Friday, September 22, 2017

Sloppy U.S. Spies Misused a Covert Network for Personal Shopping — and Other Stories from Internal NSA Documents

NSA agents successfully targeted “the entire business chain” connecting foreign cafes to the internet, bragged about an “all-out effort” to spy on liberated Iraq, and began systematically trying to break into virtual private networks, according to a set of internal agency news reports dating to the first half of 2005.

British spies, meanwhile, were made to begin providing new details about their informants via a system of “Intelligence Source Descriptors” created in response to intelligence failures in Iraq. Hungary and the Czech Republic pulled closer to the National Security Agency.

And future Intercept backer Pierre Omidyar visited NSA headquarters for an internal conference panel on “human networking” and open-source intelligence.

These stories and more are contained in a batch of 294 articles from SIDtoday, the internal news website of the NSA’s core Signals Intelligence Directorate. The Intercept is publishing the articles in redacted form as part of an ongoing project to release material from the files provided by NSA whistleblower Edward Snowden.

In addition to the aforementioned highlights, summarized in further detail below, the documents show how the NSA greatly expanded a secret eavesdropping partnership with Ethiopia’s draconian security forces in the Horn of Africa, as detailed in an investigation by longtime Intercept contributor Nick Turse. They describe the NSA’s operations at a base in Digby, England, where the agency worked with its British counterpart GCHQ to help direct drones in the Middle East and tap into communications through the Arab Spring uprisings, according to a separate article by Intercept reporter Ryan Gallagher. And they show how the NSA and GCHQ thwarted encryption systems used to protect peer-to-peer file sharing through the apps Kazaa and eDonkey, as explained here by Intercept technologist Micah Lee.

NSA did not comment for this article.

American Intelligence Agents Outed Themselves Online

Members of the U.S. intelligence community routinely thwarted a system designed to mask their identities online by using it for personal shopping and to log on to websites, according to an NSA information technology manager.

The system, called “AIRGAP,” was run by “one of the world’s largest ISPs” and created around 1998 at the behest of the NSA, according to NSA Internet Program Manager Charlie Speight, writing in SIDtoday. Its purpose was to allow “non-attribution internet access,” Speight added, meaning that intelligence analysts could surf the internet without revealing that they were coming from U.S. spy agencies. By 2005, it was used by the whole U.S. intelligence community.

One early concern about the firewall was that it funneled all internet traffic through a single IP address, meaning that if any activity on the address was revealed to be associated with U.S. spies, a broad swath of other activity could then be attributed to other U.S. spies. More IP addresses were subsequently added, but “occasionally we find that the ISP reverts to one address, or does not effectively rotate those assigned,” Speight wrote.

Speight added that the “greater security concern” was the very intelligence agents the system was designed to protect. “Despite rules and warnings to the contrary, all too frequently users will use AIRGAP for registering on web sites or for services, logging into other sites and services and even ordering personal items from on-line vendors,” Speight wrote in a classified passage. “By doing so, these users reveal information about themselves and, potentially, other users on the network. So much for ‘non-attribution.’”

This sort of sloppiness mirrors behavior that has undermined Russian intelligence operatives. A slide presentation by Canadian intelligence, dating to 2011 or later, labeled as “morons” members of a Russian hacking group code-named “MAKERSMARK,” who thwarted a “really well-designed” system to hide their identities by using it to log on to their personal social and email accounts.

The two situations are not perfectly comparable; the U.S. system was managed as part of a network for obtaining unclassified information, while the Russian system was used for the more sensitive activity of staging hack attacks. But Speight hinted at aggressive use of the U.S. system, writing in his piece that the NSA had begun “using AIRGAP for reasons and in volumes not intended in its formation” — the agency thus began developing its own separate firewall.
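The two AIRGAP failure modes Speight describes, an ISP that stops rotating egress addresses and users who log in or shop through the anonymizing path, are both checkable from the proxy's own logs. The following is an added example, not code from the article or from any NSA system: it parses a constructed log in an assumed format (timestamp, internal user, egress IP, destination host, path), measures how concentrated traffic is on a single egress address, and, for every self-identifying request, lists the other users who shared that egress address in the same time window, which is the "potentially, other users on the network" exposure the passage above is about. The list of self-identifying paths and the ten-minute window are assumptions chosen for illustration.

```python
"""Added example (not from the article or from NSA): two operator checks for a
non-attribution proxy. Log format, domain names, path list and window are
assumptions made for this illustration."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set, Tuple

# Constructed sample log: timestamp, internal user, provider-chosen egress IP,
# destination host, request path. Addresses are documentation ranges.
SAMPLE_LOG = """\
2005-03-01T09:00:01Z u17 203.0.113.5 news.example.com /world
2005-03-01T09:00:09Z u22 203.0.113.5 weather.example.org /forecast
2005-03-01T09:01:30Z u17 203.0.113.5 shop.example.com /checkout
2005-03-01T09:02:12Z u31 203.0.113.5 mail.example.net /login
2005-03-01T09:03:40Z u22 203.0.113.5 news.example.com /sports
2005-03-01T09:40:00Z u08 203.0.113.9 forum.example.org /register
2005-03-01T09:41:15Z u45 203.0.113.9 docs.example.com /manual
"""

# Paths that tie a real identity (account, payment address) to the request.
# Assumed list; a real deployment would use its own policy.
SELF_IDENTIFYING = ("/login", "/signin", "/register", "/checkout", "/account")


@dataclass(frozen=True)
class Entry:
    ts: datetime
    user: str
    egress: str
    host: str
    path: str


def parse_log(text: str) -> List[Entry]:
    """Parse the whitespace-separated constructed log format above."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, egress, host, path = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entries.append(Entry(when, user, egress, host, path))
    return entries


def egress_rotation(entries: List[Entry]) -> Tuple[int, float]:
    """Distinct egress addresses actually used, and the share of requests that
    left through the single busiest one. A share near 1.0 is the 'reverts to
    one address' condition Speight describes: everything is linkable."""
    counts = Counter(e.egress for e in entries)
    busiest = counts.most_common(1)[0][1]
    return len(counts), busiest / len(entries)


def self_identifying(e: Entry) -> bool:
    return e.path.startswith(SELF_IDENTIFYING)


def linkability(entries: List[Entry],
                window: timedelta = timedelta(minutes=10)) -> Dict[Entry, Set[str]]:
    """For each self-identifying request, the *other* users who shared its
    egress address within `window`. Those users are exposed by someone else's
    mistake, which is why a single shared exit IP is the real problem."""
    exposed: Dict[Entry, Set[str]] = {}
    for e in entries:
        if not self_identifying(e):
            continue
        exposed[e] = {o.user for o in entries
                      if o.egress == e.egress and o.user != e.user
                      and abs(o.ts - e.ts) <= window}
    return exposed


def exposed_users(entries: List[Entry],
                  window: timedelta = timedelta(minutes=10)) -> Dict[str, str]:
    """Map every exposed user to the reason: their own action, or the egress
    address they shared with someone who identified themselves."""
    link = linkability(entries, window)
    out = {e.user: f"self-identified at {e.host}{e.path}" for e in link}
    for e, others in link.items():
        for u in others:
            out.setdefault(u, f"shared egress {e.egress} with {e.user}")
    return out


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    distinct, share = egress_rotation(log)
    print(f"{distinct} egress address(es); {share:.0%} of traffic on the busiest")
    for user, why in sorted(exposed_users(log).items()):
        print(f"{user}: {why}")
```

On the constructed log, every one of the five users ends up attributable even though only three of them did anything wrong, and two of the three self-identifying requests happened within ninety seconds of each other on the same exit address. Run against real proxy logs, the first function is the alarm for the ISP "not effectively rotating" addresses; the second is the audit that turns "rules and warnings" into named accounts to follow up on.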

The NSA had systems with the same goal as AIRGAP — anonymization — but for phone calls. According to a February 2005 SIDtoday article, the NSA controlled 40,000 telephone numbers, but these were almost all prefixed with area- and exchange-code combinations that were publicly associated with the agency. An analyst who needed to make a public phone call without leaking their affiliation could use “anonymous telephones,” most of them registered to the Department of Defense, or “cover telephones,” registered using alias names and P.O. boxes. No security protocol lapses were described in connection with the old-fashioned voice networks.

NSA Targeted “the Entire Business Chain” to Spy on Internet Cafes

While hiding, or at least trying to hide, its own online operations, the NSA launched an all-encompassing campaign to trace online activity in internet cafes, down to specific seats.

A program called “MASTERSHAKE” accomplished this by exploiting equipment used by the cafes, including satellite internet modems, according to top-secret information reported by SIDtoday. “MASTERSHAKE targets the entire business chain, from manufacturer to Internet café installation, to ascertain any and all available data regarding … geolocation, the network connectivity of the modem, as well as the actual physical location of the installation,” according to SIDtoday.

MASTERSHAKE data was “enriched” with other information, including “geolocatable phone events,” as well as intelligence from throughout the NSA’s Signals Intelligence Directorate and from the agency’s XKeyscore search system.

The NSA knew the precise location of over 400 internet cafes. For over 50 of these cafes, it could locate a target to a specific seat within the cafe. One goal of the monitoring was to hunt down Al Qaeda leaders, like Abu Musab al-Zarqawi. SIDtoday focused on the use of MASTERSHAKE in Iraq, describing an incident in the city of Ramadi where two “counterterrorism targets” began using a messenger service at an internet cafe, and “within about 15 minutes the two men were arrested.” But it also indicated the system was used more broadly, “in the Middle East and Africa.”

As the Intercept previously reported, the NSA has surveilled internet cafes in Yemen, Afghanistan, Syria, Lebanon, and Iran, as detailed in agency documents.

An “All-Out Effort” To Spy on Liberated Iraq

The NSA’s surveillance against Iraqis went far beyond cafe computers. Two years after President George W. Bush’s infamous “Mission Accomplished” speech and a year after the Coalition Provisional Authority handed over the reins to the Iraqi Interim Government, the agency was trying to tap the nation’s communications — and enlist friendly Iraqis and the new government to do likewise.

In a top-secret SIDtoday report, an NSA “data acquisition lead” in Baghdad described “an all-out effort to penetrate Iraqi networks using everything in the tool box of the most sophisticated SIGINT agency in the world.” The “very forward-leaning and aggressive” collection effort brought “our technology to bear at the optimum access points” in the country. The identity of those access points is hinted at by the list of people the NSA staffer met with as the “field rep on a number of projects”: “Iraqi government personnel engaged in telecommunications and IT issues for Iraq; small and medium sized Iraqi communications contractors; the CEO’s and Chief Technical Officers of the major Iraqi telecommunications service providers; [and] Iraqi cabinet level officials,” among others.

Another article confirmed the NSA was spying on Iraqi telecommunications, describing a “dramatic drop” in information the agency collected from links carrying mobile phone traffic between Fallujah and northern Baghdad and a consequent gap in intelligence gathering. A team from the NSA and CIA was able to restore the collection within two weeks by targeting microwave signals carrying the traffic.

In addition to its own electronic spying within Iraq, the NSA sought to rebuild the country’s ability to spy on itself through another joint project with the CIA, along with GCHQ. The Western intelligence entities would build a new Iraqi spy agency, dubbed the Iraq SIGINT Element, according to another SIDtoday article. The Iraqi SIGINT Element’s expertise would come, of course, from veterans of Saddam Hussein’s regime; the NSA and GCHQ made a list of candidates “gleaned from years of targeting the Iraqi civil and military SIGINT units,” SIDtoday reported. The former targets were the new recruits. The CIA assisted in the vetting process with polygraphers, psychologists, and background checks, and the NSA trained the selected candidates on “how we do SIGINT.” The new intelligence agents’ first assignment was to find communications of former Saddam “elements” and insurgents in Baghdad. They went covertly into Baghdad neighborhoods, which U.S. and U.K. forces were unable to do.

It was at the behest of the director of central intelligence that the NSA “moved aggressively to help [Iraq] establish and enhance their signals intelligence capabilities,” SIDtoday reported separately. A similar effort was underway in Afghanistan. “Both relationships come with risks, but the overall benefit to U.S. objectives in the region outweighs these risks,” wrote an NSA foreign affairs staff officer.

Targeting Bombers in Iraq

Mass surveillance efforts in Iraq were part of a broader NSA effort to address the consequences of the coalition’s victory over Saddam Hussein. Immediately after the Ba’athist government fell to the invading forces in 2003, signals intelligence collection on the regime ceased to exist. NSA staff, some of whom had been monitoring the country for more than a decade, woke up to “no more audio cuts, no more transcripts … no more product reports,” according to an account in SIDtoday. One official wondered, “Will we lose resources because of our success?” Postwar insurgency and sectarian strife ensured this was not the case.

For example, an NSA team set about thwarting detonation systems for bombs set by insurgents. The bombs, known within the U.S. military as improvised explosive devices, were triggered from a distance, often using high-powered cordless phone systems, in which a common base station, controlled by a triggerman, connects to a cluster of wireless handsets. The team devised a way to locate triggermen: Intercepting and identifying security codes emitted by captured handsets. The codes, intended to tether a handset to a particular base station, could then be used to locate base stations, resulting in military targeting and “hopefully, the IED makers neutralized,” SIDtoday stated.

The NSA may have had a chance to deploy this technique at the end of January 2005, when Iraq’s first parliamentary elections took place. An article in SIDtoday said that signals intelligence helped prevent 50 to 60 suicide bombers from making it into polling centers. Still, 285 other insurgent attacks occurred that day, and CNN reported several incidents of suicide bombings that hit police officers and Iraqis waiting to vote.

How British Spies Were Made To Atone for Bad Iraq Intel

In Iraq and elsewhere, the NSA expanded the scope of its intelligence sharing to U.S. government “customers,” as described in a January 2005 article, in which an NSA staffer in Baghdad read a new sharing guideline aloud to a hesitant colleague: “It’s OK to talk about, show and share evaluated, minimized unpublished SIGINT to customers/partners in order to facilitate analytic collaboration.”

Even amid the aggressive intelligence sharing, the NSA was taking note of what could happen when such sharing went terribly wrong. A SIDtoday story about a British government inquiry into prewar intelligence on Iraq, the Butler Review, describes how the U.K.’s signals intelligence agency GCHQ was now required to provide “Intelligence Source Descriptors” on all intel reports. This requirement came in response to the finding that the British foreign spying agency, MI6, did not adequately check human sources and relied on third-hand reporting about Iraqi chemical weapons, including “seriously flawed” information from “another country’s intelligence service.”

The new British source descriptors would include identification of sources by name or role along with judgments on whether the source had direct or indirect access to the information reported. The GCHQ descriptor would also indicate whether a source is “reliable,” “unknown,” or “uncertain” as to reliability. “There are no plans at present to use a like program on NSA reports,” SIDtoday reported.

Despite reporting on fallout from the U.K. postwar review, SIDtoday did not cover a U.S. presidential commission that prominently reported in March 2005 on how the American intelligence community was “dead wrong” in its prewar assessment of weapons of mass destruction in Iraq.

NSA Works with Hungary, Pakistan, Ethiopia — and an Eager Czech Republic

In parallel with its efforts to share information with more U.S. government and intelligence agencies, the NSA also forged connections with foreign partners whose collaboration would have, in previous decades, seemed inconceivable.

In early 2005, the NSA entered into a partnership with Hungary’s Military Intelligence Office, inviting the spy agency to “work with NSA as part of our extended SIGINT enterprise,” according to SIDtoday, and “write SIGINT reports for dissemination through the NSA system to our intelligence community customers.” The partnership allowed the NSA to tap into the Hungarian agency’s “unique access to Serbian and Ukrainian military targets.”

A contemporaneous NSA visit to the Czech Republic, as described in SIDtoday, showed how such “third party” partnerships can come to fruition. The trip was conducted to establish whether the NSA should partner with the Czech External Intelligence Service, or ÚZSI, which wanted to tap NSA expertise “on many technical issues.” In order to win over the Americans, spy agency “personnel essentially opened the door to their SIGINT vault,” displaying an “exceptional degree of openness.” The NSA team came away impressed, judging ÚZSI “exceptionally good at analysis of material associated with Russian [counterintelligence] targets,” and impressed with the agency’s “very good analytic effort against Russian and Ukrainian HF networks” and “overall levels of sophistication, knowledge, practical experience, ingenuity and enthusiasm that allow them to overcome many financial and equipment shortfalls.” Perhaps best of all, ÚZSI “has not requested financial support from the NSA.” The Czech Republic eventually became a third-party partner.

A March 2005 SIDtoday article, summarizing a briefing from the NSA’s principal director for foreign affairs, alluded to agency “relationships” with Pakistan and Ethiopia, “work” with Iraq (discussed elsewhere in this article) and Afghanistan, and a “multinational collaboration in the Pacific.”

More generally, third parties became vital at this time simply for providing additional staffing and coverage. For instance, after the U.S. closed several bases, the NSA developed a reliance on third-party partners to participate in High Frequency Directional Finding networks for locating the origins of targeted radio signals. And the U.S. partnered with Hungary’s military intelligence organization in part because it “has been instrumental in providing intelligence that answers high-priority CIA and DIA (Defense Intelligence Agency) requirements that NSA would otherwise not be able to answer due to manpower constraints.”

Intercept Backer Spoke at NSA Headquarters

Back in the U.S., the NSA’s post-9/11 “transformation,” initiated by Director Michael Hayden, promoted information sharing and collaboration to the traditionally closed community at Fort Meade. Invitations to participate at agency seminars and conferences were made not just to partners from the intelligence and military communities, but also to members of private industry and academia.

An announcement in SIDtoday for the third annual Analysis Conference from the NSA’s Analysis and Production division proclaimed the need to “keep communications open and leverage our partners’ insights.” Speakers at the May 2005 event, held at agency headquarters, included authors, U.S. senators, corporate executives, and journalists.

One “high-powered panel” at the conference on “human networking” featured eBay founder Pierre Omidyar, who would go on to provide funding for The Intercept, which covers and is frequently critical of the NSA. A separate SIDtoday article touting the panel indicated that corporate anthropologist Karen Stephenson and Wired founding executive editor Kevin Kelly also participated and that panelists were recruited through the Global Business Network, a consulting firm specializing in scenario-based forecasting. The GBN had been asked to harness its network of experts, “most of whom have had no previous involvement with the intelligence community,” to apply strategies from “the competitive marketplace” to NSA challenges.

Omidyar told The Intercept that the GBN “asked me to participate in an unclassified meeting at NSA headquarters at Fort Meade on the topic of ‘open source’ intelligence. My recollection of the people I met there is that they were very smart and genuinely interested in bringing outside ideas into the agency. I stayed involved with the GBN for some time after that meeting but when they approached me many months later to participate in additional meetings with the NSA, I declined. The invitation was made after news broke in December 2005 about the agency’s ‘warrantless wiretapping’ — and those events were deeply concerning to me. In addition, I didn’t have anything else to add beyond what I had already shared. I was not asked to meet with the NSA again after declining that invitation.”

Omidyar said he was not paid for his appearance.

Advance Word on Indian Nuclear Weapons

A series of nuclear weapons tests conducted by India in the spring of 1998 took the intelligence community by surprise, prompting an internal investigation into why these tests had not been foreseen; a subsequent report was harshly critical of the U.S. intelligence community. A similar lapse in data gathering would not happen again in 2005. An Australian NSA site, RAINFALL, isolated a signal it suspected was associated with an Indian nuclear facility, according to SIDtoday. Collaboration between RAINFALL and two NSA stations in Thailand (INDRA and LEMONWOOD) confirmed the source of the signals and allowed for the interception of information about several new Indian missile initiatives. Although these missile systems did not come to public attention for several more years (the Sagarika submarine-launched ballistic missile was first tested in 2008), the NSA’s access to these signals gave the agency foreknowledge of the actions of its own Third Party SIGINT partner (see last image).

Attacking VPNs

An NSA working group focused on virtual private networks, or VPNs, was established in November 2004 to “conduct systematic and thorough SIGINT Development of VPN communications (typically encrypted),” SIDtoday reported — meaning that the agency wanted to break into the networks. The group published regular “VPN Target Activity Reports” on a large number of countries throughout Europe, the Middle East, North Africa, Russia, and China, as well as “specific financial, governmental, communication service providers and international organizations.” These reports may help analysts “exploit targets’ VPNs more successfully.”

Women at the NSA

Sonia Kovalevsky Days take place at schools and colleges nationwide, with competitions and talks to encourage young women to pursue careers in mathematics. Although the events’ namesake was a radical socialist and pioneering female mathematician, members of the NSA’s Women in Mathematics Society participated as part of the agency’s effort to recruit more female mathematicians. The NSA believed itself to be the largest employer of mathematicians in the country, but between 1987 and 1993, only one of the 30 math Ph.D.s the agency hired identified as a woman, and only 26 percent of women hired into the agency’s mathematics community had an advanced degree, according to SIDtoday. After the Women in Mathematics Society was formed, from 1994 through 2005, about 38 percent of women mathematicians hired into NSA had a doctoral degree and 27 percent held a master’s degree.

Hold the Spam, Please

“Spam affects NSA by impeding our collection, processing and storage of [Digital Network Intelligence] traffic,” said the author of a February 2005 SIDtoday article. “Unfortunately, filtering out spam has proven to be an extremely difficult and cumbersome task.” According to the author, analysts developed technology that tagged “an average of 150,000 spam sessions a day,” which greatly reduced the amount of spam that shows up in “daily searches” of intercepted emails.
