{"id":41259,"date":"2014-03-24T12:00:09","date_gmt":"2014-03-24T12:00:09","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=41259"},"modified":"2015-05-05T21:35:11","modified_gmt":"2015-05-05T20:35:11","slug":"inside-the-nsas-secret-efforts-to-hunt-and-hack-system-administrators","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2014\/03\/inside-the-nsas-secret-efforts-to-hunt-and-hack-system-administrators\/","title":{"rendered":"Inside the NSA\u2019s Secret Efforts to Hunt and Hack System Administrators"},"content":{"rendered":"<div id=\"attachment_41260\" style=\"width: 310px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-I-hunt-sys-admins.jpg\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-41260\" class=\"size-medium wp-image-41260 \" alt=\"A secret document reveals how the NSA tracks down system administrators for surveillance. Illustration: Josh Begley.\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-I-hunt-sys-admins-300x202.jpg\" width=\"300\" height=\"202\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-I-hunt-sys-admins-300x202.jpg 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-I-hunt-sys-admins.jpg 659w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-41260\" class=\"wp-caption-text\">A secret document reveals how the NSA tracks down system administrators for surveillance.<br \/>Illustration: Josh Begley.<\/p><\/div>\n<p>Across the world, people who work as system administrators keep computer networks in order \u2013 and this has turned them into unwitting targets of the National Security Agency for simply doing their jobs. 
According to <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/20\/hunt-sys-admins\/\" >a secret document<\/a> provided by NSA whistleblower Edward Snowden, the agency tracks down the private email and Facebook accounts of system administrators (or sys admins, as they are often called), before hacking their computers to gain access to the networks they control.<\/p>\n<p>The document consists of several posts \u2013 one of them is titled \u201cI hunt sys admins\u201d \u2013 that were published in 2012 on an internal discussion board hosted on the agency\u2019s classified servers. They were written by an NSA official involved in the agency\u2019s effort to break into foreign network routers, the devices that connect computer networks and transport data across the Internet. By infiltrating the computers of system administrators who work for foreign phone and Internet companies, the NSA can gain access to the calls and emails that flow over their networks.<\/p>\n<p>The classified posts reveal how the NSA official aspired to create a database that would function as an international hit list of sys admins to potentially target. Yet the document makes clear that the admins are not suspected of any criminal activity \u2013 they are targeted only because they control access to networks the agency wants to infiltrate. \u201cWho better to target than the person that already has the \u2018keys to the kingdom\u2019?\u201d one of the posts says.<\/p>\n<p>The NSA wants more than just passwords. The document includes a list of other data that can be harvested from computers belonging to sys admins, including network maps, customer lists, business correspondence and, the author jokes, \u201cpictures of cats in funny poses with amusing captions.\u201d The posts, boastful and casual in tone, contain hacker jargon (pwn, skillz, zomg, internetz) and are punctuated with expressions of mischief. 
\u201cCurrent mood: devious,\u201d reads one, while another signs off, \u201cCurrent mood: scheming.\u201d<\/p>\n<p>The author of the posts, whose name is being withheld by <i>The Intercept<\/i>, is a network specialist in the agency\u2019s Signals Intelligence Directorate, according to other NSA documents. The same author wrote secret presentations related to the <a target=\"_blank\" href=\"http:\/\/www.theguardian.com\/world\/2013\/oct\/04\/nsa-gchq-attack-tor-network-encryption\" >NSA\u2019s controversial program<\/a> to identify users of the Tor browser \u2013 a privacy-enhancing tool that allows people to browse the Internet anonymously. The network specialist, who served as a private contractor prior to joining the NSA, shows little respect for hackers who do not work for the government. One post expresses disdain for the quality of presentations at Blackhat and Defcon, the computer world\u2019s premier security and hacker conferences:<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-defcon.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-41261\" alt=\"nsa defcon\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-defcon-300x88.png\" width=\"300\" height=\"88\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-defcon-300x88.png 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-defcon.png 984w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>It is unclear how precise the NSA\u2019s hacking attacks are or how the agency ensures that it excludes Americans from the intrusions. The author explains in one post that the NSA scours the Internet to find people it deems \u201cprobable\u201d administrators, suggesting a lack of certainty in the process and implying that the wrong person could be targeted. 
