If you spend enough time perusing the Internet for helpful information on how to build a botnet or hack an online game, you’ll inevitably end up on a discussion board site filled with posts from various hackers eager to share that knowledge and build up their street cred. But even if you use Tor to explore the “dark Web” for such boards, you’ll never reach the 1337est board of them all—the discussion board hosted on the National Security Agency’s NSAnet.
The latest data dump from the archive of NSA webpages leaked by Edward Snowden contains a sampling of posts from the NSA’s internal hacker board by one author in particular—an NSA employee that The Intercept’s Ryan Gallagher and Peter Mass claim
is the person who wrote presentations on attacking the Tor network
. In one of his posts, the author outlines approaches to gaining access to networks used by individuals targeted for surveillance.
That post, entitled, “I hunt sysadmins,” provides a primer for NSA cyber-warriors to identify and target system administrators of networks to exploit their access privileges for the purposes of surveilling or attacking a target that is connected to them. The two-part post and others published by The Intercept show the extent of the NSA’s ability to target and exploit networks worldwide using the automated hacking tools at the agency’s disposal. But the new data also shows how similar the approaches of the NSA’s cyber-operators are to those used by “black hat” hackers and criminal hacking rings, and it offers some hints about the NSA’s internal “hacker” culture.
The power of awesome
The “I hunt sysadmins” post was part of a series of helpful hints written by the unnamed author in response to what he saw as opportunities to exploit the NSA’s massive troves of data for more creative approaches to gathering intelligence. “Our ability to pull bits out of random places of the Internet, bring them back to the mother-base and evaluate and build intelligence off of [it] is just plain awesome!” he wrote in an introductory post. “One of the coolest things about it is how much data we have at our fingertips… If we only collected the data we knew we wanted…yeah, we’d fill some of our requirements, but this is a whole world of possibilities we’d be missing!”
“Up front, sys admins are generally not my end target,” the author continued. “My end target is the extremist/terrorist or government official that happens to be using the network some sys admin takes care of.” But sysadmins hold the keys to getting at the targets; by gaining administrative access to network or telecommunications infrastructure, an NSA operator or analyst could get a wealth of additional detail about both its inner workings and the activities of specific individuals.
The author listed the details available:
This sort of strategy explains why sysadmins at otherwise “friendly” telecommunications networks—like the engineers at Belgacom who were hacked by the GCHQ—find themselves targeted. The attacks on Belgacom were likely a step toward collecting intelligence on a specific individual believed to be in Belgium by tapping into the provider’s network infrastructure, allowing the GCHQ to gain access to SMS messages and other data directly from the network and determine exactly which tower the target’s phone was talking to when they were sent.
The series of “I hunt” posts provides a primer on how NSA operators can use the broad passive collection capabilities of Turmoil and XKeyscore
to identify and target system administrators in order to improve computer network exploitation (CNE) efforts. It’s possible to occasionally get lucky and identify a sysadmin for a network by using “Google-fu” to search for things like forum posts that use both the administrator’s official and personal e-mail addresses in a signature or to look for information within other data captured from the targeted network that might identify a sysadmin. But there are more scientific approaches to finding out who has the keys to a particular network kingdom.
Using analysis of secure shell (SSH) traffic, for example, operators can identify the IP addresses associated with administrators based on the volume of data going back to the client from the server or router.
As the author explained:
Administrators’ IP addresses can also be discovered by using an “awesome” NSA tool called Discoroute, which the author of the post said is “designed to suck up and database router configuration files seen in passively collected telnet sessions.”
Discoroute can also be used to discover which IP addresses can access the router via telnet. And if the contents of telnet sessions are in the clear, they can often be used to expose router passwords, even if they’re hashed. The author said that Cisco’s “password 7” hashing is “ROFL-easy to crack. You can Google ‘cisco password 7 cracker’ and get web pages that allow you to copy the password 7 hash, and it’ll break it for free…anyone can figure out the password for this router.”
All of this data can be searched for within the NSA’s collection of passive data. Once an administrator is identified, the author suggested, his or her Web e-mail accounts or Facebook account can be targeted using a Quantum attack, by using the NSA’s man-in-the-middle capability to insert malware into Web sessions and give the agency’s operators access to the administrator’s personal system.