Topic: Sweden 'spied on Russian leaders for US'

[Pez]

Embassy Espionage: The NSA's Secret Spy Hub in Berlin



According to SPIEGEL research, United States intelligence agencies have not only targeted Chancellor Angela Merkel's cellphone, but they have also used the American Embassy in Berlin as a listening station. The revelations now pose a serious threat to German-American relations.

It's a prime site, a diplomat's dream. Is there any better location for an embassy than Berlin's Pariser Platz? It's just a few paces from here to the Reichstag. When the American ambassador steps out the door, he looks directly onto the Brandenburg Gate.
 
 When the United States moved into the massive embassy building in 2008, it threw a huge party. Over 4,500 guests were invited. Former President George H. W. Bush cut the red-white-and-blue ribbon. Chancellor Angela Merkel offered warm words for the occasion. Since then, when the US ambassador receives high-ranking visitors, they often take a stroll out to the roof terrace, which offers a breathtaking view of the Reichstag and Tiergarten park. Even the Chancellery can be glimpsed. This is the political heart of the republic, where billion-euro budgets are negotiated, laws are formulated and soldiers are sent to war. It's an ideal location for diplomats -- and for spies.
 
Research by SPIEGEL reporters in Berlin and Washington, talks with intelligence officials and the evaluation of internal documents of the US' National Security Agency and other information, most of which comes from the archive of former NSA contractor Edward Snowden, lead to the conclusion that the US diplomatic mission in the German capital has not merely been promoting German-American friendship. On the contrary, it is a nest of espionage. From the roof of the embassy, a special unit of the CIA and NSA can apparently monitor a large part of cellphone communication in the government quarter. And there is evidence that agents based at Pariser Platz recently targeted the cellphone that Merkel uses the most.

The NSA spying scandal has thus reached a new level, becoming a serious threat to the trans-Atlantic partnership. The mere suspicion that one of Merkel's cellphones was being monitored by the NSA has led in the past week to serious tensions between Berlin and Washington.

Hardly anything is as sensitive a subject to Merkel as the surveillance of her cellphone. It is her instrument of power. She uses it not only to lead her party, the center-right Christian Democratic Union (CDU), but also to conduct a large portion of government business. Merkel uses the device so frequently that there was even debate earlier this year over whether her text-messaging activity should be archived as part of executive action.

'That's Just Not Done'

Merkel has often said -- half in earnest, half in jest -- that she operates under the assumption that her phone calls are being monitored. But she apparently had in mind countries like China and Russia, where data protection is not taken very seriously, and not Germany's friends in Washington.

Last Wednesday Merkel placed a strongly worded phone call to US President Barack Obama. Sixty-two percent of Germans approve of her harsh reaction, according to a survey by polling institute YouGov. A quarter think it was too mild. In a gesture of displeasure usually reserved for rogue states, German Foreign Minister Guido Westerwelle summoned the new US ambassador, John Emerson, for a meeting at the Foreign Ministry.

The NSA affair has shaken the certainties of German politics. Even Merkel's CDU, long a loyal friend of Washington, is now openly questioning the trans-Atlantic free trade agreement. At the Chancellery it's now being said that if the US government doesn't take greater pains to clarify the situation, certain conclusions will be drawn and talks over the agreement could potentially be put on hold.

"Spying between friends, that's just not done," said Merkel on Thursday at a European Union summit in Brussels. "Now trust has to be rebuilt." But until recently it sounded as if the government had faith in its ally's intelligence agencies.

In mid-August Merkel's chief of staff, Ronald Pofalla, offhandedly described the NSA scandal as over. German authorities offered none of their own findings -- just a dry statement from the NSA leadership saying the agency adhered to all agreements between the countries.

Now it is not just Pofalla who stands disgraced, but Merkel as well. She looks like a head of government who only stands up to Obama when she herself is a target of the US intelligence services. The German website Der Postillon published a satirical version last Thursday of the statement given by Merkel's spokesman, Steffen Seibert: "The chancellor considers it a slap in the face that she has most likely been monitored over the years just like some mangy resident of Germany."

Merkel has nothing to fear domestically from the recent turn of affairs. The election is over, the conservatives and the center-left Social Democrats are already in official negotiations toward forming a new government. No one wants to poison the atmosphere with mutual accusation.

Nevertheless, Merkel must now answer the question of how much she is willing to tolerate from her American allies.

Posing as Diplomats

A "top secret" classified NSA document from the year 2010 shows that a unit known as the "Special Collection Service" (SCS) is operational in Berlin, among other locations. It is an elite corps run in concert by the US intelligence agencies NSA and CIA.

The secret list reveals that its agents are active worldwide in around 80 locations, 19 of which are in Europe -- cities such as Paris, Madrid, Rome, Prague and Geneva. The SCS maintains two bases in Germany, one in Berlin and another in Frankfurt. That alone is unusual. But in addition, both German bases are equipped at the highest level and staffed with active personnel.

The SCS teams predominantly work undercover in shielded areas of the American Embassy and Consulate, where they are officially accredited as diplomats and as such enjoy special privileges. Under diplomatic protection, they are able to look and listen unhindered. They just can't get caught.

Wiretapping from an embassy is illegal in nearly every country. But that is precisely the task of the SCS, as is evidenced by another secret document. According to the document, the SCS operates its own sophisticated listening devices with which they can intercept virtually every popular method of communication: cellular signals, wireless networks and satellite communication.

The necessary equipment is usually installed on the upper floors of the embassy buildings or on rooftops where the technology is covered with screens or Potemkin-like structures that protect it from prying eyes.

That is apparently the case in Berlin, as well. SPIEGEL asked British investigative journalist Duncan Campbell to appraise the setup at the embassy. In 1976, Campbell uncovered the existence of the British intelligence service GCHQ. In his so-called "Echelon Report" in 1999, he described for the European Parliament the existence of the global surveillance network of the same name.

