NSA agents successfully targeted “the entire business chain” connecting foreign cafes to the internet, bragged about an “all-out effort” to spy on liberated Iraq, and began systematically trying to break into virtual private networks, according to a set of internal agency news reports dating to the first half of 2005.
British spies, meanwhile, were made to begin providing new details about their informants via a system of “Intelligence Source Descriptors” created in response to intelligence failures in Iraq. Hungary and the Czech Republic pulled closer to the National Security Agency.
And future Intercept backer Pierre Omidyar visited NSA headquarters for an internal conference panel on “human networking” and open-source intelligence.
These stories and more are contained in a batch of 294 articles from SIDtoday, the internal news website of the NSA’s core Signals Intelligence Directorate. The Intercept is publishing the articles in redacted form as part of an ongoing project to release material from the files provided by NSA whistleblower Edward Snowden.
In addition to the aforementioned highlights, summarized in further detail below, the documents show how the NSA greatly expanded a secret eavesdropping partnership with Ethiopia’s draconian security forces in the Horn of Africa, as detailed in an investigation by longtime Intercept contributor Nick Turse. They describe the NSA’s operations at a base in Digby, England, where the agency worked with its British counterpart GCHQ to help direct drones in the Middle East and tap into communications through the Arab Spring uprisings, according to a separate article by Intercept reporter Ryan Gallagher. And they show how the NSA and GCHQ thwarted encryption systems used to protect peer-to-peer file sharing through the apps Kazaa and eDonkey, as explained here by Intercept technologist Micah Lee.
NSA did not comment for this article.
Members of the U.S. intelligence community routinely thwarted a system designed to mask their identities online by using it for personal shopping and to log on to websites, according to an NSA information technology manager.
The system, called “AIRGAP,” was run by “one of the world’s largest ISPs” and created around 1998 at the behest of the NSA, according to NSA Internet Program Manager Charlie Speight, writing in SIDtoday. Its purpose was to allow “non-attribution internet access,” Speight added, meaning that intelligence analysts could surf the internet without revealing that they were coming from U.S. spy agencies. By 2005, it was used by the whole U.S. intelligence community.
One early concern about the firewall was that it funneled all internet traffic through a single IP address, meaning that if any activity on the address was revealed to be associated with U.S. spies, a broad swath of other activity could then be attributed to other U.S. spies. More IP addresses were subsequently added, but “occasionally we find that the ISP reverts to one address, or does not effectively rotate those assigned,” Speight wrote.
Speight added that the “greater security concern” was the very intelligence agents the system was designed to protect. “Despite rules and warnings to the contrary, all too frequently users will use AIRGAP for registering on web sites or for services, logging into other sites and services and even ordering personal items from on-line vendors,” Speight wrote in a classified passage. “By doing so, these users reveal information about themselves and, potentially, other users on the network. So much for ‘non-attribution.’”
This sort of sloppiness mirrors behavior that has undermined Russian intelligence operatives. A slide presentation by Canadian intelligence, dating to 2011 or later, labeled as “morons” members of a Russian hacking group code-named “MAKERSMARK,” who thwarted a “really well-designed” system to hide their identities by using it to log on to their personal social and email accounts.
The two situations are not perfectly comparable; the U.S. system was managed as part of a network for obtaining unclassified information, while the Russian system was used for the more sensitive activity of staging hack attacks. But Speight hinted at aggressive use of the U.S. system, writing in his piece that the NSA had begun “using AIRGAP for reasons and in volumes not intended in its formation” — the agency thus began developing its own separate firewall.
The NSA had systems with the same goal as AIRGAP — anonymization — but for phone calls. According to a February 2005 SIDtoday article, the NSA controlled 40,000 telephone numbers, but these were almost all prefixed with area- and exchange-code combinations that were publicly associated with the agency. An analyst who needed to make a public phone call without leaking their affiliation could use “anonymous telephones,” most of them registered to the Department of Defense, or “cover telephones,” registered using alias names and P.O. boxes. No security protocol lapses were described in connection with the old-fashioned voice networks.
While hiding, or at least trying to hide, its own online operations, the NSA launched an all-encompassing campaign to trace online activity in internet cafes, down to specific seats.
