Daily Archives: January 19, 2015

When the NSA had limited access to North Korea's networks, the agency secretly tapped into South Korea's surveillance malware.

A new wave of documents from Edward Snowden's cache of National Security Agency data published by Der Spiegel demonstrate how the agency has used its network exploitation capabilities both to defend military networks from attack and to co-opt other organizations' hacks for intelligence collection and other purposes. In one case, the NSA secretly tapped into South Korean network espionage on North Korean networks to gather intelligence.

The documents were published as part of an analysis by Jacob Appelbaum and others working for Der Speigel of how the NSA has developed an offensive cyberwarfare capability over the past decade. According to a report by the New York Times, the access the NSA gained into North Korea's networkswhich initially leveraged South Korean "implants" on North Korean systems, but eventually consisted of the NSA's own malwareplayed a role in attributing the attack on Sony Pictures to North Korean state-sponsored actors.

Included with the documents released by Der Spiegel are details on how the NSA built up its Remote Operations Center to carry out "Tailored Access Operations" on a variety of targets, while also building the capability to do permanent damage to adversaries' information systems, including internal NSA newsletter interviews and training materials. Also included was a malware sample for a keylogger, apparently developed for by NSA and possibly other members of the "Five Eyes" intelligence community, was also included in the dump. The code appears to be from the Five Eyes joint program "Warriorpride," a set of tools shared by the NSA, the United Kingdom's GCHQ, The Australian Signals Directorate, Canada's Communications Security Establishment, and New Zealand's Government Communications Security Bureau.

It's not clear from the report whether the keylogger sample came from the cache of documents provided by former NSA contractor Edward Snowden, or from another source. As of now, Appelbaum and Der Spiegel have not yet responded to a request by Ars for clarification. However, Appelbaum has previously published content from the NSA, including the NSA's ANT catalog of espionage tools, that were apparently not from the Snowden cache.

The core of NSA's ability to detect, deceive, block and even repurpose others' cyber-attacks, according to the documents, are Turbine and Turmoil, components of the Turbulence family of Internet surveillance and exploitation systems. These systems are also connected to Tutelage, an NSA system used to monitor traffic to and from US military networks, to defend against attacks on Department of Defense systems.

When an attack on a DoD network is detected through passive surveillance (either through live alerts from the Turmoil surveillance filters or processing by the Xkeyscore database), the NSA can identify the components involved in the attack and take action to block it, redirect it to a false target to analyze the malware used in the attack, or do other things to disrupt or deceive the attacker. This all happens outside of DOD's networks, on the public Internet, using "Quantum" attacks injected into network traffic at a routing point.

But NSA can also use others' cyberattacks for its own purposes, including hijacking botnets operated by other actors to spread NSA's own "implant" malware. Collection of intelligence of a target using another actor's hack of that target is referred to within the signals intelligence community as "fourth party collection." By discovering an active exploit by another intelligence organization or other attacker on a target of interest, the NSA can opportunistically ramp up collection on that party as well, or even use it to distribute its own malware to do surveillance.

In a case study covered in one NSA presentation, the NSA's Tailored Access Office hijacked a botnet known by the codename "Boxingrumble" that had primarily targeted the computers of Chinese and Vietnamese dissidents, and was being used to target the DOD's unclassified NIPRNET network. The NSA was able to deflect the attack and fool the botnet into treating one of TAO's servers as a trusted command and control (C&C or C2) server. TAO then used that position of trust, gained by executing a DNS spoofing attack injected into the botnet's traffic, to gather intelligence from the bots and distribute NSA's own implant malware to the targets.

Things get even more interesting in the case of NSA's urgent need to gather more intelligence from North Korea's networks. In a question-and-answer posting to NSA's intranet, an NSA employee recounted a "fifth party" collection that occurred when the NSA hacked into South Korea's exploit of North Korean computers--and ended up collecting data from North Korea's hack of someone else:

Read more:
NSA secretly hijacked existing malware to spy on N. Korea, others

TheNational Security Agency-- also known as the NSA -- tapped into North Koreas computer network in 2010, long before the attack on Sony Pictures Entertainment in November, the New York Timesreported exclusively. The U.S. was able to pinpoint North Korea as the culprit responsible for the Sony hack since it was familiar with the DPRKs Internet operation.