It is illegal for the NSA to deliberately target Americans for surveillance without explicit prior authorization. But the employee\u2019s posts make no mention of any measures that might be taken to prevent hacking the computers of Americans who work as sys admins for foreign networks. Without such measures, Americans who work on such networks could potentially fall victim to an NSA infiltration attempt.<\/p>\n<p>The NSA declined to answer questions about its efforts to hack system administrators or explain how it ensures Americans are not mistakenly targeted. Agency spokeswoman Vanee\u2019 Vines said in an email statement: \u201cA key part of the protections that apply to both U.S. persons and citizens of other countries is the mandate that information be in support of a valid foreign intelligence requirement, and comply with U.S. Attorney General-approved procedures to protect privacy rights.\u201d<\/p>\n<p>As <i>The Intercept<\/i> <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/article\/2014\/03\/12\/nsa-plans-infect-millions-computers-malware\/\" >revealed last week<\/a>, clandestine hacking has become central to the NSA\u2019s mission in the past decade. The agency is working to aggressively scale its ability to break into computers to perform what it calls \u201ccomputer network exploitation,\u201d or CNE: the collection of intelligence from covertly infiltrated computer systems. Hacking into the computers of sys admins is particularly controversial because unlike conventional targets \u2013 people who are regarded as threats \u2013 sys admins are not suspected of any wrongdoing.<\/p>\n<p>In a post calling sys admins \u201ca means to an end,\u201d the NSA employee writes, \u201cUp front, sys admins generally are not my end target. 
My end target is the extremist\/terrorist or government official that happens to be using the network some admin takes care of.\u201d<\/p>\n<p>The first step, according to the posts, is to collect IP addresses that are believed to be linked to a network\u2019s sys admin. An IP address is a series of numbers allocated to every computer that connects to the Internet. Using this identifier, the NSA can then run an IP address through the vast amount of signals intelligence data, or SIGINT, that it collects every day, trying to match the IP address to personal accounts.<\/p>\n<p>\u201cWhat we\u2019d really like is a personal webmail or Facebook account to target,\u201d one of the posts explains, presumably because, whereas IP addresses can be shared by multiple people, \u201calternative selectors\u201d like a webmail or Facebook account can be linked to a particular target. You can \u201cdumpster-dive for alternate selectors in the big SIGINT trash can\u201d the author suggests. Or \u201cpull out your wicked Google-fu\u201d (slang for efficient Googling) to search for any \u201cofficial and non-official e-mails\u201d that the targets may have posted online.<\/p>\n<p>Once the agency believes it has identified a sys admin\u2019s personal accounts, according to the posts, it can target them with its so-called <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/12\/one-way-quantum\/\" >QUANTUM hacking techniques<\/a>. The Snowden files reveal that the QUANTUM methods <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/17\/nsa-secretly-masqueraded-facebook-hack-computers-surveillance\/\" >have been used<\/a> to secretly inject surveillance malware into a Facebook page by sending malicious NSA data packets that appear to originate from a genuine Facebook server. 
This method tricks a target\u2019s computer into accepting the malicious packets, allowing the NSA to infect the targeted computer with a malware \u201cimplant\u201d and gain unfettered access to the data stored on its hard drive.<\/p>\n<p>\u201cJust pull those selectors, queue them up for QUANTUM, and proceed with the pwnage,\u201d the author of the posts writes. (\u201cPwnage,\u201d short for \u201cpure ownage,\u201d is gamer-speak for defeating opponents.) The author adds, triumphantly, \u201cYay! \/throws confetti in the air.\u201d<\/p>\n<p>In one case, these tactics were used by the NSA\u2019s British counterpart, Government Communications Headquarters, or GCHQ, to infiltrate the Belgian telecommunications company Belgacom. As <i>Der Spiegel <\/i><a target=\"_blank\" href=\"http:\/\/www.spiegel.de\/international\/world\/ghcq-targets-engineers-with-fake-linkedin-pages-a-932821.html\" >revealed last year<\/a>, Belgacom\u2019s network engineers were targeted by GCHQ in a QUANTUM mission named \u201cOperation Socialist\u201d \u2013 with the British agency hacking into the company\u2019s systems in an effort to monitor smartphones.<\/p>\n<p>While targeting innocent sys admins may be surprising on its own, the \u201chunt sys admins\u201d document reveals how the NSA network specialist secretly discussed building a \u201cmaster list\u201d of sys admins across the world, which would enable an attack to be initiated on one of them the moment their network was thought to be used by a person of interest. 