Campbell refers to window-like indentations on the roof of the US Embassy. They are not glazed but rather veneered with "dielectric" material and are painted to blend into the surrounding masonry. This material is permeable even by weak radio signals. The interception technology is located behind these radio-transparent screens, says Campbell. The offices of SCS agents would most likely be located in the same windowless attic.

No Comment from the NSA

This would correspond to internal NSA documents seen by SPIEGEL. They show, for example, an SCS office in another US embassy -- a small windowless room full of cables with a work station of "signal processing racks" containing dozens of plug-in units for "signal analysis."

On Friday, author and NSA expert James Bamford also visited SPIEGEL's Berlin bureau, which is located on Pariser Platz diagonally opposite the US Embassy. "To me, it looks like NSA eavesdropping equipment is hidden behind there," he said. "The covering seems to be made of the same material that the agency uses to shield larger systems."

The Berlin-based security expert Andy Müller Maguhn was also consulted. "The location is ideal for intercepting mobile communications in Berlin's government district," he says, "be it technical surveillance of communication between cellphones and wireless cell towers or radio links that connect radio towers to the network."

Apparently, SCS agents use the same technology all over the world. They can intercept cellphone signals while simultaneously locating people of interest. One antenna system used by the SCS is known by the affable code name "Einstein."

When contacted by SPIEGEL, the NSA declined to comment on the matter.
 
 The SCS are careful to hide their technology, especially the large antennas on the roofs of embassies and consulates. If the equipment is discovered, explains a "top secret" set of classified internal guidelines, it "would cause serious harm to relations between the United States and a foreign government."

According to the documents, SCS units can also intercept microwave and millimeter-wave signals. Some programs, such as one entitled "Birdwatcher," deal primarily with encrypted communications in foreign countries and the search for potential access points. Birdwatcher is controlled directly from SCS headquarters in Maryland.

With the growing importance of the Internet, the work of the SCS has changed. Some 80 branches offer "thousands of opportunities on the net" for web-based operations, according to an internal presentation. The organization is now able not only to intercept cellphone calls and satellite communication, but also to proceed against criminals or hackers. From some embassies, the Americans have planted sensors in communications equipment of the respective host countries that are triggered by selected terms.


Original article: By SPIEGEL Staff


Part 2: How the Scandal Began

There are strong indications that it was the SCS that targeted Chancellor Angela Merkel's cellphone. This is suggested by a document that apparently comes from an NSA database in which the agency records its targets. This document, which SPIEGEL has seen, is what set the cellphone scandal in motion.

The document contains Merkel's cellphone number. An inquiry to her team revealed that it is the number the chancellor uses mainly to communicate with party members, ministers and confidants, often by text message. The number is, in the language of the NSA, a "Selector Value." The next two fields determine the format ("raw phone number") and the "Subscriber," identified as "GE Chancellor Merkel."

In the next field, labeled "Ropi," the NSA defines who is interested in the German chancellor: It is the department S2C32. "S" stands for "Signals Intelligence Directorate," the NSA umbrella term for signal reconnaissance. "2" is the agency's department for procurement and evaluation. C32 is the unit responsible for Europe, the "European States Branch." So the order apparently came down from Europe specialists in charge of signal reconnaissance.

The time stamp is noteworthy. The order was transferred to the "National Sigint Requirements List," the list of national intelligence targets, in 2002. That was the year Germany held closely watched parliamentary elections and Merkel battled Edmund Stoiber of Bavaria's Christian Social Union to become the conservatives' chancellor candidate. It was also the year the Iraq crisis began heating up. The document also lists status: "A" for active. This status was apparently valid a few weeks before President Obama's Berlin visit in June 2013.

Finally, the document defines the units tasked with implementing the order: the "Target Office of Primary Interest": "F666E." "F6" is the NSA's internal name for the global surveillance unit, the "Special Collection Service."

Thus, the NSA would have targeted Merkel's cellphone for more than a decade, first when she was just party chair, as well as later when she'd become chancellor. The record does not indicate what form of surveillance has taken place. Were all of her conversations recorded or just connection data? Were her movements also being recorded?

'Intelligence Target Number One'

Among the politically decisive questions is whether the spying was authorized from the top: from the US president. If the data is accurate, the operation was authorized under former President George W. Bush and his NSA chief, Michael Hayden. But it would have had to be repeatedly approved, including after Obama took office and up to the present time. Is it conceivable that the NSA made the German chancellor a surveillance target without the president's knowledge?

The White House and the US intelligence agencies periodically put together a list of priorities. Listed by country and theme, the result is a matrix of global surveillance: What are the intelligence targets in various countries? How important is this reconnaissance? The list is called the "National Intelligence Priorities Framework" and is "presidentially approved."

One category in this list is "Leadership Intentions," the goals and objectives of a country's political leadership. The intentions of China's leadership are of high interest to the US government. They are marked with a "1" on a scale of 1 to 5. Mexico and Brazil each receive a "3" in this category.

Germany appears on this list as well. The US intelligence agencies are mainly interested in the country's economic stability and foreign policy objectives (both "3"), as well as in its advanced weapons systems and a few other sub-items, all of which are marked "4." The "Leadership Intention" field is empty. So based on the list, it wouldn't appear that Merkel should be monitored.

Former NSA employee Thomas Drake does not see this as a contradiction. "After the attacks of September 11, 2001, Germany became intelligence target number one in Europe," he says. The US government did not trust Germany, because some of the Sept. 11 suicide pilots had lived in Hamburg. Evidence suggests that the NSA recorded Merkel once and then became intoxicated with success, says Drake. "It has always been the NSA's motto to conduct as much surveillance as possible," he adds.

A Political Bomb

When SPIEGEL confronted the government on Oct. 10 with evidence that the chancellor's cellphone had been targeted, the German security apparatus became deeply unsettled.

