Inside the NSA’s Secret Efforts to Hunt and Hack System Administrators

The Intercept
March 20, 2014
(This article was co-written with Ryan Gallagher.)

Across the world, people who work as system administrators keep computer networks in order – and this has turned them into unwitting targets of the National Security Agency for simply doing their jobs. According to a secret document provided by NSA whistleblower Edward Snowden, the agency tracks down the private email and Facebook accounts of system administrators (or sys admins, as they are often called), before hacking their computers to gain access to the networks they control.

The document consists of several posts – one of them is titled “I hunt sys admins” – that were published in 2012 on an internal discussion board hosted on the agency’s classified servers. They were written by an NSA official involved in the agency’s effort to break into foreign network routers, the devices that connect computer networks and transport data across the Internet. By infiltrating the computers of system administrators who work for foreign phone and Internet companies, the NSA can gain access to the calls and emails that flow over their networks.

The classified posts reveal how the NSA official aspired to create a database that would function as an international hit list of sys admins to potentially target. Yet the document makes clear that the admins are not suspected of any criminal activity – they are targeted only because they control access to networks the agency wants to infiltrate. “Who better to target than the person that already has the ‘keys to the kingdom’?” one of the posts says.

The NSA wants more than just passwords. The document includes a list of other data that can be harvested from computers belonging to sys admins, including network maps, customer lists, business correspondence and, the author jokes, “pictures of cats in funny poses with amusing captions.” The posts, boastful and casual in tone, contain hacker jargon (pwn, skillz, zomg, internetz) and are punctuated with expressions of mischief. “Current mood: devious,” reads one, while another signs off, “Current mood: scheming.”

The author of the posts, whose name is being withheld by The Intercept, is a network specialist in the agency’s Signals Intelligence Directorate, according to other NSA documents. The same author wrote secret presentations related to the NSA’s controversial program to identify users of the Tor browser – a privacy-enhancing tool that allows people to browse the Internet anonymously. The network specialist, who served as a private contractor prior to joining the NSA, shows little respect for hackers who do not work for the government. One post expresses disdain for the quality of presentations at Blackhat and Defcon, the computer world’s premier security and hacker conferences:

When I first went to Blackhat/Defcon, it was with the wide-eyed anticipation of, ‘I’m going to go listen to all of the talks that I can, soak up all of the information possible, and become a supar-1337-haxxor.’ What a let-down of an experience that was. You find the most interesting topics and briefings, wait in lines to get a seat, and find yourself straining your ears to listen to someone that has basically nothing new to say. Most of the talks get hyped up exponentially past any amount of substance they actually provide, most of the ‘interactive sessions’ end up in a ‘oh! woe is the state of the security industry!’ chant, and leave the audience no better off than before.

It is unclear how precise the NSA’s hacking attacks are or how the agency ensures that it excludes Americans from the intrusions. The author explains in one post that the NSA scours the Internet to find people it deems “probable” administrators, suggesting a lack of certainty in the process and implying that the wrong person could be targeted. It is illegal for the NSA to deliberately target Americans for surveillance without explicit prior authorization. But the employee’s posts make no mention of any measures that might be taken to prevent hacking the computers of Americans who work as sys admins for foreign networks. Without such measures, Americans who work on such networks could potentially fall victim to an NSA infiltration attempt.

The NSA declined to answer questions about its efforts to hack system administrators or explain how it ensures Americans are not mistakenly targeted. Agency spokeswoman Vanee’ Vines said in an email statement: “A key part of the protections that apply to both U.S. persons and citizens of other countries is the mandate that information be in support of a valid foreign intelligence requirement, and comply with U.S. Attorney General-approved procedures to protect privacy rights.”

As The Intercept revealed last week, clandestine hacking has become central to the NSA’s mission in the past decade. The agency is working to aggressively scale its ability to break into computers to perform what it calls “computer network exploitation,” or CNE: the collection of intelligence from covertly infiltrated computer systems. Hacking into the computers of sys admins is particularly controversial because unlike conventional targets – people who are regarded as threats – sys admins are not suspected of any wrongdoing.

