{"id":47576,"date":"2014-09-15T12:00:04","date_gmt":"2014-09-15T11:00:04","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=47576"},"modified":"2015-05-05T21:30:36","modified_gmt":"2015-05-05T20:30:36","slug":"map-of-the-stars","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2014\/09\/map-of-the-stars\/","title":{"rendered":"Map of the Stars"},"content":{"rendered":"<p style=\"text-align: left;\"><em>The NSA and GCHQ Campaign against German Satellite Companies<\/em><\/p>\n<p style=\"text-align: left;\"><em><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/09\/satellite-feature-hero-b-nsa-german-cghq-surveillance-spy.jpg\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-47577\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/09\/satellite-feature-hero-b-nsa-german-cghq-surveillance-spy-1024x568.jpg\" alt=\"satellite-feature-hero-b nsa german cghq surveillance spy\" width=\"724\" height=\"402\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/09\/satellite-feature-hero-b-nsa-german-cghq-surveillance-spy-1024x568.jpg 1024w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/09\/satellite-feature-hero-b-nsa-german-cghq-surveillance-spy-300x166.jpg 300w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/09\/satellite-feature-hero-b-nsa-german-cghq-surveillance-spy.jpg 1200w\" sizes=\"auto, (max-width: 724px) 100vw, 724px\" \/><\/a><\/em><\/p>\n<p style=\"text-align: left;\">\u201cFuck!\u201d That is the word that comes to the mind of Christian Steffen, the CEO of German satellite communications company Stellar PCS. He is looking at classified documents laying out the scope of something called Treasure Map, a top secret NSA program. Steffen\u2019s firm provides internet access to remote portions of the globe via satellite, and what he is looking at tells him that the company, and some of its customers, have been penetrated by the U.S. 
National Security Agency and British spy agency GCHQ.<\/p>\n<p style=\"text-align: left;\">Stellar\u2019s visibly shaken chief engineer, reviewing the same documents, shares his boss\u2019 reaction. \u201cThe intelligence services could use this data to shut down the internet in entire African countries that are provided access via our satellite connections,\u201d he says.<\/p>\n<p style=\"text-align: left;\">Treasure Map is a <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/09\/14\/treasure-map-presentation\/\" >vast NSA campaign to map the global internet<\/a>. The program doesn\u2019t just seek to chart data flows in large traffic channels, such as telecommunications cables. Rather, it seeks to identify and locate every single device that is connected to the internet somewhere in the world\u2014every smartphone, tablet, and computer\u2014\u201canywhere, all the time,\u201d according to NSA documents. Its internal logo depicts a skull superimposed onto a compass, the eyeholes glowing demonic red.<\/p>\n<p style=\"text-align: left;\">The breathtaking mission is described in a document from the archive of NSA whistleblower Edward Snowden provided to <em>The Intercept<\/em> and <a target=\"_blank\" href=\"http:\/\/www.spiegel.de\/international\/world\/snowden-documents-indicate-nsa-has-breached-deutsche-telekom-a-991503.html\" ><em>Der Spiegel<\/em><\/a>. Treasure Map\u2019s goal is to create an \u201cinteractive map of the global internet\u201d in \u201calmost real time.\u201d Employees of the so-called \u201cFive Eyes\u201d intelligence alliance\u2014England, Canada, Australia, and New Zealand\u2014can install and use the program on their own computers. 
