{"id":53598,"date":"2015-02-09T13:29:55","date_gmt":"2015-02-09T13:29:55","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=53598"},"modified":"2015-05-05T21:26:07","modified_gmt":"2015-05-05T20:26:07","slug":"western-spy-agencies-secretly-rely-on-hackers-for-intel-and-expertise","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2015\/02\/western-spy-agencies-secretly-rely-on-hackers-for-intel-and-expertise\/","title":{"rendered":"Western Spy Agencies Secretly Rely on Hackers for Intel and Expertise"},"content":{"rendered":"<div id=\"attachment_53599\" style=\"width: 550px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/hacker-being-hacked-article-display-b-usa-surveillance-spying-nsa-gchq-canada.jpg\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-53599\" class=\"size-full wp-image-53599\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/hacker-being-hacked-article-display-b-usa-surveillance-spying-nsa-gchq-canada.jpg\" alt=\"Hacker being hacked. Illustration: Getty Images\" width=\"540\" height=\"338\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/hacker-being-hacked-article-display-b-usa-surveillance-spying-nsa-gchq-canada.jpg 540w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/hacker-being-hacked-article-display-b-usa-surveillance-spying-nsa-gchq-canada-300x188.jpg 300w\" sizes=\"auto, (max-width: 540px) 100vw, 540px\" \/><\/a><p id=\"caption-attachment-53599\" class=\"wp-caption-text\">Hacker being hacked.<br \/>Illustration: Getty Images<\/p><\/div>\n<p><em>4 Feb 2015 &#8211; <\/em>The U.S., U.K. 
and Canadian\u00a0governments characterize hackers as\u00a0<a target=\"_blank\" href=\"http:\/\/www.theverge.com\/2012\/4\/9\/2930626\/yochai-benkler-anonymous-cybersecurity-laws\" >a criminal menace<\/a>, warn of the <a target=\"_blank\" href=\"http:\/\/www.wsj.com\/articles\/SB10001424052970204059804577229390105521090\" >threats they allegedly pose<\/a>\u00a0to critical infrastructure, and\u00a0<a target=\"_blank\" href=\"http:\/\/www.theguardian.com\/world\/2012\/jul\/10\/gary-mckinnon-hacking-prosecution-us\" >aggressively prosecute<\/a> them, but they are also secretly exploiting their information and expertise, according to top secret documents.<\/p>\n<p>In some cases, the surveillance agencies\u00a0are obtaining the content of emails by monitoring hackers as they breach email\u00a0accounts, often without notifying the hacking victims of these breaches.\u00a0\u201cHackers are stealing the emails of some of our targets\u2026 by collecting the hackers\u2019 \u2018take,\u2019 we . . .\u00a0\u00a0get access to the emails themselves,\u201d reads one top secret 2010 National Security Agency document.<\/p>\n<p>These and other revelations about the intelligence agencies\u2019 reliance on hackers are\u00a0contained in documents\u00a0provided by whistleblower Edward Snowden. The documents\u2014which come from the\u00a0U.K. 
Government Communications Headquarters agency and NSA\u2014shed new light on the various means used by intelligence agencies to exploit hackers\u2019 successes and learn from their skills, while also raising questions about whether governments have overstated the threat posed by some hackers.<\/p>\n<p>By\u00a0looking out for hacking conducted\u00a0\u201cboth by state-sponsored and freelance hackers\u201d and riding on the coattails of hackers, Western intelligence agencies\u00a0have gathered what they regard as<strong>\u00a0<\/strong>valuable content:<\/p>\n<p><em>Recently, Communications Security Establishment Canada (CSEC) and Menwith Hill Station (MHS) discovered and began exploiting a target-rich data set being stolen by hackers. The hackers\u2019 sophisticated email-stealing intrusion set is known as INTOLERANT. Of the traffic observed, nearly half contains category hits because the attackers are targeting email accounts of interest to the Intelligence Community. Although a relatively new data source, [Target Offices of Primary Interest] have already written multiple reports based on INTOLERANT collect.<\/em><\/p>\n<p>The hackers targeted a wide range of diplomatic corps, human rights and democracy activists and even journalists:<\/p>\n<p><em>INTOLERANT traffic is very organized. Each event is labeled to identify and categorize victims. Cyber attacks commonly apply descriptors to each victim \u2013 it helps herd victims and track which attacks succeed and which fail. 
Victim categories make INTOLERANT interesting:<\/em><\/p>\n<p><em>A = Indian Diplomatic &amp; Indian Navy<br \/>\nB = Central Asian diplomatic<br \/>\nC = Chinese Human Rights Defenders<br \/>\nD = Tibetan Pro-Democracy Personalities<br \/>\nE = Uighur Activists<br \/>\nF = European Special Rep to Afghanistan and Indian photo-journalism<br \/>\nG = Tibetan Government in Exile<\/em><\/p>\n<p>In those cases, the NSA and its partner agencies in the United Kingdom and Canada were unable to determine the identity of the hackers who collected the data, but suspect a state sponsor \u201cbased on the level of sophistication and the victim set.\u201d<\/p>\n<p>In instances where hacking may compromise data from the U.S. and U.K. governments, or their allies, notification was given to the \u201crelevant parties.\u201d<\/p>\n<p>In a separate document, GCHQ officials discuss plans to use open source discussions among hackers to improve their own knowledge. \u201cAnalysts are potentially missing out on valuable open source information relating to cyber defence because of an inability to easily keep up to date with specific blogs and Twitter sources,\u201d according to one document.<\/p>\n<p>GCHQ created a program called LOVELY HORSE to monitor and index public discussion by hackers on Twitter and other social media. 
