The U.S., U.K. and Canadian governments characterize hackers as a criminal menace, warn of the threats they allegedly pose to critical infrastructure, and aggressively prosecute them, but they are also secretly exploiting their information and expertise, according to top secret documents.
In some cases, the surveillance agencies are obtaining the content of
emails by monitoring hackers as they breach email accounts, often
without notifying the hacking victims of these breaches. “Hackers are
stealing the emails of some of our targets… by collecting the hackers’
‘take,’ we . . . get access to the emails themselves,” reads one top
secret 2010 National Security Agency document.
These and other revelations about the intelligence agencies’ reliance
on hackers are contained in documents provided by whistleblower Edward
Snowden. The documents—which come from the U.K. Government
Communications Headquarters agency and NSA—shed
new light on the various means used by intelligence agencies to exploit
hackers’ successes and learn from their skills, while also raising
questions about whether governments have overstated the threat posed by
some hackers.
By looking out for hacking conducted “both by state-sponsored and
freelance hackers” and riding on the coattails of hackers, Western
intelligence agencies have gathered what they regard as valuable content:
Recently, Communications Security Establishment Canada (CSEC) and Menwith Hill Station (MHS) discovered and began exploiting a target-rich data set being stolen by hackers. The hackers’ sophisticated email-stealing intrusion set is known as INTOLERANT. Of the traffic observed, nearly half contains category hits because the attackers are targeting email accounts of interest to the Intelligence Community. Although a relatively new data source, [Target Offices of Primary Interest] have already written multiple reports based on INTOLERANT collect.
The hackers targeted a wide range of diplomatic corps, human rights and democracy activists and even journalists:
INTOLERANT traffic is very organized. Each event is labeled to identify and categorize victims. Cyber attacks commonly apply descriptors to each victim – it helps herd victims and track which attacks succeed and which fail. Victim categories make INTOLERANT interesting:
A = Indian Diplomatic & Indian Navy
B = Central Asian diplomatic
C = Chinese Human Rights Defenders
D = Tibetan Pro-Democracy Personalities
E = Uighur Activists
F = European Special Rep to Afghanistan and Indian photo-journalism
G = Tibetan Government in Exile
In those cases, the NSA and its partner agencies in the United
Kingdom and Canada were unable to determine the identity of the hackers
who collected the data, but suspect a state sponsor “based on the level
of sophistication and the victim set.”
In instances where hacking may compromise data from the U.S. and U.K.
governments, or their allies, notification was given to the “relevant
parties.”
In a separate document, GCHQ officials discuss plans to use open
source discussions among hackers to improve their own knowledge.
“Analysts are potentially missing out on valuable open source
information relating to cyber defence because of an inability to easily
keep up to date with specific blogs and Twitter sources,” according to
one document.
GCHQ created a program called LOVELY HORSE to monitor and index
public discussion by hackers on Twitter and other social media. The
Twitter accounts designated for collection in the 2012 document:
These accounts represent a cross section of the hacker community and
security scene. In addition to monitoring multiple accounts affiliated
with Anonymous, GCHQ monitored the tweets of Kevin Mitnick,
who was sent to prison in 1999 for various computer- and fraud-related
offenses. The U.S. Government once characterized Mitnick as one of the
world’s most villainous hackers, but he has since turned security
consultant and exploit broker.
Among others, GCHQ monitored the tweets of reverse engineer and Google employee Thomas Dullien. Fellow Googler Tavis Ormandy,
from Google’s vulnerability research team Project Zero, is featured on
the list, along with other well known offensive security researchers,
including Metasploit’s HD Moore and James Lee (aka Egypt), together with Dino Dai Zovi and Alexander Sotirov,
who at the time both worked for the New York-based offensive
security company Trail of Bits (Dai Zovi has since taken up a position
at the payment company Square). The list also includes notable
anti-forensics and operational security expert “The Grugq.”
GCHQ monitored the tweets of former NSA agents Dave Aitel and Charlie Miller, and former Air Force intelligence officer Richard Bejtlich, as well as French exploit vendor VUPEN (which sold a one-year subscription for its binary analysis and exploits service to the NSA in 2012).
The GCHQ document states that they “currently have a list of around
60 blog and Twitter sources” that were identified by analysts for
collection. A prototype of the LOVELY HORSE program ensured that
“Twitter and (and subject to legal/security approval) blog content [was]
manually scraped and uploaded to GCDesk.” A later version would upload
content in real time.
Several of the accounts to be mined for expertise are associated with the hacktivist collective Anonymous. Documents previously published by The Intercept reveal extensive, and sometimes extreme, tactics employed
by GCHQ to infiltrate, discredit and disrupt that group. The agency
employed some of the same hacker methods against Anonymous (e.g., mass
denial of service) as governments have prosecuted Anonymous for using.
A separate GCHQ document details the open-source sites monitored and
collected by the agency, including blogs, websites, chat venues and
Twitter. It describes Twitter monitoring undertaken for “real-time
alerting to new security issues reported by known security
professionals, or planned activity by hacking groups, e.g. Anonymous.”
The agency planned to expand its monitoring and aggregation program to a
wide range of web locations, including IRC chat rooms and Pastebin,
where “an increasing number of tip-offs are coming from . . . as this is
where many hackers anonymously advertise and promote their exploits, by
publishing stolen information.”
One classified document casts serious doubt on warnings about the threat posed by Anonymous (in early 2012 then-NSA chief Keith Alexander reportedly warned that Anonymous could shut down parts of the power grid).
That document, containing “talking points” prepared by Jessica
Vielhuber of the National Intelligence Council in September 2011 for a
NATO meeting on cyber-threats, describes the threat from Anonymous as
relatively small. “Although ‘hacktivist’ groups such as Anonymous have
made headlines recently with their theft of NATO information, the threat
posed by such activity is minimal relative to that of nation-states,”
she wrote.
In response to The Intercept’s questions, an agency
spokesperson said that “NSA will not comment on the Intercept’s
speculation,” and noted that NSA “defends the nation and our allies from
foreign threats while going to great lengths to safeguard privacy and
civil liberties.” The spokesperson added that “over the last year, at
the president’s direction, the U.S. intelligence community engaged in an
unprecedented effort to examine and strengthen the privacy and civil
liberty protections afforded to all people, regardless of nationality.”
GCHQ declined to answer questions for this article, or to comment on
the programs involved, but instead provided a boilerplate statement,
which says the agency’s work is legal and subject to government
oversight. “It is longstanding policy that we do not comment
on intelligence matters,” the agency notes.