A program called “MASTERSHAKE” accomplished this by exploiting equipment used by the cafes, including satellite internet modems, according to top-secret information reported by SIDtoday. “MASTERSHAKE targets the entire business chain, from manufacturer to Internet café installation, to ascertain any and all available data regarding … geolocation, the network connectivity of the modem, as well as the actual physical location of the installation,” according to SIDtoday.
MASTERSHAKE data was “enriched” with other information, including “geolocatable phone events,” as well as intelligence from throughout the NSA’s Signals Intelligence Directorate and from the agency’s XKeyscore search system.
The NSA knew the precise location of over 400 internet cafes. For over 50 of these cafes, it could locate a target to a specific seat within the cafe. One goal of the monitoring was to hunt down Al Qaeda leaders, like Abu Musab al-Zarqawi. SIDtoday focused on the use of MASTERSHAKE in Iraq, describing an incident in the city of Ramadi where two “counterterrorism targets” began using a messenger service at an internet cafe, and the two men were arrested. But it also indicated the system was used more broadly, “in the Middle East and Africa.”
As the Intercept previously reported, the NSA has surveilled internet cafes in Yemen, Afghanistan, Syria, Lebanon, and Iran, as detailed in agency documents.
The NSA’s surveillance against Iraqis went far beyond cafe computers. Two years after President George W. Bush’s infamous “Mission Accomplished” speech and a year after the Coalition Provisional Authority handed over the reins to the Iraqi Interim Government, the agency was trying to tap the nation’s communications — and enlist friendly Iraqis and the new government to do likewise.
In a top-secret SIDtoday report, an NSA “data acquisition lead” in Baghdad described “an all-out effort to penetrate Iraqi networks using everything in the tool box of the most sophisticated SIGINT agency in the world.” The “very forward-leaning and aggressive” collection effort brought “our technology to bear at the optimum access points” in the country. The identity of those access points is hinted at by the list of people the NSA staffer met with as the “field rep on a number of projects”: “Iraqi government personnel engaged in telecommunications and IT issues for Iraq; small and medium sized Iraqi communications contractors; the CEO’s and Chief Technical Officers of the major Iraqi telecommunications service providers; [and] Iraqi cabinet level officials,” among others.
Another article confirmed the NSA was spying on Iraqi telecommunications, describing a “dramatic drop” in information the agency collected from links carrying mobile phone traffic between Fallujah and northern Baghdad and a consequent gap in intelligence gathering. A team from the NSA and CIA was able to restore the collection within two weeks by targeting microwave signals carrying the traffic.
In addition to its own electronic spying within Iraq, the NSA sought to rebuild the country’s ability to spy on itself through another joint project with the CIA, along with GCHQ. The Western intelligence entities would build a new Iraqi spy agency, dubbed the Iraq SIGINT Element, according to another SIDtoday article. The Iraqi SIGINT Element’s expertise would come, of course, from veterans of Saddam Hussein’s regime; the NSA and GCHQ made a list of candidates “gleaned from years of targeting the Iraqi civil and military SIGINT units,” SIDtoday reported. The former targets were the new recruits. The CIA assisted in the vetting process with polygraphers, psychologists, and background checks, and the NSA trained the selected candidates on “how we do SIGINT.” The new intelligence agents’ first assignment was to find communications of former Saddam “elements” and insurgents in Baghdad. They went covertly into Baghdad neighborhoods, which U.S. and U.K. forces were unable to do.
It was at the behest of the director of central intelligence that the NSA “moved aggressively to help [Iraq] establish and enhance their signals intelligence capabilities,” SIDtoday reported separately. A similar effort was underway in Afghanistan. “Both relationships come with risks, but the overall benefit to U.S. objectives in the region outweighs these risks,” wrote an NSA foreign affairs staff officer.
Mass surveillance efforts in Iraq were part of a broader NSA effort to address the consequences of the coalition’s victory over Saddam Hussein. Immediately after the Ba’athist government fell to the invading forces in 2003, signals intelligence collection on the regime ceased to exist. NSA staff, some of whom had been monitoring the country for more than a decade, woke up to “no more audio cuts, no more transcripts … no more product reports,” according to an account in SIDtoday. One official wondered, “Will we lose resources because of our success?” Postwar insurgency and sectarian strife ensured this was not the case.