The Chancellery ordered the country's foreign intelligence agency, the Federal Intelligence Service (BND), to scrutinize the information. In parallel, Christoph Heusgen, Merkel's foreign policy adviser, also contacted his US counterpart, National Security Adviser Susan Rice, to tell her about SPIEGEL's research, which had been summarized on a single sheet of paper. Rice said she would look into it.

Shortly afterwards, German security authorities got back to the Chancellery with a preliminary result: The numbers, dates and secret codes on the paper indicated the information was accurate. It was probably some kind of form from an intelligence agency department requesting surveillance on the chancellor's cellphone, they said. At this point, a sense of nervousness began to grow at government headquarters. It was clear to everyone that if the Americans were monitoring Merkel's phone, it would be a political bomb.

But then Rice called the Chancellery on Friday evening to explain that if reports began to circulate that Merkel's phone had been targeted, Washington would deny it -- or at least that is how the Germans understood the message. White House Press Secretary Jay Carney assured his counterpart, Merkel's spokesperson Steffen Seibert, of the same thing. The message was passed on to SPIEGEL late that evening without comment, at which point editors decided to continue investigating.

With this, both the US agencies and Berlin won themselves more time to come up with a battle plan for approaching the deep crisis of confidence between the two countries. And it was clearly already a crisis of confidence, because Berlin obviously doubted the statements coming from the US and hadn't called off its probe. And, as later became clear, there were also inquiries taking place in the US, despite the denial from Rice.

Over the weekend, the tide turned.

Rice contacted Heusgen once again, but this time her voice sounded less certain. She said that the possibility the chancellor's phone was under surveillance could only be ruled out currently and in the future. Heusgen asked for more details, but was put off. The chief adviser to the president on Europe, Karen Donfried, and the Assistant Secretary of State for Europe and Eurasia at the US State Department, Victoria Nuland, would provide further information midweek, he was told. By this time it was clear to the Chancellery that if Obama's top security adviser no longer felt comfortable ruling out possible surveillance, this amounted to confirmation of their suspicions.

Going on the Offensive

This detail only served to intensify the catastrophe. Not only had supposed friends monitored the chancellor's cellphone, which was bad enough on its own, but leaders in Berlin were also left looking like a group of amateurs. They had believed the assurances made this summer by Obama, who downplayed the notion of spying in Germany on a visit to Berlin. German Interior Minister Hans-Peter Friedrich had even gone so far as to say at the time that Germany's concerns had "dissipated."

On Tuesday morning Merkel decided to go on the offensive. She had seen how strongly French President François Hollande had reacted to allegations that US intelligence agencies had conducted widespread surveillance on French citizens. Hollande called Obama immediately to air his anger. Merkel now wanted to speak with Obama personally too -- before her planned meeting with Hollande at the upcoming EU summit in Brussels.

Heusgen made a preliminary call to Obama to let him know that Merkel planned to make some serious complaints, with which she would then go public. At stake was control over the political interpretation of one of the year's most explosive news stories.

Merkel spoke with Obama on Wednesday afternoon, calling him from her secure landline in her Chancellery office. Both spoke English. According to the Chancellery, the president said that he had known nothing of possible monitoring, otherwise he would have stopped it. Obama also expressed his deepest regrets and apologized.

Around 5:30 p.m. the same day, Merkel's chief of staff, Pofalla, informed two members of the Parliamentary Control Panel, the body in Germany's parliament charged with keeping tabs on the country's intelligence agencies, of what was going on. At the same time, the administration went public with the matter. It contacted SPIEGEL first with a statement containing Merkel's criticism of possible spying on her cellphone. Her spokesman Seibert called it a "grave breach of trust" -- a choice of phrase seen as the highest level of verbal escalation among allied diplomats.


Original article: By SPIEGEL Staff


Part 3: Surprising Unscrupulousness

The scandal revives an old question: Are the German security agencies too trusting of the Americans? Until now, German agencies have typically concerned themselves with China and Russia in their counterintelligence work, for which the domestic intelligence agency, the Federal Office for the Protection of the Constitution (BFV), is responsible.

A year ago, there was already debate between the agencies, the Interior Ministry and the Chancellery over whether Germany should be taking a harder look at what American agents were up to in the country. But the idea was jettisoned because it seemed too politically sensitive. The main question at the time came down to whether monitoring allies should be allowed.

Even to seasoned German intelligence officials, the revelations that have come to light present a picture of surprising unscrupulousness. It's quite possible that the BFV could soon be tasked with investigating the activities of the CIA and NSA.

The ongoing spying scandal is also fueling allegations that the Germans have been allowing the NSA to lead them around by the nose. From the beginning of the NSA scandal, Berlin has conducted its attempts to clarify the allegations with a mixture of naivety and ignorance.

Letters with anxious questions were sent, and a group of government department leaders traveled to Washington to meet with Director of National Intelligence James Clapper. The BND was also commissioned with negotiating a "no-spying pact" with the US agencies. In this way, Merkel's government feigned activity while remaining largely in the dark. In fact, it relied primarily on the assurance from the US that its intentions were good.

It also seems to be difficult for German intelligence agencies to actually track the activities of the NSA. High-level government officials admit the Americans' technical capabilities are in many ways superior to what exists in Germany. At the BFV domestic intelligence agency, for example, not even every employee has a computer with an Internet connection.

But now, as a consequence of the spying scandal, the German agencies want to beef up their capabilities. "We're talking about a fundamental realignment of counterintelligence," said one senior security official. There are already more than 100 employees at the BFV responsible for counterintelligence, but officials are hoping to see this double.

One focus of strategic considerations is the embassy buildings in central Berlin. "We don't know which roofs currently have spying equipment installed," says the security official. "That is a problem."

Trade Agreement at Risk?

When the news of Merkel's mobile phone being tapped began making the rounds, the BND and the BSI, the federal agency responsible for information security, took over investigation of the matter. There too, officials have been able to do nothing more than ask questions of the Americans when such sensitive issues have come up in recent months.