It evokes a kind of Google Earth for global data traffic, a bird\u2019s eye view of the planet\u2019s digital arteries.<\/p>\n<p style=\"text-align: left;\"><em>The New York Times<\/em> <a target=\"_blank\" href=\"http:\/\/www.nytimes.com\/2013\/11\/23\/us\/politics\/nsa-report-outlined-goals-for-more-power.html?pagewanted=all\" >reported on the existence of Treasure Map last November<\/a>. Though the NSA documents indicate that it can be used to monitor \u201cadversaries,\u201d and for \u201ccomputer attack\/exploit planning\u201d\u2014offering a kind of battlefield map for cyber warfare\u2014they also clearly show that Treasure Map monitors traffic and devices inside the United States. Unnamed intelligence officials told the <em>Times<\/em> that the program didn\u2019t have the capacity to monitor <em>all<\/em> internet-connected devices, and was focused on foreign networks, as well as the U.S. Defense Department\u2019s own computer systems.<\/p>\n<div id=\"attachment_47578\" style=\"width: 550px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/09\/treasuremappraesentationreadfiles_118-41-540x487-nsa-cghq-surveillance-german-satellite.png\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-47578\" class=\"size-full wp-image-47578\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/09\/treasuremappraesentationreadfiles_118-41-540x487-nsa-cghq-surveillance-german-satellite.png\" alt=\"A slide from an NSA presentation explaining Treasure Map\" width=\"540\" height=\"487\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/09\/treasuremappraesentationreadfiles_118-41-540x487-nsa-cghq-surveillance-german-satellite.png 540w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/09\/treasuremappraesentationreadfiles_118-41-540x487-nsa-cghq-surveillance-german-satellite-300x270.png 300w\" sizes=\"auto, (max-width: 540px) 100vw, 540px\" 
\/><\/a><p id=\"caption-attachment-47578\" class=\"wp-caption-text\">A slide from an NSA presentation explaining Treasure Map<\/p><\/div>\n<p style=\"text-align: left;\">The Treasure Map graphics contained in the Snowden archive don\u2019t just provide detailed views of global networks\u2014they also note which carriers and internal service provider networks Five Eyes agencies claim to have already penetrated. In graphics generated by the program, some of the \u201cautonomous systems\u201d\u2014basically, networks of routers all controlled by one company, referred to by the shorthand \u201cAS\u201d\u2014under Treasure Map\u2019s watchful eye are marked in red. An NSA legend explains what that means: \u201cWithin these AS, there are access points for technical monitoring.\u201d In other words, they are under observation.<\/p>\n<p style=\"text-align: left;\"><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/09\/14\/gchq-attack-stellar-pcs\/\" >In one GCHQ document<\/a>, an AS belonging to Stellar PCS is marked in red, as are networks that belong to two other German firms, Deutsche Telekom AG and Netcologne, which operates a fiber-optic network and provides telephone and internet services to 400,000 customers.<\/p>\n<div id=\"attachment_47579\" style=\"width: 550px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/09\/stellar2-540x373-nsa-cghq-surveillance-satellige-german.jpg\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-47579\" class=\"size-full wp-image-47579\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/09\/stellar2-540x373-nsa-cghq-surveillance-satellige-german.jpg\" alt=\"A Treasure Map image from a GCHQ document shows Stellar PCS and other companies marked red, meaning their networks have been penetrated\" width=\"540\" height=\"373\" 
srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/09\/stellar2-540x373-nsa-cghq-surveillance-satellige-german.jpg 540w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2014\/09\/stellar2-540x373-nsa-cghq-surveillance-satellige-german-300x207.jpg 300w\" sizes=\"auto, (max-width: 540px) 100vw, 540px\" \/><\/a><p id=\"caption-attachment-47579\" class=\"wp-caption-text\">A Treasure Map image from a GCHQ document shows Stellar PCS and other companies marked red, meaning their networks have been penetrated<\/p><\/div>\n<p style=\"text-align: left;\">Deutsche Telekom, of which the German government owns more than 30 percent, is one of the dozen or so international telecommunications companies that operate global networks\u2014so-called Tier 1 providers. In Germany alone, Deutsche Telekom claims to provide mobile phone services, internet, and land lines to 60 million customers.<\/p>\n<p style=\"text-align: left;\">It\u2019s not clear from the documents how or where the NSA gained access to the networks. Deutsche Telekom\u2019s autonomous system, marked in red, includes several thousand routers worldwide. It has operations in the U.S. and England, and is part of a consortium that operates the TAT14 transatlantic cable system, which stretches from England to the east coast of the U.S. \u201cThe accessing of our network by foreign intelligence agencies,\u201d said a Telekom spokesperson, \u201cwould be completely unacceptable.\u201d<\/p>\n<p style=\"text-align: left;\">The fact that Netcologne is a regional provider, with no international operations, would seem to indicate that the NSA or one of its partners accessed the network from within Germany. 
