December 23, 2015

Leaked documents that were not attributed to Snowden

(UPDATED: August 28, 2022)

Since June 2013, numerous top secret documents from the American signals intelligence agency NSA and its British counterpart GCHQ have been disclosed. The overwhelming majority of them came from the former NSA contractor Edward Snowden.

But what many people probably didn't notice, is that some of these documents (some being very compromising and embarrassing for NSA) were not provided by Snowden, but by other leakers.

Often, the press reports didn't mention that very clear, and it was only by not attributing such documents to Snowden, that it became clear they apparently came from someone else.



NSA report about an intercepted conversation of French president Hollande.
From an unknown source, published by Wikileaks in 2015
(click to enlarge)


So far, the following classified documents have been disclosed without having been attributed to Snowden:

2013:

- Chancellor Merkel tasking record
- TAO's ANT product catalog

2014:

- XKEYSCORE rules: TOR and TAILS
- NCTC watchlisting guidance
- NCTC terrorist watchlist report

2015:

- XKEYSCORE rules: New Zealand
- Ramstein AFB supporting drone operations
- NSA tasking & reporting: France
- NSA tasking & reporting: Germany
- NSA tasking & reporting: Brazil
- NSA tasking & reporting: Japan
- Chinese cyber espionage against the US
- XKEYSCORE agreement between NSA, BND and BfV
- The Drone Papers
- Cellphone surveillance catalogue

2016:

- US military documents: Iraq and Afghanistan
- NSA tasking & reporting: EU, Italy, UN
- TAO hacking tools (The Shadow Brokers)
- FBI & CBP border intelligence gathering
- TAO IP addresses and domain names

2017:

- TAO Windows files
- CIA information needs about France
- CIA hacking tools (Vault 7)
- TAO Solaris exploits
- TAO Windows exploits + SWIFT files
- CIA specific hacking projects (Vault 7)
- NSA report about Russian hacking
- TAO UNITEDRAKE Manual
- CIA source code (Vault 8)

Analysis:

- Some thoughts on the form of the documents
- Some thoughts on the motives behind the leaks
- Conclusion


Document collections

The most user-friendly collection of all the leaked documents can be found on the website IC Off The Record (which started as a parody on IC On The Record, the official US government website on which declassified documents are published).

Other websites that collect leaked documents related to the Five Eyes agencies, so from Snowden as well as from other sources, are FVEY Docs and Cryptome. The Snowden-documents are also available and searchable through the Snowden Surveillance Archive.


Domestic US leaks

Here, only leaks related to foreign signals intelligence and related military topics will be listed. Not included are therefore documents about American domestic operations, like for example:
- Several revelations about the DEA
- The FBI's Domestic Investigations and Operations Guide (DIOG) and related documents (Update: in March 2018, Minneapolis FBI agent Terry James Albury was charged with leaking these documents to The Intercept)


Original documents

Also not included are stories based upon leaks of information without original documents being published, like for example about NSA's interception efforts against Israel or the intercepted communications of the Russian oligarch Yevgeniy Prigozhin.



          - Documents not attributed to Snowden -         


Chancellor Merkel tasking record

On October 23, 2013, the German magazine Der Spiegel revealed that the NSA may have eavesdropped on the cell phone of chancellor Merkel. This was based upon "the excerpt from an NSA database about Merkel's cell phone", which the magazine received.* A journalist from Der Spiegel made a transcription of the database record, and later on, a copy of this transcription was printed in some German newspapers.
Glenn Greenwald confirmed that this information didn't came from the Snowden archive, and also Bruce Schneier was convinced that this came from a second source.

Reports:
- Kanzler-Handy im US-Visier? Merkel beschwert sich bei Obama
- NSA-Überwachung: Merkels Handy steht seit 2002 auf US-Abhörliste

Document:
- Transcript of an NSA database record

Date of the document: ?






TAO's ANT product catalog

On December 29, 2013, the German magazine Der Spiegel published a 50-page catalog from the ANT-unit of NSA's hacking division TAO. It contains a wide range of sophisticated hacking and eavesdropping techniques. The next day, Jacob Appelbaum discussed them during his presentation at the CCC in Berlin.
According to Bruce Schneier this catalog came from the second source, who also leaked the Merkel tasking record and the XKEYSCORE rules.

Report:
- Shopping for Spy Gear: Catalog Advertises NSA Toolbox

Document:
- ANT Product Catalog (SECRET/COMINT)

Date of the document: 2008?




XKEYSCORE rules: TOR and TAILS

On July 3, 2014, the German regional television magazine Reporter disclosed the transcripts of a set of rules used by the NSA's XKEYSCORE system to automatically execute frequently used search terms, including correlating different identities of a certain target.
According to Bruce Schneier, these rules could be leaked by the second source, which also provided the Merkel tasking record and the TAO catalog.

Report:
- NSA targets the privacy-conscious

Document:
- Transcript of XKeyscore Rules (classification not included)




NCTC watchlisting guidance

On July 23, 2014, the website The Intercept published a manual from the US National CounterTerrorism Center (NCTC) with rules and indications used for putting people in terrorist databases and no-fly lists.
The Intercept says this document was provided by a "source within the intelligence community".