But now German-American relations are threatened with an ice age. Merkel's connection to Obama wasn't particularly good before the spying scandal. The chancellor is said to consider the president overrated -- a politician who talks a lot but does little, and is unreliable to boot.

One example, from Berlin's perspective, was the military operation in Libya almost three years ago, which Obama initially rejected. When then-Secretary of State Hillary Clinton convinced him to change his mind, he did so without consulting his allies. Berlin saw this as evidence of his fickleness and disregard for their concerns.

The chancellor also finds Washington's regular advice on how to solve the euro crisis irritating. She would prefer not to receive instruction from the country that caused the collapse of the global financial system in the first place. Meanwhile, the Americans have been annoyed for years that Germany isn't willing to do more to boost the world economy.

Merkel also feels as though she was duped. The Chancellery now plans once again to review the assurances of US intelligence agencies to make sure they are abiding by the law.

The chancellor's office is also now considering the possibility that the much-desired trans-Atlantic free trade agreement could fail if the NSA affair isn't properly cleared up. Since the latest revelations came out, some 58 percent of Germans say they support breaking off ongoing talks, while just 28 percent are against it. "We should put the negotiations for a free-trade agreement with the US on ice until the accusations against the NSA have been clarified," says Bavarian Economy Minister Ilse Aigner, a member of the Christian Social Union, the Bavarian sister party to Merkel's Christian Democrats.

Outgoing Justice Minister Sabine Leutheusser-Schnarrenberger has used the scandal as an excuse to appeal to the conscience of her counterpart in Washington, Attorney General Eric Holder. "The citizens rightly expect that American institutions also adhere to German laws. Unfortunately, there are a number of indications to the contrary," she wrote in a letter to Holder last week.

EU Leaders Consider Consequences

The American spying tactics weren't far from the minds of leaders at the EU summit in Brussels last Thursday, either. French President Hollande was the first to bring it up at dinner, saying that while he didn't want to demonize the intelligence agencies, the Americans had so blatantly broken the law on millions of counts that he couldn't imagine how things could go on this way.

Hollande called for a code of conduct among the intelligence agencies, an idea for which Merkel also showed support. But soon doubts emerged: Wouldn't Europe also have to take a look at its own surveillance practices? What if a German or French Snowden came forward to reveal dirty spy tactics? British Prime Minister David Cameron pointed out how many terror attacks had been prevented because of spying capabilities. Then it was asked whether it has been proven that Obama even knows what his agencies are doing. Suddenly, mutual understanding seemed to waft through the group.

That was a bit too rich for Hollande: No, he interjected, spying to such an immense degree, allegedly on more than 70 million phone calls per month in France alone -- that has been undertaken by only one country: the United States. The interruption was effective. After nearly three hours, the EU member states agreed on a statement that can be read as clear disapproval of the Americans.

Merkel no longer wants to rely solely on promises. This week Günter Heiss, Chancellor Merkel's intelligence coordinator, will travel to Washington. Heiss wants the Americans finally to promise a contract excluding mutual surveillance. The German side already announced its intention to sign on to this no-spying pact during the summer, but the US government has so far shown little inclination to seriously engage with the topic.

This is, of course, also about the chancellor's cellphone. Because despite all the anger, Merkel still didn't want to give up using her old number as of the end of last week. She was using it to make calls and to send text messages. Only for very delicate conversations did she switch to a secure line.

BY JACOB APPELBAUM, NIKOLAUS BLOME, HUBERT GUDE, RALF NEUKIRCH, RENÉ PFISTER, LAURA POITRAS, MARCEL ROSENBACH, JÖRG SCHINDLER, GREGOR PETER SCHMITZ AND HOLGER STARK


Original article: By SPIEGEL Staff

[Pez]

Germany and France warn NSA spying fallout jeopardises fight against terror

Angela Merkel and François Hollande lead push at EU summit to reshape transatlantic spying and agree new code of conduct

Germany and France are to spearhead a drive to try to force the Americans to agree new transatlantic rules on intelligence and security service behaviour in the wake of the Snowden revelations and allegations of mass US spying in France and tapping of the German chancellor Angela Merkel's mobile phone.

At an EU summit in Brussels that was hijacked by the furore over the activities of the National Security Agency in the US and Britain's GCHQ, the French president, François Hollande, also called for a new code of conduct agreed between national intelligence services in the EU, raising the question of whether Britain would opt to join in.

Shaken by this week's revelations of NSA operations in France and Germany, EU leaders and Merkel in particular warned that the international fight against terrorism was being jeopardised by the perception that mass US surveillance was out of control.

The leaders "stressed that intelligence-gathering is a vital element in the fight against terrorism", a summit statement said. "A lack of trust could prejudice the necessary co-operation in the field of intelligence-gathering."

Merkel drove the point home: "We need trust among allies and partners. Such trust now has to be built anew … The United States of America and Europe face common challenges. We are allies. But such an alliance can only be built on trust."

Privately, according to senior sources who witnessed the two-hour discussion of intelligence snooping on Thursday evening, Merkel told the other leaders that the issue at stake was not that her mobile phone may have been tapped by the Americans, but that it represented "the phones of millions of European citizens".

While conceding that intelligence services everywhere might be prone to behaving badly, Hollande dismissed suggestions that the Americans were merely operating as other security services also did. He complained that the revelations by the US whistleblower, Edward Snowden, showed a level of eavesdropping and data gathering that took place nowhere in Europe and was unique to the US agency.

A delegation of nine MEPs will travel to Washington on Monday for a three-day visit, during which they will press senior US government and intelligence officials for answers on allegations of widespread spying by the US, and explore "possible legal remedies for EU citizens" resulting from the alleged surveillance.

Separately, the German government said on Friday that a group of senior officials including the heads of its foreign and domestic intelligence agencies would travel to the US "shortly" for talks at the White House and with the NSA.

The White House spokesman Jay Carney said the Obama administration was discussing Germany's concerns "through diplomatic channels at the highest level".