For example, an NSA team set about thwarting detonation systems for bombs set by insurgents. The bombs, known within the U.S. military as improvised explosive devices, were triggered from a distance, often using high-powered cordless phone systems, in which a common base station, controlled by a triggerman, connects to a cluster of wireless handsets. The team devised a way to locate triggermen: Intercepting and identifying security codes emitted by captured handsets. The codes, intended to tether a handset to a particular base station, could then be used to locate base stations, resulting in military targeting and “hopefully, the IED makers neutralized,” SIDtoday stated.
The NSA may have had a chance to deploy this technique at the end of January 2005, when Iraq’s first parliamentary elections took place. An article in SIDtoday said that signals intelligence helped prevent 50 to 60 suicide bombers from making it into polling centers. Still, 285 other insurgent attacks occurred that day, and CNN reported several incidents of suicide bombings that hit police officers and Iraqis waiting to vote.
In Iraq and elsewhere, the NSA expanded the scope of its intelligence sharing to U.S. government “customers,” as described in a January 2005 article, in which an NSA staffer in Baghdad read a new sharing guideline aloud to a hesitant colleague: “It’s OK to talk about, show and share evaluated, minimized unpublished SIGINT to customers/partners in order to facilitate analytic collaboration.”
Even amid the aggressive intelligence sharing, the NSA was taking note of what could happen when such sharing went terribly wrong. A SIDtoday story about a British government inquiry into prewar intelligence on Iraq, the Butler Review, describes how the U.K.’s signals intelligence agency GCHQ was now required to provide “Intelligence Source Descriptors” on all intel reports. This requirement came in response to the finding that the British foreign spying agency, MI6, did not adequately check human sources and relied on third-hand reporting about Iraqi chemical weapons, including “seriously flawed” information from “another country’s intelligence service.”
The new British source descriptors would include identification of sources by name or role along with judgments on whether the source had direct or indirect access to the information reported. The GCHQ descriptor would also indicate whether a source is “reliable,” “unknown,” or “uncertain” as to reliability. “There are no plans at present to use a like program on NSA reports,” SIDtoday reported.
Despite reporting on fallout from the U.K. postwar review, SIDtoday did not cover a U.S. presidential commission that prominently reported in March 2005 on how the American intelligence community was “dead wrong” in its prewar assessment of weapons of mass destruction in Iraq.
In parallel with its efforts to share information with more U.S. government and intelligence agencies, the NSA also forged connections with foreign partners whose collaboration would have, in previous decades, seemed inconceivable.
In early 2005, the NSA entered into a partnership with Hungary’s Military Intelligence Office, inviting the spy agency to “work with NSA as part of our extended SIGINT enterprise,” according to SIDtoday, and “write SIGINT reports for dissemination through the NSA system to our intelligence community customers.” The partnership allowed the NSA to tap into the Hungarian agency’s “unique access to Serbian and Ukrainian military targets.”
A contemporaneous NSA visit to the Czech Republic, as described in SIDtoday, showed how such “third party” partnerships can come to fruition. The trip was conducted to establish whether the NSA should partner with the Czech External Intelligence Service, or ÚZSI, which wanted to tap NSA expertise “on many technical issues.” In order to win over the Americans, spy agency “personnel essentially opened the door to their SIGINT vault,” displaying an “exceptional degree of openness.” The NSA team came away impressed, judging ÚZSI “exceptionally good at analysis of material associated with Russian [counterintelligence] targets,” and impressed with the agency’s “very good analytic effort against Russian and Ukrainian HF networks” and “overall levels of sophistication, knowledge, practical experience, ingenuity and enthusiasm that allow them to overcome many financial and equipment shortfalls.” Perhaps best of all, ÚZSI “has not requested financial support from the NSA.” The Czech Republic eventually became a third-party partner.
A March 2005 SIDtoday article, summarizing a briefing from the NSA’s principal director for foreign affairs, alluded to agency “relationships” with Pakistan and Ethiopia, “work” with Iraq (discussed elsewhere in this article) and Afghanistan, and a “multinational collaboration in the Pacific.”