Report:
- The Secret Government Rulebook for Labeling You as a Terrorist

Document:
- March 2013 Watchlisting Guidance (UNCLASSIFIED/FOUO)

Date of the document: March 2013




NCTC terrorist watchlist report

On August 5, 2014, The Intercept published a report from the US National CounterTerrorism Center (NCTC) about terrorist watchlists and databases.
Just like the previous document, this was also obtained from a "source within the intelligence community". Bruce Schneier says this report is from August 2013, which is well after Snowden had fled the US, and therefore he assumes it was leaked by a third source.

Report:
- Watch Commander - Barack Obama’s Secret Terrorist-Tracking System, by the Numbers

Document:
- Directorate of Terrorist Identities (DTI) Strategic Accomplishments 2013 (SECRET/NOFORN)

Date of the document: August 2013




XKEYSCORE rules: New Zealand

On March 14 and March 22, 2015, The New Zealand Herald published transcripts of two sets of XKEYSCORE fingerprints that define targets of the New Zealand signals intelligence agency GCSB. They were not attributed to Snowden, although in the weeks before, New Zealand media published several other documents that did come from the Snowden cache.

Reports:
- Revealed: The names NZ targeted using NSA's XKeyscore system
- How spy agency homed in on Groser's rivals

Documents:
- Fingerprint about the WTO (TOP SECRET/COMINT)
- Fingerprint about the Solomon Islands (TOP SECRET/COMINT)

Date of the documents: January 6 & May 6, 2013






Ramstein AFB supporting drone operations

On April 17, 2015, The Intercept and Der Spiegel published a series of slides showing the infrastructure which is used for operating drones, for which the US base in Ramstein, Germany, acts as a relay station.
In the Citizen Four we see Glenn Greenwald visiting Snowden in Moscow, telling him there's a new source which revealed the role of Ramstein AFB in the drone program.

Reports:
- Germany is the Tell-Tale Heart of America's Drone War
- Bündnisse: Der Krieg via Ramstein

Document:
- Architecture of U.S. Drone Operations (TOP SECRET/REL)

Date of the document: July 2012




NSA tasking & reporting: France

On June 23, 2015, Wikileaks, in collaboration with the French paper Libération, the German newspaper Süddeutsche Zeitung and the Italian paper l'Espresso, published the transcript of entries from an NSA tasking database, as well as intelligence reports about high-level French targets.

Reports:
- Espionnage Élysée
- Nsa, intercettati i presidenti francesi Francois Hollande e Nicolas Sarkozy

Documents:
- Top French NSA Targets (no classification available)
- Top French NSA Intercepts (up to TOP SECRET/COMINT-GAMMA)
- Economic Spy Order (SECRET/REL)

Timeframe of the documents: 2004 - July 31, 2012






NSA tasking & reporting: Germany

On July 1, 2015, Wikileaks, in collaboration with Libération and Mediapart, Süddeutsche Zeitung and l'Espresso, published the transcript of entries from an NSA tasking database, as well as intelligence reports about high-level German targets.

Reports:
- NSA Helped CIA Outmanoeuvre Europe on Torture
- I dubbi di Angela Merkel sulla Grecia spiati dalla Nsa americana

Documents:
- Top German NSA Targets (no classification available)
- Top German NSA Intercepts (up to TOP SECRET/COMINT-GAMMA)

Timeframe of the documents: 2005 - August 2011




NSA tasking & reporting: Brazil

On July 4, 2015, Wikileaks published the transcript of entries from an NSA tasking database about high-level Brazilian targets. Unlike similar disclosures about France, Germany and Japan, no intelligence reports about Brazil were disclosed.

Report:
- Bugging Brazil

Document:
- Top Brazilian NSA Targets (no classification available)




NSA tasking & reporting: Japan

On July 31, 2015, Wikileaks, in collaboration with Süddeutsche Zeitung, l'Espresso, The Saturday Paper from Australia and the Japanese newspaper Asahi Shimbun, published the transcript of entries from an NSA tasking database, as well as intelligence reports about high-level Japanese targets.

Reports:
- Target Tokyo
- Wikileaks: 'Nsa spiava il governo giapponese. Sotto controllo anche Mitsubishi'

Documents:
- Top Japanese NSA Targets (no classification available)
- Top Japanese NSA Intercepts (TOP SECRET/COMINT)

Timeframe of the documents: 2007 - 2009




Chinese cyber espionage against the US

On July 30 and August 10, 2015, NBC News published two slides about Chinese cyber espionage against over 600 US companies and government agencies, including access to the e-mail of top government officials since at least 2010.
This leak stands out because the slides are in form, and they support a story that shows the neccessity of NSA - which seems to point to an authorized leak.