If so, that would be a violation of German law and potentially another NSA-related case for German prosecutors, who have been investigating the monitoring of Chancellor Angela Merkel\u2019s mobile phone.<\/p>\n<p style=\"text-align: left;\">Reporters for<em> Der Spiegel<\/em>, working in collaboration with<em> The Intercept,\u00a0<\/em>contacted both companies several weeks ago in order to give them an opportunity to look into the alleged security breaches themselves. The security departments of both firms say they launched intensive investigations, but failed to find any suspicious equipment or data streams leaving the network. The NSA declined to comment for this story, and GCHQ offered no response beyond its boilerplate claim that all its activities are lawful.<\/p>\n<p style=\"text-align: left;\">Deutsche Telekom and Netcologne are not the first German companies to be pinpointed by Snowden documents as having been successfully hacked by intelligence agencies. In March, <em>Der Spiegel<\/em> <a target=\"_blank\" href=\"http:\/\/www.spiegel.de\/international\/germany\/gchq-and-nsa-targeted-private-german-companies-a-961444.html\" >reported on a large-scale attack by GCHQ<\/a> on German satellite operators Stellar, Cetel, and IABG, all of which offer satellite internet connections to remote regions of the world. All three companies operate their own autonomous systems. And all three are marked red in Treasure Map graphics.<\/p>\n<p style=\"text-align: left;\"><em>Der Spiegel<\/em> also contacted 11 of the international providers listed in the Treasure Map document. Four answered, all saying they examined their systems and were unable to find any irregularities. 
\u201cWe would be extremely concerned if a foreign government were to seek unauthorized access to our global networks and infrastructure,\u201d said a spokesperson for the Australian telecommunications company Telstra.<\/p>\n<p style=\"text-align: left;\">The case of Stellar illustrates the lengths to which GCHQ and NSA have gone in making their secret map of the internet, and its users.<\/p>\n<p style=\"text-align: left;\">One document, from GCHQ\u2019s Network Analysis Center, lays out what appears to be an attack on Stellar. The document lists \u201ccentral employees\u201d at the company, and states that they should be identified and \u201ctasked.\u201d To \u201ctask\u201d somebody, in signals intelligence jargon, is to engage in electronic surveillance. In addition to Stellar CEO Christian Steffen, nine other employees are named in the document.<\/p>\n<p style=\"text-align: left;\">The attack on Stellar has notable similarities with the GCHQ surveillance operation targeting the Belgian provider Belgacom, <a target=\"_blank\" href=\"http:\/\/www.spiegel.de\/international\/world\/ghcq-targets-engineers-with-fake-linkedin-pages-a-932821.html\" >which <em>Der Spiegel<\/em> reported last year<\/a>. There too, the GCHQ Network Analysis department penetrated deeply into the Belgacom network and that of its subsidiary BICS by hacking employee computers. They then prepared routers for cyber attacks.<\/p>\n<p style=\"text-align: left;\"><em>Der Spiegel<\/em> reporters visited Stellar at its headquarters in H\u00fcrth, near Cologne, and presented the documents to Steffen and three of his \u201ctasked\u201d employees. 