More generally, third parties became vital at this time simply for providing additional staffing and coverage. For instance, after the U.S. closed several bases, the NSA developed a reliance on third-party partners to participate in High Frequency Directional Finding networks for locating the origins of targeted radio signals. And the U.S. partnered with Hungary’s military intelligence organization in part because it “has been instrumental in providing intelligence that answers high-priority CIA and DIA (Defense Intelligence Agency) requirements that NSA would otherwise not be able to answer due to manpower constraints.”
Back in the U.S., the NSA’s post-9/11 “transformation,” initiated by Director Michael Hayden, promoted information sharing and collaboration to the traditionally closed community at Fort Meade. Invitations to participate at agency seminars and conferences were made not just to partners from the intelligence and military communities, but also to members of private industry and academia.
An announcement in SIDtoday for the third annual Analysis Conference from the NSA’s Analysis and Production division proclaimed the need to “keep communications open and leverage our partners’ insights.” Speakers at the May 2005 event, held at agency headquarters, included authors, U.S. senators, corporate executives, and journalists.
One “high-powered panel” at the conference on “human networking” featured eBay founder Pierre Omidyar, who would go on to provide funding for The Intercept, which covers and is frequently critical of the NSA. A separate SIDtoday article touting the panel indicated that corporate anthropologist Karen Stephenson and Wired founding executive editor Kevin Kelly also participated and that panelists were recruited through the Global Business Network, a consulting firm specializing in scenario-based forecasting. The GBN had been asked to harness its network of experts, “most of whom have had no previous involvement with the intelligence community,” to apply strategies from “the competitive marketplace” to NSA challenges.
Omidyar told The Intercept that the GBN “asked me to participate in an unclassified meeting at NSA headquarters at Fort Meade on the topic of ‘open source’ intelligence. My recollection of the people I met there is that they were very smart and genuinely interested in bringing outside ideas into the agency. I stayed involved with the GBN for some time after that meeting but when they approached me many months later to participate in additional meetings with the NSA, I declined. The invitation was made after news broke in December 2005 about the agency’s ‘warrantless wiretapping’ — and those events were deeply concerning to me. In addition, I didn’t have anything else to add beyond what I had already shared. I was not asked to meet with the NSA again after declining that invitation.”
Omidyar said he was not paid for his appearance.
A series of nuclear weapons tests conducted by India in the spring of 1998 took the intelligence community by surprise, prompting an internal investigation into why these tests had not been foreseen; a subsequent report was harshly critical of the U.S. intelligence community. A similar lapse in data gathering would not happen again in 2005. An Australian NSA site, RAINFALL, isolated a signal it suspected was associated with an Indian nuclear facility, according to SIDtoday. Collaboration between RAINFALL and two NSA stations in Thailand (INDRA and LEMONWOOD) confirmed the source of the signals and allowed for the interception of information about several new Indian missile initiatives. Although these missile systems did not come to public attention for several more years (the Sagarika submarine-launched ballistic missile was first tested in 2008), the NSA’s access to these signals gave them foreknowledge of their Third Party SIGINT partner’s (see last image) actions.
An NSA working group focused on virtual private networks, or VPNs, was established in November 2004 to “conduct systematic and thorough SIGINT Development of VPN communications (typically encrypted),” SIDtoday reported — meaning that the agency wanted to break into the networks. The group published regular “VPN Target Activity Reports” on a large number of countries throughout Europe, the Middle East, North Africa, Russia, and China, as well as “specific financial, governmental, communication service providers and international organizations.” These reports may help analysts “exploit targets’ VPNs more successfully.”
Sonia Kovalevsky Days take place at schools and colleges nationwide, with competitions and talks to encourage young women to pursue careers in mathematics. Although the events’ namesake was a radical socialist and pioneering female mathematician, members of the NSA’s Women in Mathematics Society participated as part of the agency’s effort to recruit more female mathematicians. The NSA believed itself to be the largest employer of mathematicians in the country, but between 1987 and 1993, only one of the 30 math Ph.D.s the agency hired identified as a woman, and only 26 percent of women hired into the agency’s mathematics community had an advanced degree, according to SIDtoday. After the Women in Mathematics Society was formed, from 1994 through 2005, about 38 percent of women mathematicians hired into NSA had a doctoral degree and 27 percent held a master’s degree.