Reports:
- Exclusive: Secret NSA Map Shows China Cyber Attacks on U.S. Targets
- China Read Emails of Top U.S. Officials

Documents:
- China: Cyber Exploitation and Attack Units (SECRET)
- U.S. Victims of Chinese Cyber Espionage (SECRET)

Date of the document: February 2014




XKEYSCORE agreement between NSA, BND and BfV

On August 26, 2015, the German newspaper Die Zeit published the transcript of the Terms of Reference (ToR) about the use of NSA's XKEYSCORE system by the German security service BfV.
Being a transcript and being about XKEYSCORE, this could be from the same source as the XKEYSCORE rules, but it's also possible it came from a source within a German government agency.

Report:
- A Dubious Deal with the NSA

Document:
- XKeyscore - the document (SECRET/COMINT)

Date of the document: April 2013




The Drone Papers

On October 15, 2015, The Intercept published a series of documents with details about drone operations by the US military between 2011 and 2013.
In the Citizen Four we see Glenn Greenwald visiting Snowden in Moscow, telling him there's a new source which revealed the role of Ramstein AFB in the drone program, including the chain of command diagram which is part of this batch of documents.

Reports:
- The Assassination Complex
- The Kill Chain

Documents:
- Small Footprint Operations 2/13 (SECRET/NOFORN)
- Small Footprint Operations 5/13 (SECRET/NOFORN)
- Operation Haymaker (SECRET/NOFORN)
- Geolocation Watchlist (TOP SECRET/COMINT)

Timeframe of the documents: 2011 - May 2013






Cellphone surveillance catalogue

On December 17, 2015, The Intercept published a range of pages from a classified catalogue containing cellphone surveillance equipment, including IMSI-catchers like Stingrays and DRT boxes.
Just like the NCTC reports, The Intercept obtained this document from a "source within the intelligence community".

Report:
- Stingrays - A Secret Catalogue of Government Gear for Spying on Your Cellphone

Document:
- Government Cellphone Surveillance Catalogue (SECRET/NOFORN)

Date of the document: after 2012






US military documents: Iraq and Afghanistan

On February 14, 2016, the website Cryptome published a batch of word and some pdf-documents containing various US military manuals and policy papers regarding operations and activities in Iraq and Afghanistan.

Documents:
- Document Dump 16-0214, Batch 0001 (classified up to SECRET)

Timeframe of the documents:




NSA tasking & reporting: EU, Italy, UN

On February 23, 2016, Wikileaks published the transcript of entries from an NSA tasking database, as well as intelligence reports about high-level targets from the European Union, Italy and the United Nations, including German chancellor Merkel and Israeli prime minister Netanyahu.

Reports:
- NSA Targets World Leaders for US Geopolitical Interests
- WikiLeaks reveals the NSA spied on Berlusconi and his closest advisors

Documents:
- EU Targets - EU Intercepts (TOP SECRET/COMINT)
- Italy Targets - Italy Intercepts (TOP SECRET/COMINT)
- UN Targets - UN Intercepts (up to TOP SECRET/COMINT-GAMMA)

Timeframe of the documents: 2006 - 2011




TAO hacking tools (The Shadow Brokers)

On August 15, 2016, someone or a group called The Shadow Brokers published a large set of computer code attributed to the Equation Group, which is considered part of the NSA's TAO division. Many of these hacking tools affected hardware firewalls, from companies such as Cisco and Juniper.

Report:
- Everything you need to know about the NSA hack (but were afraid to Google)

Documents:
- NSA malware files (.zip-file via Cryptome)

Timeframe of the documents: until October 18, 2013






FBI & CBP border intelligence gathering

On October 6, 2016, the website The Intercept published a set of documents and copies of presentation slides about how the FBI cooperates with US Customs and Border Protection (CBP) to gather intelligence from border controls.
These documents were provided by an "intelligence community source familiar with the process who is concerned about the FBI’s treatment of Muslim communities".

Report:
- The FBI’S Secret Methods for Recruiting Informants at the Border

Documents:
- 14 documents, including presentation slides (Unclassified, SECRET and SECRET/NOFORN)

Timeframe of the documents: 2002 - December 2012




TAO IP addresses and domain names

On October 31, 2016, the Shadow Brokers published new files containing some more hacking tools and a list of 352 IP addresses and 306 domain names the Equation Group, considered part of NSA's TAO division, may have used for their operations.

Report:
- NSA Hackers The Shadow Brokers Dump More Files

Documents:
- Trick or Treat (.zip-file via Mega.nz)

Timeframe of the documents:




TAO Windows files

On January 12, 2017, the Shadow Brokers published a final message accompanied by 61 Windows-formatted binary files, including executables, dynamic link libraries, and device drivers, which are also considered to have been tools from the NSA's TAO hacking division.

Report:
- NSA-leaking Shadow Brokers lob Molotov cocktail before exiting world stage

Documents:
-

Timeframe of the documents:




(Added on December 9, 2019:)

CIA information needs about France

On February 16, 2017, Wikileaks published what it called "espionage orders" for all major French political parties in the wake of the French presidential election of 2012. As noted on the weblog emptywheel, this document may be leaked by former CIA employee Joshua Schulte, who is also held responsible for the Vault7-leaks.