They were able to recognize, among other things, a listing for their central server as well as the company\u2019s mail server, which the GCHQ attackers appear to have hacked.<\/p>\n<p style=\"text-align: left;\">The document also lays out the intelligence gathered from the spying efforts, including an internal table that shows which Stellar customers are being served by which specific satellite transponders. \u201cThose are business secrets and sensitive information,\u201d said Stellar\u2019s visibly shocked IT chief, Ali Fares, who is himself cited in the document as an employee to be \u201ctasked.\u201d<\/p>\n<p style=\"text-align: left;\">The Stellar officials expressed alarm when they saw the password for the central server of an important customer. The significance of the theft is immense, Fares said. \u201cThis is really disturbing.\u201d<\/p>\n<p style=\"text-align: left;\">Steffen, after spitting out his four-letter assessment, said he considers the documents to constitute proof that his company\u2019s systems were breached illegally. \u201cThe hacked server has always stood behind our company\u2019s own firewall,\u201d he said. \u201cThe only way of accessing it is if you first successfully break into our network.\u201d The company in question is no longer a customer with Stellar.<\/p>\n<p style=\"text-align: left;\">When asked if there are any reasons that would prompt England, a European Union partner country, to take such an aggressive approach to Stellar, Steffen shrugged his shoulders, perplexed. \u201cOur customer traffic doesn\u2019t run across conventional fiber optic lines,\u201d he said. \u201cIn the eyes of intelligence services, we are apparently seen as difficult to access.\u201d Still, he said, \u201cthat doesn\u2019t give anyone the right to break in.\u201d<\/p>\n<p style=\"text-align: left;\">\u201cA cyber attack of this nature is a clear criminal offense under German law,\u201d he continued. 
\u201cI want to know why we were a target and exactly how the attack against us was conducted\u2014if for no other reason than to be able to protect myself and my customers from this happening again.\u201d Steffen wrote a letter to the British ambassador in Berlin asking for an explanation, but says he never received an answer.<\/p>\n<p style=\"text-align: left;\">Meanwhile, Deutsche Telekom\u2019s security division has conducted a forensic review of important routers in Germany, but has yet to detect anything. Volker Tschersich, who heads the security division, says it\u2019s possible the red dots in Treasure Map can be explained as access to the TAT14 cable, in which Telekom occupies a frequency band in England and the U.S. At the end of last week, the company informed Germany\u2019s Federal Office for Information Security of the findings of <em>Der Spiegel<\/em>\u2019s reporting.<\/p>\n<p style=\"text-align: left;\">The classified documents also indicate that other data from Germany contributes to keeping the global treasure map up to date. 
Of the 13 servers the NSA operates around the world in order to track current data flows on the open Internet, one is located somewhere in Germany.<\/p>\n<p style=\"text-align: left;\">Like the other servers, this one, which feeds data into the secret NSA network, is \u201ccovered\u201d in an inconspicuous \u201cdata center.\u201d<\/p>\n<p style=\"text-align: left;\">_________________________<\/p>\n<p style=\"text-align: left;\"><em>Email the authors: <a href=\"mailto:amm@datenreisen.de\">amm@datenreisen.de<\/a>, <a href=\"mailto:laura.poitras@theintercept.com\">laura.poitras@theintercept.com<\/a>, <a href=\"mailto:marcel_rosenbach@spiegel.de\">marcel_rosenbach@spiegel.de<\/a>, <a href=\"mailto:michael_sontheimer@spiegel.de\">michael_sontheimer@spiegel.de<\/a>, <a href=\"mailto:christian@grothoff.org\">christian@grothoff.org<\/a><\/em><\/p>\n<p style=\"text-align: left;\"><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/2014\/09\/14\/nsa-stellar\/\" >Go to Original \u2013 firstlook.org<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The NSA and GCHQ Campaign against German Satellite Companies &#8211; \u201cFuck!\u201d That is the word that comes to the mind of Christian Steffen, the CEO of German satellite communications company Stellar 
PCS.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-47576","post","type-post","status-publish","format-standard","hentry","category-whistleblowing-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/47576","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=47576"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/47576\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=47576"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=47576"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=47576"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}