As a much-anticipated documentary about NSA whistleblower Edward Snowden premieres in New York this evening, new revelations are being published simultaneously that expose more information about the NSA's work to compromise computer networks and devices.
Newly published documents leaked by Snowden describe NSA operations inside China, Germany and South Korea aimed at physically subverting and compromising foreign networks and equipment, according to a report published by The Intercept. The documents also suggest the NSA may have undercover agents planted inside companies to help it gain access to systems in the global communications industry. And they bolster previous reports that the NSA works with U.S. and foreign companies to weaken their encryption systems.
The new report is written by Peter Maass and Laura Poitras. Poitras is the celebrated documentary filmmaker whom Snowden contacted in 2013 to provide her with a trove of NSA documents, and who has interviewed him in Hong Kong and Moscow for her film CitizenFour.
Among the new documents, which are seen in the film, is a 13-page brief dating from 2004 about Sentry Eagle, a term the NSA used to describe a collection of closely held programs whose details were so tightly controlled that, according to the document, they could be disclosed only to a limited number of people approved by senior intelligence officials.
“Unauthorized disclosure . . . will cause exceptionally grave damage to U.S. national security,” the document states. “The loss of this information could critically compromise highly sensitive cryptologic U.S. and foreign relationships, multi-year past and future NSA investments, and the ability to exploit foreign adversary cyberspace while protecting U.S. cyberspace.”
The brief reveals new details about six categories of NSA operations that fall under the Sentry Eagle rubric. These are also known as the NSA’s “core” secrets and are identified as:
Sentry Hawk—which involves computer network exploitation (aka CNE), the government’s term for digital espionage. (For example, programs like Flame would fall into this category.)
Sentry Falcon—which involves computer network defense.
Sentry Osprey—which appears to involve overseeing NSA clandestine operations conducted in conjunction with the CIA, FBI, the Defense Intelligence Agency and Army intelligence. These operations involve human intelligence assets, or “HUMINT assets (Target Exploitation—TAREX) to support signals intelligence (SIGINT) operations.”
This is one of the biggest reveals of the report. Under Sentry Osprey, people responsible for target exploitation operations are apparently embedded in operations conducted by the CIA, Defense Intelligence Agency and FBI to provide technical expertise those agencies lack. This would include covert or clandestine field activities as well as the interception, or “interdiction,” of devices in the supply chain in order to modify equipment or implant bugs or beacons in hardware. The TAREX group specializes in physical subversion, that is, subversion through physical access to a device or facility rather than by implanting spyware remotely over the internet. The report doesn't indicate whether the modifications made to equipment involve sabotage, but it's possible the alterations could include planting logic bombs in software to destroy data or equipment, as the Stuxnet worm did to centrifuges in Iran.
Some of the TAREX bases of operation overseas appear to be located in South Korea, Germany and Beijing, China. Domestic centers for these operations are also based in Hawaii, Texas and Georgia, and TAREX personnel are also stationed at U.S. embassies.
The Intercept's Glenn Greenwald described this so-called interdiction activity in his recent book No Place to Hide, which included a photo of NSA agents opening packages that had been intercepted en route to their destination in order to implant surveillance beacons in them.
Sentry Raven—focuses on cracking encryption systems. The documents state that the NSA “works with specific U.S. commercial entities . . . to modify U.S. manufactured encryption systems to make them exploitable for SIGINT.” They don't name the commercial entities or the encryption tools that were modified, however. This activity has been previously reported, but the stark declaration here underscores the cooperation that U.S. companies appear to be giving the NSA.
Sentry Condor—involves computer network attacks (CNA), the government’s term for computer and network penetrations that involve degrading, damaging, delaying or destroying systems.
Sentry Owl—a program involving collaboration with private companies. The report doesn’t elaborate on this.
The most controversial detail in the documents, however, involves a reference to clandestine agents infiltrating commercial entities.
Previous stories have revealed that the NSA has worked to convince U.S. companies to install backdoors and help the agency undermine encryption in their products to facilitate spying. They have also revealed how the NSA hacked computers belonging to system administrators at a telecom in Belgium to gain access to routers responsible for transmitting the mobile communications of customers. But none has discussed the NSA embedding agents in companies.
There has long been speculation that the NSA obtains assistance from foreign companies, most recently in connection with revelations that the NSA was intercepting all of the mobile phone communications of three countries, including Afghanistan.
Security experts have speculated that this type of nationwide collection would be difficult to accomplish without the cooperation of a telecom or the assistance of insiders helping the NSA subvert the telecom's services. The NSA document, however, makes only a brief reference to undercover agents in connection with companies, without elaborating.
The Intercept notes that this could indicate moles working inside the companies or it could simply refer to undercover agents visiting commercial facilities and companies under false pretenses to further a SIGINT operation in some way. The document doesn’t specify whether the companies referred to are U.S. or foreign, though it may be both.