<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:wfw="http://wellformedweb.org/CommentAPI/"
     xmlns:dc="http://purl.org/dc/elements/1.1/"
     xmlns:atom="http://www.w3.org/2005/Atom"
     xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
     xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
     xmlns:snf="http://www.smartnews.be/snf"
     xmlns:media="http://search.yahoo.com/mrss/" >

    <channel>
        <title>The Intercept</title>
        <atom:link href="https://theintercept.com/staff/kimzetter/feed/" rel="self" type="application/rss+xml" />
        <link>https://theintercept.com/staff/kimzetter/</link>
        <description></description>
        <lastBuildDate>Fri, 24 Apr 2026 00:01:11 +0000</lastBuildDate>
        <language>en-US</language>
                <sy:updatePeriod>hourly</sy:updatePeriod>
        <sy:updateFrequency>1</sy:updateFrequency>
        <generator>https://wordpress.org/?v=6.9.4</generator>
<site xmlns="com-wordpress:feed-additions:1">220955519</site>
            <item>
                <title><![CDATA[Israel May Have Destroyed Iranian Centrifuges Simply by Cutting Power]]></title>
                <link>https://theintercept.com/2021/04/13/iran-nuclear-natanz-israel/</link>
                <comments>https://theintercept.com/2021/04/13/iran-nuclear-natanz-israel/#respond</comments>
                <pubDate>Tue, 13 Apr 2021 15:41:09 +0000</pubDate>
                                    <dc:creator><![CDATA[Kim Zetter]]></dc:creator>
                                		<category><![CDATA[National Security]]></category>
		<category><![CDATA[Technology]]></category>

                <guid isPermaLink="false">https://theintercept.com/?p=351582</guid>
                                    <description><![CDATA[<p>The details of the blackout at Iran’s Natanz nuclear facility are scattered — but intriguing.</p>
<p>The post <a href="https://theintercept.com/2021/04/13/iran-nuclear-natanz-israel/">Israel May Have Destroyed Iranian Centrifuges Simply by Cutting Power</a> appeared first on <a href="https://theintercept.com">The Intercept</a>.</p>
]]></description>
                                        <content:encoded><![CDATA[<p><u>The explosion and blackout</u> at the Natanz nuclear facility in Iran <a href="https://www.nytimes.com/2021/04/11/world/middleeast/iran-nuclear-natanz.html">over the weekend</a> raised the specter of past sabotage — including the Stuxnet cyberattack that took out some of Natanz’s centrifuges between 2007 and 2010 as well as an explosion and fire that occurred there last July — destroying about three-fourths of a newly opened plant for the assembly of centrifuges.</p>
<p>Government officials and news reports gave conflicting accounts of what caused the latest blasts, the extent of damage, and Iran’s capacity to quickly recover. Initial reports said there was no harm to the Natanz facility, but Iranian officials later acknowledged damage to its centrifuges.</p>
<p>And while media accounts have suggested saboteurs focused on taking out the facility’s electric supply, David Albright, founder and president of the Institute for Science and International Security in Washington, D.C., believes the aim was to destroy centrifuges. Power is easy to restore even when electrical equipment is damaged, allowing enrichment work to quickly resume. But an abrupt blackout that also takes out backup power would have destroyed some centrifuges, Albright says, since they need to be powered down slowly. Failure to do so leads to vibrations that can cause centrifuge rotors and bellows to become damaged and in some cases disintegrate, which is what Albright suspects occurred.</p>
<p>Below is a summary of what we currently know and don’t know about the incident at Natanz.</p>
<h3>What Happened?</h3>
<p>On Sunday, news organizations reported an electrical blackout at the Natanz uranium enrichment plant, located in the desert about 155 miles south of Tehran. Natanz is critical to Iran’s nuclear program. The heavily secured site is protected by anti-aircraft guns and has two large centrifuge halls buried more than 50 feet underground to protect them from airstrikes. Despite the conflicting reports, it appears the facility’s main power distribution equipment — Natanz has its own grid — was taken out with explosives. <a href="https://www.nytimes.com/2021/04/11/world/middleeast/iran-nuclear-natanz.html">Backup emergency electricity</a> also was taken down, and power cut out across the multibuilding compound, Behrouz Kamalvandi, spokesperson for Iran’s Atomic Energy Organization, told Iran’s state-run TV.</p>
<p>Iranian officials initially said there were no casualties or damage to facilities. But Kamalvandi later conceded that the &#8220;small explosion” had “damaged sectors [which] can be quickly repaired.” Kamalvandi was speaking from <a href="https://twitter.com/AbasAslani/status/1381526694532677634">a hospital bed</a>, however, because he had fallen down a 20-foot hole while visiting Natanz after the attack, breaking an ankle and gashing his head. This would suggest that the explosions may have done extensive ground or structural damage.</p>
<p>“This tells me that the damage must be quite a lot in some spots,” says Olli Heinonen, former deputy director general of the U.N.’s International Atomic Energy Agency, where he headed its Department of Safeguards, and currently a Distinguished Fellow with the Stimson Center in Washington, D.C. “Nuclear installations normally are very safe. There are no open places where you can go down 7 meters just like that. So probably he went to some area that is damaged, and that is a bad sign.”</p>
<p>Reports have indicated that the sabotage set Iran’s uranium enrichment program back nine months. See “How Quickly Can Iran Recover?” below.</p>
<h3>Who Was Behind the Explosions?</h3>
<p>Iranian Foreign Minister Mohammad Javad Zarif blamed the incident on Israeli sabotage, calling it a “terrorist attack” and “nuclear terrorism.” Both U.S. and Israeli sources have told Western reporters that Israel was indeed behind the attack. Though Israel has not formally taken responsibility for the operation, Lt. Gen. Aviv Kohavi, chief of staff of the Israel Defense Forces seemed to hint at Israel’s involvement during a speech on Sunday at a ceremony for Israeli soldiers.</p>
<p>“The IDF’s actions throughout the Middle East are not hidden from our enemies’ vision, who are observing us, seeing our capabilities and carefully considering their next steps,” he said. “By virtue of clever operational activities, the past year was one of the most secure years that the citizens of the State of Israel have known. We will continue to act, combining power and discretion, determination and responsibility — all of this to guarantee the security of the State of Israel.”</p>
<p>Israel has the most to fear from a nuclear-armed neighbor. Although Iran has long insisted that its controversial nuclear program is peaceful and not a weapons program, the U.S. intelligence community found that Iran did have a nuclear weapons program until 2003, when it halted the program following the U.S.-coalition invasion of Iraq. And although Israel has its own nuclear program, it has worked hard to prevent its close neighbors from developing one as well.</p>
<p>Israel has a long history of sabotaging nuclear facilities in Iraq, Syria, and Iran, both through cyber means — including the sophisticated Stuxnet attack against Iran, which Israel conducted with U.S. and <a href="https://www.yahoo.com/entertainment/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html">Dutch intelligence agencies</a> — and with conventional bombs and explosives. Israel is also reportedly behind a number of assassinations of Iranian nuclear scientists and officials over the last decade. The Stuxnet attack was particularly significant because it launched the era of cyberwarfare, as it was the first cyberattack known to use a digital weapon that could leap into the physical realm to cause actual destruction of equipment. The highly skilled covert operation was conducted in lieu of a kinetic attack to avoid attribution and an escalation in hostilities with Iran; it remained undetected for three years.</p>
<!-- BLOCK(photo)[1](%7B%22componentName%22%3A%22PHOTO%22%2C%22entityType%22%3A%22RESOURCE%22%7D)(%7B%22scroll%22%3Afalse%2C%22align%22%3A%22bleed%22%2C%22bleed%22%3A%22large%22%2C%22width%22%3A%22auto%22%7D) --><figure class="img-wrap align-bleed large-bleed width-auto" style="width: auto;"><!-- CONTENT(photo)[1] -->
<img loading="lazy" decoding="async" width="4464" height="2976" class="aligncenter size-large wp-image-351591" src="https://theintercept.com/wp-content/uploads/2021/04/11854633c.jpg" alt="U.S. Defense Secretary Lloyd Austin (L) and Israeli Defense Minister Benny Gantz are seen at a ceremony at the Kirya military base in Tel Aviv, Israel on April 11, 2021." srcset="https://theintercept.com/wp-content/uploads/2021/04/11854633c.jpg?w=4464 4464w, https://theintercept.com/wp-content/uploads/2021/04/11854633c.jpg?w=300 300w, https://theintercept.com/wp-content/uploads/2021/04/11854633c.jpg?w=768 768w, https://theintercept.com/wp-content/uploads/2021/04/11854633c.jpg?w=1024 1024w, https://theintercept.com/wp-content/uploads/2021/04/11854633c.jpg?w=1536 1536w, https://theintercept.com/wp-content/uploads/2021/04/11854633c.jpg?w=2048 2048w, https://theintercept.com/wp-content/uploads/2021/04/11854633c.jpg?w=540 540w, https://theintercept.com/wp-content/uploads/2021/04/11854633c.jpg?w=1000 1000w, https://theintercept.com/wp-content/uploads/2021/04/11854633c.jpg?w=2400 2400w, https://theintercept.com/wp-content/uploads/2021/04/11854633c.jpg?w=3600 3600w" sizes="auto, (max-width: 1200px) 100vw, 1200px" />
<figcaption class="caption source pullright">U.S. Defense Secretary Lloyd Austin, left, and Israeli Defense Minister Benny Gantz are seen at a ceremony at the Kirya military base in Tel Aviv, Israel, on April 11, 2021.<br/>Photo: Chine Nouvelle/SIPA/Shutterstock</figcaption><!-- END-CONTENT(photo)[1] --></figure><!-- END-BLOCK(photo)[1] -->
<h3>Timing of the Sabotage</h3>
<p>The sabotage on Sunday seemed timed to send a message — both to Iran and to the U.S. and Europe. It occurred just days after talks began in Vienna to revive the 2015 nuclear agreement that the Obama administration had worked hard to broker with Iran to control its uranium enrichment production. The Trump administration, urged on by Israel, unilaterally <a href="https://theintercept.com/2018/05/08/donald-trump-iran-nuclear-deal-john-bolton/">withdrew from the deal</a> in 2018 and imposed <a href="https://theintercept.com/2020/03/17/coronavirus-iran-sanctions/">sanctions</a> on Iran.</p>
<p>The sabotage also occurred the same day U.S. Defense Secretary Lloyd Austin visited Tel Aviv to drum up support for reviving that agreement with Iran. Albright believes it was designed to telegraph to the U.S. that Israel won’t support restoring the old agreement and has no problem scuttling it in order to keep Iran’s nuclear program in check.</p>
<p>The timing of the sabotage was also significant for another reason. The day before the Natanz incident, Iran celebrated National Nuclear Technology Day, an annual event marking the nation’s atomic advances. To mark the event and send a message to its negotiating partners, technicians at Natanz began to operate a small batch of IR-6 centrifuges as well. The majority of centrifuges at Natanz are a model known as IR-1, which is much less efficient at enriching uranium than the IR-6 design. The nuclear agreement signed with Iran in 2015 (known as the Joint Comprehensive Plan of Action, or JCPOA) limited it to enriching with IR-1 centrifuges, so the installation of the IR-6s is widely seen as a provocation designed to give Iran leverage in the revived talks. To add to the tension, Iran has been enriching uranium gas to <a href="https://www.nytimes.com/2021/01/04/world/middleeast/iran-nuclear-uranium-enrichment.html">20 percent</a> since January 2021, having stepped progressively beyond the agreement’s limits after the Trump administration withdrew from it in 2018. Before that, it was enriching uranium to 3 to 5 percent. The higher levels put Iran closer to the 90 percent enrichment that is needed for nuclear weapons, all of which raises the stakes for Israel.</p>
<h3>Was It a Cyberattack?</h3>
<p>Israeli media, among the first to report on the incident, said the sabotage was caused by a <a href="https://www.jpost.com/middle-east/incident-reported-in-iranian-natanz-nuclear-facility-664792">cyberattack</a>, though no details have been reported to support this, and <a href="https://www.nytimes.com/2021/04/11/world/middleeast/iran-nuclear-natanz.html">other reports</a> have said the sabotage was caused by explosives. It is possible to produce physical explosions through a cyber assault, however. In 2007, the U.S. Energy Department&#8217;s Idaho National Laboratory demonstrated that it was possible to physically destroy a 27-ton electrical generator using nothing more than 21 lines of malicious code, in what is known as the <a href="https://www.youtube.com/watch?v=LM8kLaJ2NDU">Aurora Generator Test</a>.</p>
<p>The use of explosives at Natanz doesn’t rule out the possibility that the sabotage involved a hybrid attack with explosives taking out the main power distribution equipment and malicious code taking out the emergency backup power supply to manipulate the frequency converters that control the speed at which the centrifuges spin.</p>
<p>It will take days or weeks before we have a clear understanding of what the attack entailed and how the perpetrators pulled it off, but if an outside generator or transformer was destroyed by explosives, this should become apparent in satellite images that will no doubt be available in the next day or so, Albright said.</p>
<h3>Were Centrifuges Damaged?</h3>
<p>Although the attack targeted the electric distribution at Natanz, the real target was likely the centrifuges. Centrifuge rotors spin at tens of thousands of revolutions per minute and, as noted above, must be slowed gradually; otherwise they vibrate dangerously, and the rotors and bellows inside can be destroyed.</p>
<p>One reason Iranian officials may have changed their story about the damage at Natanz, initially claiming there was none but later conceding centrifuge damage, is that damage to a centrifuge is generally internal and can’t be seen until technicians remove its outer aluminum casing.</p>
<p>On Monday, the day after the sabotage, Ali Akbar Salehi, head of Iran’s Atomic Energy Organization, said some parts of the enrichment facility are now running on emergency backup electricity, but he didn&#8217;t say if this included the centrifuges.</p>
<p>Albright says that to slow down the centrifuges, the sabotage would have needed to target the frequency converters, which are power supplies that regulate the flow of energy to the centrifuges and their speed. To affect these converters, the attackers would have needed to take out the emergency backup power supply, “which is deep inside the plant,” he said.</p>
<p>“The emergency system will come on as soon as the outside power will stop, and that will run for quite a while and that will keep the centrifuges spinning,” Albright said. “But if you can take out the main power supply and the emergency system, then you can stop the centrifuges.”</p>
<p>The frequency converters, notably, were <a href="https://www.penguinrandomhouse.com/books/219931/countdown-to-zero-day-by-kim-zetter/">also the target of Stuxnet</a> in 2009 and 2010. The malicious Stuxnet code caused the converters to increase and decrease the speed of the centrifuges for timed periods in order to destroy their rotors and bellows and spoil the uranium gas inside the centrifuges. The computer systems controlling the frequency converters at Natanz are not connected to the internet, so in that attack, the perpetrators smuggled the first version of Stuxnet into the facility on a USB stick carried in by a <a href="https://www.yahoo.com/entertainment/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html">mole working for Dutch intelligence</a>. Subsequent versions were delivered to Natanz computers by infecting the laptops of outside engineers who worked at the plant and who then unwittingly carried Stuxnet into Natanz on their computers.</p>
<p>Although Iran has been testing a number of different models of centrifuge at Natanz, the vast majority of centrifuges there are IR-1s. Iran has 6,000 of these at Natanz and over the last five months has also installed 1,000 <a href="https://www.nti.org/analysis/articles/iranian-centrifuge-model-collection/">IR-2m</a> centrifuges. Salehi told Iranian news media that the only centrifuges damaged in Sunday’s attack were IR-1s: the same centrifuge model that Stuxnet targeted a decade ago.</p>
<p>IR-1 centrifuges are very difficult to stop when they are spinning at full speed, Albright says.</p>
<p>“It requires slowing down the speed, stopping, and waiting for the centrifuge to stabilize [at several stages]. If you don’t do that, then the centrifuge can just crash. At a certain speed of revolutions, they will start to shake like a <a href="https://www.youtube.com/watch?v=no7ZPPqtZEg">vibrating string</a>.”</p>
<p>Without pauses to stabilize, the vibrations will increase, causing the rotor inside to scrape the side of the aluminum casing, which is just a few millimeters away from the rotor, and destroy the rotor and internal casing.</p>
<p>“It will be like shrapnel going off, and you’ll hear it break,” Albright said. “They would hear it all through the plant if these things are breaking.”</p>
<!-- BLOCK(photo)[2](%7B%22componentName%22%3A%22PHOTO%22%2C%22entityType%22%3A%22RESOURCE%22%7D)(%7B%22scroll%22%3Afalse%2C%22align%22%3A%22bleed%22%2C%22bleed%22%3A%22large%22%2C%22width%22%3A%22auto%22%7D) --><figure class="img-wrap align-bleed large-bleed width-auto" style="width: auto;"><!-- CONTENT(photo)[2] -->
<img loading="lazy" decoding="async" width="3000" height="1927" class="aligncenter size-large wp-image-351594" src="https://theintercept.com/wp-content/uploads/2021/04/GettyImages-73849888.jpg" alt="A general view of the Natanz nuclear enrichment facility, is seen on April 9, 2007, 180 miles south of Tehran, Iran." srcset="https://theintercept.com/wp-content/uploads/2021/04/GettyImages-73849888.jpg?w=3000 3000w, https://theintercept.com/wp-content/uploads/2021/04/GettyImages-73849888.jpg?w=300 300w, https://theintercept.com/wp-content/uploads/2021/04/GettyImages-73849888.jpg?w=768 768w, https://theintercept.com/wp-content/uploads/2021/04/GettyImages-73849888.jpg?w=1024 1024w, https://theintercept.com/wp-content/uploads/2021/04/GettyImages-73849888.jpg?w=1536 1536w, https://theintercept.com/wp-content/uploads/2021/04/GettyImages-73849888.jpg?w=2048 2048w, https://theintercept.com/wp-content/uploads/2021/04/GettyImages-73849888.jpg?w=540 540w, https://theintercept.com/wp-content/uploads/2021/04/GettyImages-73849888.jpg?w=1000 1000w, https://theintercept.com/wp-content/uploads/2021/04/GettyImages-73849888.jpg?w=2400 2400w" sizes="auto, (max-width: 1200px) 100vw, 1200px" />
<figcaption class="caption source pullright">A general view of the Natanz nuclear enrichment facility, seen on April 9, 2007, located 180 miles south of Tehran, Iran.<br/>Photo: Majid Saeedi/Getty Images</figcaption><!-- END-CONTENT(photo)[2] --></figure><!-- END-BLOCK(photo)[2] -->
<h3>How Quickly Can Iran Recover?</h3>
<p>It remains to be seen how long it will take Iran to recover. News reports have said the sabotage set the program back nine months. Salehi has said, “Enrichment in Natanz has not stopped and is moving forward vigorously.”</p>
<p>Heinonen, the former U.N. atomic safeguards official, says it would not take nine months just to replace a destroyed transformer or generator and the destroyed centrifuges.</p>
<p>“If you need to replace the transformer or the electric supply, that may take some time; it&#8217;s not something you take from the shelf. It’s custom-designed for the purpose,” he said. But it would take only a few weeks to replace it.</p>
<p>He says the issue is likely that Iran will have to rebuild entire cascades; cascades are clusters of centrifuges joined by pipes that carry uranium gas from one to the next as it goes through stages of enrichment. If shrapnel and metal dust created by the rotor scraping the casing got into the piping, that would all have to be replaced.</p>
<p>“[That dust] probably will break additional centrifuges,” he said. “To replace a centrifuge, you need to clean the whole mess, including the cascade piping. If there are small pieces here and there, it’s very difficult to clean such small pipes, so you have to replace them. That is a very time-consuming operation.”</p>
<p>If the frequency converters were damaged as well, then this will add to the recovery time. The devices are tailor-made, and Heinonen said it’s not clear how many Iran has in stock.</p>
<p>Heinonen said Iran can recover more quickly by simply abandoning the affected cascades and centrifuges and building new cascades in an empty corner of the hall, and installing IR-2m centrifuges that are more efficient than the damaged IR-1s. If Iran has everything it needs for this, it will take six months to rebuild, he said. Not only will Iran be up and running by the end of summer, it will have a more efficient operation.</p>
<p>With 1,500 IR-2m centrifuges, “you are actually exactly where you were last week in terms of enrichment capacity, because these are four times more powerful than the IR-1s,” he said. “So I would install them and show to the world that [they] are back in business, and that will take a few months, provided that the electricity is there.”</p>
<p>This appears to be what Iran is planning to do, not only to recover from the sabotage but also to secure a stronger bargaining position in its nuclear negotiations. Zarif, the Iranian foreign minister, has stated, &#8220;Natanz will be stronger than ever with more advanced machines, and if they think our hand in negotiation is weak, this act will strengthen our position in the negotiations.&#8221;</p>
<h3>How Will Iran Respond to the Attack?</h3>
<p>An Iranian official announced on Tuesday that Iran will <a href="https://www.nbcnews.com/news/world/iran-says-it-will-enrich-uranium-60-percent-purity-after-n1263920">begin to enrich uranium to 60 percent</a> in response to the attack on Natanz. Whether Iran is just using this to gain leverage in the Vienna talks is unclear. But if the enrichment plan proceeds, it would put Iran closer to having weapons-grade uranium than it has ever been, introducing a new level of destabilization in the Middle East.</p>
<p>Iran is also under pressure from lawmakers in Tehran to halt the nuclear talks in Vienna. “Talks under pressure have no meaning,” Abbas Moghtadaie, deputy chair of the Iranian parliament’s national security and foreign policy committee, said in a Clubhouse talk on Monday, <a href="https://www.nytimes.com/2021/04/12/world/middleeast/iran-israel-nuclear-site.html">according</a> to the New York Times.</p>
<p>In addition, Iran has vowed to get revenge for the sabotage. It’s unclear whether this will involve cyberattacks against Israel — similar to attacks that were launched against Israel’s <a href="https://www.timesofisrael.com/cyber-attacks-again-hit-israels-water-system-shutting-agricultural-pumps/">water supply</a> following the previous sabotage at Natanz last July — or include a kinetic response, such as rockets launched across Israel’s northern border by Iran-backed Hezbollah. Whatever the retaliation, it will likely escalate further response from Israel.</p>
<p>Regardless of what Iran does to retaliate, it’s clear that attacks against Iran’s nuclear program won’t end, says Albright.</p>
<p>“The Israelis … want to make the point that this isn’t simply about going back to the [old agreement with Iran]. The fact that the U.S. secretary of defense was there when it happened is a pretty strong signal to the U.S. and Europe that JCPOA … is not going to cut it [going forward].”</p>
<p>The post <a href="https://theintercept.com/2021/04/13/iran-nuclear-natanz-israel/">Israel May Have Destroyed Iranian Centrifuges Simply by Cutting Power</a> appeared first on <a href="https://theintercept.com">The Intercept</a>.</p>
]]></content:encoded>
                                <wfw:commentRss>https://theintercept.com/2021/04/13/iran-nuclear-natanz-israel/feed/</wfw:commentRss>
                <slash:comments>0</slash:comments>
                <media:content url='https://theintercept.com/wp-content/uploads/2021/04/AP19311365175839-crop3.jpg?fit=2000%2C1000' width='2000' height='1000' /><post-id xmlns="com-wordpress:feed-additions:1">351582</post-id>
		<media:thumbnail url="https://theintercept.com/wp-content/uploads/2021/04/11854633c.jpg?w=440&amp;h=440&amp;crop=1" />
		<media:content url="https://theintercept.com/wp-content/uploads/2021/04/11854633c.jpg?fit=4464%2C2976" medium="image">
			<media:title type="html">Israel Tel Aviv U.S. Lloyd Austin Visit &#8211; 11 Apr 2021</media:title>
			<media:description type="html">U.S. Defense Secretary Lloyd Austin (L) and Israeli Defense Minister Benny Gantz are seen at a ceremony at the Kirya military base in Tel Aviv, Israel on April 11, 2021.</media:description>
			<media:thumbnail url="https://theintercept.com/wp-content/uploads/2021/04/11854633c.jpg?w=440&amp;h=440&amp;crop=1" />
		</media:content>
		<media:content url="https://theintercept.com/wp-content/uploads/2021/04/GettyImages-73849888.jpg?fit=3000%2C1927" medium="image">
			<media:title type="html">Mahmoud Ahmadinejad Announces Scaling-Up Of Nuclear Enrichment Programme</media:title>
			<media:description type="html">A general view of the Natanz nuclear enrichment facility, is seen on April 9, 2007, 180 miles south of Tehran, Iran.</media:description>
			<media:thumbnail url="https://theintercept.com/wp-content/uploads/2021/04/GettyImages-73849888.jpg?w=440&amp;h=440&amp;crop=1" />
		</media:content>
            </item>
        
            <item>
                <title><![CDATA[SolarWinds Hack Infected Critical Infrastructure, Including Power Industry]]></title>
                <link>https://theintercept.com/2020/12/24/solarwinds-hack-power-infrastructure/</link>
                <comments>https://theintercept.com/2020/12/24/solarwinds-hack-power-infrastructure/#respond</comments>
                <pubDate>Thu, 24 Dec 2020 19:33:33 +0000</pubDate>
                                    <dc:creator><![CDATA[Kim Zetter]]></dc:creator>
                                		<category><![CDATA[Technology]]></category>

                <guid isPermaLink="false">https://theintercept.com/?p=338440</guid>
                                    <description><![CDATA[<p>The companies involved used compromised software, but it's not clear if hackers entered their networks. Finding out could be difficult.</p>
<p>The post <a href="https://theintercept.com/2020/12/24/solarwinds-hack-power-infrastructure/">SolarWinds Hack Infected Critical Infrastructure, Including Power Industry</a> appeared first on <a href="https://theintercept.com">The Intercept</a>.</p>
]]></description>
                                        <content:encoded><![CDATA[<p><u>The hacking campaign</u> that infected numerous government agencies and tech companies with malicious SolarWinds software has also infected more than a dozen critical infrastructure companies in the electric, oil, and manufacturing industries that were also running the software, according to a security firm conducting investigations of some of the breaches.</p>
<p>In addition to the critical infrastructure companies, the SolarWinds software also infected three firms that provide services for such companies, says Rob Lee, CEO of Dragos, Inc., which specializes in industrial control system security and discovered some of the infections.</p>

<p>The service companies are known within the industry as original equipment manufacturers, or OEMs. They sometimes have remote access to critical parts of customer networks, as well as privileges that let them make changes to those networks, install new software, or even control critical operations. This means that hackers who breached the OEMs could potentially use their credentials to control critical customer processes.</p>
<p>“If an OEM has access to a network, and it’s bi-directional, it’s usually for more sensitive equipment like turbine control, and you could actually do disruptive actions,” Lee told The Intercept. “But just because you have access doesn’t mean you know what to do or how to do it. It doesn&#8217;t mean they can then flip off the lights; they have to do more after that.”</p>
<p>But compromising an OEM does magnify the potential risks to infrastructure.</p>
<p>“[I]t’s particularly concerning because … compromising one OEM, depending on where you compromise them, could lead to access to thousands of organizations,” said Lee, a former critical infrastructure threat intelligence analyst for the NSA. “Two of the … OEMs that have been compromised … have access to hundreds of ICS networks around the world.”</p>
<!-- BLOCK(pullquote)[1](%7B%22componentName%22%3A%22PULLQUOTE%22%2C%22entityType%22%3A%22SHORTCODE%22%2C%22optional%22%3Atrue%7D)(%7B%22pull%22%3A%22right%22%7D) --><blockquote class="stylized pull-right" data-shortcode-type="pullquote" data-pull="right"><!-- CONTENT(pullquote)[1] -->“Compromising one OEM could lead to access to thousands of organizations.”<!-- END-CONTENT(pullquote)[1] --></blockquote><!-- END-BLOCK(pullquote)[1] -->
<p>Lee notes that in some cases the OEMs don&#8217;t just have access to customer networks — they actually directly infected their customers with the SolarWinds software. That&#8217;s because some of them use SolarWinds not just on their own networks, but also have installed it on customer networks to manage and monitor those, sometimes without the customers being aware this was done.</p>
<p>Lee wouldn’t identify the OEMs and doesn&#8217;t know if the SolarWinds hackers took an interest in them.</p>
<p>SolarWinds&#8217; Orion network-monitoring software was compromised in March 2020, when a so-called &#8220;backdoor&#8221; was inserted into a signed software update to provide an attacker access to the network of anyone who installed it. Government officials have linked the hack to Russia. The backdoor, which security researchers at cybersecurity company FireEye have dubbed SUNBURST, gathers information about the infected network, then waits roughly two weeks before sending a beacon, encoded in a DNS lookup to an attacker-controlled domain, that carries identifying information about the infected network and signals that the system is open for the hackers to surreptitiously enter. The hackers would have used that information to determine which targets they wanted to burrow into further. Once inside an infected system, the hackers could download more malicious tools and steal employee credentials to gain access to more critical parts of the network — collecting information or altering data or processes there.</p>
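<p>The dormancy-then-beacon behavior described above is the kind of thing a defender can hunt for in egress logs even when the implant itself is not yet known. The script below is an added example, not code from the article or from any vendor: it reads outbound-lookup log lines from network-monitoring hosts and flags any destination outside the host’s egress allowlist, rating it as a “dormant beacon” when the first contact came long after the host’s last software update. The log lines, host names, update dates, domains and the 12-day threshold are all constructed assumptions for the example; none of them is a real indicator of compromise.</p>

```python
"""
Added example (not from the article or from any vendor): hunting for a
dormant supply-chain beacon in egress logs.

The backdoor described above sat quiet for roughly two weeks after it was
installed, then made its first outbound contact to an attacker-controlled
domain. A network-monitoring server talks to a small, predictable set of
external destinations, so two rules catch that pattern:

  1. new-destination: the host contacted a domain outside its egress
     allowlist at all;
  2. dormant-beacon: that first contact came a long time (default 12 days)
     after the host's last software update, i.e. the "sleep, then call
     home" shape rather than an installer fetching updates right away.

Log lines, host names, update dates and domains are all constructed for
the example; none of them is a real indicator of compromise.
"""
from datetime import datetime, timedelta

# Constructed egress log, one "<ISO-8601 UTC time> <host> <domain>" per
# line, in the shape a resolver or proxy would produce for outbound lookups.
SAMPLE_LOG = """\
2020-03-26T09:00:00Z orion01 downloads.vendor.example
2020-03-26T09:05:00Z orion01 ntp.corp.example
2020-03-27T03:00:00Z orion01 ntp.corp.example
2020-04-09T02:14:00Z orion01 7d3a9c1.cdn-metrics.example
2020-04-10T02:14:00Z orion01 7d3a9c1.cdn-metrics.example
2020-03-26T09:00:00Z orion02 downloads.vendor.example
2020-03-26T09:30:00Z orion02 mirror.vendor.example
2020-04-01T12:00:00Z orion02 ntp.corp.example
this line is malformed and is skipped
"""

# Constructed: when each monitoring host last had its software updated.
LAST_UPDATE = {
    "orion01": datetime(2020, 3, 26, 9, 0),
    "orion02": datetime(2020, 3, 26, 9, 0),
}

# Constructed egress allowlist for management servers (the vendor update
# server and the internal time source). Matching is by domain suffix so
# that names under an allowed zone are covered too.
ALLOWLIST = {"downloads.vendor.example", "ntp.corp.example"}


def parse_log(text):
    """Yield (timestamp, host, domain) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # a hunt should skip junk lines, not crash on them
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        yield ts, parts[1], parts[2].lower().rstrip(".")


def is_allowed(domain, allowlist):
    """True if domain equals, or is a subdomain of, an allowlisted name."""
    return any(domain == a or domain.endswith("." + a) for a in allowlist)


def first_contacts(events):
    """Map (host, domain) -> earliest time that host contacted that domain."""
    first = {}
    for ts, host, domain in events:
        key = (host, domain)
        if key not in first or ts < first[key]:
            first[key] = ts
    return first


def find_beacons(log_text, last_update, allowlist,
                 min_dormancy=timedelta(days=12)):
    """Return findings sorted by (host, domain). Each finding records the
    rule that fired, the first-seen time and the dormancy in whole days
    (None when the host has no recorded update time)."""
    findings = []
    contacts = first_contacts(parse_log(log_text))
    for (host, domain), first_seen in sorted(contacts.items()):
        if is_allowed(domain, allowlist):
            continue
        installed = last_update.get(host)
        dormancy = (first_seen - installed) if installed else None
        dormant = dormancy is not None and dormancy >= min_dormancy
        findings.append({
            "host": host,
            "domain": domain,
            "rule": "dormant-beacon" if dormant else "new-destination",
            "first_seen": first_seen,
            "dormancy_days": dormancy.days if dormancy is not None else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG, LAST_UPDATE, ALLOWLIST):
        print(f"{f['rule']:15} {f['host']} -> {f['domain']} "
              f"(first seen {f['first_seen']:%Y-%m-%d}, "
              f"{f['dormancy_days']} days after last update)")
```

<p>On the constructed log, orion01’s first lookup of an unknown domain lands 13 days after its update and is rated a dormant beacon, while orion02’s contact with an unlisted vendor mirror half an hour after updating is reported only as a new destination. The allowlist matters more than the threshold: a management server that may reach anything on the internet gives this hunt nothing to work with, which is one practical reason the article’s point about missing logging and visibility matters.</p>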
<p>Kevin Mandia, CEO of FireEye, has said the attackers only entered about 50 of the thousands of entities that were infected with the backdoor.</p>
<p>Lee said the infections in the critical infrastructure sector occurred not just on companies&#8217; IT networks but also sometimes on actual industrial control system networks that manage critical functions.</p>
<p>There is currently no evidence, however, that the hackers used the backdoor in the SolarWinds software to gain access into the 15 electric, oil, gas, and manufacturing entities that were infected with the software. But Lee notes that it may not be possible to uncover such activity if the attackers did access them and burrow further into the industrial control networks, because critical infrastructure entities generally don’t do extensive logging and monitoring of their control system networks.</p>
<p>“In these ICS networks, most organizations don’t have the data and visibility to actually look for the breach,” says Lee. “So they might determine if they are compromised, but … almost none of them have network logs to … determine if there is follow-on activity [in their network].”</p>
<p>He says all of the infected companies are “doing the necessary hunting and [are] assuming they are compromised.” But without logging to catch the infection and track the hackers’ movements through the network, the companies have to hunt for what looks like malicious behavior. “And this is an adversary that burrows in deep and is very very hard to root out.”</p>
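<p>As an added illustration (not code from the article, from Dragos or from SolarWinds), here is how a hunt along the lines Lee describes can be run when all a site has is coarse connection or flow records for its monitoring server: baseline where that server normally talks during a window shorter than the backdoor’s roughly two-week dormancy, then flag first-time external destinations and first-time connections to other internal hosts on administrative ports. The host addresses, ports, install date and log lines are constructed for the example, and a hit is a lead to investigate, not proof of compromise.</p>

```python
from datetime import datetime, timedelta

# Constructed sample flow records (not real logs): "timestamp src dst dport".
# 10.0.5.10 plays the network-monitoring server; 198.51.100.9 is its vendor's
# update host and 203.0.113.7 an attacker server (both documentation ranges).
SAMPLE_FLOWS = """\
2020-03-20T09:00:00 10.0.5.10 10.0.5.20 161
2020-03-20T09:05:00 10.0.5.10 10.0.5.21 161
2020-03-20T09:10:00 10.0.5.10 198.51.100.9 443
2020-03-21T09:10:00 10.0.5.10 198.51.100.9 443
2020-03-25T09:00:00 10.0.5.10 10.0.5.20 161
2020-04-04T02:13:00 10.0.5.10 203.0.113.7 443
2020-04-04T02:20:00 10.0.5.10 10.0.9.5 445
2020-04-04T02:25:00 10.0.5.10 10.0.9.5 3389
2020-04-05T09:00:00 10.0.5.10 10.0.5.20 161
"""

MONITOR_HOST = "10.0.5.10"
# Assumed: when the trojanized update was installed on the monitoring server.
INSTALL_TIME = datetime(2020, 3, 19, 12, 0, 0)
# Baseline window deliberately shorter than the ~two-week dormancy the article
# describes, so the backdoor's first beacon cannot be learned as "normal".
BASELINE_DAYS = 10
# Ports a monitoring server rarely needs for polling but an intruder needs for
# lateral movement (SSH, RPC, SMB, RDP, WinRM).
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}


def parse_flows(text):
    """Turn the whitespace-separated records into (time, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def is_internal(ip):
    # Assumption for the sample: 10.0.0.0/8 is the only internal range.
    return ip.startswith("10.")


def hunt(records, monitor_host=MONITOR_HOST, install_time=INSTALL_TIME,
         baseline_days=BASELINE_DAYS):
    """Return first-time destinations of the monitoring server after the baseline window."""
    baseline_end = install_time + timedelta(days=baseline_days)
    baseline = {(dst, dport) for ts, src, dst, dport in records
                if src == monitor_host and ts <= baseline_end}
    new_external, lateral, seen = [], [], set()
    for ts, src, dst, dport in sorted(records):
        if src != monitor_host or ts <= baseline_end:
            continue
        key = (dst, dport)
        if key in baseline or key in seen:
            continue
        seen.add(key)
        finding = {"first_seen": ts.isoformat(), "dst": dst, "dport": dport,
                   "days_after_install": (ts - install_time).days}
        if not is_internal(dst):
            new_external.append(finding)      # candidate beacon / tool download
        elif dport in ADMIN_PORTS:
            lateral.append(finding)           # candidate lateral movement
    return {"new_external": new_external, "lateral": lateral}


if __name__ == "__main__":
    for kind, hits in hunt(parse_flows(SAMPLE_FLOWS)).items():
        for h in hits:
            print(kind, h)
```

<p>On the sample the first new external destination appears 15 days after the assumed install date, followed minutes later by SMB and RDP to an internal host the server had never touched, which is the shape of the beacon-then-burrow sequence described above. With perimeter NetFlow or firewall logs for the ICS enclave this is feasible even where host logging is absent.</p>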
<!-- BLOCK(pullquote)[2](%7B%22componentName%22%3A%22PULLQUOTE%22%2C%22entityType%22%3A%22SHORTCODE%22%2C%22optional%22%3Atrue%7D)(%7B%22pull%22%3A%22left%22%7D) --><blockquote class="stylized pull-left" data-shortcode-type="pullquote" data-pull="left"><!-- CONTENT(pullquote)[2] -->“Almost none of them have network logs.”<!-- END-CONTENT(pullquote)[2] --></blockquote><!-- END-BLOCK(pullquote)[2] -->
<p>If the hackers came in through the infected OEMs instead, using those companies&#8217; credentials and privileged access, it could be even more difficult for OEM customers to spot the hackers’ activity since it would look legitimate.</p>
<p>Dragos notified the three OEMs that they were infected, as well as government officials and officials in President-elect Joe Biden’s incoming administration. An alert published last week by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency noted that critical infrastructure entities were compromised by SolarWinds software, but didn’t indicate which industries were affected and didn’t note that this included the OEMs for critical infrastructure.<br />
<!-- BLOCK(photo)[3](%7B%22componentName%22%3A%22PHOTO%22%2C%22entityType%22%3A%22RESOURCE%22%7D)(%7B%22scroll%22%3Afalse%2C%22align%22%3A%22bleed%22%2C%22bleed%22%3A%22large%22%2C%22width%22%3A%22auto%22%7D) --><figure class="img-wrap align-bleed large-bleed width-auto" style="width: auto;"><!-- CONTENT(photo)[3] -->
<img data-recalc-dims="1" height="1024" width="1024" decoding="async" class="aligncenter size-large wp-image-338491" src="https://theintercept.com/wp-content/uploads/2020/12/GettyImages-119416160.jpg?fit=1024%2C1024" alt="Internal computer internet servers are seen at the Telvent GIT SA company headquarters in Madrid, Spain, on Tuesday, July 19, 2011." />
<figcaption class="caption source pullright">Internal computer internet servers are seen at the Telvent GIT SA company headquarters in Madrid on July 19, 2011.<br/>Photo: Denis Doyle/Bloomberg via Getty Images</figcaption><!-- END-CONTENT(photo)[3] --></figure><!-- END-BLOCK(photo)[3] --></p>
<h3>Potential Operations Against a “Pretty Resilient” U.S. Power Grid</h3>
<p>It’s not the first time an industrial control system OEM has been hacked. In 2012, hackers believed to be from China breached an OEM called <a href="https://www.wired.com/2012/09/scada-vendor-telvent-hacked/">Telvent</a>, stole engineering drawings, and accessed files used to program industrial control systems. Telvent, a division of Schneider Electric headquartered in Spain, makes software used in oil and gas pipelines across the U.S. and Canada, as well as in some water control system networks. The breach raised concerns at the time that the hackers could have embedded malicious code in the software to infect customer control systems.</p>
<p>“When you look at industrial networks, many people still believe them to be highly segmented, but that only means segmented from the” corporate enterprise network, Lee said. “While they might be segmented from the enterprise, they have a vast series of connections to OEMs and others who are connected to those networks for maintenance and other [purposes].”</p>
<p>The SolarWinds hacking campaign came to light earlier this month when FireEye revealed that it had been breached by hackers who took red-team tools the company uses to probe customer systems for vulnerabilities. The company then revealed days later that the intruders had gained access to its network using a backdoor that had been implanted in network monitoring software made by the Austin-based company SolarWinds. The software is used widely across government and industry to manage and monitor networks, and SolarWinds has revealed that up to 18,000 customers could have downloaded the infected code.</p>
<p>Investigators in the security community have said they have seen nothing to attribute the SolarWinds campaign to a particular known hacking group or nation, but officials in the government have attributed the operation to Russia, though they haven’t indicated what has led them to this conclusion.</p>
<p>“It’s so many different people in the government [attributing this to Russia], you wouldn’t get this sort of statement if there wasn’t something there,” says James Lewis, a former government official who oversees cybersecurity programs at the Center for Strategic and International Studies. “[T]he forensic guys are looking at what’s left behind [on networks], and that may not be the best way to attribute something. Governments use other methods to look for attribution. So the fact that the forensic people haven’t discovered it isn&#8217;t determinative; they don’t have the full picture.”</p>
<p>Russia has denied responsibility for the hacking operation.</p>
<p>The scope of the hacking operation is still unknown, but so far reports indicate that the <a href="https://www.reuters.com/article/global-cyber/u-s-homeland-security-thousands-of-businesses-scramble-after-suspected-russian-hack-idUSKBN28O1Z3">departments</a> of Homeland Security, Commerce, and the Treasury; at least two national laboratories; the Federal Energy Regulatory Commission; and the <a href="https://www.politico.com/news/2020/12/17/nuclear-agency-hacked-officials-inform-congress-447855">National Nuclear Security Administration</a>, which maintains the nation’s stockpile of nuclear weapons, were all infected. <a href="https://www.reuters.com/article/us-usa-cyber-breach/microsoft-says-it-found-malicious-software-in-its-systems-idUSKBN28R2ZJ">Microsoft</a>, <a href="https://www.wsj.com/articles/solarwinds-hack-victims-from-tech-companies-to-a-hospital-and-university-11608548402">Cisco, and Intel</a> are among those in the tech sector that were also infected. A number of the intrusions at government agencies went beyond merely being infected by the SolarWinds malware. Sen. Ron Wyden revealed this week that the hackers were able to read and steal emails of some of the top officials at the Treasury Department.</p>
<p>Currently, the campaign is being characterized by security professionals and government officials as an espionage operation. But the compromise of critical infrastructure could have put the hackers in a position to do more than simply steal data, if they wanted to do so. Although there is currently no evidence this was or would have been their intention, Russia has a history of engaging in disruptive operations in critical infrastructure.</p>
<p>In 2015, Russia hacked several <a href="https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/">Ukrainian regional power distribution companies</a> and took out power for about 230,000 customers for up to six hours in some cases, in the middle of winter. They repeated the operation in Ukraine in 2016, taking out power to some customers for about an hour, and also struck the State Administration of Railway Transport, which manages Ukraine’s national railway system. The operations led experts to conclude that the Russians were <a href="https://www.vice.com/en/article/bmvkn4/ukrainian-power-station-hacking-december-2016-report">using Ukraine as a test bed</a> to refine hacking techniques that could be used in other countries, such as the U.S.</p>
<p>On Sunday, <a href="https://thehill.com/homenews/sunday-talk-shows/531038-romney-calls-for-response-of-like-magnitude-or-greater-to-russia">speaking</a> on CNN’s “State of the Union,” Sen. Mitt Romney said, “What Russia has done is put in place a capacity to potentially cripple us in terms of our electricity, our power, our water, our communications.” He continued, “This is the same sort of thing one can do in a wartime setting, and so it&#8217;s extraordinarily dangerous, and it’s an outrageous affront on our sovereignty and one that&#8217;s going to have to be met with a very strong response.”</p>
<p>But Suzanne Spaulding, former undersecretary for the Department of Homeland Security who led the division that oversees critical infrastructure security, cautions that the intentions of the SolarWinds adversary are still unknown, and even if they breached networks in the electric, oil, and gas industries, this isn’t the same as having the ability to cause disruption or damage.</p>
<p>&#8220;But you can [still] get a lot of information &#8230; that can help you to plan a truly disruptive attack,” she noted. Because the hackers in the SolarWinds campaign were also able to breach FERC, this could have provided them with information on vulnerabilities and security measures in the U.S. grid that they could later leverage for an attack. She points to the 2015 Russian hack of the Ukrainian distribution companies: The hackers were in those companies’ networks for at least six months doing reconnaissance to understand the equipment and how it worked before taking out the power in December that year.</p>
<!-- BLOCK(pullquote)[4](%7B%22componentName%22%3A%22PULLQUOTE%22%2C%22entityType%22%3A%22SHORTCODE%22%2C%22optional%22%3Atrue%7D)(%7B%22pull%22%3A%22right%22%7D) --><blockquote class="stylized pull-right" data-shortcode-type="pullquote" data-pull="right"><!-- CONTENT(pullquote)[4] -->“You can get a lot of information &#8230; that can help you to plan a truly disruptive attack.”<!-- END-CONTENT(pullquote)[4] --></blockquote><!-- END-BLOCK(pullquote)[4] -->
<p>But even an attack aimed at disrupting the U.S. electric grid would be limited in its effect, she notes.</p>
<p>“It’s hard to have a really impactful attack, particularly on our electric grid, which is pretty resilient,” she said. “[But] we don’t know that that’s what they’re doing.”</p>
<p>In the past, when Russian hackers have targeted the oil and gas industry in hacking operations, Spaulding said the U.S. government assessed that they may have just been looking for information that could make their own oil and gas industry more efficient. “So I don’t think that we can know that their objective here is reconnaissance for being in a position to potentially disrupt critical infrastructure,&#8221; Spaulding said. “I do think that we should always, for planning purposes, assume that and take measures to reduce the damage that could be done. But we can’t know that [this is their intention]. And there’s a difference between assuming that for planning purposes and for mitigation, and assuming that for a [U.S. government] response to Russia.”</p>
<p>Spaulding says this doesn’t mean anyone should take the SolarWinds campaign lightly.</p>
<p>“I don&#8217;t think this is just traditional spy vs. spy espionage. This is of a scale and scope that really is beyond traditional espionage,” she said. “Particularly because we have been told that over half the victims were not government, but were private sector. And if it’s critical infrastructure, not just defense-industrial base, that is not traditional kinds of espionage and that’s very serious.”</p>
<p>Lee cautions that there is no indication yet that the SolarWinds hacking campaign is anything other than espionage at the moment, but just being in critical infrastructure networks gives the adversary potential political power they might not otherwise have. “I&#8217;m thinking about president-elect Biden. The last thing I want him to have to worry about is getting into international relation discussions with Putin or others and not knowing if a foreign adversary can turn their access [in these networks] into a foreign operation on key parts of the infrastructure.”</p>
<p>Although other intruders have been inside the U.S. electric grid before, Lee says this is different. If Iran or China compromises industrial control systems in critical infrastructure, “you assume they could [disrupt operations] but you don’t know [if they have the knowledge and ability],” Lee said. But if Russia is behind the SolarWinds attack, “Russia has shown an ability to go beyond access to disruption. So when they get access you no longer have the question could they use it? The question is how long would it take them and would they?”</p>
<p>The post <a href="https://theintercept.com/2020/12/24/solarwinds-hack-power-infrastructure/">SolarWinds Hack Infected Critical Infrastructure, Including Power Industry</a> appeared first on <a href="https://theintercept.com">The Intercept</a>.</p>
]]></content:encoded>
                                <wfw:commentRss>https://theintercept.com/2020/12/24/solarwinds-hack-power-infrastructure/feed/</wfw:commentRss>
                <slash:comments>0</slash:comments>
                <media:content url='https://theintercept.com/wp-content/uploads/2020/12/GettyImages-667160156-e1608833710618.jpg?fit=2500%2C1250' width='2500' height='1250' /><post-id xmlns="com-wordpress:feed-additions:1">338440</post-id>
		<media:thumbnail url="https://theintercept.com/wp-content/uploads/2020/12/GettyImages-119416160.jpg?w=440&amp;h=440&amp;crop=1" />
		<media:content url="https://theintercept.com/wp-content/uploads/2020/12/GettyImages-119416160.jpg?fit=2000%2C1409" medium="image">
			<media:title type="html">GettyImages-119416160</media:title>
			<media:description type="html">Internal computer internet servers are seen at the Telvent GIT SA company headquarters in Madrid, Spain, July 19, 2011.</media:description>
			<media:thumbnail url="https://theintercept.com/wp-content/uploads/2020/12/GettyImages-119416160.jpg?w=440&amp;h=440&amp;crop=1" />
		</media:content>
            </item>
        
            <item>
                <title><![CDATA[How Cops Can Secretly Track Your Phone]]></title>
                <link>https://theintercept.com/2020/07/31/protests-surveillance-stingrays-dirtboxes-phone-tracking/</link>
                <comments>https://theintercept.com/2020/07/31/protests-surveillance-stingrays-dirtboxes-phone-tracking/#respond</comments>
                <pubDate>Fri, 31 Jul 2020 11:00:04 +0000</pubDate>
                                    <dc:creator><![CDATA[Kim Zetter]]></dc:creator>
                                		<category><![CDATA[Justice]]></category>
		<category><![CDATA[National Security]]></category>
		<category><![CDATA[Technology]]></category>

                <guid isPermaLink="false">https://theintercept.com/?p=313025</guid>
                                    <description><![CDATA[<p>A guide to stingray surveillance technology, which may have been deployed at recent protests.</p>
<p>The post <a href="https://theintercept.com/2020/07/31/protests-surveillance-stingrays-dirtboxes-phone-tracking/">How Cops Can Secretly Track Your Phone</a> appeared first on <a href="https://theintercept.com">The Intercept</a>.</p>
]]></description>
                                        <content:encoded><![CDATA[<p><u>Since May, as</u><span style="font-weight: 400"> protesters around the country have marched against police brutality and in support of the Black Lives Matter movement, activists have spotted a recurring presence in the skies: mysterious <a href="https://theintercept.com/2020/07/23/air-force-surveillance-plane-portland-protests/">planes</a> and helicopters hovering overhead, apparently conducting surveillance on protesters. </span><span style="font-weight: 400">A press release from the Justice Department at the end of May revealed that the Drug Enforcement Administration and U.S. Marshals Service had been asked to </span><a href="https://www.justice.gov/opa/pr/attorney-general-william-p-barr-s-statement-death-george-floyd-and-riots"><span style="font-weight: 400">provide unspecified support to law enforcement</span></a><span style="font-weight: 400"> during protests. A few days later, a </span><a href="https://www.buzzfeednews.com/article/jasonleopold/george-floyd-police-brutality-protests-government"><span style="font-weight: 400">memo</span></a><span style="font-weight: 400"> obtained by BuzzFeed News offered a little more insight; it revealed that shortly after protests began in various cities, the DEA had sought special authority from the Justice Department to covertly spy on Black Lives Matter protesters on behalf of law enforcement. </span></p>
<p><span style="font-weight: 400">Although the press release and memo didn’t say what form the support and surveillance would take, it’s likely that the two agencies were being asked to assist police for a particular reason. Both the DEA and the Marshals possess airplanes outfitted with so-called stingrays or dirtboxes: powerful technologies capable of tracking mobile phones or, depending on how they’re configured, collecting data and communications from mobile phones in bulk.</span></p>
<p><span style="font-weight: 400">Stingrays have been used on the ground and in the air by law enforcement for years but are highly controversial because they don’t just collect data from targeted phones; they collect data from any phone in the vicinity of a device. That data can be used to identify people — protesters, for example — and track their movements during and after demonstrations, as well as to identify others who associate with them. They also can inject spying software onto specific phones or direct the browser of a phone to a website where malware can be loaded onto it, though it’s not clear if any U.S. law enforcement agencies have used them for this purpose.</span></p>
<p><span style="font-weight: 400">Although law enforcement has been using the technologies since the 1990s, the general public learned about them only in the last decade, and much about their capabilities remains unknown because law enforcement agencies and the companies that make the devices have gone to great lengths to keep details secret. Stingrays are routinely used to target suspects in drug and other criminal investigations, but activists also believe the devices were used during </span><a href="https://www.kgw.com/article/news/nd-pipeline-protesters-question-aircraft-surveillance-jamming/283-345780315"><span style="font-weight: 400">protests against the Dakota Access pipeline</span></a><span style="font-weight: 400">, and against Black Lives Matter protesters over the last three months. The Justice Department requires federal agents to obtain a probable cause warrant to use the technology in criminal cases, but there is a </span><a href="https://www.eff.org/deeplinks/2015/09/finally-doj-reverses-course-and-will-get-warrants-stingrays"><span style="font-weight: 400">carve-out for national security</span></a><span style="font-weight: 400">. Given that President Donald Trump has referred to protesters as “</span><a href="https://www.cnn.com/2020/07/25/politics/us-protests-trump-terrorists-intl/index.html"><span style="font-weight: 400">terrorists</span></a><span style="font-weight: 400">,” and that paramilitary-style officers from the Department of Homeland Security have been deployed to the streets of </span><span style="font-weight: 400"><a href="https://theintercept.com/2020/07/24/portland-federal-police-protests/">Portland</a>, Oregon</span><span style="font-weight: 400">, it’s conceivable that surveillance conducted at recent demonstrations has been deemed a national security matter — raising the possibility that the government may have used stingray technology to </span><a href="https://theintercept.com/2020/06/24/fbi-surveillance-social-media-cellphone-dataminr-venntel/"><span style="font-weight: 400">collect data on protesters</span></a><span style="font-weight: 400"> without warrants.</span></p>
<p><span style="font-weight: 400">To better understand the kind of surveillance that may be directed at protesters, here’s a breakdown of what we know and still don’t know about stingrays, and why their use is so controversial.</span></p>
<h3>What is a stingray?</h3>
<p><span style="font-weight: 400">Stingray is the generic name for an electronic surveillance tool that simulates a cell phone tower in order to force mobile phones and other devices to connect to it instead of to a legitimate cell tower. In doing so, the phone or other device reveals information about itself and its user to the operator of the stingray. Other common names for the tool are “cell-site simulator” and “IMSI catcher.”</span></p>
<h3>Why is it called a stingray?</h3>
<p><span style="font-weight: 400">The name stingray comes from the brand name of a specific commercial model of IMSI catcher made by the Florida-based Harris Corporation. That company’s StingRay is a briefcase-sized device that can be operated from a vehicle while plugged into the cigarette lighter. Harris also makes products like the Harpoon, a signal booster that makes the StingRay more powerful, and the KingFish, a smaller hand-held device that operates like a stingray and can be used by a law enforcement agent while walking around outside a vehicle. About a dozen other companies make variants of the stingray with different capabilities. The surveillance equipment is pricey and often sold as a package. For example, in documents obtained by Motherboard in 2016, Harris offered a </span><a href="https://www.vice.com/en_us/article/gv5k3x/heres-how-much-a-stingray-cell-phone-surveillance-tool-costs"><span style="font-weight: 400">KingFish package that cost $157,300</span></a><span style="font-weight: 400"> and a StingRay package that cost $148,000, not including training and maintenance. Documents obtained this year by the American Civil Liberties Union indicate that Harris has upgraded the StingRay to a newer device it calls a </span><a href="https://www.aclu.org/sites/all/libraries/pdf.js/web/viewer.html?file=https%3A%2F%2Fwww.aclu.org%2Fsites%2Fdefault%2Ffiles%2Ffield_document%2F1-282_-_1_-_march_2020_release_.pdf#page=67"><span style="font-weight: 400">Crossbow</span></a><span style="font-weight: 400">, though <a href="https://www.vice.com/en_us/article/jgxm3g/crossbow-imsi-catcher-new-stingray">not a lot of information</a> is known about how it works. Separately, a </span><a href="https://theintercept.com/document/2015/12/16/government-cellphone-surveillance-catalogue/"><span style="font-weight: 400">classified catalog of surveillance tools</span></a><span style="font-weight: 400"> leaked to The Intercept in 2015 describes other similar devices.</span></p>
<!-- BLOCK(photo)[2](%7B%22componentName%22%3A%22PHOTO%22%2C%22entityType%22%3A%22RESOURCE%22%7D)(%7B%22scroll%22%3Afalse%2C%22align%22%3A%22center%22%2C%22width%22%3A%221024px%22%7D) --><figure class="img-wrap align-center  width-fixed" style="width: 1024px;"><!-- CONTENT(photo)[2] -->
<img data-recalc-dims="1" height="1024" width="1024" decoding="async" class="aligncenter size-large wp-image-313267" src="https://theintercept.com/wp-content/uploads/2020/06/AP_17325676668811.jpg?fit=1024%2C1024" alt="FILE - This undated file photo provided by the U.S. Patent and Trademark Office shows the StingRay II, a cellular site simulator used for surveillance purposes manufactured by Harris Corporation, of Melbourne, Fla. Police departments across the country use military-developed technology that can track down suspects by using the signals emitted by their cellphones. Civil liberties groups are increasingly raising objections to the suitcase-sized devices known as StingRays that can sweep up cellphone data from an entire neighborhood. (U.S. Patent and Trademark Office via AP, File)" />
<figcaption class="caption source">StingRay II, a cellular site simulator used for surveillance purposes manufactured by Harris Corporation, of Melbourne, Fla.<br/>Photo: U.S. Patent and Trademark Office via AP</figcaption><!-- END-CONTENT(photo)[2] --></figure><!-- END-BLOCK(photo)[2] -->
<h3>How does the stingray work?</h3>
<p><span style="font-weight: 400">Phones periodically and automatically broadcast their presence to the cell tower that is nearest to them, so that the phone carrier’s network can provide them with service in that location. They do this even when the phone is not being used to make or receive a call. When a phone communicates with a cell tower, it reveals the unique ID or IMSI number (International Mobile Subscriber Identity) associated with the SIM card in the phone. Strictly, the IMSI identifies the subscription on the SIM rather than the handset, which carries a separate hardware identifier (the IMEI), but in practice it identifies that phone and its owner as a paying customer of a cell carrier, and the carrier can match the number to the owner’s name, address, and phone number.</span></p>
<p><span style="font-weight: 400">A stingray masquerades as a cell tower in order to get phones to ping it instead of legitimate cell towers, and in doing so, reveal the phones’ IMSI numbers. It does this by emitting a signal that is stronger than the signal generated by the legitimate cell towers around it, since phones prefer the strongest cell they can hear. On 2G networks the phone never verified the tower at all; mutual authentication, introduced with 3G and kept in 4G, was supposed to address this in part by letting a phone tell whether a cell tower is legitimate. But a security researcher named Roger Piqueras Jover found that the </span><a href="https://arxiv.org/abs/1607.05171"><span style="font-weight: 400">authentication on 4G doesn’t occur</span></a><span style="font-weight: 400"> until after the phone has already revealed its IMSI number, which means that stingrays can still grab this data before the phone determines it’s not communicating with an authentic cell tower and switches to one that is authenticated. That vulnerability </span><a href="https://arxiv.org/abs/1809.06925"><span style="font-weight: 400">still exists in the 5G protocol</span></a><span style="font-weight: 400">, says Jover. Though 5G offers a feature that encrypts the IMSI under the home carrier’s public key when it’s disclosed during pre-authentication communication (the Subscription Concealed Identifier, or SUCI), law enforcement would simply be able to ask phone carriers to decrypt it for them. And a group of researchers from Purdue University and the University of Iowa also found a way to </span><span style="font-weight: 400"><a href="https://homepage.divms.uiowa.edu/~comarhaider/publications/LTE-torpedo-NDSS19.pdf">guess an IMSI number</a> </span><span style="font-weight: 400">without needing to get a carrier to decrypt it.</span></p>
<p><span style="font-weight: 400">Because a stingray is not really a tower on the carrier’s network, calls and messages to and from a phone can’t go through while the phone is communicating with the stingray. So after the stingray captures the device’s IMSI number and location, the stingray “releases” the phone so that it can connect to a real cell tower. It can do this by broadcasting a message to that phone that effectively tells the phone to find a different tower.</span></p>
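<p>The exchange described in the two paragraphs above, as an added example that is not part of the original article: a simplified model of an LTE attach in which the phone sends its IMSI in the clear, the genuine network proves itself with a MAC over a random challenge that only the holder of the SIM’s key can compute, and a rogue base station that cannot compute that MAC still walks away with the identity and then releases the phone with a reject. HMAC-SHA256 stands in for the SIM’s MILENAGE f1 function, the IMSI and key are made up, and each message is reduced to the fields needed for the point.</p>

```python
import hashlib
import hmac
import secrets

# Constructed values: the IMSI is made up and K is generated fresh each run.
IMSI = "310150123456789"
SUBSCRIBER_KEY = secrets.token_bytes(16)   # K: lives only in the SIM and the home network


def mac_a(key, rand, sqn):
    """Network authentication token. HMAC-SHA256 stands in for MILENAGE f1 here."""
    return hmac.new(key, rand + sqn, hashlib.sha256).digest()[:8]


class UE:
    """Phone plus SIM. It can verify the network, but only after naming itself."""

    def __init__(self, imsi, key):
        self.imsi, self.key, self.log = imsi, key, []

    def attach_request(self):
        # No temporary identity (GUTI) cached, so the permanent IMSI goes out in the clear.
        self.log.append(f"UE -> BS: Attach Request, IMSI={self.imsi}")
        return {"type": "AttachRequest", "imsi": self.imsi}

    def handle(self, msg):
        if msg["type"] == "AuthenticationRequest":
            expected = mac_a(self.key, msg["rand"], msg["sqn"])
            if hmac.compare_digest(expected, msg["mac"]):
                self.log.append("UE: AUTN MAC verified, network is genuine")
                return {"type": "AuthenticationResponse"}
            self.log.append("UE -> BS: Authentication Failure (MAC failure)")
            return {"type": "AuthenticationFailure", "cause": "MAC failure"}
        if msg["type"] == "AttachReject":
            self.log.append("UE: Attach Reject received, reselecting another cell")
            return None
        raise ValueError("unexpected message " + msg["type"])


class HomeNetwork:
    """Core network holding K for every subscriber; issues authentication vectors."""

    def __init__(self, subscribers):
        self.subscribers = subscribers

    def auth_vector(self, imsi):
        rand, sqn = secrets.token_bytes(16), (1).to_bytes(6, "big")
        return {"type": "AuthenticationRequest", "rand": rand, "sqn": sqn,
                "mac": mac_a(self.subscribers[imsi], rand, sqn)}


class LegitBaseStation:
    def __init__(self, core):
        self.core = core

    def run(self, ue):
        req = ue.attach_request()
        resp = ue.handle(self.core.auth_vector(req["imsi"]))
        return resp["type"] == "AuthenticationResponse"


class RogueBaseStation:
    """IMSI catcher: wins cell selection on signal strength, harvests, releases."""

    def __init__(self):
        self.captured = []

    def run(self, ue):
        req = ue.attach_request()
        self.captured.append(req["imsi"])       # identity obtained before any authentication
        # Without K it cannot forge a valid MAC; the phone's check fails...
        forged = {"type": "AuthenticationRequest", "rand": secrets.token_bytes(16),
                  "sqn": bytes(6), "mac": bytes(8)}
        ue.handle(forged)
        # ...so it releases the phone with a reject and the phone moves to a real tower.
        ue.handle({"type": "AttachReject"})
        return list(self.captured)


def demo():
    """Run one honest attach and one against a catcher; return what each side learned."""
    core = HomeNetwork({IMSI: SUBSCRIBER_KEY})
    honest_ue, rogue_ue = UE(IMSI, SUBSCRIBER_KEY), UE(IMSI, SUBSCRIBER_KEY)
    authenticated = LegitBaseStation(core).run(honest_ue)
    harvested = RogueBaseStation().run(rogue_ue)
    return authenticated, harvested, rogue_ue.log


if __name__ == "__main__":
    ok, got, log = demo()
    print("honest tower authenticated:", ok)
    print("catcher harvested:", got)
    print("\n".join(log))
```

<p>The phone’s MAC check does exactly what it should, and the catcher still wins, because the check runs after the identity has been sent. A temporary identifier would have hidden the IMSI here, which is why catchers also provoke phones into re-sending the permanent one, and why the 5G concealed identifier moves the protection in front of this first message.</p>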
<h3>What can law enforcement do with the IMSI number?</h3>
<p><span style="font-weight: 400">Law enforcement can use a stingray either to identify all of the phones in the vicinity of the stingray or a specific phone, even when the phones are not in use. Law enforcement can then, with a subpoena, ask a phone carrier to provide the customer name and address associated with that number or numbers. They can also obtain a historical log of all of the cell towers a phone has pinged in the recent past to track where it has been, or they can obtain the cell towers it’s pinging in real time to identify the user’s current location. By catching multiple IMSI numbers in the vicinity of a stingray, law enforcement can also potentially uncover associations between people by seeing which phones ping the same cell towers around the same time.</span></p>
<p><span style="font-weight: 400">If law enforcement already knows the IMSI number of a specific phone and person they are trying to locate, they can program that IMSI number into the stingray and it will tell them if that phone is nearby. Law enforcement can also home in on the location of a specific phone and its user by moving the stingray around a geographical area and measuring the phone’s signal strength as it connects to the stingray. The Harris StingRay can be operated from a patrol vehicle as it drives around a neighborhood to narrow a suspect’s location to a specific cluster of homes or a building, at which point law enforcement can switch to the hand-held KingFish, which offers even more precision. For example, once law enforcement has narrowed the location of a phone and suspect to an office or apartment complex using the StingRay, they can walk through the complex and hallways using the KingFish to find the specific office or apartment where a mobile phone and its user are located.</span></p>
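<p>An added example, not from the article, of the signal-strength homing described above: the catcher stops at several known positions, records the phone’s received signal strength at each, converts each reading to a range with a log-distance path-loss model, and grid-searches for the spot whose distances to the stops best match those ranges. The transmit power, path-loss exponent, stop positions and phone position are constructed; real readings are noisy and the procedure narrows to a block or building rather than a point, which is why the hand-held unit is needed for the last stretch.</p>

```python
import math

# Assumed radio model parameters (not from the article): handset power as seen
# at 1 m, and an urban path-loss exponent.
TX_POWER_DBM = 23.0
PATH_LOSS_EXP = 2.7
# Constructed stop positions (metres) where the catcher pauses to take a reading.
STOPS = [(0.0, 0.0), (100.0, 0.0), (0.0, 100.0), (100.0, 100.0), (50.0, 50.0)]


def rssi_at(distance_m, tx_power=TX_POWER_DBM, n=PATH_LOSS_EXP):
    """Log-distance path loss: received power drops 10*n dB per decade of distance."""
    return tx_power - 10.0 * n * math.log10(max(distance_m, 1.0))


def range_from_rssi(rssi, tx_power=TX_POWER_DBM, n=PATH_LOSS_EXP):
    """Invert the model to get the distance implied by one reading."""
    return 10.0 ** ((tx_power - rssi) / (10.0 * n))


def simulate_readings(phone_xy, stops=STOPS):
    """Constructed measurements: what the catcher would log at each stop (noise-free)."""
    px, py = phone_xy
    return [((sx, sy), rssi_at(math.hypot(sx - px, sy - py))) for sx, sy in stops]


def locate(readings, extent=100.0, step=1.0):
    """Grid search for the point whose distances to the stops best fit the ranges."""
    ranges = [(pos, range_from_rssi(r)) for pos, r in readings]
    best, best_err = None, float("inf")
    cells = int(extent / step) + 1
    for i in range(cells):
        for j in range(cells):
            x, y = i * step, j * step
            err = sum((math.hypot(x - sx, y - sy) - d) ** 2 for (sx, sy), d in ranges)
            if err < best_err:
                best, best_err = (x, y), err
    return best, best_err


if __name__ == "__main__":
    truth = (37.0, 52.0)
    est, err = locate(simulate_readings(truth))
    print("true position", truth, "estimate", est, "residual", round(err, 6))
```

<p>Three non-collinear stops are enough in principle; more stops and a finer grid buy resilience against the multipath and shadowing that real urban readings carry, and a wrong path-loss exponent biases every range the same way, which moves the estimate without making the fit look bad.</p>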
<h3>Does the device only track mobile phones?</h3>
<p><span style="font-weight: 400">No. In 2008, authorities used a StingRay and a KingFish to locate a suspect who was using an air card: an internet-connectivity device that plugs into a computer and allows the user to get online through a wireless cellular network. The suspect, </span><a href="https://www.theverge.com/2016/1/13/10758380/stingray-surveillance-device-daniel-rigmaiden-case"><span style="font-weight: 400">Daniel Rigmaiden</span></a><span style="font-weight: 400">, was an identity thief who was operating from an apartment in San Jose, California. Rigmaiden had </span><a href="https://www.wired.com/2013/04/verizon-rigmaiden-aircard/"><span style="font-weight: 400">used a stolen credit card number</span></a><span style="font-weight: 400"> and a fake name and address to register his internet account with Verizon. With Verizon’s help, the FBI was able to identify him. They determined the general neighborhood in San Jose where Rigmaiden was using the air card so they could position their stingray in the area and move it around until they found the apartment building from which his signal was coming. They then walked around the apartment complex with a hand-held KingFish or similar device to pinpoint the precise apartment Rigmaiden was using.</span></p>
<h3>What is a dirtbox?</h3>
<p><span style="font-weight: 400">A dirtbox is the common name for specific models of an IMSI catcher that are made by a Boeing subsidiary, Maryland-based Digital Receiver Technology — hence the name “DRT box.” They are reportedly used by the DEA and Marshals Service from airplanes to intercept data from mobile phones. A 2014 </span><span style="font-weight: 400">Wall Street Journal article</span><span style="font-weight: 400"> <a href="https://www.wsj.com/articles/americans-cellphones-targeted-in-secret-u-s-spy-program-1415917533">revealed</a> that the Marshals Service began using dirtboxes in Cessna airplanes in 2007. An airborne dirtbox has the ability to collect data on many more phones than a ground-based stingray; it can also move more easily and quickly over wide areas. According to the </span><a href="https://theintercept.com/document/2015/12/16/government-cellphone-surveillance-catalogue/"><span style="font-weight: 400">2006 catalog of surveillance technologies</span></a><span style="font-weight: 400"> leaked in 2015, models of dirtboxes described in that document can be configured to track up to 10,000 targeted IMSI numbers or phones.</span></p>
<h3>Do stingrays and dirtboxes have other capabilities?</h3>
<p><span style="font-weight: 400">Stingrays and dirtboxes can be configured for use in either active or passive mode. In active mode, these technologies broadcast to devices and communicate with them. Passive mode involves grabbing whatever data and communication is occurring in real time across cellular networks without requiring the phone to communicate directly with the interception device. The data captured can include the IMSI number as well as text messages, email, and voice calls. </span></p>
<p><span style="font-weight: 400">If that data or communication is encrypted, it is useless to anyone intercepting it unless they also have a way to decrypt it. Phones using 4G employ strong encryption. But stingrays can force phones to downgrade to 2G, a less secure protocol, and tell the phone to use either no encryption or weak encryption that can be cracked. They can do this because, even though most people use 4G these days, there are some areas of the world where 2G networks are still common, and therefore all phones must retain the ability to communicate on those networks.</span></p>
<p><span style="font-weight: 400">The versions of stingrays used by the military can intercept the contents of mobile communications — text messages, email, and voice calls — and decrypt some types of this mobile communication. The military also uses a jamming or denial-of-service feature that prevents adversaries from detonating bombs with a mobile phone. </span></p>
<p><span style="font-weight: 400">In addition to collecting the IMSI number of a device and intercepting communications, military-grade IMSI catchers can also spoof text messages to a phone, according to David Burgess, a telecommunications engineer who used to work with U.S. defense contractors supporting overseas military operations. Burgess says that if the military knows the phone number and IMSI number of a target, it can use an IMSI catcher to send messages to other phones as if they are coming from the target’s phone. They can also use the IMSI catcher for a so-called man-in-the-middle attack so that calls from one target pass through the IMSI catcher to the target phone. In this way, they can record the call in real time and potentially listen to the conversation if it is unencrypted, or if they are able to decrypt it. The military systems can also send a silent SMS message to a phone to alter its settings so that the phone will send text messages through a server the military controls instead of the mobile carrier’s server.</span></p>
<h3>Can the devices be used to infect phones with malware?</h3>
<p><span style="font-weight: 400">Versions of the devices used by the military and intelligence agencies can potentially inject malware into targeted phones, depending on how secure the phone is. They can do this in two ways: They can either redirect the phone’s browser to a malicious web site where malware can be downloaded to the phone if the browser has a software vulnerability the attackers can exploit; or they can inject malware from the stingray directly into the baseband of the phone if the baseband software has a vulnerability. Malware injected into the baseband of a phone is harder to detect. Such malware can be used to turn the phone into a listening device to spy on conversations. Recently, Amnesty International reported on the cases of two Moroccan activists whose phones </span><a href="https://www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/"><span style="font-weight: 400">may have been targeted through such network injection attacks</span></a><span style="font-weight: 400"> to install spyware made by an Israeli company.</span></p>
<p><span style="font-weight: 400">U.S. law enforcement use of stingrays domestically is more curtailed, given that they, unlike the military, need to obtain warrants or court orders to use the devices in federal investigations. But there is little transparency or oversight around how the devices are used by federal agents and local police, so there is still a lot that is unknown: for example, whether they’ve ever been used to record the contents of mobile phone communications or to install malware on phones.</span></p>
<p><a href="https://www.wsj.com/articles/americans-cellphones-targeted-in-secret-u-s-spy-program-1415917533"><span style="font-weight: 400">News stories</span></a><span style="font-weight: 400"> suggest that some models of stingrays used by the Marshals Service can extract text messages, contacts, and photos from phones, though they don’t say how the devices do this. </span><span style="font-weight: 400">Documents</span><a href="https://www.wired.com/2015/10/stingray-government-spy-tools-can-record-calls-new-documents-confirm/"><span style="font-weight: 400"> obtained by the ACLU</span></a><span style="font-weight: 400"> in 2015 also indicate such devices do have the ability to record the numbers of incoming and outgoing calls and the date, time, and duration of the calls, as well as to intercept the content of voice and text communications. But the Justice Department has long asserted publicly that the stingrays it uses domestically </span><a href="http://www.justice.gov/opa/pr/justice-department-announces-enhanced-policy-use-cell-site-simulators"><span style="font-weight: 400">do not intercept the content of communications</span></a><span style="font-weight: 400">. The Justice Department has stated that the devices “may be capable of intercepting the contents of communications and, therefore, such devices must be configured to disable the interception function, unless interceptions have been authorized by a Title III [wiretapping] order.”</span></p>
<p><span style="font-weight: 400">As for jamming communications domestically, Dakota Access pipeline protesters at Standing Rock, North Dakota, in 2016 </span><a href="https://www.kgw.com/article/news/nd-pipeline-protesters-question-aircraft-surveillance-jamming/283-345780315"><span style="font-weight: 400">described planes and helicopters flying overhead</span></a><span style="font-weight: 400"> that they believed were using technology to jam mobile phones. Protesters described having problems such as phones crashing, livestreams being interrupted, and issues uploading videos and other posts to social media.</span></p>
<!-- BLOCK(photo)[3](%7B%22componentName%22%3A%22PHOTO%22%2C%22entityType%22%3A%22RESOURCE%22%7D)(%7B%22scroll%22%3Afalse%2C%22align%22%3A%22bleed%22%2C%22bleed%22%3A%22full%22%2C%22width%22%3A%22auto%22%7D) --><figure class="img-wrap align-bleed full-bleed width-auto" style="width: auto;"><!-- CONTENT(photo)[3] -->
<p><img loading="lazy" decoding="async" width="2001" height="295" class="aligncenter size-large wp-image-313368" src="https://theintercept.com/wp-content/uploads/2020/06/singray-theintercept-2-26.png" alt="singray-theintercept-2-26" srcset="https://theintercept.com/wp-content/uploads/2020/06/singray-theintercept-2-26.png?w=2001 2001w, https://theintercept.com/wp-content/uploads/2020/06/singray-theintercept-2-26.png?w=300 300w, https://theintercept.com/wp-content/uploads/2020/06/singray-theintercept-2-26.png?w=768 768w, https://theintercept.com/wp-content/uploads/2020/06/singray-theintercept-2-26.png?w=1024 1024w, https://theintercept.com/wp-content/uploads/2020/06/singray-theintercept-2-26.png?w=1536 1536w, https://theintercept.com/wp-content/uploads/2020/06/singray-theintercept-2-26.png?w=540 540w, https://theintercept.com/wp-content/uploads/2020/06/singray-theintercept-2-26.png?w=1000 1000w" sizes="auto, (max-width: 1200px) 100vw, 1200px" />
</p><!-- END-CONTENT(photo)[3] --></figure><!-- END-BLOCK(photo)[3] -->
<h3>Why are stingrays and dirtboxes so controversial?</h3>
<p><span style="font-weight: 400">The devices don’t just pick up data about targeted phones. Law enforcement may be tracking a specific phone of a known suspect, but any phone in the vicinity of the stingray that is using the same cellular network as the targeted phone or device will connect to the stingray. Documents in a 2011 criminal case in Canada showed that devices used by the Royal Canadian Mounted Police had a range of a third of a mile, and in just three minutes of use, one device had intercepted </span><a href="https://web.archive.org/web/20160419030412/https:/www.theglobeandmail.com/news/national/rcmp-listening-tool-capable-of-knocking-out-911-calls-memo-reveals/article29672075/"><span style="font-weight: 400">136 different phones</span></a><span style="font-weight: 400">.</span></p>
<p><span style="font-weight: 400">Law enforcement can also use a stingray in a less targeted way to sweep up information about all nearby phones. During the time a phone is connecting to or communicating with a stingray, service is disrupted for those phones until the stingray releases them. The connection should last only as long as it takes for the phone to reveal its IMSI number to the stingray, but it’s not clear what kind of testing and oversight the Justice Department has done to ensure that the devices release phones. Stingrays are supposed to allow 911 calls to pass through to a legitimate cell tower to avoid disrupting emergency services, but other emergency calls a user may try to make while their phone is connected to a stingray will not get through until the stingray releases their phone. It’s also not clear how effective the devices are at letting 911 calls go through. The FBI and DHS have indicated that they </span><a href="https://docs.fcc.gov/public/attachments/DOC-355228A2.pdf"><span style="font-weight: 400">haven’t commissioned studies</span></a><span style="font-weight: 400"> to measure this, but a study conducted by federal police in Canada found that the 911 bypass didn’t always work.</span></p>
<p><span style="font-weight: 400">Depending on how many phones are in the vicinity of a stingray, hundreds could connect to the device and potentially have service disrupted. </span></p>
<h3>How long has law enforcement been using stingrays?</h3>
<p><span style="font-weight: 400">The technology is believed to have originated in the military, though it’s not clear when it was first used in combat zones or domestically in the U.S. The earliest public mention of a stingray-like device being used by U.S. law enforcement occurred in 1994, when the FBI used a crude, jury-rigged version of the tool to</span><span style="font-weight: 400"><a href="https://www.wired.com/1996/02/catching/"> track former hacker Kevin Mitnick</a>; authorities </span><span style="font-weight: 400">referred to that device as a Triggerfish. In a case in Utah in 2009, an FBI agent revealed in a court document that cell-site simulators had been in use by law enforcement for more than a decade. He also said they weren’t just used by the FBI but also by the Marshals Service, the Secret Service, and other agencies. Recent documents obtained by the ACLU also indicate that between 2017 and 2019, the Department of Homeland Security’s Homeland Security Investigations unit has </span><a href="https://www.aclu.org/news/immigrants-rights/ice-records-confirm-that-immigration-enforcement-agencies-are-using-invasive-cell-phone-surveillance-devices/"><span style="font-weight: 400">used stingrays at least 466 times</span></a><span style="font-weight: 400"> in investigations. BuzzFeed News had previously obtained records showing that from 2013 to 2017, HSI had used the technology </span><a href="https://www.buzzfeednews.com/article/adolfoflores/this-is-how-many-times-the-department-of-homeland-security"><span style="font-weight: 400">1,885 times</span></a><span style="font-weight: 400">.</span></p>
<h3>Aside from the potential for widespread surveillance, are there other problems with the technology?</h3>
<p><span style="font-weight: 400">The other controversy with stingrays involves secrecy and lack of transparency around their use. Law enforcement agencies and the companies that make the devices have prevented the public from obtaining information about their capabilities and from learning how often the technology is deployed in investigations. Agencies sign nondisclosure agreements with the companies, which they use as a shield whenever journalists or others file public records requests to obtain information about the technology. Law enforcement agencies claim criminals could craft anti-surveillance methods to undermine the technology if they knew how it worked. The companies themselves cite trade secrets and proprietary information to prevent the public from obtaining sales literature and manuals about the technology.</span></p>
<p><span style="font-weight: 400">For years, law enforcement used the devices without obtaining a court order or warrant. Even when they did seek approval from a court, they often described the technology in misleading terms to make it seem less invasive. They would often refer to stingrays in court documents as a “pen register device,” a passive device that sits on a network and records the numbers dialed from a certain phone number. They withheld the fact that the devices force phones to connect to them, that they force other phones that aren’t the target device to connect to them, and that they can perform more functions than simply grabbing an IMSI number. Most significantly, they withheld the fact that the device emits signals that can track a user and their phone inside a private residence. After the FBI used a stingray to track Rigmaiden (the identity thief in San Jose) in his apartment, Rigmaiden’s lawyers got the Justice Department to </span><a href="https://www.wired.com/2011/11/feds-fake-cell-phone-tower/"><span style="font-weight: 400">acknowledge it qualified as a Fourth Amendment search</span></a><span style="font-weight: 400"> that would require a warrant.</span></p>
<p><span style="font-weight: 400">Law enforcement agents have not only deceived judges, however; they’ve also misled defense attorneys seeking information about how agents tracked their clients. In some court documents, law enforcement officials have indicated that they obtained location information about the defendant from a “</span><a href="https://www.aclu.org/blog/free-future/aclu-obtained-documents-reveal-breadth-secretive-stingray-use-florida"><span style="font-weight: 400">confidential source</span></a><span style="font-weight: 400">,” when in truth they used a stingray to track them.</span></p>
<p><span style="font-weight: 400">To address this deception, the Justice Department in 2015 implemented a new policy requiring all federal agents engaged in criminal investigations to obtain a probable cause search warrant before using a stingray. It also requires agents and prosecutors to tell judges when the warrant they are seeking is for a stingray; and it requires them to limit the use of the stingray’s capabilities to tracking the location of a phone and logging the phone numbers for calls received and made by the phone. They cannot collect the contents of communication, such as text messages and emails. And agents are required to purge the data they collect from non-targeted phones within 24 hours or 30 days, depending on the circumstances.</span></p>
<p><span style="font-weight: 400">The problem, however, is that Justice Department policy is not law. And although the policy includes state and local law enforcement agencies when they are working on a case with federal agents and want to use the devices, it does not cover those agencies </span><a href="https://www.eff.org/deeplinks/2015/09/finally-doj-reverses-course-and-will-get-warrants-stingrays"><span style="font-weight: 400">when they are working on cases alone</span></a><span style="font-weight: 400">. To address this loophole, lawmakers would need to pass a federal law banning the use of stingrays without a warrant, but </span><a href="https://www.wired.com/2015/11/new-bill-would-force-cops-to-get-warrants-before-spying-with-stingrays/"><span style="font-weight: 400">efforts to do so</span></a><span style="font-weight: 400"> have so far been unsuccessful.</span></p>
<p><span style="font-weight: 400">One bigger issue with the Justice Department policy is that, as noted above, it only applies to criminal investigations, not national security ones, and it also includes a carve-out for “exigent circumstances” that are not clearly defined. Federal agents are not required to seek a warrant to use the technology in cases involving such circumstances. Whether the government has used the technology against Black Lives Matter protesters without a warrant is likely something that will remain a secret for some time.</span></p>
<p>The post <a href="https://theintercept.com/2020/07/31/protests-surveillance-stingrays-dirtboxes-phone-tracking/">How Cops Can Secretly Track Your Phone</a> appeared first on <a href="https://theintercept.com">The Intercept</a>.</p>
]]></content:encoded>
                                <wfw:commentRss>https://theintercept.com/2020/07/31/protests-surveillance-stingrays-dirtboxes-phone-tracking/feed/</wfw:commentRss>
                <slash:comments>0</slash:comments>
                <media:content url='https://theintercept.com/wp-content/uploads/2020/06/singray-theintercept-SH-25.jpg?fit=2001%2C1001' width='2001' height='1001' /><post-id xmlns="com-wordpress:feed-additions:1">313025</post-id>
		<media:thumbnail url="https://theintercept.com/wp-content/uploads/2020/07/GettyImages-1218280802-crop.jpg?fit=300%2C150" />
		<media:content url="https://theintercept.com/wp-content/uploads/2020/07/GettyImages-1218280802-crop.jpg?fit=300%2C150" medium="image" />
		<media:content url="https://theintercept.com/wp-content/uploads/2020/06/AP_17325676668811.jpg?fit=2788%2C1783" medium="image">
			<media:title type="html">Cellphone Surveillance</media:title>
			<media:description type="html">StingRay II, a cellular site simulator used for surveillance purposes manufactured by Harris Corporation, of Melbourne, Fla.</media:description>
			<media:thumbnail url="https://theintercept.com/wp-content/uploads/2020/06/AP_17325676668811.jpg?w=440&amp;h=440&amp;crop=1" />
		</media:content>
		<media:content url="https://theintercept.com/wp-content/uploads/2020/06/singray-theintercept-2-26.png?fit=2001%2C295" medium="image">
			<media:title type="html">singray-theintercept-2-26</media:title>
			<media:thumbnail url="https://theintercept.com/wp-content/uploads/2020/06/singray-theintercept-2-26.png?w=440&amp;h=440&amp;crop=1" />
		</media:content>
            </item>
        
            <item>
                <title><![CDATA[One Little-Watched Race Has Huge Implications for Election Hacking and Voter Suppression in Georgia]]></title>
                <link>https://theintercept.com/2018/11/13/georgia-secretary-of-state-voter-suppression/</link>
                <comments>https://theintercept.com/2018/11/13/georgia-secretary-of-state-voter-suppression/#respond</comments>
                <pubDate>Tue, 13 Nov 2018 15:50:00 +0000</pubDate>
                                    <dc:creator><![CDATA[Kim Zetter]]></dc:creator>
                                		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Technology]]></category>

                <guid isPermaLink="false">https://theintercept.com/?p=222550</guid>
                                    <description><![CDATA[<p>A December 4 runoff for secretary of state will help determine how Georgia handles decisions around securing voting machines and purging voter rolls.</p>
<p>The post <a href="https://theintercept.com/2018/11/13/georgia-secretary-of-state-voter-suppression/">One Little-Watched Race Has Huge Implications for Election Hacking and Voter Suppression in Georgia</a> appeared first on <a href="https://theintercept.com">The Intercept</a>.</p>
]]></description>
                                        <content:encoded><![CDATA[<p><u>So much attention</u> in the midterm elections this year has focused on the gubernatorial race in Georgia between Republican Brian Kemp and Democrat Stacey Abrams that the race for secretary of state, the office Kemp is vacating, has gone largely ignored.</p>
<p>It&#8217;s arguably the more important race, since this is the office that will control the state&#8217;s voter registration database and any purges made to the voter roll going forward. Equally important, it&#8217;s the office that will be responsible for programming all of the state&#8217;s currently paperless voting machines that can&#8217;t be audited, though Georgia will be looking to replace these machines with an undetermined model next year. Both of these factors could make Georgia a hotbed for voter suppression tactics and for concerns about vote-counting integrity in the 2020 presidential elections, experts said.</p>
<p>&#8220;We&#8217;ve said all along for the last two years that this is probably the most important office we would be electing in 2018 because of the broad scope of oversight and duties that the secretary of state has in Georgia,&#8221; said Sara Henderson, executive director of Common Cause Georgia, a nonprofit, nonpartisan voting advocacy group. &#8220;There&#8217;s a lot of talk within the national media that in Georgia, the counties control their own elections. But nothing could be further from the truth. That&#8217;s how we&#8217;re set up regarding our election laws, but that is not in effect how it operates here. The secretary of state absolutely 100 percent impacts how and what the counties do.&#8221;</p>
<p>Georgia is one of only a few states that uses a single model of voting machines statewide — in this case, paperless direct-recording electronic machines made by the now-defunct Diebold Election Systems — and also uses a centralized model for programming those machines before each election. Instead of letting county elections offices or an independent third party program them, Kemp&#8217;s office controls this task — a job it only assumed last year in a controversial move that occurred in the middle of Kemp&#8217;s heated campaign for governor.</p>
<p>Kemp has so far narrowly escaped a runoff in his gubernatorial race with Abrams, after barely amassing the 50 percent of votes needed for victory (he had 50.2 percent at last count, about 59,000 more votes than Abrams; a federal judge on Monday <a href="https://www.nytimes.com/2018/11/12/us/georgia-governor-election.html">ordered</a> election results not be certified for several more days, responding to one of several challenges seeking time to resolve questions over the number of absentee and provisional ballots being counted). But this isn&#8217;t the case for the two candidates now vying for Kemp&#8217;s former job. The tight race for secretary of state between Republican Brad Raffensperger, a state representative and businessman, and former Democratic Rep. John Barrow, who served in the House for a decade, will go into a runoff on December 4. The tally in their race as of Friday gave Raffensperger the lead with 49.2 percent of votes to Barrow&#8217;s 48.6 percent, a difference of 24,210 votes. The candidates now face challenges with getting voters to turn up for the runoff, as such races traditionally produce lower voter turnout than regular elections.</p>
<p>Who wins the secretary of state’s race will determine in part whether Kemp’s controversial handling of voter purges continues.</p>
<!-- BLOCK(photo)[1](%7B%22componentName%22%3A%22PHOTO%22%2C%22entityType%22%3A%22RESOURCE%22%7D)(%7B%22scroll%22%3Afalse%2C%22align%22%3A%22bleed%22%2C%22bleed%22%3A%22large%22%2C%22width%22%3A%22auto%22%7D) --><figure class="img-wrap align-bleed large-bleed width-auto" style="width: auto;"><!-- CONTENT(photo)[1] -->
<img loading="lazy" decoding="async" width="3000" height="2000" class="aligncenter size-large wp-image-222606" src="https://theintercept.com/wp-content/uploads/2018/11/AP_18312691395810-kemp-1542086145.jpg" alt="Republican Brian Kemp, right, holds a news conference with Georgia Gov. Nathan Deal, left, in the Governor's ceremonial office at the Capitol on Thursday, Nov. 8, 2018, in Atlanta, Ga. Kemp resigned Thursday as Georgia's secretary of state, a day after his campaign said he's captured enough votes to become governor despite his rival's refusal to concede. (Bob Andres/Atlanta Journal-Constitution via AP)" srcset="https://theintercept.com/wp-content/uploads/2018/11/AP_18312691395810-kemp-1542086145.jpg?w=3000 3000w, https://theintercept.com/wp-content/uploads/2018/11/AP_18312691395810-kemp-1542086145.jpg?w=300 300w, https://theintercept.com/wp-content/uploads/2018/11/AP_18312691395810-kemp-1542086145.jpg?w=768 768w, https://theintercept.com/wp-content/uploads/2018/11/AP_18312691395810-kemp-1542086145.jpg?w=1024 1024w, https://theintercept.com/wp-content/uploads/2018/11/AP_18312691395810-kemp-1542086145.jpg?w=1536 1536w, https://theintercept.com/wp-content/uploads/2018/11/AP_18312691395810-kemp-1542086145.jpg?w=2048 2048w, https://theintercept.com/wp-content/uploads/2018/11/AP_18312691395810-kemp-1542086145.jpg?w=540 540w, https://theintercept.com/wp-content/uploads/2018/11/AP_18312691395810-kemp-1542086145.jpg?w=1000 1000w, https://theintercept.com/wp-content/uploads/2018/11/AP_18312691395810-kemp-1542086145.jpg?w=2400 2400w" sizes="auto, (max-width: 1200px) 100vw, 1200px" />
<figcaption class="caption source pullright">Republican Brian Kemp, right, holds a news conference to resign as Georgia&#8217;s secretary of state with Gov. Nathan Deal, left, on Nov. 8, 2018, in Atlanta, Ga.<br/>Photo: Bob Andres/Atlanta Journal-Constitution via AP</figcaption><!-- END-CONTENT(photo)[1] --></figure><!-- END-BLOCK(photo)[1] -->
<p><u>Kemp and his</u> office have been accused of voter suppression through aggressive purges of the state&#8217;s voter roll. Last year, his office purged some 668,000 voters who Kemp&#8217;s staff said had died, moved, or been inactive in casting ballots for six years or more. But a recent investigation has <a href="https://www.rollingstone.com/politics/politics-news/brian-kemp-340000-voters-748165/">called into question</a> whether 340,000 voters who had been removed for allegedly moving out of state actually moved. Kemp also attempted to block the registration of 53,000 new voters this year by determining that signatures and other information on their applications weren’t an “exact match” with secondary documents on file for the voters; a lawsuit and <a href="https://www.washingtonpost.com/politics/2018/11/03/judge-rules-against-brian-kemp-over-georgia-voting-restrictions-days-before-gubernatorial-election/?utm_term=.df07e1382bd6">court ruling, however, intervened to stop him</a>.</p>
<p>The issue of purging inactive voters came up during the secretary of state’s race. Raffensperger said <a href="https://politics.myajc.com/news/state--regional-govt--politics/voting-integrity-debated-georgia-secretary-state-candidates/H9FxgQmhD3cgyB31JJHQoJ/">in a debate</a> that he supports purging inactive registered voters whose only lapse is not voting in past elections, while Barrow opposes such purges.</p>
<p>But purging voters wasn’t the only control Kemp wielded over the midterms. As chief election official in the state, he had certain authority over election procedures and recounts, including of his own gubernatorial race. Kemp came under fire by former President Jimmy Carter and others for refusing to recuse himself from overseeing an election in which he was also a candidate for office. Carter has served as an election monitor for years in dozens of other countries. &#8220;This runs counter to the most fundamental principle of democratic elections that the electoral process be managed by an independent and impartial election authority,&#8221; Carter <a href="https://www.apnews.com/02bf11f29ada46d0833be6e3091b0c31">wrote in a letter to Kemp</a> before the election. Kemp only resigned from his secretary of state position last Thursday, after securing the lead in his gubernatorial race.</p>
<p>&#8220;It&#8217;s unquestionably improper for the secretary of state to control the programming and management of the voting machines that will decide his election contest [or his replacement],&#8221; said Susan Greenhalgh, policy director at the National Election Defense Coalition, a voter integrity group. &#8220;But in Georgia, it&#8217;s much worse because there is no paper ballot, no physical evidence that provides a permanent record of voter intent that can be used to confirm the correctness of the election outcome. Voters just have to trust the secretary of state.&#8221;</p>
<!-- BLOCK(pullquote)[2](%7B%22componentName%22%3A%22PULLQUOTE%22%2C%22entityType%22%3A%22SHORTCODE%22%2C%22optional%22%3Atrue%7D)(%7B%22pull%22%3A%22right%22%7D) --><blockquote class="stylized pull-right" data-shortcode-type="pullquote" data-pull="right"><!-- CONTENT(pullquote)[2] -->“In Georgia, there is no physical evidence that provides a permanent record of voter intent.”<!-- END-CONTENT(pullquote)[2] --></blockquote><!-- END-BLOCK(pullquote)[2] -->
<p>Georgia&#8217;s current governor, Nathan Deal, appointed attorney Robyn Crittenden as interim secretary of state until the runoff for the office in December. Crittenden, an African-American who headed the state&#8217;s Department of Human Services, <a href="https://www.ajc.com/news/state--regional-govt--politics/who-robyn-crittenden-georgia-new-secretary-state/RoW4e16x3QBQ5isc3HD6CN/">told the Atlanta Journal-Constitution</a> that she intends “to take on this role in the same way I have approached my previous work in state government with a focus on transparency and service to the people of Georgia. Georgians can rest assured that I’m going to give this job my all, and that we’re going to follow the law.”</p>
<p>Common Cause&#8217;s Henderson called the appointment of a neutral party as interim secretary of state a good move and said her group feels &#8220;more confident about the runoff than we did about Election Day and early voting when Kemp was overseeing that process.&#8221;</p>
<p>During his tenure as secretary of state, Kemp didn’t just control the programming of all machines in the state; he also vigorously fought with election integrity activists who filed a lawsuit last year seeking to rid the state of its paperless voting machines on grounds that the machines aren&#8217;t secure and can&#8217;t be audited to verify that the software hasn&#8217;t been manipulated by malicious code. Georgia has been using its paperless machines since 2002, with Kemp and the Republican secretaries of state who preceded him defying numerous calls over the years to replace the machines with systems that can be audited; they resisted these calls even as other states around the country, like California, Florida, and Ohio, passed laws requiring their counties to switch to machines that produce a paper trail or use voter-marked paper ballots that can be audited.</p>
<p>Georgia isn&#8217;t the only state where the secretary of state oversees elections; that person is also chief election official in many states. But elsewhere, these offices serve a broad oversight function that doesn&#8217;t involve direct involvement in the administration of elections. Instead, local election officials in most states choose the machines they use, which generally results in a patchwork of voting machines around the state, and program those machines either through in-house staff, the voting machine vendor, or a third-party contractor. Georgia not only uses a single model of voting machine statewide, but also programs those machines from the secretary of state&#8217;s office.</p>
<!-- BLOCK(photo)[3](%7B%22componentName%22%3A%22PHOTO%22%2C%22entityType%22%3A%22RESOURCE%22%7D)(%7B%22scroll%22%3Afalse%2C%22align%22%3A%22bleed%22%2C%22bleed%22%3A%22large%22%2C%22width%22%3A%22auto%22%7D) --><figure class="img-wrap align-bleed large-bleed width-auto" style="width: auto;"><!-- CONTENT(photo)[3] -->
<img loading="lazy" decoding="async" width="4000" height="2667" class="aligncenter size-large wp-image-222608" src="https://theintercept.com/wp-content/uploads/2018/11/GettyImages-1014454350-1542086674.jpg" alt="A voter uses an electronic voting machine to cast a ballot during the Georgia primary runoff elections in Atlanta, Georgia, U.S., on Tuesday, July 24, 2018. As government officials warn of continuing cyberattacks intended to disrupt U.S. elections, Georgia is among 14 states heading into Election Day using touchscreen, computerized machines that don't meet federal security guidelines because they produce no paper records so voters can't verify their choices and officials can't audit the results. Photographer: Elijah Nouvelage/Bloomberg via Getty Images" srcset="https://theintercept.com/wp-content/uploads/2018/11/GettyImages-1014454350-1542086674.jpg?w=4000 4000w, https://theintercept.com/wp-content/uploads/2018/11/GettyImages-1014454350-1542086674.jpg?w=300 300w, https://theintercept.com/wp-content/uploads/2018/11/GettyImages-1014454350-1542086674.jpg?w=768 768w, https://theintercept.com/wp-content/uploads/2018/11/GettyImages-1014454350-1542086674.jpg?w=1024 1024w, https://theintercept.com/wp-content/uploads/2018/11/GettyImages-1014454350-1542086674.jpg?w=1536 1536w, https://theintercept.com/wp-content/uploads/2018/11/GettyImages-1014454350-1542086674.jpg?w=2048 2048w, https://theintercept.com/wp-content/uploads/2018/11/GettyImages-1014454350-1542086674.jpg?w=540 540w, https://theintercept.com/wp-content/uploads/2018/11/GettyImages-1014454350-1542086674.jpg?w=1000 1000w, https://theintercept.com/wp-content/uploads/2018/11/GettyImages-1014454350-1542086674.jpg?w=2400 2400w, https://theintercept.com/wp-content/uploads/2018/11/GettyImages-1014454350-1542086674.jpg?w=3600 3600w" sizes="auto, (max-width: 1200px) 100vw, 1200px" />
<figcaption class="caption source pullright">A voter uses an electronic voting machine to cast a ballot during the Georgia primary runoff elections in Atlanta on July 24, 2018.<br/>Photo: Elijah Nouvelage/Bloomberg via Getty Images</figcaption><!-- END-CONTENT(photo)[3] --></figure><!-- END-BLOCK(photo)[3] -->
<p><u>This wasn&#8217;t always</u> the case. In 2002, when the state first purchased its paperless voting machines, the programming and testing of the machines was contracted out to the Center for Election Systems at Kennesaw State University. But <a href="https://www.politico.com/magazine/story/2017/06/14/will-the-georgia-special-election-get-hacked-215255">a story I wrote for Politico last year</a> revealed that security problems at the center allowed a researcher to download registration records for the state’s 6.7 million voters, as well as software files for the state’s electronic poll books — used by poll workers to verify that people are registered before they can cast a ballot — and many other files. An investigation by KSU revealed that the center had a number of security lapses that had existed for years, which raised the possibility that attackers could have altered voter records or votes in previous elections without the center knowing during that time.</p>
<p>After the story published, Kemp&#8217;s office canceled its contract with the center. A spokesperson for Kemp said at the time that the office was considering farming out the programming of voting machines to academics at the Georgia Institute of Technology, which has a highly respected institute for information security. But Kemp ultimately decided to program the voting machines in-house, hiring Michael Barnes, director of the now-defunct Center for Election Systems, to do the work, even though the center&#8217;s poor security practices had occurred during Barnes&#8217;s management of the operation.</p>
<p>At least two other states, Louisiana and Maryland, also program their statewide machines centrally before each election. But of these two, only Louisiana does the programming out of the secretary of state&#8217;s office. Louisiana uses paperless voting machines statewide like Georgia, but a different model. The secretary of state&#8217;s staff loads election software onto USB sticks that are driven to each of the state&#8217;s 64 parish warehouses and loaded onto machines, according to a spokesperson. In the case of Maryland, which uses a uniform model of optical-scan systems with paper ballots statewide, the state&#8217;s Board of Elections, an agency separate from the secretary of state&#8217;s office, programs the machines and delivers the election database to counties on DVDs, or via a closed network using a VPN, before elections.</p>
<p>A handful of other states also use a single system statewide. Delaware uses paperless direct-recording electronic machines; Oklahoma uses a single brand of paperless direct-recording electronic machines and optical-scan machines statewide; and Colorado, Oregon, and Washington state use mail-in ballots exclusively and scan them optically. Colorado election officials program their machines themselves, however. The Intercept was unable to reach election officials in Oklahoma, Oregon, and Washington on Monday — due to Veterans Day — to determine if they program the machines centrally at the state level or individually at the county level.</p>

<p>Georgia lawmakers plan to look at legislation to <a href="https://politics.myajc.com/news/state--regional-govt--politics/voting-companies-show-paper-ballot-options-for-georgia/8VMKOa5dKJp3U9GcsJmhaM/">replace the current statewide voting machines</a> with new systems that use paper and can be audited. A Georgia commission will likely decide between optical-scan machines that use voter-marked paper ballots or ballot-marking devices that use a touchscreen machine to mark ballots that are then printed out for voters to examine before they’re inserted into an optical reader that records and tallies the votes.</p>
<p>Both Barrow and Raffensperger have said they support switching to machines that use paper ballots, but Barrow has said he prefers voter-marked paper ballots, while Raffensperger has said he prefers ballot-marking devices. In both cases, the paper ballot serves as an auditing record that can be used to compare against the digital tallies tabulated by the software on the optical scanner. But election integrity activists say that some ballot-marking systems are problematic if they print a barcode on the ballot. With these systems, although the voter is able to see their selections printed on the ballot, the ballot reader uses the barcode to record and tally votes. A hacker could subvert the software on the ballot-marking device to print one thing in the human-readable portion of the ballot that the voter sees, while printing something else in the barcode that the machine reads and records. If Georgia doesn&#8217;t conduct manual audits of the paper ballots, no one would know if the barcodes were manipulated, which would essentially put Georgia in the same situation it&#8217;s in today with elections that aren’t verified.</p>
<p>It&#8217;s not clear how long it will take Georgia to decide on new systems and get them in place, though it won&#8217;t be soon enough for the secretary of state&#8217;s runoff in December. Election integrity activists fought to get a court to decertify Georgia&#8217;s paperless systems and force counties to use paper ballots for the midterms. Although U.S. District Judge Amy Totenberg agreed with the plaintiffs that the secretary of state&#8217;s office had failed to adequately secure the systems, she felt it would create too much of a burden on election officials to switch the entire state to paper so soon before the election.</p>
<p>Barrow said during a <a href="https://politics.myajc.com/news/state--regional-govt--politics/voting-integrity-debated-georgia-secretary-state-candidates/H9FxgQmhD3cgyB31JJHQoJ/">debate with Raffensperger</a> this year that if elected, he would do what Kemp has resisted and decertify the state&#8217;s current paperless machines, forcing counties to switch to paper ballots until lawmakers choose replacement machines.</p>
<p>Henderson says the outcome of this election will have a huge impact on how future elections in the state are run.</p>
<p>&#8220;We have a lot to do to undo what Brian Kemp did during his nearly eight years in office as secretary of state,&#8221; she told The Intercept. &#8220;I think the world is really waking up to what a serious situation we have in Georgia regarding voter suppression.”</p>
<p>The post <a href="https://theintercept.com/2018/11/13/georgia-secretary-of-state-voter-suppression/">One Little-Watched Race Has Huge Implications for Election Hacking and Voter Suppression in Georgia</a> appeared first on <a href="https://theintercept.com">The Intercept</a>.</p>
]]></content:encoded>
                                <wfw:commentRss>https://theintercept.com/2018/11/13/georgia-secretary-of-state-voter-suppression/feed/</wfw:commentRss>
                <slash:comments>0</slash:comments>
                <media:content url='https://theintercept.com/wp-content/uploads/2018/11/AP_18311138498671-1542085883-e1542086014242.jpg?fit=6631%2C3282' width='6631' height='3282' /><post-id xmlns="com-wordpress:feed-additions:1">222550</post-id>
		<media:thumbnail url="https://theintercept.com/wp-content/uploads/2018/07/election-insecurity-thumbnail-1532363333.jpg?fit=300%2C150" />
		<media:content url="https://theintercept.com/wp-content/uploads/2018/07/election-insecurity-thumbnail-1532363333.jpg?fit=300%2C150" medium="image">
			<media:title type="html">Supporters of Democratic presidential nominee Hillary Clinton wave flags during election night at the Jacob K. Javits Convention Center in New York on November 8, 2016.  / AFP / Kena Betancur        (Photo credit should read KENA BETANCUR/AFP/Getty Images)</media:title>
		</media:content>
		<media:content url="https://theintercept.com/wp-content/uploads/2018/11/AP_18312691395810-kemp-1542086145.jpg?fit=3000%2C2000" medium="image">
			<media:title type="html">Election 2018 Governor Georgia Kemp</media:title>
			<media:description type="html">Republican Brian Kemp, right, holds a news conference to resign as Georgia&#039;s secretary of state with Gov. Nathan Deal, left, on Nov. 8, 2018, in Atlanta, Ga.</media:description>
			<media:thumbnail url="https://theintercept.com/wp-content/uploads/2018/11/AP_18312691395810-kemp-1542086145.jpg?w=440&amp;h=440&amp;crop=1" />
		</media:content>
		<media:content url="https://theintercept.com/wp-content/uploads/2018/11/GettyImages-1014454350-1542086674.jpg?fit=4000%2C2667" medium="image">
			<media:title type="html">Advocates Say Paper Ballots Are Safest</media:title>
			<media:description type="html">A voter uses an electronic voting machine to cast a ballot during the Georgia primary runoff elections in Atlanta on July 24, 2018.</media:description>
			<media:thumbnail url="https://theintercept.com/wp-content/uploads/2018/11/GettyImages-1014454350-1542086674.jpg?w=440&amp;h=440&amp;crop=1" />
		</media:content>
            </item>
        
            <item>
                <title><![CDATA[Leaked Files Show How the NSA Tracks Other Countries’ Hackers]]></title>
                <link>https://theintercept.com/2018/03/06/leaked-files-show-how-nsa-tracks-other-countries-hackers/</link>
                <comments>https://theintercept.com/2018/03/06/leaked-files-show-how-nsa-tracks-other-countries-hackers/#respond</comments>
                <pubDate>Wed, 07 Mar 2018 04:32:37 +0000</pubDate>
                                    <dc:creator><![CDATA[Kim Zetter]]></dc:creator>
                                		<category><![CDATA[Uncategorized]]></category>

                <guid isPermaLink="false">https://theintercept.com/?p=174771</guid>
                                    <description><![CDATA[<p>The Shadow Brokers leak showed the NSA was tracking at least 45 nation-state hacking operations. Experts explain how the agency stepped up its monitoring.</p>
<p>The post <a href="https://theintercept.com/2018/03/06/leaked-files-show-how-nsa-tracks-other-countries-hackers/">Leaked Files Show How the NSA Tracks Other Countries’ Hackers</a> appeared first on <a href="https://theintercept.com">The Intercept</a>.</p>
]]></description>
                                        <content:encoded><![CDATA[<p class="gmail-p1"><u>When the mysterious</u> entity known as the &#8220;Shadow Brokers&#8221; released a tranche of stolen NSA hacking tools to the internet a year ago, most experts who studied the material homed in on the most potent tools, so-called zero-day exploits that could be used to install malware and take over machines. But a group of Hungarian security researchers spotted something else in the data, a collection of scripts and scanning tools that the National Security Agency uses to detect other nation-state hackers on the machines it infects.</p>
<p class="gmail-p1"><span class="gmail-s1">It turns out those scripts and tools are just as interesting as the exploits. They show that in 2013 — the year the NSA tools were believed to have been stolen by the Shadow Brokers — the agency was tracking at least 45 different nation-state operations, known in the security community as advanced persistent threats, or APTs. Some of these appear to be operations known by the broader security community — but some may be threat actors and operations currently unknown to researchers.</span></p>
<p class="gmail-p1"><span class="gmail-s1">The scripts and scanning tools dumped by Shadow Brokers and studied by the Hungarians were created by an NSA team known as Territorial Dispute, or TeDi. Intelligence sources told The Intercept that the NSA established the team after hackers, believed to be from China, <a href="http://www.cnn.com/2009/US/04/21/pentagon.hacked/">stole designs for the military&#8217;s Joint Strike Fighter plane</a>, along with other sensitive data, from U.S. defense contractors in 2007; the team was supposed to detect and counter sophisticated nation-state attackers more quickly, when they first began to emerge online.</span></p>
<p class="gmail-p1"><span class="gmail-s1">&#8220;As opposed to the U.S. only finding out in five years that everything was stolen, their goal was to try to figure out when it was being stolen in real time,&#8221; one intelligence source told The Intercept.</span></p>
<p class="gmail-p1"><span class="gmail-s1">But their mission evolved to also provide situational awareness for NSA hackers to help them know when other nation-state actors are in machines that they&#8217;re trying to hack. The NSA could not immediately be reached for comment.</span></p>
<p class="gmail-p1"><!-- BLOCK(pullquote)[0](%7B%22componentName%22%3A%22PULLQUOTE%22%2C%22entityType%22%3A%22SHORTCODE%22%2C%22optional%22%3Atrue%7D)(%7B%22pull%22%3A%22right%22%7D) --><blockquote class="stylized pull-right" data-shortcode-type="pullquote" data-pull="right"><!-- CONTENT(pullquote)[0] -->&#8220;Their goal was to try to figure out when it was being stolen in real time.&#8221;<!-- END-CONTENT(pullquote)[0] --></blockquote><!-- END-BLOCK(pullquote)[0] --></p>
<p class="gmail-p1"><span class="gmail-s1">When the NSA hacks machines in Iran, Russia, China, and elsewhere, its operators want to know if foreign spies are in the same machines because these hackers can steal NSA tools or spy on NSA activity in the machines. If the other hackers are noisy and reckless, they can also cause the NSA&#8217;s own operations to get exposed. So based on who else is on a machine, the NSA might decide to withdraw or proceed with extra caution. Indeed, there are a number of warnings and other comments among the Territorial Dispute data instructing operators what to do when they discover certain malware files of particular interest — &#8220;UNKNOWN &#8211; PLEASE PULL BACK&#8221; are the instructions to operators for one file; &#8220;DANGEROUS MALWARE &#8211; SEEK HELP ASAP&#8221; and &#8220;FRIENDLY TOOL &#8211; SEE HELP ASAP&#8221; apply to others.</span></p>
<p class="gmail-p1"><span class="gmail-s1">&#8220;They started to become concerned about sitting on a box with our tools and there being other actors there that could steal or figure out what we were doing. It was to avoid being detected,&#8221; a second intelligence official familiar with the program told The Intercept.<span class="gmail-Apple-converted-space"> </span></span></p>
<p class="gmail-p1"><span class="gmail-s1">The Territorial Dispute scripts use digital signatures to hunt APT actors. Such signatures act like fingerprints for hacking groups — they can include file names or snippets of code from known malware that the advanced threat actors use repeatedly or particular changes the advanced hackers are known to make to a machine&#8217;s core operating system settings. Such elements are called indicators of compromise, or IoC, by the security community. </span></p>
<p class="gmail-p1"><span class="gmail-s1">None of the advanced threat groups are identified in the NSA scripts by names commonly used for them by the research community — instead the NSA calls them Sig1, Sig2, etc. — but the Hungarian researchers have spent the last year going through the scripts to try to match them to known malware samples and advanced threat groups. They have also studied the sequence of signatures in the NSA&#8217;s numbered list to determine when the Territorial Dispute team added certain operations to the list and see if the NSA may have known about certain operations before the security community.</span></p>
<p class="gmail-p1"><!-- BLOCK(photo)[1](%7B%22componentName%22%3A%22PHOTO%22%2C%22entityType%22%3A%22RESOURCE%22%7D)(%7B%22scroll%22%3Afalse%2C%22align%22%3A%22center%22%2C%22width%22%3A%22540px%22%7D) --><figure class="img-wrap align-center  width-fixed" style="width: 540px;"><!-- CONTENT(photo)[1] --> <a href="https://theintercept.com/wp-content/uploads/2018/03/Screen-Shot-2018-03-06-at-3.28.44-PM-1520390066.png"><img data-recalc-dims="1" height="99999" width="540" decoding="async" class="aligncenter size-article-medium wp-image-174836" src="https://theintercept.com/wp-content/uploads/2018/03/Screen-Shot-2018-03-06-at-3.28.44-PM-1520390066.png?fit=540%2C99999" alt="" /></a>
<figcaption class="caption source">Hungarian researchers took the cryptic names assigned by the NSA to nation-state computer attacks — Sig1, Sig2, etc. — and mapped them to publicly known malware and groups.<br/>Laboratory of Cryptography and System Security, Ukatemi</figcaption><!-- END-CONTENT(photo)[1] --></figure><!-- END-BLOCK(photo)[1] --></p>
<p class="gmail-p1"><span class="gmail-s1">In at least one case, involving a sophisticated hacking group known as Dark Hotel, believed to be from South Korea and targeting entities in Asia, it appears the NSA may have been tracking some of the group&#8217;s tools in 2011, about three years before the broader security community discovered them.</span></p>
<p class="gmail-p1"><span class="gmail-s1">&#8220;It raises questions &#8230; about whether the NSA should have leaked or published information about some of this unidentified stuff,&#8221; said Boldizsár Bencsáth, from the Laboratory of Cryptography and System Security, also known as CrySyS Lab.</span></p>
<p class="gmail-p1"><span class="gmail-s1">The research team, led by Bencsáth, includes colleagues from his lab and researchers from the Hungarian security firm Ukatemi. The CrySyS Lab is best known for its 2011 discovery of an Israeli spy tool called <a href="https://theintercept.com/2014/11/12/stuxnet/"><span class="gmail-s3">Duqu</span></a>, believed to be created by some of the same Israeli hackers who were involved in developing the famous <a href="https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet"><span class="gmail-s3">Stuxnet digital attack used to sabotage</span></a> Iran&#8217;s nuclear program.</span></p>
<p class="gmail-p1"><span class="gmail-s1">Bencsáth&#8217;s team plans to release its findings about the NSA scripts this week at the <a href="https://sas.kaspersky.com/#friday-march-9-2018-conference-day-2">Kaspersky Security Summit</a> in Cancun, Mexico, in the hopes that other researchers will dig through the data to identify more of the advanced threat groups that the NSA is hunting. The team also hopes the information will help the community classify some malware samples and signatures that have previously been uncovered by the security community, but remain unattributed to a specific threat group because researchers don&#8217;t know to which advanced hacking group they belong. The team has only been able to definitively identify a handful of the advanced threat groups so far, with plausible guesses about many others.</span></p>
<p class="gmail-p1"><span class="gmail-s1">&#8220;Based on the current results, some attacks, samples, or even hundreds of samples will get to be identified as part of some APT attacks that [were] previously unknown or partially unknown,&#8221; the team&#8217;s report states.</span></p>
<p class="gmail-p1"><span class="gmail-s1">Bencsáth notes that in most cases the NSA used between two and five indicators of compromise for each threat group it was hunting, even though security researchers can generally amass dozens or, in some cases, even hundreds for a hacking group. One of the intelligence officials told The Intercept that the NSA only needs a few high-quality signatures to find an APT. &#8220;It&#8217;s a big myth that there are thousands of [signatures] for any particular groups,&#8221; he notes. &#8220;These [Territorial Dispute] guys really focus on finding the two or three telltale signs that could lock you in [on an APT].&#8221;</span></p>
<p class="gmail-p1"><!-- BLOCK(photo)[2](%7B%22componentName%22%3A%22PHOTO%22%2C%22entityType%22%3A%22RESOURCE%22%7D)(%7B%22scroll%22%3Afalse%2C%22align%22%3A%22bleed%22%2C%22bleed%22%3A%22full%22%2C%22width%22%3A%22auto%22%7D) --><figure class="img-wrap align-bleed full-bleed width-auto" style="width: auto;"><!-- CONTENT(photo)[2] --> <a href="https://theintercept.com/wp-content/uploads/2018/03/GettyImages-653581232-1520391021.jpg"><img data-recalc-dims="1" height="99999" width="1000" decoding="async" class="aligncenter size-article-large wp-image-174840" src="https://theintercept.com/wp-content/uploads/2018/03/GettyImages-653581232-1520391021.jpg?fit=1000%2C99999" alt="OGDEN, UT - MARCH 15: A ground crew member prepares an F-35 fighter for taxi for a training mission at Hill Air Force Base on March 15, 2017 in Ogden, Utah. Hill is the first Air Force base to get combat-ready F-35s. They currently have 17 that might be deployed in the fight against terrorism and ISIS in the near future. (Photo by George Frey/Getty Images)" /></a>
<p class="caption overlayed">The F-35 Joint Strike Fighter. After Chinese hackers reportedly stole plans for the aircraft from a defense contractor, the NSA stepped up its efforts to detect nation-state hackers, sources told The Intercept.</p>
<figcaption class="caption source pullright">Photo: George Frey/Getty Images</figcaption><!-- END-CONTENT(photo)[2] --></figure><!-- END-BLOCK(photo)[2] --></p>
<p class="gmail-p1"><span class="gmail-s1"><u>The NSA doesn&#8217;t</u> just scan for foreign threat actors to protect its own operations; it&#8217;s also interested in observing what the foreign hackers are stealing and how they&#8217;re doing it. And such scanning can also help the NSA uncover high-value targets in geographical regions where it might lack the insight needed to identify the best machines to target.</span></p>
<p class="gmail-p1"><span class="gmail-s1">&#8220;In some regions where you might not have all the specific insights it could be very important to know if you&#8217;re on the right box,&#8221; the second official told The Intercept. If multiple threat actors are on the same machine, this would indicate a valuable target.</span></p>
<p class="gmail-p1"><span class="gmail-s1">In fact, it&#8217;s not uncommon to find multiple advanced persistent threat groups on high-value systems. In March 2014, Kaspersky Lab discovered multiple groups on a machine at a research institute in the Middle East that Kaspersky dubbed the &#8220;Magnet of Threats&#8221;; in addition to Regin, believed to be a British spy kit, they found the NSA&#8217;s Equation Group malware, as well as modules belonging to <a href="https://www.wired.com/2012/06/us-and-israel-behind-flame/">Flame</a>, believed to be an Israeli operation; <a href="https://securelist.com/animals-in-the-apt-farm/69114/"><span class="gmail-s3">Animal Farm</span></a>, believed to belong to French intelligence; <a href="https://www.wired.com/2014/02/mask/"><span class="gmail-s3">Careto</span></a> (or Mask), believed to be a Spanish-speaking nation-state group; and <a href="https://usa.kaspersky.com/resource-center/threats/epic-turla-snake-malware-attacks"><span class="gmail-s3">Turla</span></a>, a Russian-speaking group. </span></p>
<p class="gmail-p1"><span class="gmail-s1">The Territorial Dispute team created their signatures for APTs in sequential order; whenever a new attack was uncovered or someone found something interesting that was suspected of being an advanced threat group, a new signature was created, according to one of the intelligence sources. Although the team initially focused on Chinese and Russian hacking groups, those of other nations got added over time, including Israel and even the U.S., as Bencsáth&#8217;s team discovered.</span></p>
<p class="gmail-p1"><span class="gmail-s1">Sig1, the first NSA malware signature on the list when it was created in 2007, refers to Agent.btz, according to Bencsáth&#8217;s team. Dubbed &#8220;the most serious breach of the U.S. military’s classified computer systems,&#8221; the <a href="https://www.wired.com/2008/11/army-bans-usb-d/"><span class="gmail-s3">Agent.btz worm is</span></a> believed to have been introduced to the Department of Defense&#8217;s high-security Secret Internet Protocol Router, or SIPR, network for classified information from a USB stick that a soldier picked up at an internet cafe in Afghanistan. It has been attributed to Russia.</span></p>
<p class="gmail-p1"><span class="gmail-s1">Bencsáth&#8217;s team identifies Sig25 as the threat actor known to researchers as <a href="https://www.wired.com/2014/11/darkhotel-malware/">Dark Hotel</a> and Tapaoux. A top-tier actor, the group is believed to have been active since 2007 and targets high-profile executives, government agencies, and NGOs, with their primary focus being entities in North Korea, Japan, and India — countries in Asia with nuclear programs. &#8220;Their targeting is nuclear-themed, but they also target the defense industry base in the U.S. and important executives from around the world in all sectors having to do with economic development and investments,&#8221; Costin Raiu, director of Kaspersky Lab&#8217;s Global Research and Analysis Team, has said. Raiu&#8217;s team, which publicly exposed some of Dark Hotel&#8217;s hacks in 2014, <a href="https://www.wired.com/2014/11/darkhotel-malware/"><span class="gmail-s3">found indications</span></a> it may have originated from South Korea.</span></p>
<p class="gmail-p1"><span class="gmail-s1">One of the former intelligence officials told The Intercept that Sig16 is an Israeli APT. The Hungarian researchers believe this signature is for Flame, a <a href="https://www.wired.com/2012/05/flame/"><span class="gmail-s3">massive spy kit</span></a> discovered by Kaspersky Lab in 2012 and believed to have been created in 2007 by some of the same team that worked on Stuxnet.</span></p>
<p class="gmail-p1"><span class="gmail-s1">Sig8 on the NSA list is looking for signs of Stuxnet infections on machines, according to Bencsáth&#8217;s team.</span></p>
<p class="gmail-p1"><span class="gmail-s1">Why would the NSA be searching machines it&#8217;s hacking for its own malware or that of its hacking allies? In the case of hacking tools belonging to the close U.S. allies in the &#8220;Five Eyes&#8221; group that includes the United Kingdom, Canada, Australia, and New Zealand, it&#8217;s likely looking for these for deconfliction purposes, so that parties with mutual interests aren&#8217;t running into each other on the same machines. But in the case of Stuxnet, one of the former intelligence officials said that signatures were added by the Territorial Dispute team in 2010 after Stuxnet had begun to spread uncontrollably — spreading that led to its discovery and public exposure.</span></p>
<p class="gmail-p1"><span class="gmail-s1">&#8220;There were cleanup efforts,&#8221; the official said.</span></p>
<p class="gmail-p1"><span class="gmail-s1">All of this raises questions about what NSA operators are told about the APTs for which they&#8217;re scanning. Stuxnet was a highly classified, closely held operation that was known to only a small group of people in the government and the NSA, so telling operators about the malware Sig8 was trying to detect could have put the cover operation at risk of being exposed. For this reason, the former intelligence officials told The Intercept that the operators are kept largely in the dark.</span></p>
<p class="gmail-p1"><span class="gmail-s1">&#8220;The guys running ops were told they had to start running these scripts to see if any of these other tools were there,&#8221; he said. &#8220;But they don&#8217;t know what any of the things are.&#8221;</span></p>
<p>The post <a href="https://theintercept.com/2018/03/06/leaked-files-show-how-nsa-tracks-other-countries-hackers/">Leaked Files Show How the NSA Tracks Other Countries’ Hackers</a> appeared first on <a href="https://theintercept.com">The Intercept</a>.</p>
]]></content:encoded>
                                <wfw:commentRss>https://theintercept.com/2018/03/06/leaked-files-show-how-nsa-tracks-other-countries-hackers/feed/</wfw:commentRss>
                <slash:comments>0</slash:comments>
                <media:content url='https://theintercept.com/wp-content/uploads/2018/03/AP_17159080143400-1520389252.jpeg?fit=4500%2C2964' width='4500' height='2964' /><post-id xmlns="com-wordpress:feed-additions:1">174771</post-id>
		<media:thumbnail url="https://theintercept.com/wp-content/uploads/2018/03/Screen-Shot-2018-03-06-at-3.28.44-PM-1520390066.png?w=440&amp;h=440&amp;crop=1" />
		<media:content url="https://theintercept.com/wp-content/uploads/2018/03/Screen-Shot-2018-03-06-at-3.28.44-PM-1520390066.png?fit=1292%2C1466" medium="image">
			<media:title type="html">Screen-Shot-2018-03-06-at-3.28.44-PM-1520390066</media:title>
			<media:description type="html">one two three</media:description>
			<media:thumbnail url="https://theintercept.com/wp-content/uploads/2018/03/Screen-Shot-2018-03-06-at-3.28.44-PM-1520390066.png?w=440&amp;h=440&amp;crop=1" />
		</media:content>
		<media:content url="https://theintercept.com/wp-content/uploads/2018/03/GettyImages-653581232-1520391021.jpg?fit=4562%2C2886" medium="image">
			<media:title type="html">Air Force&#8217;s Airmen Partake In Training Flights With The New F-35 At Hill Air Force Base</media:title>
			<media:description type="html">The F-35 Joint Strike Fighter. After Chinese hackers reportedly stole plans for the aircraft from a defense contractor, the NSA stepped up its efforts to detect nation-state hackers, sources told The Intercept.</media:description>
			<media:thumbnail url="https://theintercept.com/wp-content/uploads/2018/03/GettyImages-653581232-1520391021.jpg?w=440&amp;h=440&amp;crop=1" />
		</media:content>
            </item>
            </channel>
</rss>