But the U.S. didnt break into the computer system of Kim Jong Uns government without help. South Korea and other allies aided America, the Times said, citing an NSA document along withformer U.S. and foreign officials.

President Barack Obama blamed North Korea for the Sony hack. He had no doubt North Korea was responsible because the information came through early warning radar, the Times said.

The speed and certainty with which the United States made its determinations about North Korea told you that something was different here -- that they had some kind of inside view, James A. Lewis, acyberwarfareexpert at the Center for Strategic and International Studies in Washington, told the Times. Attributing where attacks come from is incredibly difficult and slow.

When American whistleblower Edward Snowden leaked information about the NSA to media outlets in June 2013, the country had mixed feelings about whether the U.S. government should monitor their personal communications in the search for potential threats, the Washington Post reported Saturday. A Washington Post-ABC News poll released Sunday indicates twice as many Americans are willing to give up their privacy to protect themselves from potential terror threats as those who oppose the surveillance.The study queried 1,003 adults Jan. 12-15. It had a margin of error of 3.5 points.

When it comes to privacy versus protection, young adults are the most confused. They are split with 48 percent saying threats should be investigated and 47 percent saying privacy should be put first. However, when it comes to senior citizens the divide is drastically different: 75 percent of people more than 65 years of age say threats should be examined.

Snowden, who sought asylum in Russia, released documents indicatingChinese spies stole 50 terabytes of data, including information about the F-35 Joint Strike Fighter. The Chinese were reportedly able to use data stolen from American intelligence to create "fifth-generation" fighter that could threaten the dominance the U.S. holds in the skies.

Follow me on Twitter @mariamzzarella

Read more from the original source:
NSA Broke Into North Korea's Internet Before Sony Hack: Report

The U.S. National Security Agency has had a secret foothold for years in North Koreas networks and saw signs of the Sony Pictures Entertainment attack but only in retrospect grasped its reach and depth, The New York Times reported Sunday.

The spy agency has worked for at least four years to infiltrate networks inside North Korea and those in China and Malaysia favored by the countrys hackers, the newspaper reported, citing former U.S. and foreign officials and a newly disclosed NSA document published by Der Spiegel.

The revelation explains why the U.S. quickly blamed North Korea for the attacks despite widespread skepticism from the computer security community, which said only circumstantial evidence pointed to the countrys involvement.

The hackers were incredibly careful, and patient, the Times reported, citing a person who had been briefed on the investigation.

The Sony attack stole terabytes of sensitive documents, including a salary spreadsheet for 6,000 employees, internal emails, pre-release copies of films and vast amounts of personnel data. It also broke thousands of the organizations computers by using a destructive type of malicious software that wipes files.

A group calling itself the Guardians of Peace claimed responsibility for the attacks, releasing the data piecemeal on file-sharing sites and reaching out directly to journalists with links to the material.

It initially appeared the group wanted to blackmail Sony. Only later did the North Korean connection emerge in part due to Sony Pictures plan to release The Interview, a comedy centered on an absurd campaign by two Americans to assassinate North Korean leader Kim Jong Un.

After the U.S. blamed North Korea in mid-December, it was silent on what evidence led to the conclusion. On Jan. 2, President Barack Obama authorized sanctions against North Korea, adding to those in place for years against the secretive nation.

Its the second time the U.S. has directly blamed another country for cyberattacks. In the first legal action of its kind in May 2014, federal prosecutors charged five members of the Chinese Army with stealing trade secrets from U.S. organizations over eight years. China denied the accusations.

FBI Director James Comey offered more clues for the Sony attacks on Jan. 7, saying the hackers failed to to mask their IP addresses. That revealed some emails from the hackers to Sony employees came from Internet connections used by the North.

View post:
Report: Inside North Korea's network, NSA saw signs of Sony attack