After third-party computers are infiltrated, the process of exfiltration can begin -- the act of exporting the data that has been gleaned. But the loot isn't delivered directly to ROC's IP address. Rather, it is routed to a so-called Scapegoat Target. That means that stolen information could end up on someone else's servers, making it look as though they were the perpetrators.
Before the data ends up at the Scapegoat Target, of course, the NSA intercepts and copies it using its mass surveillance infrastructure and sends it on to the ROC. But such cover-up tactics increase the risk of a controlled or uncontrolled escalation between the agencies involved.
It's not just computers, of course, that can be systematically broken into, spied on or misused as part of a botnet. Mobile phones can also be used to steal information from the owner's employer. The unwitting victim, whose phone has been infected with a spy program, smuggles the information out of the office. The information is then retrieved remotely as the victim heads home after work. Digital spies have even adopted drug-dealer slang in referring to these unsuspecting accomplices. They are called "unwitting data mules."
Edward Snowden has revealed how intelligence agencies around the world, led by the NSA, are doing their best to ensure a legal vacuum in the Internet. In a recent interview with the US public broadcaster PBS, the whistleblower voiced his concerns that "defense is becoming less of a priority than offense."
Snowden finds that concerning. "What we need to do," he said, "is we need to create new international standards of behavior."
By Jacob Appelbaum, Aaron Gibson, Claudio Guarnieri, Andy Müller-Maguhn, Laura Poitras, Marcel Rosenbach, Leif Ryge, Hilmar Schmundt and Michael Sontheimer
Editor's Note: A German version of this story can also be found on SPIEGEL ONLINE.
© SPIEGEL ONLINE 2015