It is plain that the French and the Germans want to limit the damage from the NSA furore, but also hope to engage the Americans to rein in their activities. They set a deadline of the end of the year for results. The statement said other countries could join the negotiations, leaving the door open for British participation.

Given the role of GCHQ in the mass surveillance, Cameron found himself the target of veiled criticism at the summit, according to witnesses. Merkel complained that Britain enjoyed a privileged position with the Americans because it is the only EU member in the "Five Eyes Club" – the intelligence-sharing arrangement linking the US, the UK, Canada, Australia and New Zealand.

Senior EU security officials suspect that Berlin may seek to exploit the crisis to gain admission to, or at least greater co-operation with, the Five Eyes pact.

Cameron, sources said, responded to the critical remarks by stressing that under his premiership the shared intelligence with the four other countries had resulted in several terrorist plots being foiled, with countless lives saved.

The controversy deepened on Thursday when the Guardian revealed that the NSA had monitored the phone conversations of 35 world leaders after being given their phone numbers by an official in another US government department. The latest claims, which emerged from a classified document provided by Snowden, have further overshadowed this week's EU summit in Brussels.

Despite US efforts to placate Merkel – including a phone call with the US president, Barack Obama, on Wednesday – she has refused to conceal her anger.

Merkel briefed the other leaders in some detail on the 20-minute conversation with Obama, sources said, adding that several participants commented that they thought the US leader was "embarrassed".

The European anger and frustration was directed at a US agency seen to be out of control and beyond appropriate scrutiny rather than being aimed at Obama.

The latest confidential memo provided by Snowden reveals that the NSA encourages senior officials in its "customer" departments – such as the White House, state department and the Pentagon – to share their Rolodexes so that the agency can add the phone numbers of leading foreign politicians to their surveillance systems.

The document notes that one unnamed US official handed over 200 numbers, including those of the 35 world leaders, none of whom has been named. These were immediately "tasked" for monitoring by the NSA.


Original article: Ian Traynor in Brussels theguardian.com, Friday 25 October 2013 12.31 BST

[Pez]

NSA-document: SE status in the intelligence community

TOP

National Security 18 April 2013
Security Service

Information Paper


(SIIREL to USA, FVEY) Subject: NSA Intelligence Relationship with Sweden
(U) Introduction

TO USA, FVEY) NSA's relationship with the Swedish SIGINT service,
Forsvarets Radioanstalt (FRA), was established in 1954 under the UKUSA agreement.
At that time it was agreed that GCHQ would take the lead for the exchange of COMINT
information and that NSA would take the lead for the ELINT exchange. As of April
2004, NSA, GCHQ and the FRA agreed to dissolve this part of the UKUSA agreement
and hold bilateral exchanges on both COMINT and ELINT.

NSA's relationship with the FRA, an extremely competent, technically
innovative, and trusted Third Party partner, continues to grow. The FRA provided NSA
with access to its cable collection in 2011, providing unique collection on high-priority
Russian targets such as leadership, internal politics, and energy.

. FRA's efforts against counter-terrorism (CT) targets continue to expand, and
new legislation enacted in January 2013 has improved its ability to work directly with the
Swedish internal security service (SAPO). NSA's Data Acquisition is actively engaged
with the FRA, which has numerous collection sites and is proficient in collecting a wide
variety of communications.

(U) Key Issues

The FRA continues to place more emphasis on cyber. NSA's National
Threat Operations Center (NTOC) and FRA have an ongoing exchange
discussing malware topics. The FRA is positioning itself to become the cyber defense
authority in Sweden and hopes to receive the Swedish government mandate in the near
future.

Derived From: 1-52
Dated: 20070108
Declassify On: 20320108
TOP

SE status in the intelligence community

[Pez]

Attacking Tor: how the NSA targets users' online anonymity

Secret servers and a privileged position on the internet's backbone used to identify users and attack target computers


Tor is a well-designed and robust anonymity tool, and successfully attacking it is difficult. Photograph: Magdalena Rehova/Alamy

The online anonymity network Tor is a high-priority target for the National Security Agency. The work of attacking Tor is done by the NSA's application vulnerabilities branch, which is part of the systems intelligence directorate, or SID. The majority of NSA employees work in SID, which is tasked with collecting data from communications systems around the world.

According to a top-secret NSA presentation provided by the whistleblower Edward Snowden, one successful technique the NSA has developed involves exploiting the Tor browser bundle, a collection of programs designed to make it easy for people to install and use the software. The trick identified Tor users on the internet and then executes an attack against their Firefox web browser.

The NSA refers to these capabilities as CNE, or computer network exploitation.

The first step of this process is finding Tor users. To accomplish this, the NSA relies on its vast capability to monitor large parts of the internet. This is done via the agency's partnership with US telecoms firms under programs codenamed Stormbrew, Fairview, Oakstar and Blarney.

The NSA creates "fingerprints" that detect http requests from the Tor network to particular servers. These fingerprints are loaded into NSA database systems like XKeyscore, a bespoke collection and analysis tool which NSA boasts allows its analysts to see "almost everything" a target does on the internet.

Using powerful data analysis tools with codenames such as Turbulence, Turmoil and Tumult, the NSA automatically sifts through the enormous amount of internet traffic that it sees, looking for Tor connections.

Last month, Brazilian TV news show Fantastico showed screenshots of an NSA tool that had the ability to identify Tor users by monitoring internet traffic.

The very feature that makes Tor a powerful anonymity service, and the fact that all Tor users look alike on the internet, makes it easy to differentiate Tor users from other web users. On the other hand, the anonymity provided by Tor makes it impossible for the NSA to know who the user is, or whether or not the user is in the US.

After identifying an individual Tor user on the internet, the NSA uses its network of secret internet servers to redirect those users to another set of secret internet servers, with the codename FoxAcid, to infect the user's computer. FoxAcid is an NSA system designed to act as a matchmaker between potential targets and attacks developed by the NSA, giving the agency opportunity to launch prepared attacks against their systems.