Report:
- CIA espionage orders for the 2012 French presidential election

Document:
- CIA espionage orders (SECRET/NOFORN)

Date of the document: November 17, 2011




CIA hacking tools (Vault 7)

On March 7, 2017, Wikileaks published 8761 documents and files, including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation, used to penetrate smartphones, smart televisions and computer systems. These files allegedly came from an high-security network inside the CIA's Center for Cyber Intelligence (CCI).

Report:
- Vault 7: CIA Hacking Tools Revealed

Documents:
- Vault 7: Directory (up to SECRET/NOFORN)

Timeframe of the documents: 2013 - 2016




TAO Solaris exploits

On April 8, 2017, the Shadow Brokers were back and released the password for an encrypted data set released when they announced their file auction. The data set includes a range of exploits, including for the Unix operating system Solaris.

Report:
- They're Back: The Shadow Brokers Release More Alleged Exploits

Documents:
- EQGRP Auction File

Timeframe of the documents: 2004 - ?




TAO Windows exploits + SWIFT files

On April 14, 2017, the Shadow Brokers published an archive containing a series of Windows exploits and documents about NSA's infiltration of the banking network SWIFT, for the first time including several Top Secret NSA powerpoint presentations, similar to those leaked by Snowden.

Reports:
- Shadow Brokers Dump Alleged Windows Exploits and NSA Presentations on Targeting Banks
- The New Shadow Brokers Leak Connects the NSA to the Stuxnet Cyber Weapon Used on Iran

Documents:
- EQGRP Lost in Translation (up to TOP SECRET/SI/NOFORN)

Timeframe of the documents: until October 17, 2013




CIA specific hacking projects (Vault 7)

Since March 23, 2017, Wikileaks publishes internal user guides and similar files and documents related to individual CIA hacking tools every week. Until September 7, 2017 these include: Dark Matter, Marble Framework, Grasshopper, Hive, Weeping Angle, Scribbles, Archimedes, AfterMidnight, Assassin, Athena, Pandemic, Cherry Blossom, Brutal Kangaroo, Elsa, OutlawCountry, BothanSpy, Highrise, Imperial, Dumbo, CouchPotato, ExpressLane, Angelfire, and Protego.

Report:
- Vault 7: Releases per project

Documents:
- Vault 7: Projects (up to SECRET/NOFORN/STRAP 2)

Timeframe of the documents: November 19, 2004 - March 1, 2016




NSA report about Russian hacking

On June 5, 2017, The Intercept published an NSA report about a months-long Russian cyber operation against parts of the US election and voting infrastructure.
Only an hour af this publication, the US government announced that they will charge Reality Leigh Winner, who worked as a contractor linguist for NSA, for leaking this report.

Report:
- Top-Secret NSA report details Russian hacking effort days before 2016 election

Document:
- NSA Report on Russia Spearphishing (TOP SECRET//SI//ORCON/REL/FISA)

Date of the document: May 5, 2017




TAO UNITEDRAKE Manual

On September 6, 2017, the Shadow Brokers came with a message on Steemit.com about their "subscription service" for alleged TAO hacking tools. As an example, the manual for the UNITEDRAKE "remote collection system for Windows targets" was released in full.

Report:
- The Shadowbrokers - September 2017 announcement reveals UNITEDRAKE (and many other NSA code names)

Document:
- UNITEDRAKE Manual (pdf)

Date of the document: ?




CIA source code (Vault 8)

Since November 9, 2017, Wikileaks publishes the source code and development logs for CIA hacking tools, including those described in the Vault 7 series. These include: Hive

Report:
- Vault 8

Documents:
- Vault 8 (up to SECRET/NOFORN)

Timeframe of the documents: August 2013 - October 2015





It is difficult to tell exactly from how many different leakers these documents come. The journalists involved will of course do everything to hide their source's identity, including creating distraction and confusion, but also creating the impression that many other leakers followed the example of Edward Snowden.



Some thoughts on the form of the documents

Content-wise the documents from the alleged other sources are not very different from the ones from Snowden. But what seems to distinguish them most, is their form, which is either digital, a transcript or scanned from paper.


Digital

Almost all documents that were attributed to Snowden came in their original digital form (with some very few exceptions that were scanned from paper). This makes it remarkable that only two documents from the other sources are in a similar digital form.

The first one is the famous TAO Product Catalog with hacking and eavesdropping techniques, which also given its content comes closest to the Snowden documents. Despite that, this catalog was never attributed to him.

The other leak in digital form are the two slides about Chinese cyber espionage, but these probably come from a source in support of the US government.


Transcripts

A number of other leaks didn't provide documents in their original form, but only transcripts thereof. This is the case for the following revelations:
- Chancellor Merkel tasking record
- XKEYSCORE rules: TOR and TAILS
- XKEYSCORE rules: New Zealand
- XKEYSCORE agreement between NSA, BND and BfV
The lists from an NSA tasking database with targets for France, Germany, Brazil and Japan are also transcripts, but for the intelligence reports, which Wikileaks published simultaneously, we have at least one example that is in its original format. All other ones came as transcripts.


