SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
TOP Security!
10 Feb 2015

Spy agencies secretly rely on hackers

The governments of the USA, UK and Canada characterize hackers as a criminal menace, warn of the threats they allegedly pose to critical infrastructure, and aggressively prosecute them, but they are also secretly exploiting their information and expertise, according to top secret documents.

In some cases, the surveillance agencies are obtaining the content of emails by monitoring hackers as they breach email accounts, often without notifying the hacking victims of these breaches.

“Hackers are stealing the emails of some of our targets… by collecting the hackers’ ‘take,’ we . . . get access to the emails themselves,” reads one top secret 2010 National Security Agency document. These and other revelations about the intelligence agencies’ reliance on hackers are contained in documents provided by whistleblower Edward Snowden. The documents — which come from the UK Government Communications Headquarters agency and NSA — shed new light on the various means used by intelligence agencies to exploit hackers’ successes and learn from their skills, while also raising questions about whether governments have overstated the threat posed by some hackers.

By looking out for hacking conducted “both by state-sponsored and freelance hackers” and riding on the coattails of hackers, Western intelligence agencies have gathered what they regard as valuable content:

Recently, Communications Security Establishment Canada (CSEC) and Menwith Hill Station (MHS) discovered and began exploiting a target-rich data set being stolen by hackers. The hackers’ sophisticated email-stealing intrusion set is known as INTOLERANT. Of the traffic observed, nearly half contains category hits because the attackers are targeting email accounts of interest to the Intelligence Community. Although a relatively new data source, [Target Offices of Primary Interest] have already written multiple reports based on INTOLERANT collect.

The hackers target a wide range of diplomatic corps, human rights and democracy activists and even journalists:

    INTOLERANT traffic is very organized. Each event is labeled to identify and categorize victims. Cyber attacks commonly apply descriptors to each victim – it helps herd victims and track which attacks succeed and which fail. Victim categories make INTOLERANT interesting:

    A = Indian Diplomatic & Indian Navy

    B = Central Asian diplomatic

    C = Chinese Human Rights Defenders

    D = Tibetan Pro-Democracy Personalities

    E = Uighur Activists

    F = European Special Rep to Afghanistan and Indian photo-journalism

    G = Tibetan Government in Exile

In those cases, the NSA and its partner agencies in the United Kingdom and Canada were unable to determine the identity of the hackers who collected the data, but suspect a state sponsor “based on the level of sophistication and the victim set.” In instances where hacking may compromise data from the USA and UK governments, or their allies, notification was given to the “relevant parties.”

In a separate document, GCHQ officials discuss plans to use open source discussions among hackers to improve their own knowledge. “Analysts are potentially missing out on valuable open source information relating to cyber defence because of an inability to easily keep up to date with specific blogs and Twitter sources,” according to one document.

GCHQ created a program called LOVELY HORSE to monitor and index public discussion by hackers on Twitter and other social media. A 2012 document designates a set of Twitter accounts for collection.

These accounts represent a cross section of the hacker community and security scene. In addition to monitoring multiple accounts affiliated with Anonymous, GCHQ monitored the tweets of Kevin Mitnick, who was sent to prison in 1999 for various computer and fraud related offenses. The US Government once characterized Mitnick as one of the world’s most villainous hackers, but he has since turned security consultant and exploit broker.

Among others, GCHQ monitored the tweets of reverse-engineer and Google employee, Thomas Dullien. Fellow Googler Tavis Ormandy, from Google’s vulnerability research team Project Zero, is featured on the list, along with other well known offensive security researchers, including Metasploit’s HD Moore and James Lee (aka Egypt) together with Dino Dai Zovi and Alexander Sotirov, who at the time both worked for New York-based offensive security company, Trail of Bits (Dai Zovi has since taken up a position at payment company, Square). The list also includes notable anti-forensics and operational security expert “The Grugq.”

GCHQ monitored the tweets of former NSA agents Dave Aitel and Charlie Miller, and former Air Force intelligence officer Richard Bejtlich as well as French exploit vendor, VUPEN (who sold a one year subscription for its binary analysis and exploits service to the NSA in 2012).

The GCHQ document states that they “currently have a list of around 60 blog and Twitter sources” that were identified by analysts for collection. A prototype of the LOVELY HORSE program ensured that “Twitter smart messenger and (subject to legal/security approval) blog content [was] manually scraped and uploaded to GCDesk.” A later version would upload content in real time.

Several of the accounts to be mined for expertise are associated with the hacktivist collective Anonymous. Documents previously published by The Intercept reveal extensive, and sometimes extreme, tactics employed by GCHQ to infiltrate, discredit and disrupt that group. The agency employed some of the same hacker methods against Anonymous (e.g., mass denial of service) as governments have prosecuted Anonymous for using.

A separate GCHQ document details the open-source sites monitored and collected by the agency, including blogs, websites, chat venues and Twitter. It describes Twitter messenger monitoring undertaken for “real-time alerting to new security issues reported by known security professionals, or planned activity by hacking groups, e.g. Anonymous.” The agency planned to expand its monitoring and aggregation program to a wide range of web locations, including IRC chat rooms and Pastebin, where “an increasing number of tip-offs are coming from . . . as this is where many hackers anonymously advertise and promote their exploits, by publishing stolen information.”

One classified document casts serious doubt on warnings about the threat posed by Anonymous (in early 2012 then-NSA chief Keith Alexander reportedly warned that Anonymous could shut down parts of the power grid).

That document, containing “talking points” prepared by Jessica Vielhuber of the National Intelligence Council in September 2011 for a NATO meeting on cyber-threats, describes the threat from Anonymous as relatively small. “Although ‘hacktivist’ groups such as Anonymous have made headlines recently with their theft of NATO information, the threat posed by such activity is minimal relative to that of nation-states,” she wrote.

In response to The Intercept’s questions, an agency spokesperson said that “NSA will not comment on the Intercept’s speculation,” and noted that NSA “defends the nation and our allies from foreign threats while going to great lengths to safeguard privacy and civil liberties.” The spokesperson added that “over the last year, at the president’s direction, the U.S. intelligence community engaged in an unprecedented effort to examine and strengthen the privacy and civil liberty protections afforded to all people, regardless of nationality.”

GCHQ declined to answer questions for this article, or to comment on the programs involved, but instead provided a boilerplate statement, which says the agency’s work is legal and subject to government oversight. “It is longstanding policy that we do not comment on intelligence matters,” the agency notes.

Tags:
hackers USA UK NSA surveillance Twitter Snowden GCHQ
Source:
The Intercept