The latest set of Snowden documents reveal details on perhaps the biggest no-brainer from the National Security Agency’s point of view during these nine months of leaks: the targeting of system administrators.
Classified presentations, documents and notes portray the NSA as confident and unrelenting in their ability to build a database of personal email and social media activity correlated to network and system administrators worldwide. Those reconnaissance efforts would aid the NSA in hacking the sys admins’ work computers that ultimately could be tapped at a moment’s notice by the agency’s QUANTAM program.
QUANTAM involves the use of hacking tools to inject malware onto a target’s system. In the past, the NSA has used these techniques to hack computers by injecting malware implants posing as legitimate Facebook traffic. The malware gives agency analysts a foothold on a compromised machine for the exfiltration of data and system information.
The latest documents, entitled “I hunt sys admins” were written two years ago by an official whose job it is to hack into foreign networks via weaknesses in routers, said a report in The Intercept. The publication said it is keeping the author’s identity a secret. The documents specify the agency’s hunt not only for infrastructure credentials, but also network topology, access lists that detail which machines are allowed access to which resources, and other network configuration intelligence.
“Up front, sys admins generally are not my end target. My end target is the extremist/terrorist or government official that happens to be using the network some admin takes care of,” the document said. “Sys admins are a means to an end.”
These ventures are by law supposed to be limited to foreign targets only, but in the past, the agency’s dragnet surveillance efforts around phone call metadata, for example, has also snared activity of Americans, whose data is not supposed to be targeted or collected without a warrant or court order.
Much like advanced hackers who scour social networks and discussion forums for any scrap of usable insight into a target, the NSA, too, is adept at Facebook creeping. The author, for example, writes in the documents that in order to get computer network exploitation (CNE) access to the admin, a webmail or Facebook account is a better first step than spamming the target.
“There’s a couple ways you could try this: dumpster-dive for alternate selectors in the big SIGINT (signals intelligence) trash can, or pull out your wicked Google-fu to see if they’ve posted on any forums and list both their official and non-official emails in a signature block,” the author wrote.
The how-to written by this unnamed person is littered with arrogance, snark and hacker jargon—even a swipe at the quality of content presented at the Black Hat and Def Con security conferences. There are detailed instructions on a number of techniques for finding personal accounts and using those to hack upstream to the agency’s ultimate target should the need arise. The NSA was also interested in building a database of sys admin contact information that could be utilized by its elite Tailored Operations Unit (TAO).
“Who better to target than the person that already has the keys to the kingdom,” the author wrote. “Many times, as soon as I can see a target show up on a network, one of my first goals is ‘Can we get CNE access to the admins on that network in order to get access to the infrastructure the target is using.”