In a post calling sys admins “a means to an end,” the NSA employee writes, “Up front, sys admins generally are not my end target. My end target is the extremist/terrorist or government official that happens to be using the network some admin takes care of.”

The first step, according to the posts, is to collect IP addresses that are believed to be linked to a network’s sys admin. An IP address is a series of numbers allocated to every computer that connects to the Internet. Using this identifier, the NSA can then run an IP address through the vast amount of signals intelligence data, or SIGINT, that it collects every day, trying to match the IP address to personal accounts.

“What we’d really like is a personal webmail or Facebook account to target,” one of the posts explains, presumably because, whereas IP addresses can be shared by multiple people, “alternative selectors” like a webmail or Facebook account can be linked to a particular target. You can “dumpster-dive for alternate selectors in the big SIGINT trash can” the author suggests. Or “pull out your wicked Google-fu” (slang for efficient Googling) to search for any “official and non-official e-mails” that the targets may have posted online.

Once the agency believes it has identified a sys admin’s personal accounts, according to the posts, it can target them with its so-called QUANTUM hacking techniques. The Snowden files reveal that the QUANTUM methods have been used to secretly inject surveillance malware into a Facebook page by sending malicious NSA data packets that appear to originate from a genuine Facebook server. This method tricks a target’s computer into accepting the malicious packets, allowing the NSA to infect the targeted computer with a malware “implant” and gain unfettered access to the data stored on its hard drive.

“Just pull those selectors, queue them up for QUANTUM, and proceed with the pwnage,” the author of the posts writes. (“Pwnage,” short for “pure ownage,” is gamer-speak for defeating opponents.) The author adds, triumphantly, “Yay! /throws confetti in the air.”

In one case, these tactics were used by the NSA’s British counterpart, Government Communications Headquarters, or GCHQ, to infiltrate the Belgian telecommunications company Belgacom. As Der Speigel revealed last year, Belgacom’s network engineers were targeted by GCHQ in a QUANTUM mission named “Operation Socialist” – with the British agency hacking into the company’s systems in an effort to monitor smartphones.

While targeting innocent sys admins may be surprising on its own, the “hunt sys admins” document reveals how the NSA network specialist secretly discussed building a “master list” of sys admins across the world, which would enable an attack to be initiated on one of them the moment their network was thought to be used by a person of interest. One post outlines how this process would make it easier for the NSA’s specialist hacking unit, Tailored Access Operations (TAO), to infiltrate networks and begin collecting, or “tasking,” data:

So, by combining all of that information, you end up with a list of public IP addresses that probably belong to sys admins as well as personal accounts that probably belong to those admins. All you have to do is put all this info in a database somewhere, and what you end up with is a list of networks as well as personal accounts of probable admins for those networks! Then, as soon as one of those networks becomes a target, all TAO has to do is query the database, see if we have any admins pre-identified for that network, and if we do, automatically queue up tasking and go-go- CNE!

Aside from offering up thoughts on covert hacking tactics, the author of these posts also provides a glimpse into internal employee complaints at the NSA. The posts describe how the agency’s spies gripe about having “dismal infrastructure” and a “Big Data Problem” because of the massive volume of information being collected by NSA surveillance systems. For the author, however, the vast data troves are actually something to be enthusiastic about.

“Our ability to pull bits out of random places of the Internet, bring them back to the mother-base to evaluate and build intelligence off of is just plain awesome!” the author writes. “One of the coolest things about it is how much data we have at our fingertips.”

Micah Lee contributed to this report.

Author: Peter Maass

I was born and raised in Los Angeles. In 1983, after graduating from the University of California at Berkeley, I went to Brussels as a copy editor for The Wall Street Journal/Europe. I left the Journal in 1985 to write for The New York Times and The International Herald Tribune, covering NATO and the European Union. In 1987 I moved to Seoul, South Korea, where I wrote primarily for The Washington Post. After three years in Asia I moved to Budapest to cover Eastern Europe and the Balkans. I spent most of 1992 and 1993 covering the war in Bosnia for the Post.