The United States intelligence community and its counterparts in law enforcement are quite secretive about their surveillance methods and the targets of those operations. Few people are privy to information about ongoing surveillance, but now it turns out that the Chinese government may have a better handle on who some of those targets are than the average U.S. citizen or politician does.
When Google admitted publicly a couple of years ago that its infrastructure had been penetrated by attackers from China, the company said that the attackers looked to be going after the accounts of some Chinese activists. Google officials said they saw indications that the attack team was specifically targeting anti-government Chinese activists and journalists. However, the attackers also apparently were trying to access the database at Google that shows which of the company’s users are targets of lawful intercept operations.
In other words, the attackers wanted to know which of the intelligence agents they had inside the U.S. were under surveillance by the government. If the attackers were able to access that information, as has been reported, it’s a massive loss, well beyond what was originally thought to have been taken during the attack, which included Google source code. The warrants authorizing that kind of surveillance are issued by the Foreign Intelligence Surveillance Court and are typically secret.
“This was a major loss. Those records aren’t limited to the Chinese, it’s everybody,” said Anup Ghosh, CEO of Invincea. “Everybody that they’re able to get a warrant for under FISA is considered a national security risk. From a counterintelligence operations point of view, trying to find out whether your agents are burned is a great offensive strategy.”
One of the unanswered questions in this operation is whether the surveillance warrant database was the actual target of the attack team or whether they just happened upon it while on Google’s network. It’s unlikely that question will be answered anytime soon, Ghosh said, but the incident reveals another major issue: the storage of sensitive national security data on private networks.
“I don’t know whether it was a targeted operation for counterintelligence purposes and the IP theft was a red herring, or whether they incidentally came upon the database,” he said. “What we do know is that really important national assets are stored on private networks. This was a spear-phishing attack. Once you get that beachhead, you start moving around the network and you’re looking for assets. Now they have incredible intelligence. This was an unknown element of the attack.
“It goes to the point that so much of our national security apparatus lives on private networks. We all think of the military as living at the Pentagon, but a lot of the intellectual property lives in the private sector, so the security of these networks is now a matter of national security.”
Attackers gaining access to a sensitive database with information on FISA surveillance targets is simply the most dramatic and troubling example of the coordinated attacks that have been hitting U.S. government and private networks for many years now. There have been many other incidents, both publicly known and otherwise, and security experts say there’s no reason to believe that the attacks are going to stop in the near future.
“The Chinese are not going to stop. Neither are the other groups. This is a treasure trove to be mined by anyone,” Ghosh said. “At what point are we going to say we need to take this threat seriously and we need to innovate our way out of it? We can’t count on every user to make the right decision on every email. At what point are we going to say, gosh, I didn’t realize I was depending on a single user for national security? We’ve punted security to the users. At some point we need to stop kidding ourselves.”