Scanned from paper

All other documents that didn't came from Snowden look like they were printed out (some were even recognized as being double-sided) and scanned again. This is the case for:
- NCTC watchlisting guidance
- NCTC terrorist watchlist report
- Ramstein AFB supporting drone operations
- The Drone Papers
- Cellphone surveillance catalogue
- FBI & CBP border intelligence gathering
This doesn't automatically mean they are all from the same source, as two of them are from the civilian NCTC and the other three are clearly from a military context.

We don't know when or where these documents were printed out: maybe it was done by the leaker, for whom it could have been easier to exfiltrate them as hard copy, than on a detectable thumb drive.

It's also possible that they were printed out by the press contact in order to make them look different from the Snowden documents. But on the other hand, publishing them in digital form would have made it more difficult to prove they were not from the Snowden cache.



Some thoughts on the motives behind the leaks

We can also take a look at the motives that could have been behind these leaks. Interestingly, these seem to correspond quite well with the different forms the documents have.


A second source

The disclosures of the transcriptions of the XKEYSCORE rules and the tasking database lists are quite far from being in the public interest. They are about legitimate targets of foreign intelligence and publishing them seems solely meant to discredit the NSA and/or damage US foreign relationships.

The same applies to the TAO Product Catalog, which contains devices and methods that are only used against "hard targets" that cannot be reached by other means, so this is not about spying on ordinary citizens, but does compromise valid US intelligence operations.

At first sight, one would assume that these documents were from the Snowden cache, but published by people like Appelbaum and an organization like Wikileaks, who have a more radical approach than Snowden himself, and maybe therefore could have pretended they came from another source.

However, both Greenwald and security expert Bruce Schneier said these documents were really provided by another leaker. Because a number of them were published by German media, Schneier guesses it might be "either an NSA employee or contractor working in Germany, or someone from German intelligence who has access to NSA documents".

If that's the case, then it's not only remarkable that there's a second source from within or close to NSA, but also that this source is apparently fine with leaking documents that show no abuses, but only seriously harm US interests - which is either treason, or the work of a hostile intelligence agency. Snowden at least acted from his concern about increasing mass surveillance on innocent civilians.

Update:
So far, the last publication that can be attributed to the Second Source were the NSA tasking & reporting files in February 2016. Then in August of that year, someone or a group who called themselves The Shadow Brokers, started a series of leaks, mainly of TAO hacking tools. They are published without an intermediary like media outlets or Wikileaks (although already in August 2016, Wikileaks claimed to have its own copy of the Shadow Brokers files, but never released them).
The Shadow Brokers leaks undermine NSA operations in a similar way as those of the Second Source, so it's very well possible that the same person is behind both series of leaks. Also interesting is that the latest timestamp found in the Shadow Brokers files is October 18, 2013, which is around the same time the first leak from the Second Source came out.


A third source

The documents that are scanned from paper are a somewhat different story. These are about issues that concern a wider range of people. For some of them, The Intercept even gives the reason why the source leaked them: for the cellphone surveillance catalogue it was because of a concern about militarization of domestic law enforcement.

For the drone papers, the source is cited saying: "This outrageous explosion of watchlisting [...] assigning them death sentences without notice, on a worldwide battlefield". Given that he mentions watchlists, it seems very well possible that this source actually also leaked the two NCTC reports about terrorist databases and watchlists.

Combining this with the fact that both the NCTC reports and the cellphone surveillance catalog were from a source "within the intelligence community" seems to confirm that all the documents that came as scanned from paper are from the same leaker - maybe someone from a military intelligence agency like the DIA.

Also from an "intelligence community source" are several FBI & CBP documents about intelligence gathering at US border controls - something that is also closely related to watchlisting.


Conclusion

Given these thoughts on the form of the leaked documents and the possible motives behind these leaks, it seems that they can be attributed to at least three other sources, beside Snowden: (updated December 9, 2019)

Source nr. 1 (Edward J. Snowden)
- Thousands of documents about NSA and the 5 Eyes
Source nr. 2 (NSA insider and/or hostile intelligence?)
- Chancellor Merkel tasking record
- TAO's ANT product catalog
- XKEYSCORE rules: TOR and TAILS
- XKEYSCORE rules: New Zealand
- NSA tasking & reporting: France, Germany, Brazil, Japan
- XKEYSCORE agreement between NSA, BND and BfV
- NSA tasking & reporting: EU, Italy, UN
Source nr. 3 (Daniel E. Hale)
- NCTC watchlisting guidance
- NCTC terrorist watchlist report
- Ramstein AFB supporting drone operations
- The Drone Papers
- Cellphone surveillance catalogue
- Clapper's classified blog posting
Source nr. 3a (someone from FBI or CBP?)
- FBI & CBP border intelligence gathering
Source nr. 4 (on behalf of the US government?)
- Chinese cyber espionage
Source nr. 5 (low-level military person)
- US military documents: Iraq and Afghanistan
Source nr. 6 ("The Shadow Brokers")
- TAO hacking tools
- TAO IP addresses and domain names
- TAO Windows files
- TAO Solaris exploits
- TAO Windows exploits + SWIFT files
- TAO UNITEDRAKE Manual
Source nr. 7 (Joshua A. Schulte)
- CIA information needs about France?
- CIA hacking tools (Vault 7)
- CIA specific hacking projects (Vault 7)
- CIA source code (Vault 8)
Source nr. 8 (Reality L. Winner)
- NSA report about Russian hacking