The Twitter accounts designated for collection in the 2012\u00a0document:<\/p>\n<div id=\"attachment_53600\" style=\"width: 550px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/lovely-horse-doc-540x431-surveillance-spying-nsa-gchq-usa-uk-canada-hacking.jpg\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-53600\" class=\"size-full wp-image-53600\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/lovely-horse-doc-540x431-surveillance-spying-nsa-gchq-usa-uk-canada-hacking.jpg\" alt=\"Illustration: Getty Images\" width=\"540\" height=\"431\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/lovely-horse-doc-540x431-surveillance-spying-nsa-gchq-usa-uk-canada-hacking.jpg 540w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/02\/lovely-horse-doc-540x431-surveillance-spying-nsa-gchq-usa-uk-canada-hacking-300x239.jpg 300w\" sizes=\"auto, (max-width: 540px) 100vw, 540px\" \/><\/a><p id=\"caption-attachment-53600\" class=\"wp-caption-text\">Illustration: Getty Images<\/p><\/div>\n<p>These accounts represent a\u00a0cross section of the hacker community and security scene. In addition to monitoring multiple accounts affiliated with Anonymous, GCHQ monitored the <a target=\"_blank\" href=\"https:\/\/twitter.com\/kevinmitnick\" >tweets of Kevin Mitnick<\/a>, who was sent to prison in 1999 for various computer and fraud related offenses. The U.S. 
Government once characterized Mitnick as one of the world\u2019s most villainous hackers, but\u00a0he has since turned security consultant and <a target=\"_blank\" href=\"http:\/\/www.wired.com\/2014\/09\/kevin-mitnick-selling-zero-day-exploits\/\" >exploit broker<\/a>.<\/p>\n<p>Among others, GCHQ monitored the tweets of reverse-engineer and Google employee, <a target=\"_blank\" href=\"https:\/\/twitter.com\/halvarflake\" >Thomas Dullien<\/a>.\u00a0Fellow Googler\u00a0<a target=\"_blank\" href=\"https:\/\/twitter.com\/taviso\" >Tavis Ormandy<\/a>, from Google\u2019s vulnerability research team Project Zero, is featured on the list, along with other well-known offensive security researchers, including Metasploit\u2019s <a target=\"_blank\" href=\"https:\/\/twitter.com\/hdmoore\" >HD Moore<\/a> and <a target=\"_blank\" href=\"https:\/\/twitter.com\/egyp7\" >James Lee (aka Egypt)<\/a> together with <a target=\"_blank\" href=\"https:\/\/twitter.com\/dinodaizovi\" >Dino Dai Zovi<\/a> and <a target=\"_blank\" href=\"https:\/\/twitter.com\/alexsotirov\" >Alexander Sotirov<\/a>, who at the time both worked for New York-based offensive security\u00a0company, Trail of Bits (Dai Zovi has since taken up a position at payment company, Square). 
The list also includes notable anti-forensics and operational security expert \u201c<a target=\"_blank\" href=\"https:\/\/twitter.com\/thegrugq\" >The Grugq.\u201d<\/a><\/p>\n<p>GCHQ monitored the tweets of former NSA agents <a target=\"_blank\" href=\"https:\/\/twitter.com\/daveaitel\" >Dave Aitel<\/a> and <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/2015\/02\/04\/demonize-prosecute-hackers-nsa-gchq-rely-intel-expertise\/0xcharlie\" >Charlie Miller<\/a>, and former Air Force intelligence officer <a target=\"_blank\" href=\"https:\/\/twitter.com\/taosecurity\" >Richard Bejtlich<\/a> as well as French exploit vendor, <a target=\"_blank\" href=\"https:\/\/twitter.com\/vupen\" >VUPEN<\/a> (who sold a one-year <a target=\"_blank\" href=\"https:\/\/muckrock.s3.amazonaws.com\/foia_files\/9-11-13_MR6593_RES.pdf\" >subscription<\/a> for its binary analysis and exploits service to the NSA in 2012).<\/p>\n<p>The GCHQ document states\u00a0that they\u00a0\u201ccurrently have a list of around 60 blog and Twitter sources\u201d that were identified by analysts for collection.\u00a0A prototype of the LOVELY HORSE program ensured that \u201cTwitter and (and subject to legal\/security approval) blog content [was] manually scraped and uploaded to GCDesk.\u201d A later version would upload content in real time.<\/p>\n<p>Several of the accounts to be mined for expertise are associated with the hacktivist collective Anonymous. 
