Documents provided by former National Security Agency contractor Edward Snowden have revealed that the NSA and its partner, Great Britain's GCHQ, have done a whole lot more than just passively monitor what passes over the Internet. Using their surveillance tools, the intelligence agencies have been able to identify and target individuals at organizations of interest—not just suspected terrorist cells.

The latest target of these "tailored access" efforts to come to light is OPEC, the Organization of Petroleum Exporting Countries. Brazil's Petrobras, Belgium's Belgacom, and many others have been targeted as well, based on documents provided by Snowden. According to a report in Der Spiegel, the NSA and GCHQ have had access to OPEC's internal networks and systems since January of 2008, allowing the NSA to provide intelligence on individual members of OPEC and on the member countries' negotiating positions and tactics. As with the GCHQ hack of engineers at Belgian telecom provider Belgacom, the infiltration of OPEC took advantage of partnerships with international telecommunications providers to reroute Internet traffic to and from targeted users within the organization, including Saudi Arabia's OPEC governor, through network equipment controlled by the intelligence agencies. That allowed the NSA and GCHQ to perform "man-in-the-middle" attacks that let them install malware on the targets' computers and gain access to OPEC's internal network, eventually obtaining administrative privileges on the network and access to its file servers.

The attack, called a "Quantum insert," is just part of an arsenal of network monitoring and attack tools that the NSA and GCHQ have created that have essentially turned the global Internet into a weapons system that can scan for, identify, target, and attack nearly anyone of interest who connects to Internet services across borders.

How to pwn friends and spy on people

Here’s how the NSA and GCHQ go after an organization like OPEC step by step, based on an analysis of the NSA and GCHQ documents exposed by Snowden:

Step 1: Identify. Using the NSA-built packet capture and inspection system called TURMOIL, the agencies filter Internet traffic at a network choke point looking for specific "fingerprints" in traffic that identify users affiliated with the organization being targeted. Data from TURMOIL gets pulled into a number of traffic analysis tools, such as XKeyscore and TRAFFICTHIEF, which perform different sorts of packet analysis.

XKeyscore is the NSA's distributed search engine, catching a large chunk of international Internet traffic for analysis. It helps find things deep in the clutter of the Internet that analysts might miss by allowing them to use search terms to find things in both live and cached Internet traffic.

TRAFFICTHIEF, on the other hand, is much more focused. It filters for very "strong" indicators, like known sets of IP addresses, addresses within e-mail traffic, or user names in logins to social networks or other services. It provides less depth of analysis than XKeyscore, but it can handle much larger loads of data because it is more selective about what it processes.

Together, the tools can be used to identify the systems used by an individual or organization, including ranges of addresses that they may use from work or home.
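As an added illustration of the "strong selector" matching described above (this is example code written for this page, not anything from the Snowden documents or the agencies' tools), the following Python runs a small selector set over constructed flow records and pivots each hit to the client address that produced it, which is the step that turns an e-mail address or login name into a set of machines and address ranges to go after. The records, addresses, domains and selector values are all made up; only identifiers the client asserted about itself (an SMTP MAIL FROM, a login form username, the source address) are treated as selectors, because an RCPT TO names a correspondent rather than the endpoint sending the packet.

```python
"""Strong-selector matching over passively captured flow records.

Added example for this page; all records, addresses and selectors are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed capture: (client_ip, protocol, application-layer bytes as seen on the wire).
RECORDS = [
    ("198.51.100.23", "smtp", b"MAIL FROM:<analyst@opec.example>\r\n"),
    ("198.51.100.23", "http",
     b"POST /login HTTP/1.1\r\nHost: social.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"username=o.governor&password=hunter2"),
    ("203.0.113.77", "http",                       # same login from a second address (home?)
     b"POST /login HTTP/1.1\r\nHost: social.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     b"username=O.Governor&password=hunter2"),
    ("192.0.2.9", "smtp", b"RCPT TO:<someone@unrelated.example>\r\n"),
    ("198.51.100.40", "smtp", b"RCPT TO:<analyst@opec.example>\r\n"),  # a correspondent, not the target
]

# Constructed selector set: values the analyst already knows about the target.
SELECTORS = {
    "email": {"analyst@opec.example"},
    "username": {"o.governor"},
    "ip": [ipaddress.ip_network("198.51.100.0/24")],   # the organization's known office block
}

MAIL_FROM = re.compile(rb"^MAIL FROM:<([^>]+)>", re.I | re.M)


def asserted_identities(proto, data):
    """Yield (kind, value) pairs the *sending* client asserted about itself."""
    if proto == "smtp":
        for m in MAIL_FROM.finditer(data):
            yield ("email", m.group(1).decode(errors="replace").lower())
        # RCPT TO is deliberately ignored: it identifies who is being written to.
    elif proto == "http":
        head, _, body = data.partition(b"\r\n\r\n")
        if head.startswith(b"POST /login "):
            form = parse_qs(body.decode(errors="replace"))
            for user in form.get("username", []):
                yield ("username", user.lower())


def profile(records, selectors):
    """Map each selector hit to the set of client addresses that triggered it."""
    hits = defaultdict(set)
    for client_ip, proto, data in records:
        ip = ipaddress.ip_address(client_ip)
        for net in selectors.get("ip", ()):
            if ip in net:
                hits[f"ip:{net}"].add(client_ip)
        for kind, value in asserted_identities(proto, data):
            if value in selectors.get(kind, ()):
                hits[f"{kind}:{value}"].add(client_ip)
    return dict(hits)


def pivot_ranges(ips, prefix=24):
    """Collapse the addresses behind a hit into candidate network ranges."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
    return sorted(str(n) for n in nets)


if __name__ == "__main__":
    for selector, ips in profile(RECORDS, SELECTORS).items():
        print(selector, sorted(ips), pivot_ranges(ips))
```

Run against the constructed records, the username selector is the one that pays off: it ties the same person to two unrelated address blocks, which is exactly the "work or home" pivot the article describes, while the RCPT TO record correctly tags nothing about its sender.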

Step 2: Target. Using the profiles built using the surveillance tools, the agencies can then identify potential points of attack. XKeyscore, for example, can be used to search for patterns that identify known security vulnerabilities within a range of addresses. Web visit histories, e-mail traffic, and other data are analyzed looking for the most likely (and least detectable) approach to gain access, and a specific attack plan is crafted, including the identification of where to launch the attack from.

At the NSA, this sort of thing is the work of Tailored Access Operations. In the case of OPEC, the targeting process apparently went on for several years as the NSA sought openings for an attack.

Step 3: Attack. Depending on who the target is, the NSA and GCHQ have a variety of options. The least costly is to use access provided by one of the intelligence agencies' telecommunications "partners" who own network equipment at an exchange or other choke point that the target's Internet traffic passes through. The agency running the attack can use that access to introduce changes to Internet routing tables that detour the targeted individual's traffic. But in some cases, the NSA and GCHQ may have to perform "unilateral" taps on network backbones to gain that level of access—targeting a piece of network hardware to take over or splicing directly into the target's own connection to the Internet.

It's not clear which attack the NSA used to gain access to OPEC's systems, though the GCHQ used a Quantum attack two years later to gain its own very special access to the cartel's network. In the case of the Belgacom hack, the GCHQ used a Quantum insert attack—routing the Web requests for LinkedIn and Slashdot from the engineer being targeted to a server posing as those sites. The NSA has used the same approach to intercept traffic to sites such as Google.

The man-in-the-middle server can present the content the target intended to see, but it can also add to the exchange using what's called packet injection: forging a response that reaches the client ahead of the legitimate server's reply, so the client accepts the forged data and discards the real reply as a duplicate. It can intercept the user's credentials the same way. And by presenting a forged certificate, the NSA can intercept encrypted traffic intended for the destination site, provided the target's client trusts the certificate chain it is shown; a client that pins or otherwise independently validates the site's certificate will refuse the connection instead.

Once the user has connected to the fake server, the intelligence agencies can use the connection to launch attacks against the target's Web browser to install monitoring software or other malware, using techniques similar to those of criminal hackers. They can also use credentials exposed via the man-in-the-middle attack to gain access to other accounts owned by the target and to trawl through the connections in those services for further potential targets.
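The race that a Quantum insert depends on, and the passive check a defender can run against a packet capture to catch it, as an added example for this page (it is not code from the article, the Snowden documents or any agency tool). The addresses, ports, TTL values and HTTP payloads are all constructed, and the injection itself is only modelled as a second segment appearing on the wire. The detector relies on one property of TCP: a genuine retransmission repeats the same bytes, so two segments that claim the same sender and sequence number but carry different content mean two different parties produced "the" response. The TTL spread is reported as supporting evidence because a packet forged from a different vantage point usually arrives with a different hop count.

```python
"""Simulated Quantum-insert style packet race plus a passive detector for it.

Added example, not code from the article or the Snowden documents. Every address,
port, TTL and payload below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One payload-bearing TCP segment as a passive sensor would record it."""
    src: str        # "ip:port" of the sender as written in the packet
    dst: str
    seq: int        # TCP sequence number of the first payload byte
    ttl: int        # IP TTL on arrival at the sensor
    payload: bytes


CLIENT = "10.0.0.5:51234"      # constructed: the targeted user's workstation
SERVER = "203.0.113.10:80"     # constructed: the site the user asked for

REQUEST = Segment(CLIENT, SERVER, seq=1000, ttl=64,
                  payload=b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")

# The legitimate reply and the forged reply both claim the server's address and the
# same sequence number. Whichever reaches the client first wins; the other looks
# like a duplicate to the client's TCP stack and is dropped.
LEGIT = Segment(SERVER, CLIENT, seq=5000, ttl=52,
                payload=b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello")
FORGED = Segment(SERVER, CLIENT, seq=5000, ttl=58,
                 payload=b"HTTP/1.1 302 Found\r\nLocation: http://198.51.100.7/\r\n"
                         b"Content-Length: 0\r\n\r\n")


def client_reassemble(segments, flow):
    """First-arriving byte wins for each sequence offset, as a TCP receiver behaves."""
    byte_at = {}
    for s in segments:
        if (s.src, s.dst) != flow:
            continue
        for i, b in enumerate(s.payload):
            byte_at.setdefault(s.seq + i, b)
    return bytes(byte_at[k] for k in sorted(byte_at))


def detect_injection(segments, ttl_tolerance=1):
    """Flag (src, dst, seq) keys that carried more than one distinct payload.

    Returns one alert per conflicting key; ttl_anomaly marks a TTL spread larger
    than ttl_tolerance as extra evidence that a second origin was involved.
    """
    by_key = defaultdict(list)
    for s in segments:
        by_key[(s.src, s.dst, s.seq)].append(s)
    alerts = []
    for (src, dst, seq), group in by_key.items():
        payloads = {s.payload for s in group}
        if len(payloads) < 2:          # identical repeats are ordinary retransmissions
            continue
        ttls = sorted({s.ttl for s in group})
        alerts.append({
            "src": src, "dst": dst, "seq": seq,
            "variants": len(payloads),
            "ttls": ttls,
            "ttl_anomaly": ttls[-1] - ttls[0] > ttl_tolerance,
        })
    return alerts


if __name__ == "__main__":
    wire = [REQUEST, FORGED, LEGIT]    # the forged reply won the race
    print(client_reassemble(wire, (SERVER, CLIENT))[:40])
    for alert in detect_injection(wire):
        print(alert)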

Step 4: Exploit. Once the target's computer has been successfully compromised, the effort begins to look much like the Chinese attack on the New York Times or what cybercriminals typically do when they gain access to high-value targets. The agencies' hackers work to stealthily expand their level of access, using customized remote administration tools to escalate privileges and reach other network resources: mail servers, file servers, and other internal systems. They then start to "exfiltrate" data from these systems and deliver it to analysts.

The gift that keeps on giving

The problem with these types of attacks (at least for the NSA and GCHQ) is that up front, they're expensive to conduct. The Quantum attack interferes directly with the workings of the Internet, and it generally requires the cooperation of a telecom company, which undoubtedly comes with a hefty price tag. And the NSA and GCHQ have to spend human, computing, and financial resources to develop the custom attacks (or buy them from hackers), build and monitor the attack packages, and then quickly cover their tracks. The cost rises rapidly when the NSA or GCHQ has to do the black-bag work of tapping into networks themselves to gain access.

Because of the targeted nature of these attacks, the NSA and GCHQ can likely only manage a fairly limited number of such efforts. But once those efforts are complete, they're the gift that keeps on giving in terms of intelligence data—at least until the operations are exposed. The NSA's monitoring of OPEC likely ended within the last few years as US dependence on Saudi Arabian oil decreased, but there are plenty of other targets that NSA is likely continuing to mine for intelligence information.