“Spam affects NSA by impeding our collection, processing and storage of [Digital Network Intelligence] traffic,” said the author of a February 2005 SIDtoday article. “Unfortunately, filtering out spam has proven to be an extremely difficult and cumbersome task.” According to the author, analysts developed technology that tagged “an average of 150,000 spam sessions a day,” which greatly reduced the amount of spam that shows up in “daily searches” of intercepted emails.
Correction: September 13, 2017, 9:15 p.m.
Due to an editing error, an earlier version of this story gave an incorrect year for the NSA’s third annual Analysis Conference; the event occurred in May 2005, not May 2015.
Top photo: In this May 1, 2003 file photo, President George W. Bush gives a “thumbs-up” sign after declaring the end of major combat in Iraq as he speaks aboard the aircraft carrier USS Abraham Lincoln off the California coast.
I watched an interview with Assange the other day where he said something like 97% of the Snowden material hasn’t been released yet. And he released it to journalists with connections to The Guardian, NYT, and more; hardly the reach of The Intercept today.
As Anon said on this page, it’s still great to have this material released.
The Iraqi SIGINT Element’s expertise would come, of course, from veterans of Saddam
Hussein’s regime; the NSA and GCHQ made a list of candidates “gleaned from years of
targeting the Iraqi civil and military SIGINT units,…”
Years? How about decades? The U.S. Army Security Agency, the Army’s (ASA) signals intelligence branch from 1945 to 1976, had a civilian clothes embassy detachment in Baghdad possibly as early as the late 1940’s. By the 1960’s knowledge of the “embassy duty” sites was widespread. ASA recruiters told prospective enlistees that they might be assigned to embassies in order to get them to enlist in the ASA for four years instead of being drafted for two years.
How typical of the NSA to take credit for disrupting phone activated IEDs, giving no credit to DARPA or the Army. Check out “software defined radio”; “digital receiver technology”
Spam is a thin reed on which to pin humanity’s hope for freedom. Many people consider spam to be an annoyance. But the next time you delete a spam e-mail, you will have crushed a tiny bit of freedom.
Everyone can do their part. Give out as many business cards as possible at trade shows. This guarantees you will be placed on a number of spam e-mailing lists. Always respond to spam, even if it takes time, and click on any links contained in the e-mail (this can be a bit risky, as it will allow the sender to take over your computer, but freedom is always risky). This will show you are a spam supporter and encourage the spam producers to send you more spam e-mails.
The alternative is a spamless world, where, powerless, you sit naked and exposed to the eye of Mordor.
Here’s some spam for you, benitoe; I’m a big proponent of OSINT (open source intelligence) and HUMINT (human source intelligence) because I go outside and talk to people.
Good one! But nobody actually talks to anyone anymore. The other day, I watched a young couple walking with one arm around each other’s waist while with their free hands, they texted each other.
Ahhhh, yes…. Pierre…
It’s safe to say that because Pierre is still among the living nothing is really ever as it seems.
Perhaps The Intercept itself is one huge disinformation campaign. For what purpose Christ knows. They’ve outed their owner (who was already outed long ago)…. was there no other plutocrat willing to sponsor TI?
It would be interesting to see just how entangled the eBay/PayPal crowd are with America’s overlords.
Pretty effing deeply entangled it seems to me. All of them.
Peter Thiel
Elon Musk
Pierre Omidyar
Same could be said for Google… or Oracle (their first client as CIA). It seems as though America’s tech industry IS America’s intelligence community.
Kaspersky is a piker compared to these guys
First paragraph: There was no “liberated” Iraq in 2005. Let’s not appropriate Bush-era propaganda. The Intercept can do better than that.
Hey NSA, how’s things in Iraq? Did ya win yet? No?
Iran won? Say it ain’t so!
Anyone who trusts that they don’t do these same sorts of things here in the USA to us is a real fool.
And to what extent they don’t do it because, you know, laws and such, they’ll just direct their “partners around the globe” to collect it for them – with their help – and then obtain the information from them, legally. We have other circumstances where they’ve been known to do exactly this to get around the U.S. Constitution. . .