Documents <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2014\/07\/14\/jtrig-tools-techniques\/\" >previously published<\/a> by <em>The Intercept <\/em><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/2014\/07\/14\/manipulating-online-polls-ways-british-spies-seek-control-internet\/\" >reveal\u00a0extensive<\/a>, and <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/2014\/02\/24\/jtrig-manipulation\/\" >sometimes extreme<\/a>, <a target=\"_blank\" href=\"http:\/\/msnbcmedia.msn.com\/i\/msnbc\/sections\/news\/snowden_anonymous_nbc_document.pdf\" >tactics employed<\/a> by GCHQ to infiltrate, discredit and disrupt that group. The agency employed some of the same hacker methods against Anonymous (e.g., mass denial of service) as governments have prosecuted Anonymous for using.<\/p>\n<p>A separate GCHQ document details the open-source sites monitored and collected by the agency, including blogs, websites, chat venues and Twitter. It describes Twitter monitoring undertaken for \u201creal-time alerting to new security issues reported by known security professionals, or planned activity by hacking groups, e.g. Anonymous.\u201d The agency planned to expand its monitoring and aggregation\u00a0program to a wide range of web locations, including IRC chat rooms and Pastebin, where \u201can increasing number of tip-offs are coming from . . . 
as this is where many hackers anonymously advertise and promote their exploits, by publishing stolen information.\u201d<\/p>\n<p>One classified document casts serious doubt on warnings about the <a target=\"_blank\" href=\"http:\/\/www.theverge.com\/2012\/4\/9\/2930626\/yochai-benkler-anonymous-cybersecurity-laws\" >threat<\/a> posed by Anonymous (in early 2012 then-<a target=\"_blank\" href=\"http:\/\/www.wsj.com\/articles\/SB10001424052970204059804577229390105521090\" >NSA chief Keith Alexander reportedly warned<\/a> that Anonymous could shut down parts of the power grid).<\/p>\n<p>That document, containing \u201ctalking points\u201d prepared by Jessica Vielhuber of the National Intelligence Council in September 2011\u00a0for a NATO meeting on cyber-threats, describes the threat from Anonymous as relatively small.\u00a0\u201cAlthough \u2018hacktivist\u2019 groups such as Anonymous have made headlines recently with their theft of NATO information, the threat posed by such activity is minimal relative to that of nation-states,\u201d she wrote.<\/p>\n<p>In response to <em>The\u00a0Intercept<\/em>\u2019s questions, an agency spokesperson said that \u201cNSA will not comment on the\u00a0Intercept\u2019s speculation,\u201d and noted that NSA \u201cdefends the nation and our allies from foreign threats while going to great lengths to safeguard privacy and civil liberties.\u201d The spokesperson added that \u201cover the last year, at the president\u2019s direction, the U.S. intelligence community engaged in an unprecedented effort to examine and strengthen the privacy and civil liberty protections afforded to all people, regardless of nationality.\u201d<\/p>\n<p>GCHQ declined to answer questions for this article, or to comment on the\u00a0programs involved, but instead provided a boilerplate statement, which says the agency\u2019s work is legal and subject to government oversight. 
\u201cIt is longstanding policy that we do not comment on\u00a0intelligence matters,\u201d the agency notes.<\/p>\n<p><em>Documents published with this article:<\/em><\/p>\n<ul>\n<li><em><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/04\/lovely-horse-gchq-wiki-overview\/\" >LOVELY HORSE \u2013 GCHQ Wiki Overview<\/a><\/em><\/li>\n<li><em><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/04\/intolerant-else-targeting-target-collecting-data-stolen-hackers\/\" >INTOLERANT \u2013 Who Else Is Targeting Your Target? Collecting Data Stolen by Hackers \u2013\u00a0SIDtoday<\/a>\u00a0<\/em><\/li>\n<li><em><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/04\/happy-triggerlovely-horsezooltwo-face-open-source-cyber-defenceprogress\/\" >HAPPY TRIGGER\/LOVELY HORSE\/Zool\/TWO FACE \u2013\u00a0Open Source for Cyber Defence\/Progress<\/a><\/em><\/li>\n<li><em><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/02\/04\/nato-civilian-intelligence-council-cyber-panel-us-talking-points\/\" >NATO Civilian Intelligence Council \u2013 Cyber Panel\u00a0\u2013 US Talking Points<\/a><\/em><\/li>\n<\/ul>\n<p>_________________________________<\/p>\n<p><em>Morgan Marquis-Boire contributed reporting to this article.<\/em><\/p>\n<p><em>Email the author: <a href=\"mailto:glenn.greenwald@theintercept.com\">glenn.greenwald@theintercept.com<\/a><\/em><\/p>\n<p><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/2015\/02\/04\/demonize-prosecute-hackers-nsa-gchq-rely-intel-expertise\/\" >Go to Original \u2013 firstlook.org<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>4 Feb 2015 &#8211; The U.S., U.K. 
and Canadian governments characterize hackers as a criminal menace, warn of the threats they allegedly pose to critical infrastructure, and aggressively prosecute them, but they are also secretly exploiting their information and expertise, according to top secret documents.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-53598","post","type-post","status-publish","format-standard","hentry","category-whistleblowing-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/53598","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=53598"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/53598\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=53598"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=53598"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=53598"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}