Once the computer is successfully attacked, it secretly calls back to a FoxAcid server, which then performs additional attacks on the target computer to ensure that it remains compromised long-term, and continues to provide eavesdropping information back to the NSA.

Exploiting the Tor browser bundle

Tor is a well-designed and robust anonymity tool, and successfully attacking it is difficult. The NSA attacks we found individually target Tor users by exploiting vulnerabilities in their Firefox browsers, and not the Tor application directly.

This, too, is difficult. Tor users often turn off vulnerable services like scripts and Flash when using Tor, making it difficult to target those services. Even so, the NSA uses a series of native Firefox vulnerabilities to attack users of the Tor browser bundle.

According to the training presentation provided by Snowden, EgotisticalGiraffe exploits a type confusion vulnerability in E4X, which is an XML extension for Javascript. This vulnerability exists in Firefox 11.0 – 16.0.2, as well as Firefox 10.0 ESR – the Firefox version used until recently in the Tor browser bundle. According to another document, the vulnerability exploited by EgotisticalGiraffe was inadvertently fixed when Mozilla removed the E4X library with the vulnerability, and when Tor added that Firefox version into the Tor browser bundle, but NSA were confident that they would be able to find a replacement Firefox exploit that worked against version 17.0 ESR.

The Quantum system

To trick targets into visiting a FoxAcid server, the NSA relies on its secret partnerships with US telecoms companies. As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target's browser to visit a Foxacid server.

In the academic literature, these are called "man-in-the-middle" attacks, and have been known to the commercial and academic security communities. More specifically, they are examples of "man-on-the-side" attacks.

They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the internet backbone, and exploit a "race condition" between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack.

The NSA uses these fast Quantum servers to execute a packet injection attack, which surreptitiously redirects the target to the FoxAcid server. An article in the German magazine Spiegel, based on additional top secret Snowden documents, mentions an NSA developed attack technology with the name of QuantumInsert that performs redirection attacks. Another top-secret Tor presentation provided by Snowden mentions QuantumCookie to force cookies onto target browsers, and another Quantum program to "degrade/deny/disrupt Tor access".

This same technique is used by the Chinese government to block its citizens from reading censored internet content, and has been hypothesized as a probable NSA attack technique.

The FoxAcid system

According to various top-secret documents provided by Snowden, FoxAcid is the NSA codename for what the NSA calls an "exploit orchestrator," an internet-enabled system capable of attacking target computers in a variety of different ways. It is a Windows 2003 computer configured with custom software and a series of Perl scripts. These servers are run by the NSA's tailored access operations, or TAO, group. TAO is another subgroup of the systems intelligence directorate.

The servers are on the public internet. They have normal-looking domain names, and can be visited by any browser from anywhere; ownership of those domains cannot be traced back to the NSA.

However, if a browser tries to visit a FoxAcid server with a special URL, called a FoxAcid tag, the server attempts to infect that browser, and then the computer, in an effort to take control of it. The NSA can trick browsers into using that URL using a variety of methods, including the race-condition attack mentioned above and frame injection attacks.

FoxAcid tags are designed to look innocuous, so that anyone who sees them would not be suspicious. An example of one such tag [LINK REMOVED] is given in another top-secret training presentation provided by Snowden.

There is no currently registered domain name by that name; it is just an example for internal NSA training purposes.

The training material states that merely trying to visit the homepage of a real FoxAcid server will not result in any attack, and that a specialized URL is required. This URL would be created by TAO for a specific NSA operation, and unique to that operation and target. This allows the FoxAcid server to know exactly who the target is when his computer contacts it.

According to Snowden, FoxAcid is a general CNE system, used for many types of attacks other than the Tor attacks described here. It is designed to be modular, with flexibility that allows TAO to swap and replace exploits if they are discovered, and only run certain exploits against certain types of targets.

The most valuable exploits are saved for the most important targets. Low-value exploits are run against technically sophisticated targets where the chance of detection is high. TAO maintains a library of exploits, each based on a different vulnerability in a system. Different exploits are authorized against different targets, depending on the value of the target, the target's technical sophistication, the value of the exploit, and other considerations.

In the case of Tor users, FoxAcid might use EgotisticalGiraffe against their Firefox browsers.

According to a top-secret operational management procedures manual provided by Snowden, once a target is successfully exploited it is infected with one of several payloads. Two basic payloads mentioned in the manual, are designed to collect configuration and location information from the target computer so an analyst can determine how to further infect the computer.

These decisions are made in part by the technical sophistication of the target and the security software installed on the target computer; called Personal Security Products or PSP, in the manual.

FoxAcid payloads are updated regularly by TAO. For example, the manual refers to version 8.2.1.1 of one of them.

FoxAcid servers also have sophisticated capabilities to avoid detection and to ensure successful infection of its targets. The operations manual states that a FoxAcid payload with the codename DireScallop can circumvent commercial products that prevent malicious software from making changes to a system that survive a reboot process.

The NSA also uses phishing attacks to induce users to click on FoxAcid tags.

TAO additionally uses FoxAcid to exploit callbacks – which is the general term for a computer infected by some automatic means – calling back to the NSA for more instructions and possibly to upload data from the target computer.

According to a top-secret operational management procedures manual, FoxAcid servers configured to receive callbacks are codenamed FrugalShot. After a callback, the FoxAcid server may run more exploits to ensure that the target computer remains compromised long term, as well as install "implants" designed to exfiltrate data.

By 2008, the NSA was getting so much FoxAcid callback data that they needed to build a special system to manage it all.

 
Original article: Bruce Schneier theguardian.com, Friday 4 October 2013 15.50 BST

[Pez]

Quantum Spying: GCHQ Used Fake LinkedIn Pages to Target Engineers



Officials at LinkedIn say they "would not authorize such activity for any purpose".