Who cares? Arab dictatorships used the office of the Secretary of State under crooked Hillary to do their personal shopping:
Saudi Arabia: $25,000,000 – State Dept. approval for U.S. arms sales to Saudi Arabia
Prince of Abu Dhabi: $5,000,000 – Muted criticism by State of Bahrain’s abysmal human rights practices.
Brunei: $5,000,000 – State Dept. clearance for U.S. weapons sales to Brunei.
GEMS Education, Dubai: $5,600,000 – Bill Clinton made honorary chairman.
Kuwait: $10,000,000 – State Dept. clearance for U.S. weapons sales to Kuwait.
Sheikh Mohammed H. Al Amoudi: $10,000,000 – Influence-buying within the Clinton State Dept.
Qatar: $5,000,000 – State Dept. approval for U.S. arms sales to Qatar.
United Arab Emirates: $5,000,000 – State Dept. approval for U.S. weapons sales to the UAE.
Oman: $5,000,000 – State clearance for U.S. weapons sales to Oman.
bingo!
the criminals running the usg always want to look like heroes by sacrificing regular working stiffs whom they set up for a fall while these criminals fleece the country.
cynthia – who did not sign a pledge of allegiance to israel and subordinate the US – grills rumsfeld
where are those trillions?
https://www.youtube.com/watch?v=Px1t1-a9uxk
One of the things I’ve been itching to see in TI’s SIDToday articles, as indictable news about empire’s war on terra became publicly known (like torture and fabricated pre-war intelligence), is whether such abuses were ever addressed in intelligence community Top Secret internal propaganda – or just ignored.
I’ll also say for someone now a bit of a technophobe there are weeks I want something like a matrix jack to upload my accumulated reading list. :(
Thank you Talya, Margot and Micah. The last few years I sit on an exercise ball at my desk instead of a chair. It’s good for the core and I think I wore out the edge of my seat during TI’s first 6 months; just kidding, but not really. ;) So PLEASE keep at it and I’ll keep reading and making popcorn.
I wondered why ‘Discounts for Spies.com’ didn’t work from my IP address.
Try without the spaces.
I’ve perfected reading The Intercept articles. 1) Read the headline 2) Search for Benito’s comment.
Pure pleasure!
Benito, do you know what happened to the Zika virus?
@Uncle Bob and @Gladio bring up good points about NSA ties to Equifax.
Someone I know has worked with the same temp agency, on and off for the past three years.
Yesterday they sent her an email (out of the blue) requesting an extensive background check – very similar to forms SF 85 / SF 86.
She doesn’t work with any personal or secure information, and isn’t even required to lock her computer screen when she leaves her desk.
Staffing agencies depend largely upon third party relationships. I believe this background check demand may be tied into the Equifax breach, as some sort of recovery effort.
This is what happens when lawyers get involved in your business. They always contrive some laborious labyrinth of ludicrous demands – then fault you to hell if you skip a beat. From their offices in the HMS CYA, they grind out more proclamations of absolution than the IRS has rules. Incessant tinkering and revisions grow like ivy reaching for the moon. Over time the business mutates from an inventive creative exciting place into a mortuary for the living dead.
NSA secret shoppers are just one of the many tools in the toolbox to keep our country safe from terror
Alright … anybody know the secret IP address? (After all, there’s a chance they’re still using it…)
I was amused to see that they had not disabled HTML-Referer! I gotta ask … can SIPRNet addresses be passed via this mechanism? It used to be that imitation was the highest form of flattery, but it might be a contender to get traffic to your website linked from the seeekrit web network only 500,000 people and Bradley Manning’s confidants get access to.
Thank you for the release.
I really do appreciate it, but is there a way to make these releases more timely? I mean Mr. Snowden gave you this stuff 4 years ago now…
How many NSA people now work for Equifax?
the msm sure dropped the equifax story like a hot potato.
the criminal network running the US is very co-ordinated, must be a tight-knit family.
In 2016, the Equifax Inc. political action committee gave 85% of its contributions to Republicans and 15% to Democrats
Yawning..
Both houses of Congress will perform obligatory verbal floggings on Equifax and pass consumer protection legislation aimed at proactive, defensive steps to prevent such breaches in the future..