UPDATES:

On October 6, 2016, The New York Times reported that on August 27, 2016, the FBI arrested 51-year old Harold T. Martin III, who worked at NSA as a contractor for Booz Allen Hamilton. He was described as a hoarder and on February 8, 2017 he was only indicted on charges of stealing and retaining the largest heist of classified information in US history: from the 1990s until 2016, he took documents from US Cyber Command, CIA, National Reconnaissance Office (NRO) and NSA. Martin was not accused of passing information to foreigners, nor of being the source for the Shadow Brokers publications.


On November 19, 2016, it was reported by the Washington Post that there had been yet another, previously undisclosed breach of cybertools, which was discovered in the summer of 2015. This was also carried out by a TAO employee, who had also been arrested, but his case was not made public. An official said that it is not believed that this individual shared the material with another country.

In October 2017, the Wall Street Journal and the Washington Post revealed that this anonymous TAO employee had taken hacking tools home to work on it on his private laptop, which ran Kaspersky antivirus software. This program detected the hacking files after which Russian hackers targeted his laptop. The TAO employee was removed from his job in 2015, but was not thought to have taken the files to provide them to a foreign spy agency.

From the court documents, we learn that this TAO employee is 67-year old Nghia H. Pho from Ellicott City, Maryland, who was born in Vietnam and naturalized as a US citizen. From 2006 to 2016, he worked as a software developer at NSA's TAO division, and from 2010 till March 2015, he took classified documents home, both digital and hard copy.

On April 20, 2017, CBS News reported that CIA and FBI started a joint investigation into the leak of the CIA hacking tools that were published by Wikileaks under the name "Vault 7". Investigators are apparently looking for an insider, either a CIA employee or contractor, who had physical access to the material.

An updated overview of the Shadow Brokers story was published by the New York Times on November 12, 2017, saying that investigators were worried that one or more leakers may still be inside NSA and also that the small number of specialists who have worked both at TAO and at the CIA came in for particular attention, out of concern that a single leaker might be responsible for both the Shadow Brokers and the files published by Wikileaks as part of their Vault7 and Vault8 series (although the CIA files are more recent).

In May 2018 it was reported that in March 2017, two months after Wikileaks started publishing its Vault7 series, the FBI arrested Joshua Adam Schulte. From May 2010 until November 2016 he worked at the Directorate of Science & Technology (DS&T) of the CIA's National Clandestine Service (NCS), developing Windows and Linux tools to support clandestine operations. On June 18, 2018, Schulte was charged for stealing the hacking files and providing them to Wikileaks.

On May 9, 2019, the FBI arrested former intelligence analyst Daniel E. Hale, who was identified as the source of the The Drone Papers, which were published by The Intercept in October 2015.



So, besides the various sources who stole classified material that was leaked to the public, there are at least the following leaks from which (so far, and as far as we know) no documents have been published:


Leak nr. 9 (Harold T. Martin III)
- Classified documents from multiple agencies
Leak nr. 10 (via Kaspersky AV from Nghia H. Pho's computer)
- TAO documents and hacking tools

In December 2021, former Principal Deputy Director of National Intelligence Sue Gordon and former DOD Chief of Staff Eric Rosenbach asserted that the files leaked in 2016 and 2017 by Shadow Brokers came from Nghia Pho and Harold Martin, who brought CIA hacking files home from work. There, the Russians may have found them, for example via the Kaspersky Anti-Virus software which Pho had on his inadequately protected computer.



Links and Sources

- Emptywheel: 31 flavors of stolen classified documents (2023)
- NewYorker.com: The Surreal Case of a C.I.A. Hacker’s Revenge (2022)
- Internal report of the CIA's Wikileaks Task Force (2020)
- Politico: Exclusive: How a Russian firm helped catch an alleged NSA data thief (2019)
- The New York Times: Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core (2017)
- Wired.com: The NSA Officially has a Rogue Contractor Problem (2017)
- Schneier.com: Who is Publishing NSA and CIA Secrets, and Why? (2017)
- ForeignPolicy.com: Trove of Stolen NSA Data Is ‘Devastating’ Loss for Intelligence Community (2017)
- LawfareBlog.com: Weaponized Wikileaks: Nick Reads Wikileaks So You Don't Have To (2015)
- Schneier.com: The US Intelligence Community has a Third Leaker (2014)

More comments on Hacker News

December 6, 2015

How NSA targeted the Venezuelan oil company PdVSA


There aren't many new revelations from the Snowden-documents anymore, but recently an NSA document was published telling how the agency prepared the interception of communications from the Venezuelan oil company Petróleos de Venezuela, S.A. (PdVSA).