One post outlines how this process would make it easier for the NSA\u2019s specialist hacking unit, Tailored Access Operations (TAO), to infiltrate networks and begin collecting, or \u201ctasking,\u201d data:<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-go-CNE.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-medium wp-image-41262\" alt=\"nsa go-CNE\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-go-CNE-300x76.png\" width=\"300\" height=\"76\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-go-CNE-300x76.png 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/03\/nsa-go-CNE.png 981w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>Aside from offering up thoughts on covert hacking tactics, the author of these posts also provides a glimpse into internal employee complaints at the NSA. The posts describe how the agency\u2019s spies gripe about having \u201cdismal infrastructure\u201d and a \u201cBig Data Problem\u201d because of the massive volume of information being collected by NSA surveillance systems. For the author, however, the vast data troves are actually something to be enthusiastic about.<\/p>\n<p>\u201cOur ability to pull bits out of random places of the Internet, bring them back to the mother-base to evaluate and build intelligence off of is just plain awesome!\u201d the author writes. 
\u201cOne of the coolest things about it is <i>how much<\/i> data we have at our fingertips.\u201d<\/p>\n<p><i>Documents published with this article:<\/i><\/p>\n<ul>\n<li><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/03\/20\/hunt-sys-admins\/\" >I Hunt Sys Admins<\/a><\/li>\n<\/ul>\n<p>_________________________________<\/p>\n<p><i>Peter Maass has written about war, media and national security for<\/i><em> The New York Times Magazine<\/em><i>, <\/i><em>The New Yorker<\/em><i> and <\/i><em>The Washington Post<\/em><i>. He reported on the conflicts in Iraq and Afghanistan, covering the civilian as well as combatant sides of the fighting. He is the author of <\/i><em>Love Thy Neighbor: A Story of War<\/em><i>, an award-winning memoir about the conflict in Bosnia, and he wrote <\/i><em>Crude World: The Violent Twilight of Oil<\/em><i>. Peter, awarded a Guggenheim Fellowship in 2012, has focused most recently on government and corporate surveillance, and is working on a book about surveillance for Alfred A. Knopf. He has taught writing at Princeton and Columbia universities, and he has been awarded fellowships at the Shorenstein Center at Harvard and the American Academy in Berlin. He is on the advisory boards of the Solutions Journalism Network, and the Program for Narrative and Documentary Practice at Tufts University. A graduate of the University of California at Berkeley, he lives in New York City.<\/i><\/p>\n<p><i>Ryan Gallagher is a Scottish journalist whose work at <\/i><em>The Intercept<\/em><i> is focused on government surveillance, technology, and civil liberties. His journalism has appeared in publications including <\/i><em>Slate<\/em><i>, the<\/i><em> Guardian<\/em><i>, <\/i><em>Ars Technica<\/em><i>, <\/i><em>Huffington Post<\/em><i>, the <\/i><em>Sydney Morning Herald<\/em><i>, the <\/i><em>Financial Times<\/em><i>, the <\/i><em>Independent<\/em><i>, and the <\/i><em>New Statesman<\/em><i>. 
Since 2011, Ryan has broken a series of national and international stories about controversial surveillance technologies, shining a light on spy agencies and uncovering links between Western technology firms and governments in repressive countries. He took home an award for his reporting at the 2013 Information Security Journalism Awards and he has received acclaim for his writing on a diverse range of subjects, encompassing everything from the FBI\u2019s attempted infiltration of WikiLeaks to mass protests in Madrid and homelessness in England. Most recently, Ryan has been reporting from Rio de Janeiro on the cache of secret files leaked by former National Security Agency contractor Edward Snowden.<\/i><\/p>\n<p><i>Micah Lee contributed to this report.<\/i><\/p>\n<p><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/article\/2014\/03\/20\/inside-nsa-secret-efforts-hunt-hack-system-administrators\/\" >Go to Original \u2013 firstlook.org<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>According to a secret document provided by Edward Snowden, the NSA tracks down the private email and Facebook accounts of system administrators (or sys admins, as they are often called), before hacking their computers to gain access to the networks they 
control.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-41259","post","type-post","status-publish","format-standard","hentry","category-whistleblowing-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/41259","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=41259"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/41259\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=41259"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=41259"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=41259"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}