Elite GCHQ teams targeted employees of mobile communications companies and billing companies to gain access to their company networks. The spies used fake copies of LinkedIn profiles as one of their tools.

The Belgacom employees probably thought nothing was amiss when they pulled up their profiles on LinkedIn, the professional networking site. The pages looked the way they always did, and they didn't take any longer than usual to load.

 The victims didn't notice that what they were looking at wasn't the original site but a fake profile with one invisible added feature: a small piece of malware that turned their computers into tools for Britain's GCHQ intelligence service.

The British intelligence workers had already thoroughly researched the engineers. According to a "top secret" GCHQ presentation disclosed by NSA whistleblower Edward Snowden, they began by identifying employees who worked in network maintenance and security for the partly government-owned Belgian telecommunications company Belgacom.

Then they determined which of the potential targets used LinkedIn or Slashdot.org, a popular news website in the IT community.

'Quantum Insert'

The computers of these "candidates" were then infected with computer malware that had been placed using infiltration technology the intelligence agency refers to as "Quantum Insert," which enabled the GCHQ spies to deeply infiltrate the Belgacom internal network and that of its subsidiary BICS, which operates a so-called GRX router system. This type of router is required when users make calls or go online with their mobile phones while abroad.

SPIEGEL's initial reporting on "Operation Socialist," a GCHQ program that targeted Belgacom, triggered an investigation by Belgian public prosecutors. In addition, two committees of the European Parliament are investigating an attack by a European Union country on the leading telecommunications provider in another EU member state.

The operation is not an isolated case, but in fact is only one of the signature projects of an elite British Internet intelligence hacking unit working under the auspices of a group called MyNOC, or "My Network Operations Centre." MyNOCs bring together employees from various GCHQ divisions to cooperate on especially tricky operations. In essence, a MyNOC is a unit that specializes in infiltrating foreign networks. Call it Her Majesty's hacking service, if you like.

When GCHQ Director Iain Lobban appeared before the British parliament last Thursday, he made an effort to reassure lawmakers alarmed by recent revelations. British intelligence couldn't exactly stand back and watch the United Kingdom be targeted for industrial espionage, Lobban said. But, he noted, only those whose activities pose a threat to the national or economic security of the United Kingdom could in fact be monitored by his agency.

A Visit from Charles and Camilla

Even members of the royal family occasionally stop by to see what British intelligence is up to. In one photo that appears in a secret document, Charles, the Prince of Wales, and his wife Camilla, the Duchess of Cornwall, are shown listening to a presentation at a MyNOC workstation called "A Space." The tongue-in-cheek caption reads "Interlopers in A Space."

The presentation does not indicate the extent to which the royal family is kept abreast of current espionage operations. Their last visit was reportedly about Afghanistan, not Belgium. But the visit had been to the same location where what the secret document described as the "very successful" operation against Belgacom as well as "Operation Wylekey," also run by a MyNOC unit, had been conducted.

This also relates to an issue that the British have made a focal point of their intelligence-gathering activities: the most comprehensive access possible to worldwide mobile networks, the critical infrastructures for the digital age.

Mobile networks are a blessing and a curse for spies worldwide. Because each major wireless communications company operates its own networks, tapping into them becomes more complex. On the other hand, the mobile multi-use devices in our pockets are a blessing, because they often reveal more personal information than stationary computers, such as the user's lifestyle habits and location. They can also be transformed into bugging devices that can be activated remotely at any time to listen in on the user's conversations.

Mobile Phones Become Monitoring Tools

"We can locate, collect, exploit (in real time where appropriate) high value mobile devices & services in a fully converged target centric manner," a GCHQ document from 2011 states. For years, the British spies have aspired to potentially transform every mobile phone on the planet into a monitoring tool that could be activated at any time.

But the government hackers apparently have to employ workarounds in order to infiltrate the relatively inaccessible mobile phone networks.

According to the presentation, in the case of Belgacom this involved the "exploitation of GRX routers," from which so-called man-in-the-middle attacks could be launched against the subjects' smartphones. "This way, an intelligence service could read the entire Internet communications of the target and even track their location or implant spying software on their device," mobile networks expert Philippe Langlois says of the development. It is an effective approach, Langlois explains, since there are several hundred wireless companies, but only about two dozen GRX providers worldwide.

But this isn't the only portal into the world of global mobile communications that GCHQ has exploited. Another MyNOC operation, "Wylekey," targets "international mobile billing clearinghouses."

These clearinghouses, which are relatively unknown to the general public, process international payment transactions among wireless companies, giving them access to massive amounts of connection data.

The GCHQ presentation, which SPIEGEL was able to view, contains a list of the billing companies that are on the radar of the British. At the top of the list are Comfone, a company based in Bern, Switzerland, and Mach, which has since been split into two companies, one owned by another firm called Syniverse and another called Starhome Mach. Syniverse was also on the list of companies to monitor. Together, these companies dominate the industry worldwide. In the case of Mach, the GCHQ personnel had "identified three network engineers" to target. Once again, the Quantum Insert method was deployed.

The spies first determine who works for a company identified as a target, using open source data like the LinkedIn professional social networking site. IT personnel and network administrators are apparently of particular interest to the GCHQ attackers, because their computers can provide extensive access privileges to protected corporate infrastructures.

Targeting an Innocent Employee

In the case of Mach, for example, the GCHQ spies came across a computer expert working for the company's branch in India. The top-secret document shows how extensively the British intelligence agents investigated the life of the innocent employee, who is listed as a "target" after that.
 
 A complex graph of his digital life depicts the man's name in red crosshairs and lists his work computers and those he uses privately ("suspected tablet PC"). His Skype username is listed, as are his Gmail account and his profile on a social networking site. The British government hackers even gained access to the cookies on the unsuspecting victim's computers, as well as identifying the IP addresses he uses to surf the web for work or personal use.
 
In short, GCHQ knew everything about the man's digital life, making him an open book for its spies. SPIEGEL has contacted the man, but to protect his privacy is not publishing his name.