It's not a very spectacular disclosure, but it gives a nice insight in what an NSA analyst actually does. The story was published on November 18 by the website The Intercept and the Latin-American broadcaster teleSUR.

Most people will have read The Intercept's report, but that misses one of the most interesting details of the story. Here, the disclosed NSA document will be discussed in full, with details explained based upon information from earlier disclosures.



Building of PdVSA in Maracaibo with on its facade Fidel Castro's motto
"Patria, Socialismo o Muerte" (Fatherland, Socialism or Death)
(Photo: Reportero24)


The document that was published is an excerpt from SIDtoday, the internal newsletter of the NSA's Signals Intelligence Division from March 23, 2011 (which was apparently accessed (by Snowden?) on Saturday, November 10, 2012). It contains a story that is told by a Signals Intelligence Development (SIGDEV) analyst from the NSA's Transnational & Strategic Partnerships SIGDEV branch.

A SIGDEV analyst is someone who looks for new targets or new means to access communications of existing targets. His unit S2C13 is part of the International Security Issues (ISI) Product Line, which is responsible for analysis and production of intelligence about countries in Europe, South-America and elsewhere.


Intelligence requirements

As the analyst recalls, a year-end review had shown that there was no progress on the "Venezuelan Energy target set" as most reporting came from warranted collection. That could refer to PRISM and Upstream collection under section 702 FAA, but that only requires annual certifications approved by the FISA Court. Strictly spoken, individual warrants are only needed for "traditional FISA" collection, like for example for eavesdropping on the Venezuelan embassy in Washington.

The analyst decided to do a "target reboot", which he describes as "taking a fresh look at opportunities for collection". He first looked at specific Information Needs (INs) and used SURREY, which is the main NSA requirements database.

These requirements are the outcome of an administrative process, that starts with the US president setting the highest priorities for foreign intelligence collection. These priorities are then translated into the National Intelligence Priorities Framework (NIPF) for the US Intelligence Community as a whole.


Strategic Mission List

For Signals Intelligence (SIGINT), it's the National Signals Intelligence Committee (SIGCOM) that collects the requests for information from the various intelligence "consumers", checks whether they are consistent with the NIPF and assignes them a priority. An overview of the SIGINT priorities can be found in the 2007 Strategic Mission List, which was published in November 2013.

This document lists Venezuela as one of six countries that are treated as "enduring targets". According to this document, NSA should "Provide U.S. decision makers with a holistic SIGINT perspective of regional trends and developments" and also "Provide indicators of regime stability, particularly in the energy sector":



Section about Venezuela in the 2007 Strategic Mission List
(Click to enlarge)


Economic or commercial espionage?

The Intercept makes a point out of NSA targeting a petroleum company "for economic espionage" - earlier disclosures had already brought up the names of the Brazilian company Petrobras and Gazprom from Russia. Why that should be a problem isn't explained however: all three companies are government-controlled and oil is an issue of strategic interest for almost any country.

The website also cites US Director of National Intelligence James Clapper, who explained the difference between gathering intelligence on economic issues for government policy makers (which the US admits doing), and stealing trade secrets of foreign companies to help individual American corporations (which the US strongly denies doing). And in this case, there's (again) no evidence for the latter.


Collaboration

The story of the analyst then continues with that he met with the Target Office of Primary Interest (TOPI) responsible for Venezuelan targets, in order to "re-assure myself that we were both on the same page in regards to our goals". A TOPI consists of analysts who analyse the communications that come in as a result of the collection process and who prepare the intelligence reports.

These first steps show that NSA analysts work within a bureaucratic framework that requires collaboration with colleagues and superiors who make sure their activities are in accordance with the goals set by the government - as a rule, they're not free to target anyone at will, which is the impression people can get when listening to Edward Snowden.


Get started

The TOPI analyst wanted information from the highest level of PdVSA, i.e. from the president and members of the Board of Directors, as much of it as possible in the form of internet communications, which, unlike phone calls, don't have to be transcribed. Also there was no time for "extensive target development".

Then the SIGDEV analyst started his work. He first visited the PdVSA website on the internet for the names of the Board of Directors. He put them into a new document in Analyst's Notebook, which is an analysis tool widely used by intelligence and law enforcement agencies all over the world.



Demonstration of a "Pattern-of-Life Analysis" using Analyst's Notebook


Sigint already-collected

The next step was looking at what had already been collected about his targets. For this he first accessed the PINWALE database, which is NSA's main repository for all kinds internet content that was collected by using specific selectors (i.e. no bulk content collection).

A few queries, using the names he had found on the website, returned not much of interest: a lot of e-mails in which these persons were "cc-ed", but hardly anything to or from them personally. This also provided some e-mail addresses, but the analyst already knew these.