But that was only the preparatory stage. After mapping the man's personal data, now it was time for the attack department to take over. On the basis of this initial information, the spies developed digital attack weapons for six Mach employees, described in the document as "six targeting packs for key individuals," customized for the victims' computers.


Original article: By SPIEGEL Staff


Part 2: GCHQ Wants To Make Mobile Web an All-Seeing Surveillance Machine

In an article in Britain's Guardian newspaper, American IT security expert Bruce Schneier describes in detail how Quantum Insert technology is used to place malware. Apparently, the agencies use high-speed servers located at key Internet switching points. When a target calls up a specific website, such as LinkedIn, these servers are activated. Instead of the desired website, they supply an exact copy, but one that also smuggles the government hackers' spying code onto the target computers.

According to other secret documents, Quantum is an extremely sophisticated exploitation tool developed by the NSA and comes in various versions. The Quantum Insert method used with Belgacom is especially popular among British and US spies. It was also used by GCHQ to infiltrate the computer network of OPEC's Vienna headquarters.

The injection attempts are known internally as "shots," and they have apparently been relatively successful, especially the LinkedIn version. "For LinkedIn the success rate per shot is looking to be greater than 50 percent," states a 2012 document.

Much like the Belgacom spying operation, Wylekey is considered a great success. According to a summary, it provided GCHQ with detailed information about Mach, its communications infrastructure, its business profile and various key individuals.

Another document indicates that the operation yielded much more than that. In addition to "enhanced knowledge of the various clearinghouses, their customers," it also provided "knowledge of and access to encrypted links between the clearinghouses and various mobile network operators."

Interim reports on the course of the Belgacom operation were even more enthusiastic, concluding that the British spies had penetrated "deep into the network" of the Belgian company and were "at the edge of the network." This enabled the British internal encryption specialists ("Crypt Ops") to launch their "Operation Socialist II," so as to crack the encrypted connections, or VPNs.

'LinkedIn Would Not Authorize Such Activity'

When contacted, LinkedIn stated that the company takes the privacy and security of its members "very seriously" and "does not sanction the creation or use of fake LinkedIn profiles or the exploitation of its platform for the purposes alleged in this report." "To be clear," the company continued, "LinkedIn would not authorize such activity for any purpose." The company stated it "was not notified of the alleged activity."

A spokesman for Starhome Mach said his company is "with immediate effect undertaking a full security audit to ensure that our infrastructure is secure" and that its platform had recently switched to a completely new configuration with mainly new hardware. Officials at Comfone said: "We have no knowledge of the British intelligence service infiltrating our systems." Syniverse also stated "there have been no known breaches of the Syniverse or MACH data centers by any government agency."

GCHQ did not comment on questions posed by SPIEGEL.

'Any Mobile Device, Anywhere, Anytime!'

For the British, all of this was apparently only an intermediate step on the path to a greater goal. In addition to the conventional Internet, GCHQ now wants to turn the mobile web into an all-seeing surveillance machine.

This is how the GCHQ spies described their "vision" in 2011: "Any mobile device, anywhere, anytime!"

In this context, the attacks on Belgacom and the clearinghouses merely serve as door openers. Once the telecommunications companies' actual mobile phone networks have been infiltrated, completely new monitoring possibilities present themselves to the spies. A briefing dating from 2011 stated the agency wanted to "increase operational capability to remotely deploy implants when we only know the MSISDN." In other words, GCHQ's phone hackers would ideally like to repurpose every mobile phone in the world into a bugging device, merely on the basis of the phone number. "That would be game changing," the document reads.

REPORTED BY LAURA POITRAS, MARCEL ROSENBACH, CHRISTOPH SCHEUERMANN, HOLGER STARK AND CHRISTIAN STÖCKER


Original article: By SPIEGEL Staff

[devnullius]

Attacking Tor: how the NSA targets users' online anonymity anyone who sees them would not be suspicious. An example of one such tag [LINK REMOVED]

WTF? I wanna SEE! And visit! :>

VERY interesting read... Reads like an exciting movie I would LOVE to watch. I would even PAY for it in an official, registered cinema ;p

Up until know the technical secrets that came out, did not surprise me very much. Already in the 90s I thought about "internet" and "spying" a lot. Especially on how one would do it and how secure I wouldn't be if "one" had full access to the backbone.

Things I did not could have thought of are the MASSIVE scale this operates on! If they would only use this power to mine bitcoins... :s Or peaceful operations in general

What truly surprised me was the time-shifting trick. Yeah I know it's man-in-the-middle, but I found it a very special kind of "man"  there in that middle. Why? Cause it's solely based on being faster.

Very smart all in all I'm impressed; truly some geniuses @ NSA. Luckily, they were also very arrogant. And arrogance... Always leads to a fall ;p See Blatter. Kim Un.* ...

PEACE! God damn't

devnullius


* in Dutch, "Un" is pronounced "oen" - meaning "morron". If you look at Kim's face... Yeah, it seems about right ;p

[Pez]

Have you try to search on YouTube? 

http://www.youtube.com/results?search_query=Attacking+Tor%3A+how+the+NSA+targets+users&sm=12

A interesting movie I found their:
http://www.youtube.com/watch?v=MqvSEQ7jmeY


One other for them who did not know.

How the NSA uses cellphone tracking to find and 'develop' targets
http://youtu.be/-rTr6PfEVwg

Can the Tor browser (or anything) Really Keep Your Web Activities
http://youtu.be/3uIAlByKorM

Snowden Leak: NSA Targeted Tor Users' Anonymity
http://youtu.be/QuWyim1cPis

TOR is Safe No More!
http://youtu.be/95QfumZMerM

[devnullius]

 

I was only hoping for something more Hollywood-like. With Leonardo DiCaprio or something. Maybe even with some romantic interests interwoven... Something like "Hackers" - loved that one!  :>

D