He entered the mail addresses into CADENCE, which is NSA's tasking tool for internet communications, and also into the Unified Targeting Tool (UTT). This would show whether these e-mail addreses were already tasked, which means whether the actual collection facilities had been instructed to collect the related communications.


Finding new selectors

Apparently collection against PdVSA did take place in the past, as PINWALE kept providing documents containing the target's names. This weren't communications, but some kind of information forms with contact details and organizational information about PdVSA employees.

The analyst says that these forms were similar to what is in NSA's SEARCHLIGHT database, which is the agency's internal personnel information system. As these information forms mention who within PdVSA is somebody's supervisor, they resulted in a whole tree of entries and names:



Internal PdVSA information form which shows president of the board
Rafael Ramirez as supervisor of another board member, Luis Vierma


Lots of them

The new selectors include business and private e-mail addresses and work, home and cell phone numbers. The newly found e-mail addresses could again be entered into CADENCE and the UTT, while the phone numbers could be used to enter them in OCTAVE, which is NSA's tasking tool to initiate the interception of telephone conversations. It's not said whether this happened or not - the TOPI analyst at least didn't prefer phone calls.

The Intercept writes that NSA apparently "collects so much communications data from around the world that it often fails to realize what it has". This however applies to most intelligence and law enforcement agencies that conduct automated eavesdropping: there are often way too many phone calls to listen in to, let alone digital communications to translate, read and analyse.


Internal network

When the SIGDEV analyst was analysing the PdVSA forms (of which there were over 10.000 in the PINWALE database), he discovered that they all came from IP addresses starting with 10.x.x.x and 172.18.x.x, which are from address ranges that are reserved for use within private networks. The analyst now realised these entries came from the internal PdVSA network, and not from communications over the public internet.

One of the most interesting details of this whole story is how NSA had been able to get access to PdVSA's internal network - which isn't told in the report by The Intercept, but only in the one from teleSUR...



Front side of the US embassy in Caracas, Venezuela
(Photo: Yongo @ SkyScraperCity.com)


Special Collection Service

After the analyst discovered that he was looking at information from the internal PdVSA network, he "fired off a few emails to F6 here and in Caracas, and they confirmed it!"

F6 is the NSA's internal designator for the Special Collection Service (SCS) units in which specialists from NSA and CIA cooperate against targets that require "close access". These units operate out of some 80 US embassies all over the world.

This means it was the SCS unit from the US embassy in Caracas that had been able to get access to the internal network of PdVSA. The story doesn't tell how they did this, but probably they found a way to secretly tap a network cable or switch over which the oil company's computer network runs. If this access was still active, it has now has certainly been compromised.


SCS operations

From an earlier revelation we know that the SCS unit in the US embassy in Berlin was responsible for eavesdropping on the (non-secure) mobile phone of German chancellor Merkel. Maybe that was also done by tapping a local telephone network, or by just intercepting the cell phone's airwave signals.

For such wireless interception operations, many US embassies have a rooftop structure that conceals sophisticated antenna and other eavesdropping equipment. Such a structure is also clearly visible on the roof of the US embassy in Caracas:



Back side of the US embassy in Caracas, with the rooftop structure
(Photo: Carlos Garcia Rawlins/Reuters - Click to enlarge)


XKEYSCORE

After finding out the source of those PdVSA forms, the SIGDEV analyst started to coordinate his work with the F6 unit in Caracas. Apparently they fed data from their network access into XKEYSCORE, which is NSA's system to buffer, index and search internet communications, not only from large submarine cables, but also from smaller accesses, like from the SCS units.

This enabled the analyst at NSA headquarters to search through a rolling buffer of several days worth of content, which is especially useful to find files which aren't directly associated with hard selectors like e-mail addresses.

This resulted in "several juicy pdf documents" and one of them was eventually used for preparing a serialized report (number 3/OO/505480-11) dated January 2011 and titled "Venezuela State-Owned Oil Company Information Shows a Decrease in Overall Oil Thefts and Losses" - which doesn't sound like a trade secret that would benefit individual US oil companies, but on the other hand shows that such high-level accesses are also used for rather general intelligence information.


Hacking opportunities

Through XKEYSCORE, the analyst also found over 900 username and password combinations of PdVSA employees, which he handed over to NSA's hacking division, Tailored Access Operations (TAO). With a username and password one doesn't have to "break in" into a network, which makes the access almost impossible to detect.

The analyst also provided TAO with some other data along with a targeting request, especially aimed at getting access to the e-mail boxes of the PdVSA board members.


It is not known whether this was successful, but The Intercept and teleSUR mention that in May 2011, which is two months after the analyst's story in SIDtoday, the US State Department announced sanctions to be imposed on PdVSA because it had delivered at least two cargoes of reformate (used to produce gasoline) to Iran between December 2010 and March 2011, worth approximately $ 50 million.



> See also: An NSA eavesdropping case study about targeting the presidents of Mexico and Brazil.



In Dutch: Meer over het wetsvoorstel voor de Tijdelijke wet cyberoperaties